Trust & Privacy

Qlik has an ongoing commitment to protecting the data of our customers, business partners and employees. We believe in communicating in an open, transparent manner about the ways in which your data is collected and used, and respecting customers’ choice and control over their data. Accordingly, we have developed a robust, enterprise-wide privacy program to ensure compliance with the evolving landscape of privacy and data protection laws and maintain the trust our customers have in our products and services.

Trust in Qlik as a Privacy Compliant Vendor

Qlik’s Privacy Team, led by our Data Protection Officer, in conjunction with our Information Security Team, administers and monitors the effectiveness of our privacy program. Our privacy program is supported by a cross-functional team of Data Privacy Champions, including representatives from Legal, IT, R&D, Product, Consulting, Sales, Marketing and Support. The privacy program is underpinned by comprehensive processes and controls, such as:

  • Measures to ensure the lawful transfer of personal data between Qlik group companies in different countries.
  • Our record of data processing activities, as required under Article 30 GDPR.
  • Privacy-By-Design and Privacy-By-Default methodologies, e.g., in our vendor vetting and our R&D/product development processes.
  • Data retention and access rules.
  • Regular data privacy and security training.
  • Comprehensive data privacy policies and notices, including our Product Privacy Notice and our Privacy & Cookie Notice.

Privacy in Qlik’s Products and Services

Privacy-By-Design
Organizations and individuals can use Qlik products with confidence, knowing that we built our products, from inception, with security and privacy in mind. We utilize both security- and privacy-by-design practices in our development processes which adhere to applicable privacy laws.

Your Data, Your Choice
You decide what content data (i.e., the data/applications) you upload into or create in our products. You can also correct and delete your content data whenever you need, to suit your business.

Data Access
For client-managed products that are on-premise or customer/third party hosted Qlik SaaS solutions, Qlik does not host these and has no access to your content data.


Privacy in Qlik Cloud

Qlik as a Data Processor
Qlik is a processor of our customers’ personal data within Qlik Cloud. Therefore, customers can confidently use personal data in their tenants with the knowledge that the Qlik Data Processing Addendum provides the protections required by applicable law.

Your Tenant, Your Data, Your Choice
You decide what content data (i.e., the data/applications) you upload into or create in your Qlik Cloud tenant. You control the access, correction and deletion of your Qlik Cloud tenant content data to suit your business and privacy-related compliance needs. Qlik Cloud is a no-view service, with content data content encrypted and hosted according to the customer’s region preference.

Security of Your Data
Your content data is encrypted in Qlik Cloud and we have multiple layers of security in place to protect it. Qlik personnel do not have direct access to your data unless you otherwise invite us into your Qlik Cloud tenant (e.g., to perform Consulting Services). Visit our Trust and Security page to learn more about the security controls we apply to protect your data and to view our security certifications and accreditations.

Choose your Region
You can select your server location by region when creating your Qlik Cloud tenant.

Read our Product Privacy Notice for more information on how Qlik handles privacy within our products, the server regions available to our Qlik Cloud customers, and other relevant information.

Frequently Asked Questions

  • At Qlik, we ensure personal data is protected and that we and our products comply with data protection/privacy laws, including the EU General Data Protection Regulation (GDPR).

    These include, for example:

    • Appointing a global Data Protection Officer.
    • Measures to safeguard the lawful transfer of personal data between group companies in different countries.
    • Maintaining a Record of Processing Activities, as required under Article 30 GDPR.
    • Privacy-By-Design and Privacy-By-Default processes, e.g., in our vendor vetting and in our R&D/product development processes.
    • Data Retention and Access governance.
    • Implementing Privacy Policies and Notices on various topics, from website data collection to our products.
    • Maintaining a data incident detection and response program.
    • Regular privacy and security training.

  • Yes, when creating a new Qlik Cloud tenant, you have the option to select your region of preference for storing your content data. You maintain control over access to your content (e.g., apps) through permissions and access granting.

    Please note that personal data in your Qlik Cloud tenant may leave your region:

    1. If you share the data outside the EU, e.g., by sharing content data with a colleague in the US; and/or
    2. If you attach personal data to a Qlik support case (Qlik does not require personal data from you to provide support services and we advise that you anonymize the data before disclosing it to Qlik) or, in the unlikely event that a Qlik employee needs to access your tenant to fix an issue. Qlik uses its Affiliates and third parties for support and consulting services, some of which may be located globally. Qlik has implemented, internally and with relevant external sub-processors, data protection agreements ensuring lawful data transfers. You can find Qlik’s list of sub-processors on Qlik Community.

  • On-premise products are client managed and you maintain control over where your data is stored. Qlik cannot access your content data.

  • Qlik Cloud is a no-view service. Customer content, and access to it, is decided and controlled by the customer and its users. Qlik’s Data Processing Addendum enables customers to input personal data content (as defined under laws such as the UK and EU’s GDPRs, Brazil’s LGPD, California’s CCPA, etc.) into Qlik Cloud. If your organization has signed a Business Associate Agreement (BAA) with Qlik, this enables you to input US PHI (as defined under US HIPAA) into Qlik Cloud.

    As a general software provider our offerings are generally not subject to industry-specific laws. Visit our Trust & Security page to view our certifications/attestations, including those relating to specific industries. Subject to our agreements with you customers may determine, in light of their particular country and industry requirements, whether the controls of Qlik Cloud meet their particular (e.g., industry specific) requirements and decide whether to put their industry-specific data into Qlik Cloud. Further information regarding Qlik Cloud security, controls and certifications and can be found on our Trust & Security page.

    As Qlik Cloud is not PCI DSS certified, customers should not store PCI DSS data in Qlik Cloud.

  • Please see our Schrems II FAQ for information relating to Qlik customer data and the Schrems II decision.

  • Yes. Customers wishing to update their terms for the latest Standard Contractual Clauses (SCCs) may either:

    • Execute our current customer Data Processing Addendum (to replace their existing DPA with Qlik) in order to update their terms to include the latest EU and UK SCCs: Legal Agreements . Our current DPA also references our latest Qlik Cloud Security Addendum, which customer may avail of by executing our latest DPA; or
    • Alternatively, customers may execute a DPA amendment letter which merely replaces the references to the “old” SCCs in their current DPA with the “new” SCCs. To execute this letter, please visit here.

  • For Qlik Cloud, Qlik does not have direct access to your content data unless you invite us into your Qlik Cloud tenant. For further information see our Product Privacy Notice.

    For Qlik's on-premise products, which are client-managed, Qlik does not receive the content that the customer puts in the software. For support and consulting services, support case attachments and/or consulting-related data are only accessible to those that need access as part of their job responsibilities. All Qlik personnel are bound by confidentiality obligations and receive training on data protection and security.

  • Please speak with your Qlik sales contact to discuss/execute a Qlik BAA.

  • Qlik’s lead Data Protection Authority (DPA) for pan-European data protection matters would be the Swedish DPA. Qlik has a significant presence in Sweden, where we were founded and is still home to our European R&D and Support Infrastructure teams.

  • Yes, Qlik has a global Data Protection Officer. Any inquiries can be sent to [email protected].

  • No.

  • For technical support queries, Qlik will only process personal data that is provided per instruction from the relevant customer to resolve the relevant technical issue. Qlik does not require personal data from you to provide support services and we advise that you anonymize the data before disclosing it to Qlik. Any data sent as part of a support case attachment is subject to Qlik’s data retention and deletion rules (for support cases, deletion is typically within 90 days of case closure). Like any business we may use third party cloud hosting tools to provide these services. A list of these sub-processor systems is available on Qlik Community.

  • Qlik may hold B2B contact details in our sales and marketing databases for the purpose of customer services, sending marketing information and conducting sales related operations. Checks are made on a regular basis for any contact details that have remained inactive in our sales and marketing databases for a total of 2 years, and if so, they are deleted out of the database. Any deletion and marketing opt-out requests are actioned promptly. For further information, please see our Website Privacy & Cookie Notice.

Other Privacy and Security Materials

If you have further privacy questions please contact our privacy team/Data Protection Officer at [email protected].