Trust & Privacy

Qlik has an ongoing commitment to protecting the data of our customers, business partners and employees. We believe in communicating in an open, transparent manner about the ways in which your data is collected and used, and respecting customers’ choice and control over their data. Accordingly, we have developed a robust, enterprise-wide privacy program to ensure compliance with the evolving landscape of privacy and data protection laws and maintain the trust our customers have in our products and services.

Trust in Qlik as a privacy compliant vendor

  • Measures to ensure the lawful transfer of personal data between Qlik group companies in different countries

  • Our record of data processing activities, as required under Article 30 GDPR

  • Privacy-By-Design and Privacy-By-Default methodologies, e.g., in our vendor vetting and our R&D/product development processes

  • Data retention and access rules

  • Regular data privacy and security training

  • Comprehensive data privacy policies and notices, including our Product Privacy Notice and our Privacy & Cookie Notice

Privacy in Qlik’s products and services

Privacy-by-design

Organizations and individuals can use Qlik products with confidence, knowing that we built our products, from inception, with security and privacy in mind. We utilize both security- and privacy-by-design practices in our development processes which adhere to applicable privacy laws.

Your data, your choice

You decide what content data (i.e., the data/applications) you upload into or create in our products. You can also correct and delete your content data whenever you need, to suit your business. Our Product Privacy Notice also explains what data of yours we host depending on your deployment model.

Data access

Customers can easily manage the access to their data by using the access features within our offerings. For our cloud solutions, all data is encrypted, and customers can also avail of our Client-Managed-Key functionality for Qlik Cloud. For client-managed products that are on-premises or customer/third party hosted Qlik SaaS solutions, Qlik does not host these and has no access to your content data.

Privacy in the cloud

Qlik as a data processor

Qlik is a processor of our customers’ personal data within our cloud offerings. Therefore, customers can confidently use personal data in their tenants with the knowledge that the Qlik Data Processing Addendum provides the protections required by applicable law.

Your tenant, your data, your choice
Security of your data

Your content data is encrypted and we have multiple layers of security in place to protect it. Qlik personnel do not have direct access to your data unless you otherwise invite us into your tenant (e.g., to perform Consulting Services). Visit our Trust and Security page to learn more about the security controls we apply to protect your data and to view our security certifications and accreditations.

Choose your region

You can select your server location by region when creating your tenant.

Read our Product Privacy Notice for more information on how Qlik handles privacy within our products, the server regions available to our customers, and other relevant information.

To view more Qlik certifications, visit our Trust and Security page.

Frequently Asked Questions

When is Qlik a data processor on behalf of customers?

The terms governing the processing of personal data by Qlik on behalf of customers are set out in our Data Processing Addendum. Qlik may be a data processor on behalf of customers in two scenarios, subject to our written agreements:

  1. Cloud: Qlik is the data processor of personal data within customers’ content data while it resides in our cloud offerings. our cloud offerings are no-view encrypted services, with customer content data, and any personal data within it (and access to it), decided and controlled by the customer; and/or

  2. Qlik Services: When Qlik provides support or consulting services to a customer, customers may choose to share content data (from the cloud or a client-managed deployment) with Qlik, which may contain personal data. Such sharing, and whether the content data contains any personal data, is at the discretion and control of the customer. Personal data aspects within content data, in particular for Qlik Support, should be anonymized or minimized by the customer as per privacy law data anonymization/minimization best-practices prior to sharing with Qlik, for example before upload to the support portal on Qlik Community.

Like other software providers, Qlik is not a data processor for customers’ content within their client-managed deployments, as any content data a customer chooses to put into or create in the Qlik client-managed deployment stays on the customer's system(s), unless it is otherwise shared by the customer with Qlik (e.g., for Qlik services).

Does my data stay in my country/region?

For our cloud offerings, yes. We host your content data only in the location you choose.

Qlik Cloud has six tenant locations: Ireland (EMEA 1), Frankfurt (EMEA 2), London (EMEA 3), USA (Americas), Australia (APAC 1) and Singapore (APAC 2). Please note that the back-ups are also in the same data-region (with the EMEA back-ups: EMEA 1 in France, EMEA 2 in Italy & EMEA 3 in Spain, AMERICAS back-up in USA, APAC 1 in Australia, and APAC 2 in South Korea).

Talend Cloud has four tenant locations: Germany, Japan, Australia and two in the United States (one utilizing AWS infrastructure, one utilizing MS Azure Infrastructure).  Backups of our Talend Cloud are stored in-region in the U.S., EU and APAC. Our customers control access to their tenant and who they invite into their tenant (and where these users are).

For on-premise customers, your content data is hosted on your systems in the location(s) you select. Qlik does not host, or have access to, this content data.

For Qlik services (technical support, consulting, etc.), customers may choose to share their content data from their cloud offering or their on-prem deployments. However, Qlik does not typically require sensitive/content data to perform our services, and the data we receive for such services does not typically contain any personal data. Such sharing, for example what data a customer inputs/attaches to a technical support ticket, is at the discretion and control of the customer. Any sensitive content, such as personal data aspects, should be anonymized or minimized by the customer as per privacy law data anonymization/minimization best-practice prior to sharing with Qlik, for example before upload to the support portal on Qlik Community. Please note that content data provided to Qlik for services may leave the customer’s country/region. This is because, while Qlik support is generally provided in-region to customers, Qlik’s support model is 24/7/365 (“follow-the-sun”) in order to provide continuous support to our customers. As such, support tickets may be dealt with by Qlik team members outside the customer’s region and support content data may be stored/accessible abroad. For Qlik consulting, while our consulting team members tend to primarily service customers in the same region, we may rely on consulting resources and systems outside of the customer’s region in order to best serve our customers. Further information is available in our International Transfers/Schrems II FAQ.

Qlik’s subprocessor list is available here. Qlik’s responsibilities relating to subprocessors are set out in our Data Processing Addendum.

What Privacy/Data Protection measures does Qlik have in place?

At Qlik, we have a mature and robust privacy program built to ensure that we comply with the privacy laws relevant to our business, such as the EU’s GDPR, California’s CCPA and Brazil's LGPD. We ensure that any personal data in our care is protected and that we and our offerings comply with data protection/privacy laws.

Our privacy program and measures include:

  • Appointing a global Data Protection Officer.

  • Measures to safeguard the lawful transfer of personal data between group companies in different countries.

  • Maintaining a Record of Processing Activities, as required by laws such as GDPR’s Article 30.

  • Privacy-By-Design and Privacy-By-Default processes, e.g., in our vendor vetting and in our R&D/product development processes.

  • Data retention and access governance.

  • Implementing Privacy Policies and Notices on various topics, from website data collection to our products.

  • Providing customers with a Data Processing Addendum, enabling them to provide us personal data of theirs.

  • Maintaining a data incident detection and response program.

  • Regular privacy and security training.

  • Honoring data subject rights requests.

  • Certification of our U.S. operating companies under the EU-US Data Privacy Frameworks.

I have on-premises products, which are client-managed; will my content data leave my region?

On-premises products are client managed and you maintain control over where your data is stored. Qlik cannot access your content data.

What personal data types are permitted into Qlik’s cloud offerings?

Our cloud offerings are no-view services. Customer content, and access to it, is decided and controlled by the customer and its users. Qlik’s Data Processing Addendum enables customers to input personal data content (as defined under laws such as the UK and EU’s GDPRs, Brazil’s LGPD, California’s CCPA, etc.) into our cloud offerings. If your organization has signed a Business Associate Agreement (BAA) with Qlik, this enables you to input US PHI (as defined under US HIPAA) into our cloud offerings.

As a general software provider our offerings are generally not subject to industry-specific laws. Visit our Trust & Security page to view our certifications/attestations, including those relating to specific industries. Subject to our agreements with you customers may determine, in light of their particular country and industry requirements, whether the controls of our cloud offerings meet their particular (e.g., industry specific) requirements and decide whether to put their industry-specific data into our cloud offerings. Further information regarding security, controls and certifications and can be found on our Trust & Security page.

As our cloud offerings are not PCI DSS certified, customers should not store PCI DSS data in our cloud offerings.

What is Qlik's approach to Schrems II/international transfers of personal data?

Please see our FAQ for information relating to Qlik customer data international transfers.

What personal data does Qlik have access to?

For our cloud offerings, Qlik does not have direct access to your content data unless you invite us into your tenant. For further information see our Product Privacy Notice.

For Qlik's on-premise products, which are client-managed, Qlik does not receive the content that the customer puts in the software. For support and consulting services, support case attachments and/or consulting-related data are only accessible to those that need access as part of their job responsibilities. All Qlik personnel are bound by confidentiality obligations and receive training on data protection and security.

Can I sign a Business Associate Agreement (BAA) with Qlik relating to US PHI under HIPAA?

Please speak with your Qlik sales contact to discuss/execute a Qlik BAA.

Where is Qlik’s lead Data Protection Authority in the EU?

Qlik’s lead Data Protection Authority (DPA) for pan-European data protection matters would be the Swedish DPA. Qlik has a significant presence in Sweden, where we were founded and has large European R&D and Customer Support teams.

Does Qlik have a Data Protection Officer (DPO)?

Yes, Qlik has a global Data Protection Officer. Any inquiries can be sent to privacy@qlik.com.

Has Qlik ever been subject to infringement proceedings by a Privacy/Data Protection Regulator?

No.

How does Qlik Support comply with privacy laws, in particular the GDPR?

For technical support queries, Qlik will only process personal data that is provided per instruction from the relevant customer to resolve the relevant technical issue. Qlik does not require personal data from you to provide support services and we advise that you anonymize the data before disclosing it to Qlik. Any data sent as part of a support case attachment is subject to Qlik’s data retention and deletion rules (for support cases, deletion is typically within 90 days of case closure). Like any business we may use third party cloud hosting tools to provide these services. A list of these sub-processor systems is available on Qlik Community.

How long does Qlik retain my personal data for Sales & Marketing purposes?
Does Qlik comply with Brazil’s LGPD?

Qlik Services (as defined in the Qlik Data Processing Addendum) can be used in compliance with Brazil’s General Data Protection Law (LGPD) and Brazilian customers can use our offerings with confidence. Qlik meets the criteria of the LGPD through: