// Trust & Security Report
Alteryx, Inc.
AI-ready data analytics platform (Alteryx One SaaS, Alteryx Designer desktop, Auto Insights, Machine Learning, Analytics Hub); serves 8,000+ enterprises across 90+ countries
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.alteryx.com“SOC 2 Type II Report listed under Certifications and Reports. Oct 7 2025 bulletin: 'the latest Alteryx SOC 2 Type II Report is now available through the Alteryx Trust Center.'”
Verify on trust.alteryx.com“ISO 27001:2022 listed as a certification with 'Alteryx ISO 27001 Certificate Award PDF' available as a featured document in the Trust Center.”
Verify on trust.alteryx.com“Aug 29 2025 bulletin: 'We are now ISO 22301 certified!' Certificate Award PDF available in the Trust Center. 'This achievement reflects our commitment to operational resilience.'”
Verify on trust.alteryx.com“CSA STAR 1 listed as a certification; CAIQ Alteryx One document available as a featured document. Level 1 is a self-assessment (CAIQ); Level 2 third-party audit not evidenced.”
Verify on trust.alteryx.com“HIPAA listed among the 5 Certifications and Reports; 'Alteryx HIPAA Report' is a featured Trust Center document. Note: HIPAA has no government-issued certification; this represents a third-party audit report. Cloud addendum restricts regulated data use to supported product features.”
Verify on alteryx.com“DPA automatically incorporated into cloud terms. 'For Personal Data transferred from within the EEA, Standard Contractual Clauses provide the appropriate transfer safeguards.'”
> Show 6 unconfirmed / not-held certifications
source: trust.alteryx.comNo public evidence of ISO 27017 (cloud security controls) certification on the Alteryx Trust Center or any verified vendor-domain page.
source: trust.alteryx.comNo public evidence of ISO 27018 (PII in the cloud) certification on the Alteryx Trust Center or any verified vendor-domain page.
source: alteryx.comNo public evidence of ISO 42001 certification. Alteryx publishes AI Principles documentation but no third-party AI governance audit found.
source: alteryx.comNo FedRAMP authorization found. FIPS-compatible desktop/server environments are mentioned for public sector but this is FIPS compatibility, not FedRAMP authorization.
source: trust.alteryx.comNo public evidence of PCI DSS certification on the Alteryx Trust Center or any verified vendor-domain page.
source: trust.alteryx.comOnly CSA STAR Level 1 (self-assessment/CAIQ) is evidenced. No third-party Level 2 audit found.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primarily US (AWS and GCP infrastructure). On-premises and hybrid deployment options are available for customers requiring local data residency. EU-U.S. SCCs cover cross-border transfers.
Alteryx's privacy policy explicitly states: 'We do not use your personal information to train artificial intelligence models' and prohibits third-party vendors from using personal data for LLM training. Policy also states they do not use Google Workspace APIs to develop, improve, or train generalized AI. No opt-out is needed because training does not occur.
// Security controls
Identity and access management
SSO and SCIM provisioning; SAML, OAuth, Active Directory integration; role-based access control with segregation of duties
alteryx.comPenetration testing
Annual third-party penetration testing (confirmed in Trust Center quick summary)
trust.alteryx.comBusiness continuity
ISO 22301:2019 certified Business Continuity Management System; disaster recovery plan in place
trust.alteryx.comIncident response
Documented cyber security incident response plan; publicly disclosed supply chain incidents (Drift/Salesloft Aug 2025, Gainsight Oct 2025) with transparency bulletins
trust.alteryx.comAudit logging
Rich audit trails and end-to-end lineage tracking; run-level logs; version history
alteryx.comFIPS compatibility
Desktop analytics and server environments meet FIPS compatibility thresholds per NIST/FISMA requirements
alteryx.comSubprocessors
Subprocessor list available via Trust Center; primary cloud infrastructure on AWS and GCP
trust.alteryx.com// Products & data scope
data: Customer data workflows, datasets, models; processed in US cloud (AWS/GCP); SOC 2 and ISO 27001 scope
Primary enterprise offering; cloud terms restrict use with regulated/sensitive data unless expressly supported; HIPAA use requires product-feature confirmation
data: Data processed locally within customer environment; FIPS-compatible for public sector
On-premises deployment; customer retains full data sovereignty; HIPAA/regulated data can be handled within org's own compliant framework
data: Business data for automated insight generation
SaaS product hosted on GCP; separate IT and security guidance available
data: Customer datasets used for model training within customer workspace only; not used for Alteryx model training
Integrated into Alteryx One; AI Principles apply
data: Workflow metadata, governance policies, access controls
Includes SSO/SCIM, lineage tracking, Collibra/Atlan integrations
// What to watch
- HIPAA nuance: Trust Center labels HIPAA as a 'certification' but HIPAA has no official government certification; Alteryx holds a third-party HIPAA audit/assessment report. Additionally, the cloud addendum explicitly states cloud products 'are not designed to be used with Regulated Data or Sensitive Data unless the processing of such data is expressly supported as a feature.' BAA availability per product should be confirmed with Alteryx before listing as unconditionally HIPAA-compliant.
- CSA STAR Level 1 is a self-assessment (CAIQ questionnaire only); it does not involve a third-party audit. This is distinct from CSA STAR Level 2 (audited). AIFOXX listings should reflect this distinction.
- No FedRAMP authorization found. FIPS compatibility is noted for desktop/server environments but this is not FedRAMP. Public sector buyers in the US federal space should verify.
- Two supply chain incidents disclosed in 2025 (Drift/Salesloft Aug 2025 and Gainsight Oct-Nov 2025) involving third-party Salesforce integrations. Both disclosed proactively via Trust Center bulletins. No customer data confirmed accessed in either incident. Transparent handling is a positive signal.
- No ISO 27017 or ISO 27018 certifications found. For cloud-specific data privacy controls these are common asks in enterprise procurement.
// At a glance
Pricing model
Subscription (SaaS); perpetual license (Designer desktop); free trial available
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Alteryx, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.alteryx.com