// Trust & Security Report

    Alteryx, Inc. logo

    Alteryx, Inc.

    AI-ready data analytics platform (Alteryx One SaaS, Alteryx Designer desktop, Auto Insights, Machine Learning, Analytics Hub); serves 8,000+ enterprises across 90+ countries

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II Report listed under Certifications and Reports. Oct 7 2025 bulletin: 'the latest Alteryx SOC 2 Type II Report is now available through the Alteryx Trust Center.'

    Verify on trust.alteryx.com
    ISO 27001:2022
    HELD

    ISO 27001:2022 listed as a certification with 'Alteryx ISO 27001 Certificate Award PDF' available as a featured document in the Trust Center.

    Verify on trust.alteryx.com
    ISO 22301:2019
    HELD

    Aug 29 2025 bulletin: 'We are now ISO 22301 certified!' Certificate Award PDF available in the Trust Center. 'This achievement reflects our commitment to operational resilience.'

    Verify on trust.alteryx.com
    CSA STAR Level 1
    HELD

    CSA STAR 1 listed as a certification; CAIQ Alteryx One document available as a featured document. Level 1 is a self-assessment (CAIQ); Level 2 third-party audit not evidenced.

    Verify on trust.alteryx.com
    HIPAA
    HELD

    HIPAA listed among the 5 Certifications and Reports; 'Alteryx HIPAA Report' is a featured Trust Center document. Note: HIPAA has no government-issued certification; this represents a third-party audit report. Cloud addendum restricts regulated data use to supported product features.

    Verify on trust.alteryx.com
    GDPR (adequacy/SCCs)
    HELD

    DPA automatically incorporated into cloud terms. 'For Personal Data transferred from within the EEA, Standard Contractual Clauses provide the appropriate transfer safeguards.'

    Verify on alteryx.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 (cloud security controls) certification on the Alteryx Trust Center or any verified vendor-domain page.

    source: trust.alteryx.com
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 (PII in the cloud) certification on the Alteryx Trust Center or any verified vendor-domain page.

    source: trust.alteryx.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification. Alteryx publishes AI Principles documentation but no third-party AI governance audit found.

    source: alteryx.com
    FedRAMP
    NOT CONFIRMED

    No FedRAMP authorization found. FIPS-compatible desktop/server environments are mentioned for public sector but this is FIPS compatibility, not FedRAMP authorization.

    source: alteryx.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on the Alteryx Trust Center or any verified vendor-domain page.

    source: trust.alteryx.com
    CSA STAR Level 2
    NOT CONFIRMED

    Only CSA STAR Level 1 (self-assessment/CAIQ) is evidenced. No third-party Level 2 audit found.

    source: trust.alteryx.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primarily US (AWS and GCP infrastructure). On-premises and hybrid deployment options are available for customers requiring local data residency. EU-U.S. SCCs cover cross-border transfers.

    Alteryx's privacy policy explicitly states: 'We do not use your personal information to train artificial intelligence models' and prohibits third-party vendors from using personal data for LLM training. Policy also states they do not use Google Workspace APIs to develop, improve, or train generalized AI. No opt-out is needed because training does not occur.

    // Security controls

    Encryption in transit

    TLS

    alteryx.com

    Encryption at rest

    AES-256

    alteryx.com

    Identity and access management

    SSO and SCIM provisioning; SAML, OAuth, Active Directory integration; role-based access control with segregation of duties

    alteryx.com

    Penetration testing

    Annual third-party penetration testing (confirmed in Trust Center quick summary)

    trust.alteryx.com

    MDM program

    Formal mobile device management program in place

    trust.alteryx.com

    Business continuity

    ISO 22301:2019 certified Business Continuity Management System; disaster recovery plan in place

    trust.alteryx.com

    Incident response

    Documented cyber security incident response plan; publicly disclosed supply chain incidents (Drift/Salesloft Aug 2025, Gainsight Oct 2025) with transparency bulletins

    trust.alteryx.com

    Cyber insurance

    Confirmed (listed in Trust Center quick summary)

    trust.alteryx.com

    Audit logging

    Rich audit trails and end-to-end lineage tracking; run-level logs; version history

    alteryx.com

    FIPS compatibility

    Desktop analytics and server environments meet FIPS compatibility thresholds per NIST/FISMA requirements

    alteryx.com

    Subprocessors

    Subprocessor list available via Trust Center; primary cloud infrastructure on AWS and GCP

    trust.alteryx.com

    Vulnerability disclosure

    Report a Vulnerability link available on Trust Center

    trust.alteryx.com

    // Products & data scope

    Alteryx OneCloud SaaS analytics platform

    data: Customer data workflows, datasets, models; processed in US cloud (AWS/GCP); SOC 2 and ISO 27001 scope

    Primary enterprise offering; cloud terms restrict use with regulated/sensitive data unless expressly supported; HIPAA use requires product-feature confirmation

    Alteryx DesignerDesktop/on-premises workflow automation

    data: Data processed locally within customer environment; FIPS-compatible for public sector

    On-premises deployment; customer retains full data sovereignty; HIPAA/regulated data can be handled within org's own compliant framework

    Auto InsightsAutomated business intelligence (SaaS)

    data: Business data for automated insight generation

    SaaS product hosted on GCP; separate IT and security guidance available

    Machine Learning / Predictive AnalyticsAutoML and predictive modeling

    data: Customer datasets used for model training within customer workspace only; not used for Alteryx model training

    Integrated into Alteryx One; AI Principles apply

    Analytics Hub (Workspace)Enterprise collaboration and governance

    data: Workflow metadata, governance policies, access controls

    Includes SSO/SCIM, lineage tracking, Collibra/Atlan integrations

    // What to watch

    • HIPAA nuance: Trust Center labels HIPAA as a 'certification' but HIPAA has no official government certification; Alteryx holds a third-party HIPAA audit/assessment report. Additionally, the cloud addendum explicitly states cloud products 'are not designed to be used with Regulated Data or Sensitive Data unless the processing of such data is expressly supported as a feature.' BAA availability per product should be confirmed with Alteryx before listing as unconditionally HIPAA-compliant.
    • CSA STAR Level 1 is a self-assessment (CAIQ questionnaire only); it does not involve a third-party audit. This is distinct from CSA STAR Level 2 (audited). AIFOXX listings should reflect this distinction.
    • No FedRAMP authorization found. FIPS compatibility is noted for desktop/server environments but this is not FedRAMP. Public sector buyers in the US federal space should verify.
    • Two supply chain incidents disclosed in 2025 (Drift/Salesloft Aug 2025 and Gainsight Oct-Nov 2025) involving third-party Salesforce integrations. Both disclosed proactively via Trust Center bulletins. No customer data confirmed accessed in either incident. Transparent handling is a positive signal.
    • No ISO 27017 or ISO 27018 certifications found. For cloud-specific data privacy controls these are common asks in enterprise procurement.

    // At a glance

    Pricing model

    Subscription (SaaS); perpetual license (Designer desktop); free trial available

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Alteryx, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.alteryx.com

    > Browse all vendor trust reports