// Trust & Security Report
NICE Ltd.
NICE CXone / CXone Mpower
Certifications held
15
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on nice.com“NiCE demonstrates its commitment to compliance by maintaining industry-leading certifications for CXone and undergoing regular third-party audits including PCI-DSS, ISO 27001, SOC 2+ HITRUST, IRAP, FedRAMP, and more.”
Verify on nice.com“FedRAMP - Authorization, North America. Package ID: FR1704655535. Level: Moderate Impact Level.”
Verify on nice.com“C5 - Certification, EU Sovereign Cloud”
Verify on nice.com“HIPAA - Law, North America (listed as a compliance framework; no specific BAA or HIPAA attestation type confirmed on public-facing pages)”
Verify on nice.com“NICE Systems, Inc., Mattersight Corporation, Nexidia Inc., Actimize Inc., Arcaris Inc., NICE Systems Technologies Inc. adhere to the EU-U.S. Data Privacy Framework Principles”
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Multi-region: Americas (US East, US West, Canada, South America, FedRAMP US East), EMEA, APAC
Ambiguous. NICE claims AI models are 'trained on the largest CX dataset in the industry and refined across billions of interactions' but does not explicitly confirm or deny using individual customer data for shared model training. The Terms prohibit customers from using the service to train competing AI models (Section 3.6). The DPA restricts NICE's processing to the 'Permitted Purpose' under the Master Relationship Agreement. Third-party models are described as operating 'within secure, private instances.' No explicit opt-out mechanism for AI model training was found on public-facing pages. Enterprise customers should seek written confirmation in their contract.
// Security controls
Access controls
Role-based access control (RBAC), multi-factor authentication (MFA), quarterly account reviews
nice.comIncident response
Formal Information Security Incident Response Plan with client notification obligations
nice.comUptime SLA
99.99% monthly availability guaranteed with multi-region redundancy; historical availability 99.99-100% across all regions (Jan-May 2026)
nice.comBug bounty / vulnerability disclosure
No public bug bounty program found on HackerOne, Bugcrowd, or the NICE website as of 2026-06-27
Penetration testing
Not explicitly confirmed on public-facing pages; referenced indirectly via third-party audits and compliance program
nice.comSub-processor list
Available on request via NICE Customer portal (not publicly listed); 10-day advance notice of sub-processor changes per DPA
nice.comCustomer audit rights
Customers may audit once per 12-month period with 60 days written notice, at their own expense (regulators or post-incident may trigger additional audits)
nice.comData deletion
Data destroyed on termination or expiry of Master Relationship Agreement; archived backup data isolated until deletion is possible
nice.com// Products & data scope
data: Full enterprise customer interaction data: voice calls, digital channels, chat transcripts, workforce analytics, quality recordings. Highest compliance scope including FedRAMP Moderate for US government use cases.
Core CCaaS offering. Includes Omnichannel Routing, AI Agents (via Cognigy), Knowledge Management, Recording Management, Outbound Engagement, Quality Management, Workforce Management, Interaction Analytics, Performance Management, Feedback Management, Copilot for Agents/Supervisors. Available across Americas, EMEA, APAC cloud regions. Named Gartner Magic Quadrant Leader for CCaaS 11 consecutive years.
data: Processes customer interaction transcripts and agent performance data; uses proprietary AI models described as trained on 'the largest CX dataset in the industry.' Data scope is customer interaction-level.
Embedded AI suite within CXone covering sentiment analysis, behavior prediction, automated QA scoring, and agent coaching. Uses NICE-proprietary AI models. AI training data provenance not fully disclosed publicly.
data: Financial transaction data, regulatory compliance records, fraud detection signals. Separate product line with distinct compliance posture targeting financial services regulation.
Separate from CXone. Targets banking, capital markets, insurance. Has its own compliance certifications relevant to financial regulation (AML, fraud, surveillance). Not covered by CXone certifications.
data: Emergency response communications data. FedRAMP authorized use cases. Strict government-grade data handling.
Separate product line targeting government and first responder agencies. FedRAMP Moderate authorization (Package ID: FR1704655535) is shared infrastructure.
// What to watch
- AI training data provenance is ambiguous: NICE states AI models are trained on 'the largest CX dataset in the industry and refined across billions of interactions' but does not explicitly confirm or deny using individual customer production data for shared model training. Enterprise buyers should obtain written contractual clarification.
- No public bug bounty program found despite vendor scale (25,000+ enterprise customers, NASDAQ-listed). This is atypical for a security-mature enterprise vendor of this size.
- Sub-processor list is not publicly disclosed; only available via the NICE customer portal (requires existing customer login). This limits pre-contract due diligence.
- HIPAA compliance is listed as a regulatory framework on the Trust Center but no specific BAA terms or HIPAA attestation type (e.g., independent audit) is confirmed on public-facing pages. Healthcare customers must obtain a signed BAA.
- Brand Embassy (acquired NICE subsidiary) GDPR FAQ is outdated (2018); current GDPR terms are governed by the main NICE DPA and privacy policy.
// At a glance
Pricing model
Enterprise subscription (CCaaS). Usage-based tiered model billed monthly in arrears. No publicly listed per-seat pricing; requires contact with sales team. Packages available as preconfigured bundles (Essential, Core, Complete tiers referenced in resources).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on NICE Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
nice.com