// Trust & Security Report

    NICE Ltd. logo

    NICE Ltd.

    NICE CXone / CXone Mpower

    Certifications held

    15

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II + HITRUST
    HELD

    NiCE demonstrates its commitment to compliance by maintaining industry-leading certifications for CXone and undergoing regular third-party audits including PCI-DSS, ISO 27001, SOC 2+ HITRUST, IRAP, FedRAMP, and more.

    Verify on nice.com
    ISO 27001
    HELD

    ISO 27001 - Certification, Global

    Verify on nice.com
    ISO 27017
    HELD

    ISO 27017 - Certification, Global

    Verify on nice.com
    ISO 27018
    HELD

    ISO 27018 - Certification, Global

    Verify on nice.com
    ISO 27701
    HELD

    ISO 27701 - Certification, Global

    Verify on nice.com
    ISO 9001
    HELD

    ISO 9001 - Certification, Global

    Verify on nice.com
    FedRAMP Moderate
    HELD

    FedRAMP - Authorization, North America. Package ID: FR1704655535. Level: Moderate Impact Level.

    Verify on nice.com
    PCI DSS
    HELD

    PCI DSS - Certification, Global

    Verify on nice.com
    IRAP
    HELD

    IRAP - Authorization, APAC

    Verify on nice.com
    C5 (BSI Cloud Computing Compliance Criteria Catalogue)
    HELD

    C5 - Certification, EU Sovereign Cloud

    Verify on nice.com
    Cyber Essentials Plus
    HELD

    Cyber Essentials Plus - Certification, EMEA

    Verify on nice.com
    HIPAA
    HELD

    HIPAA - Law, North America (listed as a compliance framework; no specific BAA or HIPAA attestation type confirmed on public-facing pages)

    Verify on nice.com
    EU-US Data Privacy Framework (DPF)
    HELD

    NICE Systems, Inc., Mattersight Corporation, Nexidia Inc., Actimize Inc., Arcaris Inc., NICE Systems Technologies Inc. adhere to the EU-U.S. Data Privacy Framework Principles

    Verify on nice.com
    WCAG 2.2
    HELD

    WCAG 2.2 - Certification, Global

    Verify on nice.com
    Sarbanes-Oxley (SOX)
    HELD

    Sarbanes-Oxley - Certification, North America

    Verify on nice.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Multi-region: Americas (US East, US West, Canada, South America, FedRAMP US East), EMEA, APAC

    Ambiguous. NICE claims AI models are 'trained on the largest CX dataset in the industry and refined across billions of interactions' but does not explicitly confirm or deny using individual customer data for shared model training. The Terms prohibit customers from using the service to train competing AI models (Section 3.6). The DPA restricts NICE's processing to the 'Permitted Purpose' under the Master Relationship Agreement. Third-party models are described as operating 'within secure, private instances.' No explicit opt-out mechanism for AI model training was found on public-facing pages. Enterprise customers should seek written confirmation in their contract.

    // Security controls

    Encryption at rest and in transit

    AES encryption at rest; TLS in transit

    nice.com

    Security Operations Center

    24/7 Cybersecurity Operations Center (CSOC) with SIEM monitoring

    nice.com

    Access controls

    Role-based access control (RBAC), multi-factor authentication (MFA), quarterly account reviews

    nice.com

    Incident response

    Formal Information Security Incident Response Plan with client notification obligations

    nice.com

    Uptime SLA

    99.99% monthly availability guaranteed with multi-region redundancy; historical availability 99.99-100% across all regions (Jan-May 2026)

    nice.com

    Bug bounty / vulnerability disclosure

    No public bug bounty program found on HackerOne, Bugcrowd, or the NICE website as of 2026-06-27

    Penetration testing

    Not explicitly confirmed on public-facing pages; referenced indirectly via third-party audits and compliance program

    nice.com

    Sub-processor list

    Available on request via NICE Customer portal (not publicly listed); 10-day advance notice of sub-processor changes per DPA

    nice.com

    Customer audit rights

    Customers may audit once per 12-month period with 60 days written notice, at their own expense (regulators or post-incident may trigger additional audits)

    nice.com

    Data deletion

    Data destroyed on termination or expiry of Master Relationship Agreement; archived backup data isolated until deletion is possible

    nice.com

    // Products & data scope

    CXone / CXone Mpower Platform (CCaaS)Contact Center as a Service (CCaaS)

    data: Full enterprise customer interaction data: voice calls, digital channels, chat transcripts, workforce analytics, quality recordings. Highest compliance scope including FedRAMP Moderate for US government use cases.

    Core CCaaS offering. Includes Omnichannel Routing, AI Agents (via Cognigy), Knowledge Management, Recording Management, Outbound Engagement, Quality Management, Workforce Management, Interaction Analytics, Performance Management, Feedback Management, Copilot for Agents/Supervisors. Available across Americas, EMEA, APAC cloud regions. Named Gartner Magic Quadrant Leader for CCaaS 11 consecutive years.

    NICE Enlighten AI (Embedded AI/Analytics)AI Analytics / Workforce Intelligence

    data: Processes customer interaction transcripts and agent performance data; uses proprietary AI models described as trained on 'the largest CX dataset in the industry.' Data scope is customer interaction-level.

    Embedded AI suite within CXone covering sentiment analysis, behavior prediction, automated QA scoring, and agent coaching. Uses NICE-proprietary AI models. AI training data provenance not fully disclosed publicly.

    NICE ActimizeFinancial Crime and Compliance

    data: Financial transaction data, regulatory compliance records, fraud detection signals. Separate product line with distinct compliance posture targeting financial services regulation.

    Separate from CXone. Targets banking, capital markets, insurance. Has its own compliance certifications relevant to financial regulation (AML, fraud, surveillance). Not covered by CXone certifications.

    NICE Public SafetyPublic Safety / Government

    data: Emergency response communications data. FedRAMP authorized use cases. Strict government-grade data handling.

    Separate product line targeting government and first responder agencies. FedRAMP Moderate authorization (Package ID: FR1704655535) is shared infrastructure.

    // What to watch

    • AI training data provenance is ambiguous: NICE states AI models are trained on 'the largest CX dataset in the industry and refined across billions of interactions' but does not explicitly confirm or deny using individual customer production data for shared model training. Enterprise buyers should obtain written contractual clarification.
    • No public bug bounty program found despite vendor scale (25,000+ enterprise customers, NASDAQ-listed). This is atypical for a security-mature enterprise vendor of this size.
    • Sub-processor list is not publicly disclosed; only available via the NICE customer portal (requires existing customer login). This limits pre-contract due diligence.
    • HIPAA compliance is listed as a regulatory framework on the Trust Center but no specific BAA terms or HIPAA attestation type (e.g., independent audit) is confirmed on public-facing pages. Healthcare customers must obtain a signed BAA.
    • Brand Embassy (acquired NICE subsidiary) GDPR FAQ is outdated (2018); current GDPR terms are governed by the main NICE DPA and privacy policy.

    // At a glance

    Pricing model

    Enterprise subscription (CCaaS). Usage-based tiered model billed monthly in arrears. No publicly listed per-seat pricing; requires contact with sales team. Packages available as preconfigured bundles (Essential, Core, Complete tiers referenced in resources).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on NICE Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    nice.com

    > Browse all vendor trust reports