// Trust & Security Report
Qlik (QlikTech International AB)
Qlik Sense is the analytics/BI product within the broader Qlik Cloud platform, which also includes Qlik Talend Cloud (data integration), Qlik Answers (GenAI Q&A), Qlik Predict (ML/forecasting) and Qlik Automate. Qlik Sense and Qlik Cloud Analytics are available as SaaS (Qlik Cloud) or client-managed/on-premises deployments.
Certifications held
12
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on help.qlik.com“Qlik Cloud is SOC 2 Type 2 compliant. SOC 2 is a rigorous examination by an independent accounting firm based on the AICPA Trust Services Principles.”
Verify on help.qlik.com“Qlik has successfully completed a SOC 3 assessment, which is a general use report attesting to Qlik's compliance to the AICPA Trust Services Principles.”
Verify on help.qlik.com“Qlik is ISO 27001 certified, meeting the international standards for implementing an information security management system (ISMS).”
Verify on help.qlik.com“Qlik meets the standards of ISO 27017 an information management security specification for information management systems.”
Verify on qlik.com“Qlik meets the standards of ISO 27018, a standard for the management and protection of personally identifiable information (PII) in the cloud, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of providing cloud services.”
Verify on qlik.com“Qlik has successfully completed a SOC 2 Type 2 + HITRUST CSF Attestation which provides an evaluation on the suitability of the design and operating effectiveness of Qlik's internal controls relative to the protection of Personal Health Information subject to US HIPAA Regulatory requirements.”
Verify on help.qlik.com“Qlik has successfully completed a SOC2 Type 2 + HITRUST attestation for HIPAA compliance.”
Verify on qlik.com“Qlik Cloud Government has achieved the Federal Risk and Authorization Management Program (FedRAMP) Authorized designation at the Moderate Impact Level (and DoD IL2), is built on AWS GovCloud (US), and is listed in the FedRAMP Marketplace. Applies to the separate Qlik Cloud Government offering purpose-built for the U.S. public sector, NOT the commercial multi-tenant Qlik Cloud / Qlik Sense product.”
Verify on help.qlik.com“Qlik has been assessed by an independent Information Security Registered Assessors Program (IRAP) assessor.”
Verify on qlik.com“Qlik has successfully completed an attestation for Germany's Federal Office for Information Security (BSI) security criteria for cloud services. The Cloud Computing Compliance Controls Catalogue (C5) attestation outlines security criteria for cloud services.”
Verify on help.qlik.com“QlikTech Inc. is a TISAX participant and has completed a TISAX assessment.”
> Show 4 unconfirmed / not-held certifications
source: qlik.comAs our cloud offerings are not PCI DSS certified, customers should not store PCI DSS data in our cloud offerings.
source: help.qlik.comNo public evidence of an ISO/IEC 42001 certification. Qlik's own compliance/standards page (help.qlik.com) enumerates its certifications (SOC 1/2/3, ISO 27001/27017/27018, HITRUST, IRAP, TISAX, CASA, Cyber Essentials) and does not list ISO 42001; no vendor press release or certificate could be found. The prior 'held' claim rested only on an AI-summarized read of the auth-gated trust center document list, not a direct vendor-domain quote.
source: security.qlik.comNo public evidence of a CSA STAR Level 2 attestation or certification; trust center only lists a 'CAIQ v4.0 self-assessment' document (CSA STAR Level 1 self-assessment), which is a lower bar than a full STAR attestation.
source: security.qlik.comno public evidence; Qlik's own certifications list (SOC 1/2/3, ISO 27001/27017/27018/42001, HITRUST, FedRAMP, IRAP, C5, HIPAA) does not include ISO 27701
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer selects a tenant region (Americas, EMEA, APAC) at setup and content data for cloud offerings stays in that region by default; on-premises/client-managed deployments keep all data on the customer's own systems with no Qlik access. Cross-region movement only occurs for opted-in AI features or if the customer shares data with Qlik Support/Consulting.
Qlik does not use the customer's data to train any AI model external to the customer's tenant. Any model training that happens within a customer's tenant (e.g., Qlik Predict's ML features) is exclusively for that customer's benefit and is not shared with others. Certain generative-AI features (e.g., Qlik Answers) require an opt-in for 'cross-region inference' where a question's data is temporarily sent to an AWS region hosting the LLM service to process the request; Qlik will not transfer data across regions without the customer's express authorization.
// Security controls
Encryption
Cloud tenant content data is encrypted at rest and in transit; cloud offerings are described as a 'no-view' service, with an optional Client-Managed-Key (customer-controlled encryption key) feature for Qlik Cloud.
qlik.comData access model
Qlik personnel do not have direct access to customer content data unless explicitly invited into the tenant (e.g., for consulting); on-premises/client-managed deployments are never hosted or accessible by Qlik.
qlik.comData Protection Officer / privacy program
Qlik has a global Data Protection Officer and a cross-functional privacy program covering GDPR, PIPEDA, LGPD, PDPA and CCPA compliance; lead EU supervisory authority is Sweden's DPA.
qlik.comEU-US Data Privacy Framework
Qlik participates in the EU-US Data Privacy Framework (including the UK extension) and the Swiss-US Data Privacy Framework for transatlantic personal data transfers.
qlik.comSubprocessor transparency
Qlik publishes a subprocessor list and covers subprocessor obligations in its Data Processing Addendum.
qlik.comPenetration testing
Trust center makes a pentest report (executive summary) available to prospects/customers on request.
security.qlik.com// Products & data scope
data: Customer content data hosted in a chosen regional Qlik Cloud tenant; in scope for SOC 1/2/3, ISO 27001/27017/27018, HITRUST/HIPAA, C5, IRAP certifications
No-view service; Qlik does not access content data unless invited into the tenant.
data: All data stays on the customer's own infrastructure; Qlik has no access and the cloud certifications above do not apply to this deployment model
Customer is responsible for its own security controls; Qlik is not a data processor for this deployment.
data: Separate hardened offering for U.S. public sector workloads
Purpose-built to meet FedRAMP, DISA and GovRAMP/StateRAMP requirements; distinct from the commercial multi-tenant Qlik Cloud.
data: May require opt-in cross-region data processing to reach the LLM/AI service region
Does not train external models on customer data; in-tenant ML training benefits only that tenant.
// What to watch
- FedRAMP applies specifically to the separate 'Qlik Cloud Government' offering, not automatically to the commercial multi-tenant Qlik Cloud/Qlik Sense product; listing should not imply the mainstream SaaS product is FedRAMP authorized.
- ISO/IEC 42001 was DOWNGRADED to held=false: its only support was an AI-summarized read of the auth-gated trust center document list, and Qlik's own published standards page (help.qlik.com) does not list ISO 42001, nor could any vendor certificate/press release be found. Do not surface ISO 42001 as a held certification without a direct vendor-domain quote.
- TISAX was re-verified and held=true is supported by a direct verbatim quote on help.qlik.com ('QlikTech Inc. is a TISAX participant and has completed a TISAX assessment'); the prior 'document library lists' summary was replaced.
- FedRAMP proof was corrected: the prior quote contained a fabricated 'FedRAMP Certified Class C' designation (no such FedRAMP level exists) sourced to the auth-gated trust center. Qlik Cloud Government is genuinely FedRAMP Moderate authorized (confirmed via qlik.com press releases and the FedRAMP Marketplace), but this applies ONLY to the separate government offering, not the commercial Qlik Cloud / Qlik Sense product.
- CSA STAR: only a CAIQ v4.0 self-assessment (STAR Level 1) is evidenced; do not represent this as a full STAR Level 2 attestation/certification.
- Qlik Sense can be deployed on-premises/client-managed, in which case none of the cloud certifications (SOC 2, ISO 27001, etc.) apply since Qlik never hosts or accesses that data; listing should clarify certs apply to the Qlik Cloud SaaS deployment.
// At a glance
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Qlik (QlikTech International AB)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-05. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.qlik.com