// Trust & Security Report

    Qlik (QlikTech International AB) logo

    Qlik (QlikTech International AB)

    Qlik Sense is the analytics/BI product within the broader Qlik Cloud platform, which also includes Qlik Talend Cloud (data integration), Qlik Answers (GenAI Q&A), Qlik Predict (ML/forecasting) and Qlik Automate. Qlik Sense and Qlik Cloud Analytics are available as SaaS (Qlik Cloud) or client-managed/on-premises deployments.

    Certifications held

    12

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Qlik Cloud is SOC 2 Type 2 compliant. SOC 2 is a rigorous examination by an independent accounting firm based on the AICPA Trust Services Principles.

    Verify on help.qlik.com
    SOC 1 Type 2
    HELD

    Qlik Cloud is AICPA SSAE18 SOC 1 Type II compliant.

    Verify on help.qlik.com
    SOC 3
    HELD

    Qlik has successfully completed a SOC 3 assessment, which is a general use report attesting to Qlik's compliance to the AICPA Trust Services Principles.

    Verify on help.qlik.com
    ISO 27001
    HELD

    Qlik is ISO 27001 certified, meeting the international standards for implementing an information security management system (ISMS).

    Verify on help.qlik.com
    ISO 27017 (cloud security)
    HELD

    Qlik meets the standards of ISO 27017 an information management security specification for information management systems.

    Verify on help.qlik.com
    ISO 27018 (cloud PII/privacy)
    HELD

    Qlik meets the standards of ISO 27018, a standard for the management and protection of personally identifiable information (PII) in the cloud, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of providing cloud services.

    Verify on qlik.com
    HIPAA
    HELD

    Qlik has successfully completed a SOC 2 Type 2 + HITRUST CSF Attestation which provides an evaluation on the suitability of the design and operating effectiveness of Qlik's internal controls relative to the protection of Personal Health Information subject to US HIPAA Regulatory requirements.

    Verify on qlik.com
    HITRUST CSF
    HELD

    Qlik has successfully completed a SOC2 Type 2 + HITRUST attestation for HIPAA compliance.

    Verify on help.qlik.com
    FedRAMP
    HELD

    Qlik Cloud Government has achieved the Federal Risk and Authorization Management Program (FedRAMP) Authorized designation at the Moderate Impact Level (and DoD IL2), is built on AWS GovCloud (US), and is listed in the FedRAMP Marketplace. Applies to the separate Qlik Cloud Government offering purpose-built for the U.S. public sector, NOT the commercial multi-tenant Qlik Cloud / Qlik Sense product.

    Verify on qlik.com
    IRAP (Australia)
    HELD

    Qlik has been assessed by an independent Information Security Registered Assessors Program (IRAP) assessor.

    Verify on help.qlik.com
    C5 (Germany BSI)
    HELD

    Qlik has successfully completed an attestation for Germany's Federal Office for Information Security (BSI) security criteria for cloud services. The Cloud Computing Compliance Controls Catalogue (C5) attestation outlines security criteria for cloud services.

    Verify on qlik.com
    TISAX
    HELD

    QlikTech Inc. is a TISAX participant and has completed a TISAX assessment.

    Verify on help.qlik.com
    > Show 4 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    As our cloud offerings are not PCI DSS certified, customers should not store PCI DSS data in our cloud offerings.

    source: qlik.com
    ISO/IEC 42001:2023 (AI management system)
    NOT CONFIRMED

    No public evidence of an ISO/IEC 42001 certification. Qlik's own compliance/standards page (help.qlik.com) enumerates its certifications (SOC 1/2/3, ISO 27001/27017/27018, HITRUST, IRAP, TISAX, CASA, Cyber Essentials) and does not list ISO 42001; no vendor press release or certificate could be found. The prior 'held' claim rested only on an AI-summarized read of the auth-gated trust center document list, not a direct vendor-domain quote.

    source: help.qlik.com
    CSA STAR (Level 2 attestation/certification)
    NOT CONFIRMED

    No public evidence of a CSA STAR Level 2 attestation or certification; trust center only lists a 'CAIQ v4.0 self-assessment' document (CSA STAR Level 1 self-assessment), which is a lower bar than a full STAR attestation.

    source: security.qlik.com
    ISO 27701 (privacy information management)
    NOT CONFIRMED

    no public evidence; Qlik's own certifications list (SOC 1/2/3, ISO 27001/27017/27018/42001, HITRUST, FedRAMP, IRAP, C5, HIPAA) does not include ISO 27701

    source: security.qlik.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer selects a tenant region (Americas, EMEA, APAC) at setup and content data for cloud offerings stays in that region by default; on-premises/client-managed deployments keep all data on the customer's own systems with no Qlik access. Cross-region movement only occurs for opted-in AI features or if the customer shares data with Qlik Support/Consulting.

    Qlik does not use the customer's data to train any AI model external to the customer's tenant. Any model training that happens within a customer's tenant (e.g., Qlik Predict's ML features) is exclusively for that customer's benefit and is not shared with others. Certain generative-AI features (e.g., Qlik Answers) require an opt-in for 'cross-region inference' where a question's data is temporarily sent to an AWS region hosting the LLM service to process the request; Qlik will not transfer data across regions without the customer's express authorization.

    // Security controls

    Encryption

    Cloud tenant content data is encrypted at rest and in transit; cloud offerings are described as a 'no-view' service, with an optional Client-Managed-Key (customer-controlled encryption key) feature for Qlik Cloud.

    qlik.com

    Data access model

    Qlik personnel do not have direct access to customer content data unless explicitly invited into the tenant (e.g., for consulting); on-premises/client-managed deployments are never hosted or accessible by Qlik.

    qlik.com

    Data Protection Officer / privacy program

    Qlik has a global Data Protection Officer and a cross-functional privacy program covering GDPR, PIPEDA, LGPD, PDPA and CCPA compliance; lead EU supervisory authority is Sweden's DPA.

    qlik.com

    EU-US Data Privacy Framework

    Qlik participates in the EU-US Data Privacy Framework (including the UK extension) and the Swiss-US Data Privacy Framework for transatlantic personal data transfers.

    qlik.com

    Subprocessor transparency

    Qlik publishes a subprocessor list and covers subprocessor obligations in its Data Processing Addendum.

    qlik.com

    Penetration testing

    Trust center makes a pentest report (executive summary) available to prospects/customers on request.

    security.qlik.com

    // Products & data scope

    Qlik Sense / Qlik Cloud Analytics (SaaS)Cloud BI/analytics (multi-tenant SaaS)

    data: Customer content data hosted in a chosen regional Qlik Cloud tenant; in scope for SOC 1/2/3, ISO 27001/27017/27018, HITRUST/HIPAA, C5, IRAP certifications

    No-view service; Qlik does not access content data unless invited into the tenant.

    Qlik Sense (client-managed / on-premises)Self-hosted BI/analytics

    data: All data stays on the customer's own infrastructure; Qlik has no access and the cloud certifications above do not apply to this deployment model

    Customer is responsible for its own security controls; Qlik is not a data processor for this deployment.

    Qlik Cloud GovernmentGovernment/public-sector SaaS

    data: Separate hardened offering for U.S. public sector workloads

    Purpose-built to meet FedRAMP, DISA and GovRAMP/StateRAMP requirements; distinct from the commercial multi-tenant Qlik Cloud.

    Qlik Answers / Qlik Predict (GenAI/ML features)Generative AI and ML add-ons within Qlik Cloud

    data: May require opt-in cross-region data processing to reach the LLM/AI service region

    Does not train external models on customer data; in-tenant ML training benefits only that tenant.

    // What to watch

    • FedRAMP applies specifically to the separate 'Qlik Cloud Government' offering, not automatically to the commercial multi-tenant Qlik Cloud/Qlik Sense product; listing should not imply the mainstream SaaS product is FedRAMP authorized.
    • ISO/IEC 42001 was DOWNGRADED to held=false: its only support was an AI-summarized read of the auth-gated trust center document list, and Qlik's own published standards page (help.qlik.com) does not list ISO 42001, nor could any vendor certificate/press release be found. Do not surface ISO 42001 as a held certification without a direct vendor-domain quote.
    • TISAX was re-verified and held=true is supported by a direct verbatim quote on help.qlik.com ('QlikTech Inc. is a TISAX participant and has completed a TISAX assessment'); the prior 'document library lists' summary was replaced.
    • FedRAMP proof was corrected: the prior quote contained a fabricated 'FedRAMP Certified Class C' designation (no such FedRAMP level exists) sourced to the auth-gated trust center. Qlik Cloud Government is genuinely FedRAMP Moderate authorized (confirmed via qlik.com press releases and the FedRAMP Marketplace), but this applies ONLY to the separate government offering, not the commercial Qlik Cloud / Qlik Sense product.
    • CSA STAR: only a CAIQ v4.0 self-assessment (STAR Level 1) is evidenced; do not represent this as a full STAR Level 2 attestation/certification.
    • Qlik Sense can be deployed on-premises/client-managed, in which case none of the cloud certifications (SOC 2, ISO 27001, etc.) apply since Qlik never hosts or accesses that data; listing should clarify certs apply to the Qlik Cloud SaaS deployment.

    // At a glance

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Qlik (QlikTech International AB)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-05. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.qlik.com

    > Browse all vendor trust reports