// Trust & Security Report
Statista GmbH
Statista is a data-as-a-service / market research platform: the core Statistics Portal (Basic/Starter/Personal/Professional accounts), Market Insights, Consumer Insights (survey panel data), a programmatic Statista API, a newer 'Research AI' natural-language answer tool, plus related sub-brands Statista+ (statistaplus.com), Statista Rankings (rankings.statista.com), and Statista Strategy Consulting. Regional entities include Statista GmbH (Germany, primary controller), Statista Inc. (Americas) and Statista Limited (UK/EU).
Certifications held
1
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on statista.com“"We will only use your personal data in accordance with the applicable data protection law" and processing bases cited include GDPR Art. 6(1)(a) consent, 6(1)(b) contract, 6(1)(c) legal obligation, and 6(1)(f) legitimate interests; an external Data Protection Officer (Eagle lsp GmbH, privacy@eagle-lsp.com) is designated, and inquiries can be sent to dataprotection@statista.com.”
> Show 8 unconfirmed / not-held certifications
source: statista.comNo public evidence. No SOC 2 report, badge, or trust center referencing SOC 2 was found on statista.com, statistaplus.com, or rankings.statista.com.
source: applytosupply.digitalmarketplace.service.gov.uk'ISO/IEC 27001 certification: Not certified' — self-declared answer by Statista Limited on the UK Government Digital Marketplace supplier questionnaire (not statista.com; included for context since no vendor-domain page claims this cert either).
source: statista.comNo public evidence. Statista is a statistics/market-research data provider, not a healthcare data processor; no HIPAA statement found on any vendor-owned page.
source: statista.com"All of our customers' payment and contact details are transmitted using SSL encryption" — payment processing is delegated to Stripe Payments Europe Ltd, a third-party PCI-DSS-certified processor. This is the processor's certification, not Statista's own PCI-DSS certification.
source: applytosupply.digitalmarketplace.service.gov.uk'Cyber Essentials: Yes' is self-declared by Statista Limited on the UK Gov Digital Marketplace listing, but this claim is not corroborated anywhere on statista.com itself, so it is graded held=false pending vendor-domain confirmation.
source: applytosupply.digitalmarketplace.service.gov.uk'CSA STAR Certification: No' per the UK Gov Digital Marketplace self-declaration; no vendor-domain evidence of CSA STAR either.
source: statista.comNo public evidence. No AI-governance certification is referenced on statista.com despite the company offering a 'Research AI' product.
source: statista.comNo public evidence; Statista does not present itself as a US federal government cloud service provider.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Germany (primary), United States, Singapore, and other locations within/outside the EEA per the UK G-Cloud listing; 'to ensure global access by customers, Statista stores customer data globally.' Customers do not appear to have data-residency choice.
Statista's Master Service Agreement / General Terms state it is 'prohibited — without prior explicit consent — to use content for the purposes of training, developing, programming, improving, and/or enriching AI systems,' but this clause protects Statista's own licensed statistics/content from being scraped to train third-party AI models; it is not a statement about whether Statista's own 'Research AI' feature trains models on customer queries or uploaded data. No public statement was found addressing that specific question, so trains_on_customer_data is left unresolved (null).
// Security controls
Encryption in transit
TLS 1.2+ / SSL for payment and contact data; G-Cloud listing also cites IPsec/TLS VPN gateway options.
applytosupply.digitalmarketplace.service.gov.ukEncryption at rest
"All stored individual data is anonymized and encrypted" (vendor statement); underlying cloud storage (AWS) protections referenced in the G-Cloud listing.
statista.comPayment processing
Outsourced to Stripe Payments Europe Ltd; Statista itself does not claim its own PCI-DSS certification.
statista.comData Protection Officer
External DPO appointed: Eagle lsp GmbH, Neustädter Neuer Weg 22, 20459 Hamburg, Germany (privacy@eagle-lsp.com).
statista.comInternal security governance
Vendor states protections include firewalls, encryption in transit, role-based access rules, an IT-Security Officer, a Data Protection Officer, an external lawyer, internal security processes, audits and monitoring; UK listing adds annual third-party penetration testing and a named board-level security officer.
applytosupply.digitalmarketplace.service.gov.uk// Products & data scope
data: Account/contact/payment data; no customer business data uploaded.
Core product; free Basic tier plus paid tiers up to €599/mo Personal and negotiated Professional (team) pricing.
data: Aggregated third-party market data; account data only.
Covers 190+ countries/territories across Advertising, Consumer, Health, Industry, Mobility, Technology, Financial, and eCommerce verticals.
data: Aggregated survey panel data (3,000,000+ interviews, 56 countries); no direct end-user PII exposed to customers.
Marketed to marketers/planners/product managers.
data: API keys/account credentials; delivers Statista's statistics data to customer systems.
No dedicated API-specific DPA or security page found; governed by the general Master Service Agreement.
data: User natural-language queries; unclear whether queries are retained/used to improve the model.
Includes an in-product disclaimer 'Our AI can make mistakes. Please check important information.' No AI-specific privacy documentation was found.
data: Project-specific client data under a bespoke engagement; has its own separate privacy policy (statistaplus.com).
Enterprise/custom engagement product line, distinct legal entity terms.
// What to watch
- The UK G-Cloud listing (Statista Limited) states 'Cyber Essentials: Yes' but this is a gov.uk self-declaration, not corroborated on statista.com; graded held=false per the vendor-domain-proof rule, but the AIFOXX team should not read this as a firm 'no' either.
- ISO 27001 'Not certified' is likewise sourced from the same third-party G-Cloud page rather than a vendor-domain statement; no statista.com page makes an ISO 27001 claim in either direction.
- The AI-training prohibition clause in Statista's Master Service Agreement concerns protecting Statista's own licensed content from third-party AI scraping, not whether Statista's own 'Research AI' feature trains on customer queries — this is a distinct, unresolved question and should not be conflated.
- Statista is commonly reported as a subsidiary of Ströer SE & Co. KGaA (~81% stake), but this parent-company relationship was not independently confirmed on a statista.com page during this review.
- Payment PCI compliance belongs to the payment processor (Stripe), not to Statista directly — flagged to avoid host/vendor cert conflation.
// At a glance
Pricing model
Freemium + tiered subscription (Basic free, Starter/Personal self-serve monthly billed annually, Professional/enterprise sales-assisted); custom pricing for API, Consumer Insights, and consulting.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Statista GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
statista.com