// Trust & Security Report

    Statista GmbH logo

    Statista GmbH

    Statista is a data-as-a-service / market research platform: the core Statistics Portal (Basic/Starter/Personal/Professional accounts), Market Insights, Consumer Insights (survey panel data), a programmatic Statista API, a newer 'Research AI' natural-language answer tool, plus related sub-brands Statista+ (statistaplus.com), Statista Rankings (rankings.statista.com), and Statista Strategy Consulting. Regional entities include Statista GmbH (Germany, primary controller), Statista Inc. (Americas) and Statista Limited (UK/EU).

    Certifications held

    1

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture)
    HELD

    "We will only use your personal data in accordance with the applicable data protection law" and processing bases cited include GDPR Art. 6(1)(a) consent, 6(1)(b) contract, 6(1)(c) legal obligation, and 6(1)(f) legitimate interests; an external Data Protection Officer (Eagle lsp GmbH, privacy@eagle-lsp.com) is designated, and inquiries can be sent to dataprotection@statista.com.

    Verify on statista.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. No SOC 2 report, badge, or trust center referencing SOC 2 was found on statista.com, statistaplus.com, or rankings.statista.com.

    source: statista.com
    ISO/IEC 27001
    NOT CONFIRMED

    'ISO/IEC 27001 certification: Not certified' — self-declared answer by Statista Limited on the UK Government Digital Marketplace supplier questionnaire (not statista.com; included for context since no vendor-domain page claims this cert either).

    source: applytosupply.digitalmarketplace.service.gov.uk
    HIPAA
    NOT CONFIRMED

    No public evidence. Statista is a statistics/market-research data provider, not a healthcare data processor; no HIPAA statement found on any vendor-owned page.

    source: statista.com
    PCI DSS
    NOT CONFIRMED

    "All of our customers' payment and contact details are transmitted using SSL encryption" — payment processing is delegated to Stripe Payments Europe Ltd, a third-party PCI-DSS-certified processor. This is the processor's certification, not Statista's own PCI-DSS certification.

    source: statista.com
    Cyber Essentials (UK scheme)
    NOT CONFIRMED

    'Cyber Essentials: Yes' is self-declared by Statista Limited on the UK Gov Digital Marketplace listing, but this claim is not corroborated anywhere on statista.com itself, so it is graded held=false pending vendor-domain confirmation.

    source: applytosupply.digitalmarketplace.service.gov.uk
    CSA STAR
    NOT CONFIRMED

    'CSA STAR Certification: No' per the UK Gov Digital Marketplace self-declaration; no vendor-domain evidence of CSA STAR either.

    source: applytosupply.digitalmarketplace.service.gov.uk
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence. No AI-governance certification is referenced on statista.com despite the company offering a 'Research AI' product.

    source: statista.com
    FedRAMP
    NOT CONFIRMED

    No public evidence; Statista does not present itself as a US federal government cloud service provider.

    source: statista.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Germany (primary), United States, Singapore, and other locations within/outside the EEA per the UK G-Cloud listing; 'to ensure global access by customers, Statista stores customer data globally.' Customers do not appear to have data-residency choice.

    Statista's Master Service Agreement / General Terms state it is 'prohibited — without prior explicit consent — to use content for the purposes of training, developing, programming, improving, and/or enriching AI systems,' but this clause protects Statista's own licensed statistics/content from being scraped to train third-party AI models; it is not a statement about whether Statista's own 'Research AI' feature trains models on customer queries or uploaded data. No public statement was found addressing that specific question, so trains_on_customer_data is left unresolved (null).

    // Security controls

    Encryption in transit

    TLS 1.2+ / SSL for payment and contact data; G-Cloud listing also cites IPsec/TLS VPN gateway options.

    applytosupply.digitalmarketplace.service.gov.uk

    Encryption at rest

    "All stored individual data is anonymized and encrypted" (vendor statement); underlying cloud storage (AWS) protections referenced in the G-Cloud listing.

    statista.com

    Payment processing

    Outsourced to Stripe Payments Europe Ltd; Statista itself does not claim its own PCI-DSS certification.

    statista.com

    Data Protection Officer

    External DPO appointed: Eagle lsp GmbH, Neustädter Neuer Weg 22, 20459 Hamburg, Germany (privacy@eagle-lsp.com).

    statista.com

    Internal security governance

    Vendor states protections include firewalls, encryption in transit, role-based access rules, an IT-Security Officer, a Data Protection Officer, an external lawyer, internal security processes, audits and monitoring; UK listing adds annual third-party penetration testing and a named board-level security officer.

    applytosupply.digitalmarketplace.service.gov.uk

    // Products & data scope

    Statistics Portal (Basic/Starter/Personal/Professional accounts)Statistics & market data database

    data: Account/contact/payment data; no customer business data uploaded.

    Core product; free Basic tier plus paid tiers up to €599/mo Personal and negotiated Professional (team) pricing.

    Market InsightsMarket sizing / KPI data tool

    data: Aggregated third-party market data; account data only.

    Covers 190+ countries/territories across Advertising, Consumer, Health, Industry, Mobility, Technology, Financial, and eCommerce verticals.

    Consumer InsightsSurvey / consumer behavior data

    data: Aggregated survey panel data (3,000,000+ interviews, 56 countries); no direct end-user PII exposed to customers.

    Marketed to marketers/planners/product managers.

    Statista APIProgrammatic data access

    data: API keys/account credentials; delivers Statista's statistics data to customer systems.

    No dedicated API-specific DPA or security page found; governed by the general Master Service Agreement.

    Research AIAI-assisted Q&A over Statista's dataset

    data: User natural-language queries; unclear whether queries are retained/used to improve the model.

    Includes an in-product disclaimer 'Our AI can make mistakes. Please check important information.' No AI-specific privacy documentation was found.

    Statista+ / Statista StrategyCustom research & strategy consulting

    data: Project-specific client data under a bespoke engagement; has its own separate privacy policy (statistaplus.com).

    Enterprise/custom engagement product line, distinct legal entity terms.

    // What to watch

    • The UK G-Cloud listing (Statista Limited) states 'Cyber Essentials: Yes' but this is a gov.uk self-declaration, not corroborated on statista.com; graded held=false per the vendor-domain-proof rule, but the AIFOXX team should not read this as a firm 'no' either.
    • ISO 27001 'Not certified' is likewise sourced from the same third-party G-Cloud page rather than a vendor-domain statement; no statista.com page makes an ISO 27001 claim in either direction.
    • The AI-training prohibition clause in Statista's Master Service Agreement concerns protecting Statista's own licensed content from third-party AI scraping, not whether Statista's own 'Research AI' feature trains on customer queries — this is a distinct, unresolved question and should not be conflated.
    • Statista is commonly reported as a subsidiary of Ströer SE & Co. KGaA (~81% stake), but this parent-company relationship was not independently confirmed on a statista.com page during this review.
    • Payment PCI compliance belongs to the payment processor (Stripe), not to Statista directly — flagged to avoid host/vendor cert conflation.

    // At a glance

    Pricing model

    Freemium + tiered subscription (Basic free, Starter/Personal self-serve monthly billed annually, Professional/enterprise sales-assisted); custom pricing for API, Consumer Insights, and consulting.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Statista GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    statista.com

    > Browse all vendor trust reports