// Trust & Security Report
Salesforce, Inc. (Tableau Software, LLC, a Salesforce company)
Tableau data visualization and business intelligence platform: Tableau Cloud (SaaS, formerly Tableau Online), Tableau Server (self-hosted), Tableau Desktop/Prep (client authoring tools), Tableau Public (free public sharing), Tableau Pulse and Tableau Agent (Salesforce Einstein/Agentforce-powered AI features), Tableau Next (next-gen AI analytics on Salesforce Data Cloud), and Tableau Government Cloud
Certifications held
10
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on compliance.salesforce.com“SOC 2 Report - Tableau. Product covered: Tableau Cloud. Reporting period May 1, 2025 - April 30, 2026, updated June 8, 2026. Provides assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data, addressing security, availability, and confidentiality.”
Verify on compliance.salesforce.com“Certificate covers 18 services including Salesforce Services (First Party and Hyperforce), Data Cloud, MuleSoft, Heroku, and Tableau Cloud, explicitly: 'Applicable to the services branded as Tableau Cloud.' Reporting period March 10, 2026 - January 27, 2027, updated April 17, 2026.”
Verify on compliance.salesforce.com“Certificate scope includes Tableau Cloud and Tableau Next among 17 covered Salesforce services. Reporting period March 10, 2026 - January 27, 2027, updated April 17, 2026.”
Verify on compliance.salesforce.com“Certificate applies to 'the services branded as Tableau Cloud' among 18 covered Salesforce offerings. Reporting period March 10, 2026 - January 27, 2027, updated April 18, 2026.”
Verify on compliance.salesforce.com“ISO 42001:2023 - Salesforce AI Platform, Agentforce and Slack AI. Services covered explicitly list: Tableau Cloud - 'Applicable to the services branded as Tableau Cloud' and Tableau Next - 'Applicable to the services branded as Tableau Next, including the underlying Data Cloud, Tableau Semantics and Agentforce Services.' Valid September 30, 2025 - September 29, 2028.”
Verify on compliance.salesforce.com“Tableau Cloud is compliant with the Health Information and Portability Accountability Act (HIPAA). Whitepaper 'Tableau Cloud and the HIPAA Security Rule' available, updated December 2, 2022.”
Verify on help.tableau.com“Tableau Cloud meets Payment Card Industry Data Security Standard (PCI-DSS) 4.0 compliance. PCI ASV Network Scan reports published per Hyperforce region (US East/West, Tokyo, Singapore, Sydney, Canada, EU/Germany), updated 2026-06-20.”
Verify on compliance.salesforce.com“TISAX Assessment Results covers 7 Salesforce services including Tableau Cloud explicitly. Scope ID S14843, Assessment ID AYSLF1-1.”
Verify on compliance.salesforce.com“C5 (ISAE 3000) Report - Tableau Cloud, updated 2026-06-22.”
Verify on compliance.salesforce.com“UK Cyber Essentials Certificate and UK Cyber Essentials Plus Certificate listed for Tableau Cloud, both updated 2026-06-22.”
> Show 1 unconfirmed / not-held certifications
source: compliance.salesforce.comFedRAMP authorization applies to the separate Tableau Government Cloud offering (Moderate, authorized 2021-01-25) and to Tableau Next/Agentforce/Data Cloud (High). The commercial Tableau Cloud product assessed here is not itself FedRAMP-authorized; government buyers must use the distinct Tableau Government Cloud SKU.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Tableau Cloud runs on Salesforce Hyperforce infrastructure with regional options including US East/West, Canada, EU (Germany), UK, Japan, Singapore, and Australia; Tableau Server is self-hosted so data residency is entirely customer-controlled.
For Tableau Agent / Tableau AI (Einstein/Agentforce Trust Layer) in Tableau Cloud: 'Neither customer data nor conversations sent to the Large Language Model (LLM) are saved to the LLM, and no customer data is ever used to train the model.' Zero-data-retention agreements are in place with third-party LLM providers, and admins can enable/disable AI features per user group or site. This applies to the current AI feature set; verify per-contract terms for legacy Tableau Server/Desktop deployments that predate these AI features, since offline/self-hosted installs do not send data to Salesforce-hosted LLMs at all.
// Security controls
Encryption in transit
All communication between users and Tableau Cloud is encrypted via SSL/TLS; Tableau Cloud supports TLS 1.2 and higher.
help.tableau.comInfrastructure hosting
Tableau Cloud runs on Salesforce Hyperforce, Salesforce's own public-cloud infrastructure layer, with region-specific deployments audited individually (PCI ASV scans per region).
compliance.salesforce.comAI trust layer
AI features (Tableau Agent, Tableau Pulse) run on the Agentforce Trust Layer (formerly Einstein Trust Layer), which enforces zero data retention with third-party LLM providers and excludes customer data from model training.
help.tableau.comRow-level / granular access control
Role-based access controls and row-level security restrict data visibility by user role and permission.
help.tableau.comVulnerability scanning
Recurring PCI Approved Scanning Vendor (ASV) network scans published per Hyperforce region on the compliance site.
compliance.salesforce.com// Products & data scope
data: Customer visualization data, connected data-source credentials, and end-user account data hosted on Salesforce Hyperforce. This is the product covered by essentially all certifications above (SOC 2, ISO 27001/27017/27018/42001, HIPAA, PCI DSS, TISAX, C5, Cyber Essentials).
Primary SaaS SKU and the one carrying the full compliance stack; the certifications in this assessment should not be assumed to extend to Tableau Server or Desktop.
data: Runs entirely on customer-managed infrastructure (on-prem or customer cloud account); data never leaves the customer's environment unless they choose to send it out.
Security/compliance posture (encryption, access control, patching) is the customer's own responsibility, not covered by Tableau Cloud's SOC 2/ISO certificates.
data: Local application; connects to on-prem or cloud data sources chosen by the user.
No SaaS-side data custody; compliance posture depends on where the user publishes/connects, not on Tableau Cloud's certifications.
data: Published workbooks and underlying data are publicly visible by design.
Not intended for sensitive or confidential data; distinct free tier with a separate terms of use from Tableau Cloud.
data: Natural-language queries and underlying workbook data processed through the Agentforce Trust Layer and third-party LLMs under zero-retention agreements.
Admin-controlled opt-in per user group or site; not used to train foundation models per vendor documentation.
data: Built on Data Cloud and Agentforce Services rather than the classic Tableau Cloud stack.
Separately named in the same ISO 27001/27017/27018/42001 certificates as Tableau Cloud, and is the product line that achieved FedRAMP High alongside Agentforce.
data: Isolated government community cloud boundary for federal/state customers.
The distinct SKU that carries FedRAMP Moderate authorization (since 2021); the standard commercial Tableau Cloud product does not itself hold FedRAMP.
// What to watch
- Identity/scope note: Tableau's own trust.tableau.com now 301-redirects to trust.salesforce.com, and all certification proof was located on compliance.salesforce.com (Salesforce's shared compliance site) rather than a Tableau-only domain. Since Tableau Software LLC has been a wholly-owned Salesforce subsidiary since 2019 and Salesforce's compliance site explicitly names 'Tableau Cloud' and 'Tableau Next' as in-scope services on each certificate, this is treated as valid vendor-domain evidence, not a conflation with an unrelated company — but list the vendor as 'Salesforce (Tableau)' to avoid confusing buyers who expect an independent trust center.
- Certification scope is Tableau Cloud (and Tableau Next) specifically. Tableau Server (self-hosted) and Tableau Desktop are NOT covered by these SOC 2/ISO/HIPAA/PCI certificates; do not imply blanket coverage across the whole product family.
- FedRAMP is held only by the separate Tableau Government Cloud SKU (Moderate) and by Tableau Next/Agentforce (High), not by the standard commercial Tableau Cloud offering assessed here.
// At a glance
Pricing model
Per-user subscription tiers (Viewer/Explorer/Creator) for Tableau Cloud and Server, sold directly or via Salesforce enterprise agreements; Tableau Public is free
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Salesforce, Inc. (Tableau Software, LLC, a Salesforce company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.salesforce.com