// Trust & Security Report

    Salesforce, Inc. (Tableau Software, LLC, a Salesforce company) logo

    Salesforce, Inc. (Tableau Software, LLC, a Salesforce company)

    Tableau data visualization and business intelligence platform: Tableau Cloud (SaaS, formerly Tableau Online), Tableau Server (self-hosted), Tableau Desktop/Prep (client authoring tools), Tableau Public (free public sharing), Tableau Pulse and Tableau Agent (Salesforce Einstein/Agentforce-powered AI features), Tableau Next (next-gen AI analytics on Salesforce Data Cloud), and Tableau Government Cloud

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    SOC 2 Report - Tableau. Product covered: Tableau Cloud. Reporting period May 1, 2025 - April 30, 2026, updated June 8, 2026. Provides assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data, addressing security, availability, and confidentiality.

    Verify on compliance.salesforce.com
    ISO/IEC 27001:2022
    HELD

    Certificate covers 18 services including Salesforce Services (First Party and Hyperforce), Data Cloud, MuleSoft, Heroku, and Tableau Cloud, explicitly: 'Applicable to the services branded as Tableau Cloud.' Reporting period March 10, 2026 - January 27, 2027, updated April 17, 2026.

    Verify on compliance.salesforce.com
    ISO/IEC 27017:2015 (cloud security controls)
    HELD

    Certificate scope includes Tableau Cloud and Tableau Next among 17 covered Salesforce services. Reporting period March 10, 2026 - January 27, 2027, updated April 17, 2026.

    Verify on compliance.salesforce.com
    ISO/IEC 27018:2019 (cloud PII protection)
    HELD

    Certificate applies to 'the services branded as Tableau Cloud' among 18 covered Salesforce offerings. Reporting period March 10, 2026 - January 27, 2027, updated April 18, 2026.

    Verify on compliance.salesforce.com
    ISO/IEC 42001:2023 (AI management system)
    HELD

    ISO 42001:2023 - Salesforce AI Platform, Agentforce and Slack AI. Services covered explicitly list: Tableau Cloud - 'Applicable to the services branded as Tableau Cloud' and Tableau Next - 'Applicable to the services branded as Tableau Next, including the underlying Data Cloud, Tableau Semantics and Agentforce Services.' Valid September 30, 2025 - September 29, 2028.

    Verify on compliance.salesforce.com
    HIPAA
    HELD

    Tableau Cloud is compliant with the Health Information and Portability Accountability Act (HIPAA). Whitepaper 'Tableau Cloud and the HIPAA Security Rule' available, updated December 2, 2022.

    Verify on compliance.salesforce.com
    PCI DSS 4.0
    HELD

    Tableau Cloud meets Payment Card Industry Data Security Standard (PCI-DSS) 4.0 compliance. PCI ASV Network Scan reports published per Hyperforce region (US East/West, Tokyo, Singapore, Sydney, Canada, EU/Germany), updated 2026-06-20.

    Verify on help.tableau.com
    TISAX (automotive-industry ISO 27001-based assessment)
    HELD

    TISAX Assessment Results covers 7 Salesforce services including Tableau Cloud explicitly. Scope ID S14843, Assessment ID AYSLF1-1.

    Verify on compliance.salesforce.com
    C5 (ISAE 3000, German BSI cloud attestation)
    HELD

    C5 (ISAE 3000) Report - Tableau Cloud, updated 2026-06-22.

    Verify on compliance.salesforce.com
    UK Cyber Essentials / Cyber Essentials Plus
    HELD

    UK Cyber Essentials Certificate and UK Cyber Essentials Plus Certificate listed for Tableau Cloud, both updated 2026-06-22.

    Verify on compliance.salesforce.com
    > Show 1 unconfirmed / not-held certifications
    FedRAMP
    NOT CONFIRMED

    FedRAMP authorization applies to the separate Tableau Government Cloud offering (Moderate, authorized 2021-01-25) and to Tableau Next/Agentforce/Data Cloud (High). The commercial Tableau Cloud product assessed here is not itself FedRAMP-authorized; government buyers must use the distinct Tableau Government Cloud SKU.

    source: compliance.salesforce.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Tableau Cloud runs on Salesforce Hyperforce infrastructure with regional options including US East/West, Canada, EU (Germany), UK, Japan, Singapore, and Australia; Tableau Server is self-hosted so data residency is entirely customer-controlled.

    For Tableau Agent / Tableau AI (Einstein/Agentforce Trust Layer) in Tableau Cloud: 'Neither customer data nor conversations sent to the Large Language Model (LLM) are saved to the LLM, and no customer data is ever used to train the model.' Zero-data-retention agreements are in place with third-party LLM providers, and admins can enable/disable AI features per user group or site. This applies to the current AI feature set; verify per-contract terms for legacy Tableau Server/Desktop deployments that predate these AI features, since offline/self-hosted installs do not send data to Salesforce-hosted LLMs at all.

    // Security controls

    Encryption in transit

    All communication between users and Tableau Cloud is encrypted via SSL/TLS; Tableau Cloud supports TLS 1.2 and higher.

    help.tableau.com

    Infrastructure hosting

    Tableau Cloud runs on Salesforce Hyperforce, Salesforce's own public-cloud infrastructure layer, with region-specific deployments audited individually (PCI ASV scans per region).

    compliance.salesforce.com

    AI trust layer

    AI features (Tableau Agent, Tableau Pulse) run on the Agentforce Trust Layer (formerly Einstein Trust Layer), which enforces zero data retention with third-party LLM providers and excludes customer data from model training.

    help.tableau.com

    Row-level / granular access control

    Role-based access controls and row-level security restrict data visibility by user role and permission.

    help.tableau.com

    Vulnerability scanning

    Recurring PCI Approved Scanning Vendor (ASV) network scans published per Hyperforce region on the compliance site.

    compliance.salesforce.com

    // Products & data scope

    Tableau Cloud (formerly Tableau Online)SaaS business intelligence / analytics

    data: Customer visualization data, connected data-source credentials, and end-user account data hosted on Salesforce Hyperforce. This is the product covered by essentially all certifications above (SOC 2, ISO 27001/27017/27018/42001, HIPAA, PCI DSS, TISAX, C5, Cyber Essentials).

    Primary SaaS SKU and the one carrying the full compliance stack; the certifications in this assessment should not be assumed to extend to Tableau Server or Desktop.

    Tableau ServerSelf-hosted business intelligence

    data: Runs entirely on customer-managed infrastructure (on-prem or customer cloud account); data never leaves the customer's environment unless they choose to send it out.

    Security/compliance posture (encryption, access control, patching) is the customer's own responsibility, not covered by Tableau Cloud's SOC 2/ISO certificates.

    Tableau Desktop / Tableau PrepClient-installed authoring tools

    data: Local application; connects to on-prem or cloud data sources chosen by the user.

    No SaaS-side data custody; compliance posture depends on where the user publishes/connects, not on Tableau Cloud's certifications.

    Tableau PublicFree public-sharing SaaS

    data: Published workbooks and underlying data are publicly visible by design.

    Not intended for sensitive or confidential data; distinct free tier with a separate terms of use from Tableau Cloud.

    Tableau Pulse / Tableau Agent (AI features)Generative-AI analytics layer within Tableau Cloud

    data: Natural-language queries and underlying workbook data processed through the Agentforce Trust Layer and third-party LLMs under zero-retention agreements.

    Admin-controlled opt-in per user group or site; not used to train foundation models per vendor documentation.

    Tableau NextNext-generation AI analytics on Salesforce Data Cloud

    data: Built on Data Cloud and Agentforce Services rather than the classic Tableau Cloud stack.

    Separately named in the same ISO 27001/27017/27018/42001 certificates as Tableau Cloud, and is the product line that achieved FedRAMP High alongside Agentforce.

    Tableau Government CloudGovernment/public-sector SaaS

    data: Isolated government community cloud boundary for federal/state customers.

    The distinct SKU that carries FedRAMP Moderate authorization (since 2021); the standard commercial Tableau Cloud product does not itself hold FedRAMP.

    // What to watch

    • Identity/scope note: Tableau's own trust.tableau.com now 301-redirects to trust.salesforce.com, and all certification proof was located on compliance.salesforce.com (Salesforce's shared compliance site) rather than a Tableau-only domain. Since Tableau Software LLC has been a wholly-owned Salesforce subsidiary since 2019 and Salesforce's compliance site explicitly names 'Tableau Cloud' and 'Tableau Next' as in-scope services on each certificate, this is treated as valid vendor-domain evidence, not a conflation with an unrelated company — but list the vendor as 'Salesforce (Tableau)' to avoid confusing buyers who expect an independent trust center.
    • Certification scope is Tableau Cloud (and Tableau Next) specifically. Tableau Server (self-hosted) and Tableau Desktop are NOT covered by these SOC 2/ISO/HIPAA/PCI certificates; do not imply blanket coverage across the whole product family.
    • FedRAMP is held only by the separate Tableau Government Cloud SKU (Moderate) and by Tableau Next/Agentforce (High), not by the standard commercial Tableau Cloud offering assessed here.

    // At a glance

    Pricing model

    Per-user subscription tiers (Viewer/Explorer/Creator) for Tableau Cloud and Server, sold directly or via Salesforce enterprise agreements; Tableau Public is free

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Salesforce, Inc. (Tableau Software, LLC, a Salesforce company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.salesforce.com

    > Browse all vendor trust reports