Building a Foundation of Trust

It starts with transparency. Learn more about security and data privacy with Alteryx.

Security

The Alteryx Information Security Program uses an overarching framework to address enterprise information security governance, protecting information assets and systems against attacks and incidents while ensuring appropriate security is a priority at all levels of the product development process. It is a risk-based program that aligns with industry-standard frameworks, such as NIST CF and SIRT, to incorporate those security principles applicable to our regulatory and contractual obligations.

Privacy

Alteryx has implemented a global privacy program to address the needs of its users, customers, and partners. With respect to any personal data collected and used by Alteryx in our relationship with users (e.g., via Alteryx Community, events or certification training), Alteryx will comply with applicable data protection law, including the GDPR and CCPA, consistent with the obligations and representations set out in its published Privacy Policy and, with respect to customer data, our DPA.

Data Transfers

Alteryx complies with its obligations under data protection law with respect to all restricted, cross-border transfers of personal data. Access to customer content through hosting, support, or professional services is managed as a data transfer subject to the standard contractual clauses outlined in Alteryx’s standard data processing agreement (DPA). Internal data transfers between Alteryx entities utilize a comprehensive intra-company DPA and standard contractual clauses.

Data Practices

Alteryx’s privacy program aligns to the NIST Privacy framework using a data lifecycle approach to both product development and our data practices. To comply with applicable law in the jurisdictions in which we do business, as well as to ensure alignment with industry best practices and customer obligations, Alteryx applies a consistent set of privacy principles based on those outlined by the GDPR and any additional requirements for privacy and marketing by state, province, country, or region.

Data Subject Rights

Alteryx has implemented the means of responding to data subject requests under both the GDPR and the California Consumer Protection Act (CCPA). The option to make a do-not-sell request under the CCPA is easily accessible in the cookie preference settings on our websites and using our data request form, either online or via the designated toll-free telephone number. Other types of data subject requests may also be made using our consolidated request form. For detailed information and a link to the request form, see our Privacy Policy.

Usage Data

As further described in the Privacy Policy and our terms of use, Alteryx may collect data attributable to an individual through a few primary sources: directly from the individual or his/her employer, from Alteryx partners and data processors, and in a limited manner through use of Alteryx products and services. Protecting the confidentiality of personal data, including usage data, is our first priority and Alteryx follows best practices to maintain oversight where usage data is collected.

Ethics

Alteryx is committed to promoting high standards of honest and ethical business conduct and compliance with applicable laws, rules and regulations. We lead the company guided by our Code of Business Conduct and Ethics and a set of core values that shape our behaviors and maintain our culture. Our shared values of Customer First, Accountability, Equality, Integrity, and Empowerment inform the development of our products, the service of our customers, and the achievement of our business objectives.

How Alteryx Uses Data

Compliance

Alteryx maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of customer and user data in accordance with all applicable industry standards and practices. Our security program includes measures intended to meet or exceed data protection requirements for personal data, including those outlined by the GDPR and CCPA.

Trust

Alteryx provides desktop analytics and server environments that meet the thresholds for Federal Information Processing Standards (FIPS) compatibility as established by the National Institute of Standards and Technology (NIST) and in accordance with the Federal Information Security Management Act (FISMA) and as approved by the Secretary of Commerce.

Reliability

Alteryx strives to deliver stable solutions that customers can operate with confidence, and we take defects and downtimes seriously. Alteryx follows ISO 22301 guidelines for managing and maintaining plans for continuity of operations. This includes identifying critical processes, reviewing their components, and verifying response times in line with the company’s recovery time objectives.

ESG/Sustainability

We recently completed our first-ever ESG Materiality Assessment, which will guide our ESG reporting and disclosures going forward. We are currently signed on to three pledges, including: Pledge 1% (free product donations and volunteering time), CEO Action Pledge (diversity, equity and inclusion), and America Is All In (Paris Climate Agreement). We are also members of ImpactCloud, a coalition of tech companies committed to supporting nonprofit digital transformation.

Private Data Handling

The ISO 27001 certified Alteryx Analytics Cloud Platform enhances security, isolates permissions, and manages risk by separating application control planes and data planes. The control plane orchestrates workloads, provides the user interface, and manages application usage data. The data plane gives customers self-service access to their data to run analytic workloads. To further enhance security, customers can keep the data plane in their own cloud environment using Private Data Handling.

Governance

Alteryx offers product functionality to help IT teams comply with internal governance policies and procedures, including connectivity, security, audit logs, and versioning. Alteryx recommends a comprehensive and modern reference framework for analytics governance. This framework maintains flexibility to enable rapid prototyping and quick analysis while outlining how additional controls can be applied to routinely executed, high-risk processes.

Responsible AI Principles

Alteryx’s Responsible AI Principles reflect a commitment to ethical and inclusive AI innovation, emphasizing transparency and explainability to help ensure users understand AI outcomes. The principles advocate for human agency and oversight, enabling informed decision-making while protecting rights. Trust and accountability are prioritized, with Alteryx implementing robust security and privacy measures. Reliability and safety are central, with rigorous testing of AI models to help ensure accurate and intended results.


FREQUENTLY ASKED QUESTIONS

Alteryx Privacy

 

Alteryx’s Data Processing Agreement (“DPA”)

 
What does the Alteryx DPA cover?

Alteryx’s DPA applies to the extent Alteryx acts as a data processor on behalf of a customer. When customers upload Customer Content (e.g., inputs, workflows, outputs) to use with any of our cloud products, or when a customer provides our customer support team with information such as log files, our DPA applies. Our DPA is automatically incorporated into our cloud terms and support description without any additional action required by a customer. DPA terms are found at www.alteryx.com/dpa

 
What is Customer Content?

“Customer Content” is the term used in our DPA to mean any data or information that a customer uploads, connects to, or imports into Alteryx products, including internal data sets or other sources not supplied by Alteryx, together with any workflows, recipes, insights, or other materials created by a customer using Alteryx products, along with log-in credentials for accessing or linking to third party data sources while using Alteryx products. Customer Content also includes logs uploaded by the customer as part of a support request and any raw data provided or made accessible to Alteryx or its sub-processors in providing professional services that a customer purchases. Customer Content does not include Usage Data.

 
Do we need a DPA if we only use on-premises software?

For on-premises software, such as Alteryx Designer, customers don’t upload Customer Content to Alteryx systems, but instead, they work within their own environment to store and use their data. However, Alteryx still provides support services to users of on-premises software, and customers may provide log files as part of a support ticket to help us troubleshoot an issue. To the extent these log files contain personal data (normally just identifiers associated with the user submitting the ticket), our DPA applies.

 
Does Alteryx’s DPA apply to Customer Content that does not include personal data?

DPA obligations stem from data protection laws, like California’s CCPA and the EU’s GDPR, and are intended to apply solely to personal data. However, as part of Alteryx’s business model and product design, Alteryx can’t see what data is included in the Customer Content uploaded by customers to use with our cloud products, so we can’t determine what data, if any, is personal data. As a result, Alteryx assumes that Customer Content may contain personal data and treats all Customer Content in accordance with our DPA.

 
What happens now that the UK has left the EU? Does Alteryx apply different rules regarding privacy?

Since leaving the European Union, the United Kingdom has adopted its own privacy mechanisms, which we have accounted for in our privacy practices, including in our DPA. To the extent applicable, we incorporate the United Kingdom’s International Data Transfer Addendum in our standard DPA. We are also registered with the UK’s data protection authority, the Information Commissioner’s Office (ICO), with respect to our data practices within the United Kingdom.

 
Why does our data need to be transferred to the US?

Alteryx stores Customer Content (for both hosted products and to provide customer support) with our third-party cloud service providers (e.g., AWS, GCP). Our systems are currently designed to access Customer Content from these service providers in the United States. However, we offer a variety of options that allow you to store Customer Content in your environment and location of your choosing. These options include our on-premises products as well as our Private Data Handling options for our cloud products.

 
Can we choose the locations from which Alteryx provides us support?

Alteryx uses a “follow the sun” support model so that we can provide subject matter experts globally, wherever and whenever needed by our customers. We cannot redirect or otherwise limit support locations on a customer-by-customer basis, as that would significantly impede our ability to provide timely support to other customers at scale.

 

Usage Data, Metadata, Telemetry

 
What is Usage Data and is it covered by Alteryx’s DPA?

Usage Data includes data about how individual users interact with our products and services. It does not include any uploaded Customer Content or the analyses and insights or any outputs customers derive from Customer Content when using our products. In other words, Usage Data focuses on how our products are used, not the raw data uploaded for use with our products. Usage Data is not processed for or on behalf of a customer but is instead determined solely by Alteryx and used for Alteryx’s internal business purposes. Alteryx acts in its capacity as a data controller, directly regulated by data protection laws, with respect to all Usage Data, so it is not covered by Alteryx’s processor obligations under our DPA.

 
Is user registration information part of Usage Data?

Data collected about authorized users as part of initial registration and license utilization is considered a component of Usage Data. This type of Usage Data is required to document and support license fulfillment and reporting (e.g., how many seat licenses have been activated, how many licenses remain open, and whether assigned licenses are being used efficiently). Registration and license fulfillment data also allows Alteryx to ensure that the terms of any license restrictions or caps under the customer agreement are met.

 
To what extent do you aggregate and deidentify the personal data that Alteryx collects?

While identifying information is required in certain circumstances (e.g., for security and license compliance purposes), we aggregate and deidentify personal data collected as Usage Data to the extent feasible in using the data for the purposes for which it was collected. We have processes in place to review our internal uses of Usage Data to ensure the privacy and security of our users’ personal data. If the purposes for processing Usage Data can be accomplished using aggregated or deidentified data, we limit the access to and use of personal data to that format.

 
Is Usage Data used for general product/service improvement? Does this include personal data or Customer Content?

We analyze Usage Data to help give us insights that may lead to improvements to our products and services, particularly when it comes to improving user experience or correcting errors. This analysis comes from aggregated data since our product improvements do not require identifying individual users or customers. Customer Content is not used for any product improvement purposes since we do not access any raw content uploaded to Alteryx products and services.

 
Is Usage Data used to contact individual users?

Usage Data may be used for the benefit of individual users by helping with personalization of our in-app products and services, or for content and enablement recommendations. For example, users of a particular tool might see training or “next best tool” recommendations related to that tool. However, a user’s preferences and settings, together with any requirements of data protection or marketing regulations, will govern any user outreach.

 
How does Alteryx’s Privacy Policy apply?

Any personal data that Alteryx collects from individuals, including users of our products, sites, and services, is collected and used subject to our privacy policy. This policy outlines how and from what sources personal data may be collected, how such data is used, and with whom it may be shared. The policy also specifies the means by which individuals may exercise rights pertaining to their data.

 
Can customers collect or access any Alteryx Usage Data?

Alteryx provides customers with various self-service tools to help them understand their Alteryx product usage. For example, Alteryx’s License and Downloads Portal provides detailed customer license usage information. Customers may also consider implementing Customer Managed Telemetry, which allows customers to collect certain Alteryx product usage information from within their environment. To comply with regulatory obligations and its own user policies, Alteryx cannot provide customers with detailed usage information that identifies specific individuals except in those limited circumstances and using customary reports required to substantiate license fulfillment.

 
Does Alteryx disclose Usage Data to third parties?

We only disclose Usage Data to service providers acting on our behalf under appropriate contractual protections. Where Usage Data includes personal data, all third-party service providers are bound to our DPA and security terms for data processors.

 
Will customers be notified of data breaches related to Usage Data?

In accordance with applicable data protection law, Alteryx will notify impacted individuals concerning any confirmed breach of their personal data, including personal data collected as Usage Data. Usage Data is not part of Customer Content and is not in scope for Alteryx’s breach notification obligations to customers under our DPA.

 

Alteryx’s Information Security Obligations

 
What is the document linked in the DPA entitled “Information Security Program Description”?

Most data protection laws require that data processors provide appropriate technical and organizational measures to adequately address the risks pertaining to the processing of personal data by such processors. In line with Alteryx’s processing of Customer Content while providing its cloud products and support services, we have implemented organizational, physical, technical and operational security measures aligned to standards such as ISO 27001, which are designed to protect the confidentiality, integrity and availability of those systems and data within our control. These technical and organizational measures are described in the Information Security Program Description, incorporated by reference in the Alteryx DPA.

 
What access do Alteryx employees and contractors have to Customer Content?

As described in the Information Security Program Description, Alteryx employees and contractors do not access or use Customer Content uploaded to our cloud products as part of their ordinary job duties. There are limited circumstances when customers request support from Alteryx that may require time-restricted access to Customer Content uploaded to Alteryx cloud products. In those circumstances, designated and trained Alteryx personnel may, with the customer’s approval and solely for the purpose of providing support, be given limited, monitored access to processing or storage environments that contain Customer Content.

 
Does Alteryx notify customers in the event of a data breach?

Alteryx’s DPA and Information Security Program Description specify that we notify customers, without undue delay, when we become aware of a security incident impacting Customer Content. Our dedicated incident response team is tasked with managing the identification and detection of security incidents, providing timely responses, and taking such steps as are necessary for prompt recovery of systems and data. Our incident response practices align with ISO 27035 and NIST 800-61.

 
How do we respond to government requests for customer data?

Unless prevented by law, we will ask the government authority making the request to direct such requests for customer information to the customer and we will notify the customer of such government request. If we are unable to notify the customer of a government request, we will evaluate on a case-by-case basis whether responding to the request is legally justified and take appropriate action accordingly.

 
How does Alteryx encrypt Customer Content?

We encrypt Customer Content in transit to and from our products, as well as at rest when the data is stored by us. For data at rest stored on our third-party cloud services (e.g., AWS, GCP), we employ the encryption at rest methods made available by those services, such as AES-256. For encryption in transit, we use TLS 2.0 or above.

 
Where can I find out more information about Alteryx security practices?

You can visit our Trust website here. In addition, our help and documentation site contains specific information concerning the security measures applicable to individual products.