It starts with transparency. Learn more about security and data privacy with Alteryx.
Alteryx’s Information Security Program utilizes an overarching framework to address enterprise information security governance, protecting information assets and systems against attacks and incidents while ensuring appropriate security is a priority at all levels of the product development process. It is a risk-based program that aligns with industry-standard frameworks, such as NIST CF and SIRT, to incorporate those security principles applicable to our regulatory and contractual obligations.
Alteryx complies with its obligations under data protection law with respect to all restricted, cross-border transfers of personal data. Access to customer content through hosting, support, or professional services is managed as a data transfer subject to the standard contractual clauses outlined in Alteryx’s standard data processing agreement (DPA). Internal data transfers between Alteryx entities utilize a comprehensive intra-company DPA and standard contractual clauses.
Alteryx’s privacy program aligns to the NIST Privacy framework using a data lifecycle approach to both product development and our data practices. To comply with applicable law in the jurisdictions in which we do business, as well as to ensure alignment with industry best practices and customer obligations, Alteryx applies a consistent set of privacy principles based on those outlined by the GDPR and any additional requirements for privacy and marketing by state, province, country, or region.
Data Subject Rights
Alteryx is committed to promoting high standards of honest and ethical business conduct and compliance with applicable laws, rules and regulations. We lead the company guided by our Code of Business Conduct and Ethics and a set of core values that shape our behaviors and maintain our culture. Our shared values of Customer First, Accountability, Equality, Integrity, and Empowerment inform the development of our products, the service of our customers, and the achievement of our business objectives.
Alteryx maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of customer and user data in accordance with all applicable industry standards and practices. Our security program includes measures intended to meet or exceed data protection requirements for personal data, including those outlined by the GDPR and CCPA.
Alteryx provides desktop analytics and server environments that meet the thresholds for Federal Information Processing Standards (FIPS) compatibility as established by the National Institute of Standards and Technology (NIST) and in accordance with the Federal Information Security Management Act (FISMA) and as approved by the Secretary of Commerce.
Alteryx strives to deliver stable solutions that customers can operate with confidence, and we take defects and downtimes seriously. Alteryx follows ISO 22301 guidelines for managing and maintaining plans for continuity of operations. This includes identifying critical processes, reviewing their components, and verifying response times in line with the company’s recovery time objectives.
We recently completed our first-ever ESG Materiality Assessment, which will guide our ESG reporting and disclosures going forward. We are currently signed on to three pledges, including: Pledge 1% (free product donations and volunteering time), CEO Action Pledge (diversity, equity and inclusion), and America Is All In (Paris Climate Agreement). We are also members of ImpactCloud, a coalition of tech companies committed to supporting nonprofit digital transformation.
Private Data Handling
The ISO 27001 certified Alteryx Analytics Cloud Platform enhances security, isolates permissions, and manages risk by separating application control planes and data planes. The control plane orchestrates workloads, provides the user interface, and manages application usage data. The data plane gives customers self-service access to their data to run analytic workloads. To further enhance security, customers can keep the data plane in their own cloud environment using Private Data Handling.
Alteryx’s DPA applies to the extent Alteryx acts as a data processor on behalf of a customer. When customers upload Customer Content (e.g., inputs, workflows, outputs) to use with any of our cloud products, or when a customer provides our customer support team with information such as log files, our DPA applies. Our DPA is automatically incorporated into our cloud terms and support description without any additional action required by a customer. DPA terms are found at www.alteryx.com/dpa
“Customer Content” is the term used in our DPA to mean any data or information that a customer uploads, connects to, or imports into Alteryx products, including internal data sets or other sources not supplied by Alteryx, together with any workflows, recipes, insights, or other materials created by a customer using Alteryx products, along with log-in credentials for accessing or linking to third party data sources while using Alteryx products. Customer Content also includes logs uploaded by the customer as part of a support request and any raw data provided or made accessible to Alteryx or its sub-processors in providing professional services that a customer purchases. Customer Content does not include Usage Data.
For on-premises software, such as Alteryx Designer, customers don’t upload Customer Content to Alteryx systems, but instead, they work within their own environment to store and use their data. However, Alteryx still provides support services to users of on-premises software, and customers may provide log files as part of a support ticket to help us troubleshoot an issue. To the extent these log files contain personal data (normally just identifiers associated with the user submitting the ticket), our DPA applies.
DPA obligations stem from data protection laws, like California’s CCPA and the EU’s GDPR, and are intended to apply solely to personal data. However, as part of Alteryx’s business model and product design, Alteryx can’t see what data is included in the Customer Content uploaded by customers to use with our cloud products, so we can’t determine what data, if any, is personal data. As a result, Alteryx assumes that Customer Content may contain personal data and treats all Customer Content in accordance with our DPA.
Since leaving the European Union, the United Kingdom has adopted its own privacy mechanisms, which we have accounted for in our privacy practices, including in our DPA. To the extent applicable, we incorporate the United Kingdom’s International Data Transfer Addendum in our standard DPA. We are also registered with the UK’s data protection authority, the Information Commissioner’s Office (ICO), with respect to our data practices within the United Kingdom.
Alteryx stores Customer Content (for both hosted products and to provide customer support) with our third-party cloud service providers (e.g., AWS, GCP). Our systems are currently designed to access Customer Content from these service providers in the United States. However, we offer a variety of options that allow you to store Customer Content in your environment and location of your choosing. These options include our on-premises products as well as our Private Data Handling options for our cloud products.
Alteryx uses a “follow the sun” support model so that we can provide subject matter experts globally, wherever and whenever needed by our customers. We cannot redirect or otherwise limit support locations on a customer-by-customer basis as that would significantly impede our ability to support other customers in a timely manner at scale.
Usage Data includes data about how individual users interact with our products and services. It does not include any uploaded Customer Content or the analyses and insights or any outputs customers derive from Customer Content when using our products. In other words, Usage Data focuses on how our products are used, not the raw data uploaded for use with our products. Usage Data is not processed for or on behalf of a customer but is instead determined solely by Alteryx and used for Alteryx’s internal business purposes. Alteryx acts in its capacity as a data controller, directly regulated by data protection laws, with respect to all Usage Data, so it is not covered by Alteryx’s processor obligations under our DPA.
Data collected about authorized users as part of initial registration and license utilization is considered a component of Usage Data. This type of Usage Data is required to document and support license fulfillment and reporting (e.g., how many seat licenses have been activated, how many licenses remain open, and whether assigned licenses are being used efficiently). Registration and license fulfillment data also allows Alteryx to ensure that the terms of any license restrictions or caps under the customer agreement are met.
While identifying information is required in certain circumstances (e.g., for security and license compliance purposes), we aggregate and deidentify personal data collected as Usage Data to the extent feasible in using the data for the purposes for which it was collected. We have processes in place to review our internal uses of Usage Data to ensure the privacy and security of our users’ personal data. If the purposes for processing Usage Data can be accomplished using aggregated or deidentified data, we limit the access to and use of personal data to that format.
We analyze Usage Data to help give us insights that may lead to improvements to our products and services, particularly when it comes to improving user experience or correcting errors. This analysis comes from aggregated data since our product improvements do not require identifying individual users or customers. Customer Content is not used for any product improvement purposes since we do not access any raw content uploaded to Alteryx products and services.
Usage Data may be used for the benefit of individual users by helping with personalization of our in-app products and services, or for content and enablement recommendations. For example, users of a particular tool might see training or “next best tool” recommendations related to that tool. However, a user’s preferences and settings, together with any requirements of data protection or marketing regulations, will govern any user outreach.
Alteryx provides customers with various self-service tools to help them understand their Alteryx product usage. For example, Alteryx’s License and Downloads Portal provides detailed customer license usage information. Customers may also consider implementing Customer Managed Telemetry, which allows customers to collect certain Alteryx product usage information from within their environment. To comply with regulatory obligations and its own user policies, Alteryx cannot provide customers with detailed usage information that identifies specific individuals except in those limited circumstances and using customary reports required to substantiate license fulfillment.
We only disclose Usage Data to service providers acting on our behalf under appropriate contractual protections. Where Usage Data includes personal data, all third-party service providers are bound to our DPA and security terms for data processors.
In accordance with applicable data protection law, Alteryx will notify impacted individuals concerning any confirmed breach of their personal data, including personal data collected as Usage Data. Usage Data is not part of Customer Content and is not in scope for Alteryx’s breach notification obligations to customers under our DPA.
Most data protection laws require that data processors provide appropriate technical and organizational measures to adequately address the risks pertaining to the processing of personal data by such processors. In line with Alteryx’s processing of Customer Content while providing its cloud products and support services, we have implemented organizational, physical, technical and operational security measures aligned to standards such as ISO 27001, which are designed to protect the confidentiality, integrity and availability of those systems and data within our control. These technical and organizational measures are described in the Information Security Program Description, incorporated by reference in the Alteryx DPA.
As described in the Information Security Program Description, Alteryx employees and contractors do not access or use Customer Content uploaded to our cloud products as part of their ordinary job duties. There are limited circumstances when customers request support from Alteryx that may require time-restricted access to Customer Content uploaded to Alteryx cloud products. In those circumstances, designated and trained Alteryx personnel may, with the customer’s approval and solely for the purpose of providing support, be given limited, monitored access to processing or storage environments that contain Customer Content.
Alteryx’s DPA and Information Security Program Description specify that we notify customers, without undue delay, when we become aware of a security incident impacting Customer Content. Our dedicated incident response team is tasked with managing the identification and detection of security incidents, providing timely responses, and taking such steps as are necessary for prompt recovery of systems and data. Our incident response practices align with ISO 27035 and NIST 800-61.
Unless prevented by law, we will ask the government authority making the request to direct such requests for customer information to the customer and we will notify the customer of such government request. If we are unable to notify the customer of a government request, we will evaluate on a case-by-case basis whether responding to the request is legally justified and take appropriate action accordingly.
We encrypt Customer Content in transit to and from our products, as well as at rest when the data is stored by us. For data at rest stored on our third-party cloud services (e.g., AWS, GCP), we employ the encryption at rest methods made available by those services, such as AES-256. For encryption in transit, we use TLS 2.0 or above.
You can visit our Trust website here. In addition, our help and documentation site contains specific information concerning the security measures applicable to individual products.