Alteryx Privacy

Frequently Asked Questions

 

Alteryx’s Data Processing Agreement (“DPA”)

 
What does the Alteryx DPA cover?

Alteryx’s DPA applies to the extent Alteryx acts as a data processor on behalf of a customer. When customers upload Customer Content (e.g., inputs, workflows, outputs) to use with any of our cloud products, or when a customer provides our customer support team with information such as log files, our DPA applies. Our DPA is automatically incorporated into our cloud terms and support description without any additional action required by a customer. DPA terms are found at smartling.alteryx.com/dpa.

 
What is Customer Content?

“Customer Content” is the term used in our DPA to mean any data or information that a customer uploads, connects to, or imports into Alteryx products, including internal data sets or other sources not supplied by Alteryx, together with any workflows, recipes, insights, or other materials created by a customer using Alteryx products, along with log-in credentials for accessing or linking to third party data sources while using Alteryx products. Customer Content also includes logs uploaded by the customer as part of a support request and any raw data provided or made accessible to Alteryx or its sub-processors in providing professional services that a customer purchases. Customer Content does not include Usage Data.

 
Do we need a DPA if we only use on-premises software?

For on-premises software, such as Alteryx Designer, customers don’t upload Customer Content to Alteryx systems, but instead, they work within their own environment to store and use their data. However, Alteryx still provides support services to users of on-premises software, and customers may provide log files as part of a support ticket to help us troubleshoot an issue. To the extent these log files contain personal data (normally just identifiers associated with the user submitting the ticket), our DPA applies.

 
Does Alteryx’s DPA apply to Customer Content that does not include personal data?

DPA obligations stem from data protection laws, like California’s CCPA and the EU’s GDPR, and are intended to apply solely to personal data. However, as part of Alteryx’s business model and product design, Alteryx can’t see what data is included in the Customer Content uploaded by customers to use with our cloud products, so we can’t determine what data, if any, is personal data. As a result, Alteryx assumes that Customer Content may contain personal data and treats all Customer Content in accordance with our DPA.

 
What happens now that the UK has left the EU? Does Alteryx apply different rules regarding privacy?

Since leaving the European Union, the United Kingdom has adopted its own privacy mechanisms, which we have accounted for in our privacy practices, including in our DPA. To the extent applicable, we incorporate the United Kingdom’s International Data Transfer Addendum in our standard DPA. We are also registered with the UK’s data protection authority, the Information Commissioner’s Office (ICO), with respect to our data practices within the United Kingdom.

 
Why does our data need to be transferred to the US?

Alteryx stores Customer Content (for both hosted products and to provide customer support) with our third-party cloud service providers (e.g., AWS, GCP). Our systems are currently designed to access Customer Content from these service providers in the United States. However, we offer a variety of options that allow you to store Customer Content in your environment and location of your choosing. These options include our on-premises products as well as our Private Data Handling options for our cloud products.

 
Can we choose the locations from which Alteryx provides us support?

Alteryx uses a “follow the sun” support model so that we can provide subject matter experts globally, wherever and whenever needed by our customers. We cannot redirect or otherwise limit support locations on a customer-by-customer basis, as that would significantly impede our ability to support other customers at scale in a timely manner.

 

Usage Data, Metadata, Telemetry

 
What is Usage Data and is it covered by Alteryx’s DPA?

Usage Data includes data about how individual users interact with our products and services. It does not include any uploaded Customer Content or the analyses and insights or any outputs customers derive from Customer Content when using our products. In other words, Usage Data focuses on how our products are used, not the raw data uploaded for use with our products. Usage Data is not processed for or on behalf of a customer but is instead determined solely by Alteryx and used for Alteryx’s internal business purposes. Alteryx acts in its capacity as a data controller, directly regulated by data protection laws, with respect to all Usage Data, so it is not covered by Alteryx’s processor obligations under our DPA.

 
Is user registration information part of Usage Data?

Data collected about authorized users as part of initial registration and license utilization is considered a component of Usage Data. This type of Usage Data is required to document and support license fulfillment and reporting (e.g., how many seat licenses have been activated, how many licenses remain open, and whether assigned licenses are being used efficiently). Registration and license fulfillment data also allows Alteryx to ensure that the terms of any license restrictions or caps under the customer agreement are met.

 
To what extent do you aggregate and deidentify the personal data that Alteryx collects?

While identifying information is required in certain circumstances (e.g., for security and license compliance purposes), we aggregate and deidentify personal data collected as Usage Data to the extent feasible in using the data for the purposes for which it was collected. We have processes in place to review our internal uses of Usage Data to ensure the privacy and security of our users’ personal data. If the purposes for processing Usage Data can be accomplished using aggregated or deidentified data, we limit the access to and use of personal data to that format.

 
Is Usage Data used for general product/service improvement? Does this include personal data or Customer Content?

We analyze Usage Data to help give us insights that may lead to improvements to our products and services, particularly when it comes to improving user experience or correcting errors. This analysis comes from aggregated data since our product improvements do not require identifying individual users or customers. Customer Content is not used for any product improvement purposes since we do not access any raw content uploaded to Alteryx products and services.

 
Is Usage Data used to contact individual users?

Usage Data may be used for the benefit of individual users by helping with personalization of our in-app products and services, or for content and enablement recommendations. For example, users of a particular tool might see training or “next best tool” recommendations related to that tool. However, a user’s preferences and settings, together with any requirements of data protection or marketing regulations, will govern any user outreach.

 
How does Alteryx’s Privacy Policy apply?

Any personal data that Alteryx collects from individuals, including users of our products, sites, and services, is collected and used subject to our privacy policy. This policy outlines how and from what sources personal data may be collected, how such data is used, and with whom it may be shared. The policy also specifies the means by which individuals may exercise rights pertaining to their data.

 
Can customers collect or access any Alteryx Usage Data?

Alteryx provides customers with various self-service tools to help them understand their Alteryx product usage. For example, Alteryx’s License and Downloads Portal provides detailed customer license usage information. Customers may also consider implementing Customer Managed Telemetry, which allows customers to collect certain Alteryx product usage information from within their environment. To comply with regulatory obligations and its own user policies, Alteryx cannot provide customers with detailed usage information that identifies specific individuals except in those limited circumstances and using customary reports required to substantiate license fulfillment.

 
Does Alteryx disclose Usage Data to third parties?

We only disclose Usage Data to service providers acting on our behalf under appropriate contractual protections. Where Usage Data includes personal data, all third-party service providers are bound to our DPA and security terms for data processors.

 
Will customers be notified of data breaches related to Usage Data?

In accordance with applicable data protection law, Alteryx will notify impacted individuals concerning any confirmed breach of their personal data, including personal data collected as Usage Data. Usage Data is not part of Customer Content and is not in scope for Alteryx’s breach notification obligations to customers under our DPA.

 

Alteryx’s Information Security Obligations

 
What is the document linked in the DPA entitled “Information Security Program Description”?

Most data protection laws require that data processors provide appropriate technical and organizational measures to adequately address the risks pertaining to the processing of personal data by such processors. In line with Alteryx’s processing of Customer Content while providing its cloud products and support services, we have implemented organizational, physical, technical and operational security measures aligned to standards such as ISO 27001, which are designed to protect the confidentiality, integrity and availability of those systems and data within our control. These technical and organizational measures are described in the Information Security Program Description, incorporated by reference in the Alteryx DPA.

 
What access do Alteryx employees and contractors have to Customer Content?

As described in the Information Security Program Description, Alteryx employees and contractors do not access or use Customer Content uploaded to our cloud products as part of their ordinary job duties. There are limited circumstances when customers request support from Alteryx that may require time-restricted access to Customer Content uploaded to Alteryx cloud products. In those circumstances, designated and trained Alteryx personnel may, with the customer’s approval and solely for the purpose of providing support, be given limited, monitored access to processing or storage environments that contain Customer Content.

 
Does Alteryx notify customers in the event of a data breach?

Alteryx’s DPA and Information Security Program Description specify that we notify customers, without undue delay, when we become aware of a security incident impacting Customer Content. Our dedicated incident response team is tasked with managing the identification and detection of security incidents, providing timely responses, and taking such steps as are necessary for prompt recovery of systems and data. Our incident response practices align with ISO 27035 and NIST 800-61.

 
How do we respond to government requests for customer data?

Unless prevented by law, we will ask the government authority making the request to direct such requests for customer information to the customer, and we will notify the customer of such government request. If we are unable to notify the customer of a government request, we will evaluate on a case-by-case basis whether responding to the request is legally justified and take appropriate action accordingly.

 
How does Alteryx encrypt Customer Content?

We encrypt Customer Content in transit to and from our products, as well as at rest when the data is stored by us. For data at rest stored on our third-party cloud services (e.g., AWS, GCP), we employ the encryption at rest methods made available by those services, such as AES-256. For encryption in transit, we use TLS 2.0 or above.

 
Where can I find out more information about Alteryx security practices?

You can visit our Trust website here. In addition, our help and documentation site contains specific information concerning the security measures applicable to individual products.