Trust & security at Dataiku
Integrated Management System Policy
Dataiku is committed to delivering reliable, secure, and high-quality products and services, incorporating privacy-by-design principles and the responsible use of AI, that our customers and stakeholders can trust.
We operate and maintain an Integrated Management System (IMS) that unifies quality, information security, privacy, and responsible AI practices. We monitor legal and regulatory requirements, engage stakeholders, and assess risks and AI impacts to ensure responsible platform development and operations.
We protect information assets and personal data, maintain robust cybersecurity controls, and manage AI risks throughout the lifecycle with appropriate human oversight. Our approach prioritizes fairness, transparency, safety, and accountability.
Top management provides leadership, direction, and resources to ensure these commitments are integrated into business processes, communicated internally and externally where appropriate, and understood across the organization. We are committed to continually improving our IMS to sustain trust, regulatory alignment, and long-term stakeholder value.
Endorsed by: Senior Management
Security
The most critical business assets of Dataiku are the information it collects, produces, transmits, processes and stores, particularly when this information is entrusted to Dataiku by our customers. Protecting this information to ensure security and availability while reducing associated risks and related impacts from incidents is prioritized by Dataiku. Dataiku has designed, implemented, and is actively maintaining an information security program to accomplish this objective.
We deliver Dataiku’s platform via two methods:
Self-Managed (Custom / Cloud Stacks)
Dataiku’s software is installed in our clients’ cloud environment or in our clients’ internal IT environment. Under this delivery method, Dataiku as a company does not process or store our clients’ data by default. Without explicit consent and action from our client, Dataiku personnel will not have access to our client’s data.
For more information regarding the Dataiku platform, please refer to https://doc.dataiku.com/dss/latest/.
For information on Dataiku security at the application level, please refer to https://doc.dataiku.com/dss/latest/security/index.html.
Dataiku Cloud (SaaS Offering)
Dataiku Cloud is Dataiku’s fully managed Software-as-a-Service solution, available as a multi-tenant or a single-tenant solution. In this case, Dataiku will be providing a managed service, and specified controls are implemented to ensure the security of the platform hosting client data. Unless access is required for regular maintenance, Dataiku will not access client data without explicit consent.
Dataiku also leverages existing security controls within the cloud provider infrastructure to provide services to our customers.
For more information regarding Dataiku Cloud, please refer to the Dataiku Cloud Risk and Security Practices.
Certifications & Memberships
Dataiku implements best practices and industry standards to achieve compliance with numerous leading information security certifications and authorizations. View our technical and regulatory certifications below.
ISO 27001
Dataiku is ISO 27001:2022 certified, demonstrating that Dataiku has implemented and maintained an Information Security Management System (ISMS). The ISMS is the international gold standard of technical and administrative information security requirements involved in an organization’s risk management process. Download a copy of our certification here.
ISO 27701
Dataiku is ISO 27701:2019 (data processor & data controller) certified, demonstrating that Dataiku has implemented and maintained a Privacy Information Management System (PIMS) for its data processing activities.
ISO 9001
Dataiku is ISO 9001:2015 certified, demonstrating Dataiku’s commitment to delivering high-quality products and services and to meeting the needs of customers and applicable statutory and regulatory requirements. Download a copy of our certification here.
SOC 1 and SOC 2
Dataiku has completed SOC 1 Type II and SOC 2 Type II assessments to assure our customers that internal controls are in place to protect their data. These reports contain our auditor’s evaluation of the design, implementation, and operating effectiveness of Dataiku’s internal controls, based on the Internal Control over Financial Reporting (ICFR) framework or the AICPA Trust Services Principles and Criteria, respectively. Please reach out to your account representative to request a copy of our SOC 1 or SOC 2 Type II report.
HIPAA
To support the compliance programs of our Healthcare / Life Sciences customers, Dataiku has voluntarily extended its Trust program to include a HIPAA (Health Insurance Portability and Accountability Act) compliance report. Our auditors provided their opinion on whether the information security program implemented to support Dataiku Cloud conformed to the applicable implementation specifications within the HIPAA Security Rule and the HITECH breach notification requirements, as described in 45 CFR Part 164. Please reach out to your account representative for a copy of our latest HIPAA compliance report.
GxP
Dataiku is a GxP-compliant supplier with a number of healthcare and pharmaceutical clients. Dataiku is able to demonstrate to our clients that it meets industry-leading quality and security practices and adheres to our clients’ Quality Management Systems (QMS).
To ensure Dataiku stays up to date with current security best practices, Dataiku and its personnel are also members of the following international organizations.
Information Systems Audit and Control Association (ISACA)
Dataiku information security personnel hold numerous ISACA certifications and are active members of the ISACA community. Our personnel actively participate in knowledge sharing to advance the information security field.
International Information System Security Certification Consortium (ISC2)
Dataiku information security personnel hold numerous ISC2 certifications and are active members of the ISC2 community.
Accessibility
Digital Accessibility means making digital content and services understandable and usable by persons with disabilities. This accessibility statement applies to the Dataiku DSS software.
Dataiku is committed to making our product and services available to everyone. We undergo regular accessibility assessments and incorporate accessibility concerns when prioritizing and designing new features and functionalities, including features that enable users to work with data. Some of our team members have received specialized training.
Our commitment to accessibility is guided by the Web Content Accessibility Guidelines (WCAG) as well as the French Accessibility Guidelines (RGAA). A self-assessment against WCAG 2.2 Level AA, EN 301 549 V3.1.1 and V3.2.1 (international norm equivalent to the French RGAA), and Revised Section 508 was conducted on December 10, 2024, for Dataiku DSS 13. The detailed results are documented in Dataiku's Accessibility Conformance Report (VPAT 2.5, International Edition), available upon request. The Dataiku platform is currently partially compliant with WCAG 2.2 Level AA. At this time, Dataiku has not conducted a conformity audit in accordance with the French RGAA because it does not apply to us.
Dataiku DSS is a web application and benefits from web browser accessibility capabilities. We offer keyboard shortcuts and explanatory overlays to ensure ease of navigation without a mouse. We strive to ensure reasonable contrast between text and background colors, making content legible for users with visual impairments. We avoid time-based functionality and complex gestures. The interface includes descriptive alt text for images and properly labeled interface elements in order to ensure a good level of compatibility with screen reader software (screen reader software is a third-party product, and users are responsible for obtaining their own license for screen reader software).
Privacy Program Overview
Dataiku has a privacy team, led by the Legal & Compliance team and consisting of legal, compliance, IT security, IT, engineering, and operations personnel, that governs and monitors the effectiveness of our privacy program. Privacy risks are evaluated regularly as part of Dataiku’s annual risk assessment exercise. Identified risks are addressed on a risk-based basis, communicated, and tracked internally with the relevant teams within Dataiku. Our Privacy Policy describes how Dataiku handles privacy within our company and our product. Our privacy team can be reached at [email protected].
Any breach of personal data processed by Dataiku is handled through the internal incident management process, in which an internal incident response team coordinates the response to the incident and engages subject matter experts as needed.
Dataiku also conducts mandatory data handling training during onboarding and annually as part of its compliance training program, to educate employees on handling procedures for personal data. Personal data, if captured, is securely stored according to industry-standard practices and is retained only for as long as necessary and as required by legal and regulatory requirements.
Dataiku is compliant with global data protection regulations, such as the GDPR and the CCPA.
Self-Managed (On-Premise / Cloud Stacks)
Dataiku clients can deploy the Dataiku platform on-premises or within their cloud tenant. Dataiku does not store, process, or access client content data with this deployment method. Clients decide the content data ingested into the Dataiku platform and can correct or delete the data as desired to serve the intended business needs.
Dataiku Cloud (SaaS Offering)
For Dataiku Cloud, Dataiku is a data processor. The Data Processing Addendum (“DPA”) is available for our customers’ reference for the protection and compliance procedures that Dataiku provides as required by applicable data privacy laws.
Our customers can choose the region where their content data is stored and decide what type of data should be ingested into Dataiku Cloud. The content data can be accessed, modified, and deleted anytime to serve the intended business needs.
Additionally, Dataiku Cloud provides multiple layers of security to protect our customers’ data, including controls already provided by AWS and additional controls performed by Dataiku. For more information regarding these controls, please refer to the Dataiku Cloud Risk and Security Practices.
Resources
Dataiku Master License Agreement (on-prem)
Dataiku Data Processing Addendum (SaaS)