Compliance organizations: ISO-27001, ISO-27017, AICPA SOC 2, California Consumer Privacy Act, GDPR, CBPR Privacy, PRP Privacy, ISO-27018, ISO-27701, FedRAMP, HITRUST CSF

Our compliance programs demonstrate our commitment to safeguarding the confidentiality, integrity, and availability of our clients’ data. We strive to be industry leaders in regulatory requirements and compliance – we achieve this through our SOC 2 Type II platform compliance, in addition to our ISO 27001, 27017, 27018 and 27701 certifications. Our processes and controls are regularly audited by internal and external parties, including clients and independent assessors. In addition, we are compliant with GDPR, CCPA, HIPAA as well as HITRUST, CBPR and PRP certified. We have taken a number of steps to ensure we have control over our clients data:

  • We use data centers in various geographic locations for continuity and regulatory purposes, which are Tier III, SOC 2 and/or ISO 27001 certified

  • Our data centers have common security practices, including closed-circuit video monitoring and 24/7-manned guards, and require the use of biometric access controls to our locked cages

Medallia’s products that are a dedicated implementation in Medallia’s GovCloud environment for its Public Sector customers are FedRAMP High authorized. We meet all of the FISMA High requirements for federal government agencies. Our US Federal client’s programs are deployed in Medallia GovCloud that is FedRAMP High authorized. Medallia GovCloud deployment is on AWS GovCloud that is FedRAMP High authorized infrastructure.

Important: This document does not cover the security controls covered and products that are FedRAMP High approved for the Medallia GovCloud environment. Medallia FedRAMP High Package documents are required to be requested by submitting the FedRAMP Package Access Request form from marketplace.

Data Protection

Medallia provides a number of features to assist clients in complying with applicable data protection laws, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA). Visit Medallia’s Data Protection website for more on our enterprise-grade controls to ensure data privacy, security and accuracy across your CX programs.

If you have any questions or comments about Medallia’s Privacy Policy or the practices of Medallia, if you would like to issue a complaint, or if you have an unresolved privacy and data use concern, we’d like to hear from you. Medallia responds to privacy-related requests in a timely fashion and pursuant to applicable law. To make a privacy-related request or to contact our Data Protection Officer, please contact us through the form found here, by phone at +1 866 562 1834, or by mail at the following address:

Medallia, Inc.

575 Market Street, Suite 1850

San Francisco, CA 94105

Attn: Data Protection Officer


The GDPR requires companies to be accountable for how they use, manage and maintain the personal data of their customers and employees. As described below, Medallia provides our clients with enterprise-grade controls to manage, govern access and ensure the security of personal data housed in Medallia Experience Cloud.


As stated in our privacy notice, Medallia does not sell or rent our client’s data, so many provisions of the CCPA will not apply to client use of Medallia. However, the CCPA does require that Medallia customers delete, export or modify the personal information of a consumer upon request. As described below, Medallia provides our clients the features they need to address these requests.

Full service data management

Medallia Experience Cloud automates GDPR and CCPA compliant deletion of customer or employee data for customers who receive requests from individual customers. Medallia’s reporting application also provides flexible options for data export and modification that comply with GDPR, CCPA, and other applicable laws.

Compliance reporting

Medallia provides reports to substantiate data deletion compliance. Our aim is to automate and ease the burden of compliance with applicable data protection laws like GDPR and CCPA, assuring our clients’ legal and compliance departments that we’re a safe place to store data.

Data retention

Medallia purges personal data from internal processing systems to minimize the data we retain per GDPR Article 5. Our reporting system retains customer data until our clients request deletion or end their relationship with Medallia Experience Cloud.

Data processing agreement (DPA)

Medallia offers a data processing agreement that ensures compliance with applicable global data protection laws. This agreement includes the European Commission’s standard contractual clauses and includes updates to address GDPR, Schrems II, and CCPA.

Risk Management

As a leader in the Experience Management space, our security program is also leading the way. Our Medallia Experience Cloud platform has been designed and is maintained to stay compliant with industry recognized standards, such as ISO 27001, 27017, 27018, and 27701 as well as SOC 2 Type II, and HIPAA. This is an important differentiator, as our platform itself, including our entire security program, has gone through the audit process by a third party to ensure we are meeting all of the stringent requirements posed by these regulations and standards. We can provide summaries of our certifications and reports upon request.

Information Security Management System

Medallia has developed a formal, documented Information Security Management System (ISMS) Policy and associated standards and procedures. These documents guide the development and operation of our platform, from assessing the risks we face, through developing and operating a secure system in accordance with industry best practices, to deploying updates to improve the capabilities and security of our solution.

Medallia has implemented all applicable security controls based on the International Organization of Standards ISO/IEC 27001:2013, ISO 27017:2015, and ISO 27018:2014. This approach relies on the establishment of an ISMS to manage security within a defined scope.

The objective of the ISMS is to protect and maintain the confidentiality, integrity and availability of Medallia’s Highly Confidential, Confidential, Internal and Public Information. Our ISMS has been designed to meet or exceed applicable federal, state, international security-related regulations and contractual obligations.

Risk Assessment

We perform an annual comprehensive risk assessment to evaluate the effectiveness of our security controls. As part of this process, we identify changes to assets, processes or regulatory/compliance requirements; review the adequacy of existing policies and procedures; analyze assets, threats and vulnerabilities; assess physical protection of computing and network equipment; review configuration and usage of servers, firewalls, and external network connections; categorize risks according to likelihood and severity; formulate treatment measures; and communicate results and treatment measures to appropriate stakeholders and management.

Sub-processors (subcontractors)

To support the delivery of software and professional services, Medallia, Inc. (or one of our subsidiaries) may use data processors with access to certain customer data. Medallia also relies on trusted partners to help configure and provide other services on our platform. These vendors have been evaluated by our security team's vendor risk management program, and we have signed appropriate security and subprocessing agreements with them. These partners may access your data from the country where their offices are located, but their access is provided using systems, procedures, and security controls that are equivalent to the systems, procedures and controls used by Medallia's employees in the U.S.

Note: Contact your Medallia Expert to provide provide important information about the identity, location and role of each Subprocessor.