Trust at Medallia

The experience you provide your customers never stops, and neither do we. As the market leader in Customer Experience Management (CEM), we are trusted by the world’s most revered companies to handle their data. We know how important data security is to our customers—many of whom operate in highly regulated industries like finance, healthcare, and energy—and we maintain industry-leading security practices to protect that data. Here’s an overview of how we have built security at Medallia.


Secure Data Centers

While we are a SaaS company, we own and maintain the infrastructure where our customers’ data is stored. We use Tier III, SSAE-16 and ISO 27001 certified data centers. Our data centers are located in various geographic locations for continuity and regulatory purposes. Entry to our data centers is monitored by closed-circuit video monitoring and 24/7 manned guards, and requires the use of biometric access controls.

Proactive Security

We believe in taking a proactive stance on securing our systems and applications. We follow industry best practices to harden all of our systems.

When it comes to our application, our developers follow industry best practices during development, including OWASP Top 10 and relevant technology specific guidelines to secure our application. Our code is tested rigorously prior to promotion to production.

Data Security

We realize the importance of the data you send us – which is why we provide our clients with complete control over what data is sent to us. In addition, our application supports TLS to encrypt all communications between the client and our servers. And, our security architecture ensures segregation of customer data.

Continuous Monitoring

We employ both internal and external services to perform continuous scanning and monitoring of our network and application to ensure that we remain secure. We also conduct regular vulnerability scans, risk assessments and penetration testing.


Configurable Security

We understand the importance of securing your data and that you have concerns about the data that is sent to us. As such, we provide you with completely customizable settings, such as granular role-based access, password complexity controls and IP whitelisting capability to better protect your data.

Access Control

Medallia follows a robust role-based access control methodology to only allow users with a “need to know” access to data. Access to production systems within Medallia is governed by access rights, authenticated by username/password and Public/private key infrastructure (PKI). Our application is configurable to leverage SAML 2.0 for SSO, with capabilities for granular access privileges.


We understand the importance of regulatory requirements and compliance. As such, Medallia’s processes and controls are regularly audited by internal and external parties, including clients and independent assessors. Medallia has successfully undergone a SOC 2 audit and a HIPAA assessment. Medallia uses approved Standard Contractual Clauses for the transfer of data collected in the European Economic Area and Switzerland to the United States, and is available to enter into Standard Contractual Clauses with clients that transfer such data to Medallia.




In order to report an incident, security issue, or concern, please send an email to to contact the Medallia security team