Last Updated: April 28, 2025
Medallia, Inc., as well as its subsidiaries Fields Marketing Research, Inc., Medallia Holdings, LLC, MonkeyLearn Inc., Sense360, Inc., StellaService Inc., VHT Holdco, LLC, Virtual Hold Technology Solutions, LLC, Voci Technologies Incorporated, and Zingle, Inc. (collectively “Medallia,” "we," "us," or "our"), complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (collectively, the “Frameworks”), as set forth by the U.S. Department of Commerce.
Medallia is committed to adhering to the Data Privacy Framework Principles with respect to personal data received from the European Union, the United Kingdom, and Switzerland in reliance on the respective DPFs. This commitment is enforceable under U.S. law by the Federal Trade Commission (FTC).
If there is any conflict between the terms of this Data Privacy Framework Notice and the Data Privacy Framework Principles, the Principles shall govern.
To learn more about the Data Privacy Framework program, and to view our certification, please visit the U.S. Department of Commerce’s Data Privacy Framework website at https://www.dataprivacyframework.gov/s/.
This Data Privacy Framework Notice supplements Medallia’s main Privacy Policy and should be read in conjunction with it. It specifically addresses the processing of personal data transferred from the EU, the UK, and Switzerland to the U.S. under the DPF.
This Notice applies to personal data of individuals in the European Union, the United Kingdom, and Switzerland that Medallia receives and processes in the United States under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. This includes:
Medallia provides a software-as-a-service platform and related online services to its customers, which are collectively called the Medallia Experience Cloud. Medallia processes personal data under the DPF in various capacities:
As a data controller:
As a data processor: Medallia processes personal data of individuals in the EEA, the United Kingdom, and Switzerland on behalf of clients utilizing the Medallia Experience Cloud (“Covered Customer Data”). Clients determine the types of personal data processed within the platform, which may include data pertaining to their own customers and employees. Medallia processes Covered Customer Data strictly in accordance with the instructions of its clients.
For Covered Business Contacts: We collect and use the personal data of Covered Business Contacts for legitimate business purposes, including:
For Covered Customer Data: We process Covered Customer Data solely for the purpose of providing the Medallia Experience Cloud platform and services to our clients, as specified in our agreements with them.
Medallia may disclose personal data covered by this Notice to the following types of third parties, in compliance with the DPF Principles.
Service Providers: We may transfer personal data to third-party service providers who perform services on our behalf, such as hosting providers, customer support platforms, marketing service providers, and our channel partners, such as distributors and resellers. These third parties are contractually bound to process the personal data only for the limited and specified purposes for which they were engaged and to provide the same level of privacy protection as required by the DPF Principles. Medallia remains liable under the DPF Principles if our agent processes personal data in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.
As Required by Law: Medallia may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
We do not sell or rent personal data covered by this Notice to third parties for their own marketing purposes.
Medallia maintains reasonable and appropriate technical and organizational measures to protect personal data covered by this Notice from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data.
We collect and process personal data covered by this Notice only for the purposes for which it was collected or subsequently authorized. We take reasonable steps to ensure that the personal data we process is relevant, accurate, complete, and current for its intended use. We retain personal data in an identifiable form only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law.
Individuals whose personal data is covered by this Notice have the right to access their personal data held by Medallia and to request that inaccurate data be corrected, amended, or deleted where processed in violation of the DPF Principles.
Individuals also have the right to opt out of:
To exercise these rights, or if you have other inquiries about your personal data covered by this Notice, please contact us using the contact information provided in our main Privacy Policy. We will respond to your request within a reasonable timeframe and in accordance with the DPF Principles.
In compliance with the Data Privacy Framework Principles, Medallia commits to resolve complaints about our collection or use of your personal data transferred to the United States pursuant to the DPF. Individuals in the European Union, the United Kingdom, and Switzerland with inquiries or complaints regarding this Data Privacy Framework Notice should first contact Medallia through the contact methods provided in our main Privacy Policy.
Medallia has further committed to cooperate with the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved DPF Principles-related complaints concerning data transferred from the EU, the UK, and Switzerland. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, you may contact the relevant EU DPA, the UK ICO, or the Swiss FDPIC for more information or to file a complaint. Contact details for the EU DPAs can be found at https://ec.europa.eu/newsroom/article29/items/612080, contact details for the UK ICO can be found at https://ico.org.uk/global/contact-us/, and contact details for the Swiss FDPIC can be found at https://www.edoeb.admin.ch/en/. These recourse services are provided at no cost to you.
Under certain limited conditions, as more fully described on the Data Privacy Framework website, you may be entitled to invoke binding arbitration before the DPF Panel to address complaints that have not been resolved by other recourse and enforcement mechanisms.
Medallia is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
We may update this Data Privacy Framework Notice from time to time to reflect changes in our practices or applicable DPF requirements. The "Effective Date" at the top of this Notice indicates when it was most recently revised. We encourage you to periodically review this Notice for the latest information on our DPF practices.
This Data Privacy Framework Notice should be read together with the main Medallia Privacy Policy. The Privacy Policy contains additional information about our data processing activities, the types of data collected, how we use and share data, your rights regarding your personal data, and how to contact us. In the event of any conflict between this Data Privacy Framework Notice and the main Privacy Policy regarding personal data processed under the DPF, this Data Privacy Framework Notice shall prevail.