Worldwide

GDPR and HIPAA – All NVivo products are compliant with both the General Data Protection Regulations (GDPR) and the Health Insurance Portability and Accountability Act 1996 (HIPAA).

ISO/IEC 27001:2013 – QSR International is in the process of becoming aligned to this international standard for information security management.

Americas

California Consumer Privacy Act 2018 (CCPA) – With similar requirements to GDPR, this Act places regulations on the selling of consumer information including consumer financial information.

FERPA – QSR International is compliant with the Family Educational Rights and Privacy Act of 1974 (FERPA), which applies to all schools that receive funds under an applicable program of the U.S. Department of Education. This legislation primarily deals with the security of educational records and the protection of student privacy, and all schools that fall under it must only deal with entities that adhere to the data security and privacy requirements of FERPA.

Canada

The Canadian government requires data sovereignty, which means that any data relating to the Canadian government or any of its citizens must reside on servers within Canada. QSR International has addressed this requirement by using a data centre in Canada.

APAC

Australian Privacy Act 1988 (Cth) – QSR International is compliant with the Australian Privacy Act 1988 (Cth), which now includes the Notifiable Data Breaches (NDB) scheme. The NDB scheme establishes the requirements for entities responding to data breaches, specifically the notification obligations that apply when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2016) – QSR is compliant with this Act, which is Japan’s foremost data protection law. This legislation applies to all business operators that handle the personal data of individuals in Japan.