GDPR Compliance

ThoughtSpot constantly monitors the global privacy landscape and adapts our privacy program accordingly. We recognize the importance of remaining compliant with the General Data Protection Regulation (“GDPR”) and are committed to helping you comply with the GDPR.

Frequently asked questions

What is GDPR?

The GDPR is a comprehensive data protection law that regulates the use of personal data of EU residents and provides individuals rights to exercise control over their data.

Who must comply with GDPR?

The GDPR does not only apply to European companies, it extends to any organization worldwide that targets or offers services or products to EU residents.

Does GDPR impact ThoughtSpot Customers?

ThoughtSpot customers and their data only come within the purview of GDPR when ThoughtSpot processes personal data, which is defined rather broadly. “Processing” includes the collection, storage, transfer, or use, of personal data.

Does GDPR require information to stay or be stored within the EU?

No. GDPR does not require any data localization or data residency for data. Simply put, any EU personal data you transfer out of the EU, must have the same level of protection it gets under GDPR. This can be achieved through a number of legal frameworks, which ThoughtSpot abides by for the transfers.

Does ThoughtSpot utilize sub-processors to process personal data for the provision of ThoughtSpot SaaS applications?

Yes, ThoughtSpot engages sub-processors pursuant to a data transfer agreement for the provision of ThoughtSpot SaaS applications after thorough review and approval. A list of those authorized sub-processors can be found here.

Is ThoughtSpot GDPR compliant?

Yes. ThoughtSpot constantly evaluates and revises the implemented security and privacy programs to ensure that ThoughtSpot and its customers remain compliant with GDPR with the use of ThoughtSpot Cloud.

Data Processing Addendum

The Data Processing Addendum (“DPA”) is an agreement that sets out the legal framework under which ThoughtSpot processes Personal Data. The DPA is an addendum to the ThoughtSpot Cloud Subscription Agreement between ThoughtSpot and our customer, and forms part of the customer agreement.

The DPA is specific to ThoughtSpot’s multi-tenant services and covers the specific processes and procedures related to the way in which the services and infrastructure work. The DPA is also drafted to be consistent with the customer agreement and other relevant documentation.

A copy of the Data Processing Addendum can be found here or you may ask your ThoughtSpot Account Executive for more information.

The GDPR requires companies to be transparent and accountable for their use of personal data, and to be able to demonstrate this to both regulators and the individuals concerned. There is no requirement for personal data to stay in the EU, but transfers outside of the European Economic Area are restricted, meaning that unless the European Commission has assessed the country’s privacy regime and declared it to be “adequate”, the data must be further protected by contract, or other EU-approved means. For any transfers to non-adequate countries, ThoughtSpot’s data processing addendum incorporates such EU-approved means, namely the European Commission’s standard contractual clauses. Customers can rely on these protections to transfer EU personal data using our services.