ThoughtSpot constantly monitors the global privacy landscape and adapts our privacy program accordingly. We recognize the importance of remaining compliant with the General Data Protection Regulation (“GDPR”) and are committed to helping you comply with the GDPR.
The GDPR is a comprehensive data protection law that regulates the use of personal data of EU residents and provides individuals rights to exercise control over their data.
The GDPR does not apply only to European companies; it extends to any organization worldwide that targets or offers services or products to EU residents.
ThoughtSpot customers and their data only come within the purview of GDPR when ThoughtSpot processes personal data, which is defined rather broadly. “Processing” includes the collection, storage, transfer, or use of personal data.
No. GDPR does not require any data localization or data residency. Simply put, any EU personal data you transfer out of the EU must have the same level of protection it gets under GDPR. This can be achieved through a number of legal frameworks, which ThoughtSpot abides by for the transfers.
Yes, ThoughtSpot engages sub-processors pursuant to a data transfer agreement for the provision of ThoughtSpot SaaS applications after thorough review and approval. A list of those authorized sub-processors can be found here.
Yes. ThoughtSpot constantly evaluates and revises the implemented security and privacy programs to ensure that ThoughtSpot and its customers remain compliant with GDPR with the use of ThoughtSpot Cloud.
The Data Processing Addendum (“DPA”) is an agreement that sets out the legal framework under which ThoughtSpot processes Personal Data. The DPA is an addendum to the ThoughtSpot Cloud Subscription Agreement between ThoughtSpot and our customer, and forms part of the customer agreement.
The DPA is specific to ThoughtSpot’s multi-tenant services and covers the specific processes and procedures related to the way in which the services and infrastructure work. The DPA is also drafted to be consistent with the customer agreement and other relevant documentation.
A copy of the Data Processing Addendum can be found here, or you may ask your ThoughtSpot Account Executive for more information.
The GDPR requires companies to be transparent and accountable for their use of personal data, and to be able to demonstrate this to both regulators and the individuals concerned. There is no requirement for personal data to stay in the EU, but transfers outside of the European Economic Area are restricted, meaning that unless the European Commission has assessed the country’s privacy regime and declared it to be “adequate”, the data must be further protected by contract, or other EU-approved means. For any transfers to non-adequate countries, ThoughtSpot’s data processing addendum incorporates such EU-approved means, namely the European Commission’s standard contractual clauses. Customers can rely on these protections to transfer EU personal data using our services.