ThoughtSpot® Data Privacy Framework Policy


Effective as of September 1, 2023

ThoughtSpot, Inc. and its U.S. subsidiary, Mode Analytics, Inc. (collectively “ThoughtSpot”, “our”, “we”, or “us”) is committed to, and complies with, the EU‑U.S. Data Privacy Framework, the U.K. extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively the “Framework”) set forth by the United States Department of Commerce with respect to the collection, use, and retention of Personal Data transferred from the European Economic Area (“EEA”), the U.K., and Switzerland to the United States, respectively, as further described in the Scope section below. This Data Privacy Framework Policy (“Policy”) outlines our commitment to the Data Privacy Framework Principles (the “Principles”) and our practices for implementing the Principles. ThoughtSpot has certified to the Department of Commerce that it adheres to the Principles. If there is any conflict between the terms in this Policy and the Principles, the Principles shall govern to the extent of the conflict. ThoughtSpot’s Framework certification can be found here. To learn more about the Framework, please visit the Department of Commerce’s dedicated Framework website, located here.

Scope

We comply with the Principles with respect to the Personal Data we receive from our Customers or their Authorized Users in the EEA, the U.K., and Switzerland in connection with: (i) use of ThoughtSpot applications downloaded to Mobile Applications; (ii) use of ThoughtSpot’s hosted software applications (the “ThoughtSpot Cloud” and the “Mode platform”); and (iii) provisioning related support services (the “Support Services”) and consulting services (including activation services, training and certification) (the “Consulting Services”) to our Customers.

Definitions

Capitalized terms not defined in this Policy shall have the same meanings as set forth in the ThoughtSpot Privacy Statement (“Privacy Statement”).

Notice - Types of Personal Data Collected

The types of Personal Data we may receive in the United States, as well as the purposes for which we collect and use it, are set out in the Privacy Statement.

Third Party Transfers/Disclosures

Information about the types of third parties to which we disclose Personal Data, the purposes for which we do so, and the transfer mechanisms implemented are described in the Privacy Statement.

If we have received your Personal Data in the United States and subsequently transfer that information to a third party acting as an agent, we will comply with the Accountability for Onward Transfer Principle, including ensuring that such agents have written agreements requiring them to provide at least the same level of protection as required by the Principles and/or applicable law. If such a third-party agent processes your Personal Data in a manner inconsistent with the Principles, we will remain liable unless we can prove we are not responsible for the event giving rise to the damage.

Security

Considering the type of Personal Data and risks involved in the processing, we will take reasonable and appropriate safeguards to help protect Personal Data from accidental or unlawful destruction, loss, alteration, and unauthorized access or disclosure.

Data Integrity and Purpose Limitation

Any Personal Data we receive will be used for the purposes indicated in our Privacy Statement or as otherwise provided in a notice to you. We will not process Personal Data in a way that is incompatible with these purposes unless subsequently authorized by you.

We take reasonable steps to: (i) limit the collection and use of Personal Data to that which is relevant for the purposes for which it was collected, and (ii) ensure that such Personal Data is reliable, accurate, complete, and current.

We will retain your Personal Data in an identifiable form only for the period necessary to fulfill the purposes outlined in the Privacy Statement unless a longer retention period is required or permitted by law or by the Principles. We will adhere to the Principles for as long as we retain the Personal Data collected under the Framework.

Right of Access

EEA, U.K., and Swiss residents have rights to access their Personal Data and request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Framework. If you would like to exercise these rights, contact us at [email protected] or use the contact details below. We may request specific information from you to confirm your identity and we will respond to your request in accordance with the Principles and applicable data protection laws.

You may also opt out of receiving marketing communications from us by clicking on the “unsubscribe” or “opt-out” link in the marketing emails we send you or by using the contact details below.

Your Choices

We will give you an opportunity to opt out where Personal Data we control about you is to be disclosed to an independent third party or is to be used for a purpose that is materially different from those set out in the Privacy Statement or subsequently provided to or authorized by you. If you otherwise wish to limit the use or disclosure of your Personal Data, please contact us using the details set out below.

Requirement to Disclose

In certain situations, we may be required to disclose Personal Data that we process under the Framework in response to lawful requests by public authorities, including to meet national security, to enforce contractual obligations, or to meet law enforcement requirements.

How to Contact ThoughtSpot

EEA, U.K., or Swiss individuals who have any questions or complaints about this Policy or our privacy practices should first email us at [email protected], call us at (800) 508-7008, or write to us at:

ThoughtSpot, Inc.
Attn: General Counsel
444 Castro Street Suite 1000
Mountain View, CA 94041

We will investigate and attempt to resolve any Framework-related complaints or disputes within forty-five (45) days of receipt.

Dispute Resolution

If your complaint cannot be resolved through our internal processes, we will cooperate with JAMS pursuant to the JAMS International Mediation Rules, available on the JAMS website at https://www.jamsadr.com/eu-us-privacy-shield. JAMS mediation may be commenced as provided for in the relevant JAMS rules. The mediator may propose any appropriate remedy, such as deletion of the relevant Personal Data, publicity for findings of non‑compliance, payment of compensation for losses incurred as a result of non‑compliance, or cessation of processing of Personal Data of the Customer or Authorized User who brought the complaint. The mediator, or the Customer or Authorized User, also may refer the matter to the U.S. Federal Trade Commission, which has Framework investigatory and enforcement powers over us. Under certain circumstances, Customers and Authorized Users may be able to invoke binding arbitration to address complaints about our compliance with the Principles.

The Federal Trade Commission (“FTC”) has jurisdiction over our compliance with the Framework. We will respond to inquiries and requests by the FTC for information relating to the Framework. We remain liable if we fail to meet our obligations under the Framework and are responsible for the event giving rise to damage.

Changes to This Policy

This Policy may be changed from time to time, consistent with the requirements of the Principles. You can determine when this Policy was last revised by referring to the “Effective as of” date at the top of this page.