Trust is paramount for successful business partnerships. That’s why ThoughtSpot is committed to making security, privacy, and compliance its top priority.
Set your own policies on users and roles, security features, and searchable
ThoughtSpot Cloud’s architecture is designed from the ground up for maximum data security.
ThoughtSpot is compliant with industry-standard regulations and performs regular risk assessments.
Rest easy knowing that our procedures, processes, and data centers keep your data secure at all times.
Safe customer data management policies that are compliant with data privacy regulations.
Our policies and legal terms set standards for our commitments to data security and privacy.
ThoughtSpot Cloud features controls to enforce your data governance policies and access rules.
Connect to the data warehouses of your choice to run live queries without moving your data.
Select only relevant source data tables and columns to make available for analysis.
Assign users, roles, and privileges with differentiated access and available actions.
Allocate user privileges to share content, with the ability to revoke access to previously shared content as needed.
Set granular object-, column-, and row-level security rules to control what users are permitted to see.
Data no longer needed on an updated pinboard or answer is proactively deleted.
The safety of your data is our top priority.
Fully isolated tenants to prevent data leakage and provide protection against unauthorized access.
Multiple services monitor, detect, and protect against common attack vectors.
Comprehensive support for data encryption at rest and in transit, leveraging AES 256-bit encryption and keys unique to each customer.
ThoughtSpot Cloud runs on the industry’s most secure cloud infrastructure in AWS.
Your data remains stored in the data warehouse of your choice, and queries are performed live, in-database. No data movement required.
Granular object-, table-, column-, and row-level access rules control what users are permitted to see. Privileges determine what actions users can perform.
ThoughtSpot supports multi-factor authentication and LDAP, and integrates with various identity providers via SAML.
You have access to user login and activity logs that are secured and monitored for anomalies.
Access privileges of ThoughtSpot employees are based on job requirements using the principle of least privilege access and are revoked upon termination of employment. Entitlements are reviewed semi-annually.
Infrastructure access includes appropriate user account and authorization controls, which require the use of secure VPN connections, two-factor authentication, complex passwords, and account lock-out rules.
ThoughtSpot is here to support you however you need. You control the level of access you want to provide to our support team, as well as the way in which you would like to engage us.
All data along with the tenant instance is deleted upon termination or expiration of the agreement or order form.
The ISO/IEC 27001:2013 certification specifies security management best practices and controls for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. It ensures that our ISMS is fine-tuned to keep pace with changes to security threats, essential in the fast-paced world of IT security. ThoughtSpot submits to a re-certification audit every third year, inclusive of an annual surveillance audit. ThoughtSpot’s certificate can be found here.
ThoughtSpot has successfully completed the Service Organization Control (SOC) 2 Type II audit. The SOC 2 report verifies the suitability of the design and operating effectiveness of ThoughtSpot’s information security practices, policies, procedures, and operations to meet the standards for security, availability, and confidentiality.
A public-facing SOC 3 report demonstrating that ThoughtSpot has met the AICPA Trust Services Security, Availability, Processing Integrity, and Confidentiality Principles and Criteria is available here.
ThoughtSpot is compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and ensures access to confidential data is limited and patient information is protected. A ThoughtSpot Business Associate Addendum is available to execute as needed. To understand how the security controls available within ThoughtSpot Analytics Cloud address the security and privacy requirements of HIPAA, please read the Security Infrastructure and HIPAA White Paper.
ThoughtSpot does not itself store or process any cardholder information and does not qualify as a processor, merchant, or service provider as described under the Payment Card Industry Data Security Standard (PCI DSS). While ThoughtSpot does not come under the scope of PCI DSS, our existing security program already addresses many of its concerns. As we evolve our security program and processes, we will continue to assess the benefits of obtaining compliance. As ThoughtSpot configurations and usage are your responsibility, PCI DSS (and security and privacy overall) is a shared responsibility between ThoughtSpot and you.
ThoughtSpot performs information security risk assessments as part of a risk governance program that regularly tests, assesses and evaluates the effectiveness of the security program. Such assessments recognize and assess the impact of risks and implement risk reduction or mitigation strategies to address new and evolving security technologies, changes to industry standard practices, and changing security threats. This risk program is audited annually by an independent third party.
ThoughtSpot conducts quarterly security risk evaluations to assess threats to information assets, determine potential vulnerabilities, and provide remediation. Software patches are regularly deployed to customer instances to address known vulnerabilities.
When software vulnerabilities are revealed and addressed by a vendor patch, ThoughtSpot will obtain the patch from the applicable vendor and apply it within an appropriate time frame in accordance with ThoughtSpot’s then-current vulnerability management and security patch management standard operating procedure and only after it is tested and determined to be safe for installation in all production systems.
The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). ThoughtSpot has completed the CSA’s Consensus Assessments Initiative Questionnaire (CAIQ), which is available for download here and will be updated periodically.
Vulnerabilities or other security concerns can be emailed to [email protected] with the phrase “Security Vulnerability” in the subject line.
To help us respond to your report effectively and efficiently, please include any supporting material along with clear, concise steps to reproduce the issue, so that we can understand the nature and severity of the vulnerability.
ThoughtSpot is committed to being responsive and keeping you informed of our progress as we investigate and remediate your reported security concern. We will promptly acknowledge receipt of your report, and outline the next steps in the process. When the initial investigation is complete, results will be delivered to you along with a plan for resolution.
Please note that ThoughtSpot does not allow any attempts to actively penetrate, attack, or audit our infrastructure, whether by automated or manual means.
ThoughtSpot’s procedures, processes, and data centers keep your data secure at all times.
ThoughtSpot’s modern cloud data centers are designed for scale and elasticity,
ThoughtSpot secures its buildings and workspaces from unauthorized access to protect ThoughtSpot personnel, assets, and data. All ThoughtSpot employees, as well as contractors and third-parties, with a legitimate business need to physically access any ThoughtSpot facilities must comply with the security requirements to ensure maximum security.
ThoughtSpot’s data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area and there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Critical system components are backed up across multiple, isolated locations and are engineered to operate independently with high reliability. Highly resilient systems deliver the highest levels of service availability, and in the event of an outage, enable customers to achieve extremely short recovery time and recovery point objectives.
Service usage is continuously monitored to support our availability commitments and requirements, and measured at least monthly against a capacity planning model. This model supports planning of future demands and includes considerations such as information processing, telecommunications, and audit log storage.
ThoughtSpot employees are properly vetted and trained to ensure compliance with security and privacy controls
All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege and are reviewed.
ThoughtSpot conducts background checks on all employees in accordance with relevant laws and regulations, and proportional to the business requirements, the sensitivity of the information to be accessed, and the perceived risks in accordance with ThoughtSpot’s Background Check Policy.
ThoughtSpot provides security training to help employees avoid creating undue risks. Employees must complete information security training within a reasonable time after initial hire and quarterly thereafter. ThoughtSpot retains attendance records and copies of security training materials to ensure proper completion of the training before any employee is granted access to systems.
ThoughtSpot is vigilant about the security and privacy of your data
All data flowing across the global network that interconnects our data centers and regions is automatically encrypted before it leaves our secured facilities. AWS provides tools that let ThoughtSpot easily encrypt your data in transit and at rest to ensure that only authorized users can access it. Encryption keys are managed by AWS Key Management Service (KMS) or CloudHSM using FIPS 140-2 Level 3 validated HSMs.
ThoughtSpot can give you the control and visibility you need to comply with regional and local data privacy laws and regulations. The design of the AWS global infrastructure allows you to retain complete control over the regions in which your data is physically located, helping you meet data residency requirements.
Row-level security (RLS) allows you to restrict a group’s access down to the table row. Once a rule is defined, as a group member searches, views an answer, or otherwise works with data, ThoughtSpot evaluates the user’s access against the rules and prevents the display of the restricted data. As a result, users see only the data they are permitted to see.
ThoughtSpot maintains secure application development policies and procedures aligned with industry-standard practices such as the OWASP Top Ten. All personnel responsible for secure application design and development receive appropriate training regarding ThoughtSpot’s secure application development practices. ThoughtSpot performs a combination of static and dynamic testing and code analysis and addresses any high priority vulnerabilities prior to each release.
ThoughtSpot is fully compliant with the European Union’s General Data Protection Regulation (GDPR). ThoughtSpot’s data processing addendum incorporates EU-approved transfer mechanisms, namely the European Commission’s standard contractual clauses. Customers can rely on these protections to transfer EU personal data using our services. More information on GDPR can be found here. A list of the sub-processors authorized to process personal data for each of the relevant ThoughtSpot SaaS applications can be found here.
Although ThoughtSpot does not rely on the EU-US Privacy Shield as a legal basis for transfers of personal data in light of the judgment of the Court of Justice of the EU in Case C-311/18, ThoughtSpot remains committed to the principles of security and privacy contained within the Privacy Shield and continues to self-certify to the Privacy Shield requirements. ThoughtSpot’s continued adherence to the Privacy Shield can be found at the Privacy Shield website and in the ThoughtSpot Privacy Shield Policy.
ThoughtSpot maintains a privacy statement describing the collection, use, and disclosure of Personal Information obtained through the ThoughtSpot websites; in connection with your purchase and use of our products and related support and professional services; and in connection with events hosted by us where we collect information from registrants and attendees.
ThoughtSpot uses both session-based and persistent cookies. Session-based cookies exist only during your web session and expire when you close your internet browser. Persistent cookies stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period specified by the cookie.
In accordance with the decision by the Court of Justice of the European Union (C-311/18, also known as "Schrems II"), on July 16, 2020, we ceased relying on our EU-U.S. and Swiss-U.S. Privacy Shield certifications as a legal basis for international data transfers from the EEA or Switzerland to the U.S. We will continue to adhere to the EU-US and Swiss-US Privacy Shield principles for all personal information transferred to the US in reliance on such certifications prior to July 16, 2020.
ThoughtSpot uses Standard Contractual Clauses as its mechanism to transfer personal data subject to EU law from and to its customers and sub-processors. Consistent with the ruling in Schrems II and related guidance from EU supervisory authorities, ThoughtSpot couples its use of Standard Contractual Clauses with various technical and organizational safeguards as appropriate to particular transfers. More information on ThoughtSpot’s response to the Schrems II ruling can be found here.
ThoughtSpot does not sell your data, and does not mine or access your data for advertising purposes. ThoughtSpot also contractually commits that ThoughtSpot employees and authorized, verified contractors will only have access to customer data on a need-to-know basis.
ThoughtSpot’s company policies and legal terms set standards for its commitments to data security and privacy.
ThoughtSpot is committed to protecting the privacy of others, including with regard to its use of browser cookies.
This policy describes the information we collect by automated means through the use of information gathering tools on ThoughtSpot’s website.
ThoughtSpot’s obligations to subscribers and licensees are included on this page.
For customers making data available to ThoughtSpot under GDPR, the DPA may be countersigned to impose additional commitments on ThoughtSpot.
ThoughtSpot is committed to acting ethically, responsibly, and fighting forced labor.
ThoughtSpot complies with the attribution requirements of third-party licenses.