ThoughtSpot Trust Center

Trust is paramount for successful business partnerships.
That’s why ThoughtSpot is committed to making security, privacy, and compliance its top priority.

ThoughtSpot’s security and compliance reports: Access here


Enterprise-grade AI

Trusted, enterprise-grade AI enables faster, better decision-making.

Customer Control

Set your own policies on users and roles, security features, and searchable data sets.

Corporate Security

Rest easy knowing that our procedures, processes, and data centers keep your data secure at all times.

Privacy & Compliance

Safe and transparent customer data management policies that are aligned with data privacy regulations.

Secure by Design Architecture

ThoughtSpot Cloud’s architecture is designed from the ground up with data security as an integral part of what we do.

Governance & Reporting

ThoughtSpot performs regular risk assessments and operates a responsible disclosure program.

Policies & Terms

Our policies and legal terms set standards for our commitments to data security and privacy.

Customer Control

ThoughtSpot Cloud features controls to enforce your
data governance policies and access rules.

Data Connectivity

Connect to the data warehouses of your choice to run live queries without moving your data.

Data Selection

Select only relevant source data tables and columns to make available for analysis.

Privileges

Assign users, roles and privileges with differentiated access and available actions.

Content Sharing

Allocate user privileges to share content, with the ability to revoke access to previously shared content as needed.

Data Security Rules

Set granular object-, column-, and row-level security rules to control what users are permitted to see.

Data Retention

Data no longer needed on an updated liveboard or answer is proactively deleted.


ThoughtSpot is architected for data security

The safety of your data is our top priority.

Tenant Isolation

Fully isolated tenants to prevent data leakage and provide protection against unauthorized access.

Threat Detection

Multiple services monitor, detect, and protect against common attack vectors.

Data Encryption

Comprehensive support for data encryption at rest and in transit, leveraging AES 256-bit encryption and keys unique to each customer.

Secure Cloud Infrastructure

ThoughtSpot Cloud runs on the industry’s most secure cloud infrastructures.

Analytics at the Source

Your data remains stored in the data warehouse of your choice, and queries are performed live, in-database. No data movement required.

Authentication

ThoughtSpot supports multi-factor authentication and LDAP, and integrates with various identity providers via SAML.

Data Governance

Granular object-, table-, column-, and row-level access rules control what users are permitted to see. Privileges determine what actions users can perform.

Activity Audit Logs

You have access to user login and activity logs that are secured and monitored for anomalies.

Support Control

ThoughtSpot is here to support you however you need. You control the level of access you want to provide to our support team, as well as the way in which you would like to engage us.

Admin Access

Access privileges of ThoughtSpot employees are based on job requirements using the principle of least privilege access and are revoked upon termination of employment. Entitlements are reviewed semi-annually.

Infrastructure Access

Infrastructure access includes appropriate user account and authorization controls, which include the required use of secure VPN connections, two-factor authentication, complex passwords, and account lock-out rules.

Account Termination

All data along with the tenant instance is deleted upon termination or expiration of the agreement or order form.


Privacy & Compliance

Our privacy and data protection program only uses data in ways that are consistent with current data protection laws and your wishes as a customer.

GDPR compliance

The General Data Protection Regulation (“GDPR”) regulates the use and protection of personal data originating from the European Economic Area (“EEA”) and provides individuals rights with regard to their personal data. ThoughtSpot is committed to supporting our customers in their GDPR compliance efforts. See ThoughtSpot’s Data Processing Addendum (“DPA”).

CCPA Compliance

The California Consumer Privacy Act (“CCPA”) creates consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. ThoughtSpot is committed to supporting its customers in their CCPA compliance efforts. The ThoughtSpot DPA addresses both GDPR and CCPA requirements.

ThoughtSpot AI & Privacy

ThoughtSpot’s robust privacy and security commitments, which outline how we protect user data and prioritize privacy, apply equally to our use of AI. ThoughtSpot is committed to preserving our customers' privacy with ThoughtSpot Cloud AI-powered analytics and to supporting our customers’ privacy compliance efforts. See below under “ThoughtSpot Cloud AI Features” for more information on how ThoughtSpot utilizes AI in ThoughtSpot Cloud.

HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulates protecting the privacy and security of health information. ThoughtSpot can support HIPAA-related customer data after a Business Associate Agreement (BAA) has been properly executed with ThoughtSpot. For more information on how ThoughtSpot Cloud provides security controls to meet the requirements of HIPAA, please see the Security Infrastructure and HIPAA Whitepaper.

Data Privacy Framework

For transfers to the United States, ThoughtSpot has self-certified to, and we are participants in, the new Data Privacy Framework (“DPF”). The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were respectively developed by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.

ThoughtSpot’s continued adherence to the DPF can be found at the Data Privacy Framework site and in the Data Privacy Framework Policy.

International Personal Data Transfers

ThoughtSpot continues to use Standard Contractual Clauses (“SCCs”), which remain valid under the Schrems II decision by the European Court of Justice, as a legal mechanism for transferring personal data of its customers from the EEA to applicable jurisdictions. Our DPA includes the new EU Standard Contractual Clauses to support these transfers where applicable.

We also offer ‘Supplementary Measures’ to our customers – these are technical and operational measures (including encryption controls and disclosures regarding government requests for access to data) to provide data protection controls for our EU data transfers.

For more information, see our Transfer Impact Assessment Whitepaper here.

Law Enforcement Guidelines

ThoughtSpot has published guidelines describing our practices for responding to Third-Party Authority Requests. The ThoughtSpot Law Enforcement Guidelines describe our practices and procedures for responding to any Third-Party Authority requests.

Transparency Report

Annually, ThoughtSpot publishes its Transparency Report, which outlines the number of requests from Third-Party Authorities that ThoughtSpot has received for customer data. Up to December 31st, 2023, ThoughtSpot has not received any Third-Party Authority Requests.

Privacy Statement

At ThoughtSpot, we create trust with our customers through transparency. We are committed to providing customers with clear information about the data we handle and how we use it. ThoughtSpot maintains a Privacy Statement detailing the collection, use, and disclosure of Personal Information obtained through the ThoughtSpot websites; in connection with your purchase and use of our products and related support and professional services; and in connection with events hosted by us where we collect information from registrants and attendees.

Cookie Policy

ThoughtSpot uses both session‑based and persistent‑based cookies. Session‑based cookies exist only during your web session and expire when you close your internet browser. Persistent‑based cookies stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period specified by the cookie.

We Don’t Sell Your Data

ThoughtSpot does not sell your data, and does not mine or access your data for advertising purposes. ThoughtSpot also contractually commits that ThoughtSpot employees and authorized, verified contractors will only have access to customer data on a need-to-know basis.


Corporate Security

ThoughtSpot’s procedures, processes, and data
centers keep your data secure at all times.

Secure Data Center

ThoughtSpot’s modern cloud data centers are designed for scale and elasticity, while ensuring your data is protected against unauthorized breaches or data loss

Maximum Security

ThoughtSpot secures its buildings and workspaces from unauthorized access to protect ThoughtSpot personnel, assets, and data. All ThoughtSpot employees, as well as contractors and third-parties, with a legitimate business need to physically access any ThoughtSpot facilities must comply with the security requirements to ensure maximum security.

Redundancy

ThoughtSpot’s data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area and there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Availability

Critical system components are backed up across multiple, isolated locations and are engineered to operate independently with high reliability. Highly resilient systems deliver the highest levels of service availability, and in the event of an outage, enable customers to achieve extremely short recovery time and recovery point objectives.

Capacity Planning

Service usage is continuously monitored to support our availability commitments and requirements, and measured at least monthly against a capacity planning model. This model supports planning of future demands and includes considerations such as information processing, telecommunications, and audit log storage.

Secure Personnel

ThoughtSpot employees are properly vetted and trained to ensure compliance with security and privacy controls

Access

All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege and are reviewed.

Background Checks

ThoughtSpot conducts background checks on all employees in accordance with relevant laws and regulations, and proportional to the business requirements, the sensitivity of the information to be accessed, and the perceived risks in accordance with ThoughtSpot’s Background Check Policy.

Security Training

ThoughtSpot provides security training to help employees avoid creating undue risks. Employees must complete information security training within a reasonable time after initial hire and quarterly thereafter. ThoughtSpot retains attendance records and copies of security training materials to ensure proper completion of the training before any employee is granted access to systems.

Security of Customer Data

ThoughtSpot is vigilant about the security and privacy of your data

Encryption

All data flowing across the global network that interconnects our data centers and regions is automatically encrypted before it leaves our secured facilities. Your data is encrypted in transit and at rest to ensure that only authorized users can access it.

Data Locations

ThoughtSpot can give you the control and visibility you need to comply with regional and local data privacy laws and regulations. The design of the global infrastructure allows you to retain complete control over the regions in which your data is physically located, helping you meet data residency requirements.

Row Level Security

Row level security (RLS) allows you to restrict a group’s access down to the table row. Once a rule is defined, as a group member searches, views an answer, or otherwise works with data, ThoughtSpot evaluates the user’s access against the rules and prevents the display of the restricted data. As a result, users see only the data they are permitted to see.

Secure Software Development Lifecycle

ThoughtSpot maintains secure application development policies and procedures aligned with industry-standard practices such as the OWASP Top Ten. All personnel responsible for secure application design and development receive appropriate training regarding ThoughtSpot’s secure application development practices. ThoughtSpot performs a combination of static and dynamic testing and code analysis and addresses any high priority vulnerabilities prior to each release.


Governance & Reporting

ThoughtSpot performs regular risk assessments and operates a responsible disclosure program

SSAE 18 SOC 2

ThoughtSpot has successfully completed the Service Organization Control (SOC) 2 Type II audit. The SOC 2 report verifies the suitability of the design and operating effectiveness of ThoughtSpot’s information security practices, policies, procedures, and operations to meet the standards for security, availability, and confidentiality.

Risk Management

ThoughtSpot performs information security risk assessments as part of a risk governance program that regularly tests, assesses and evaluates the effectiveness of the security program. Such assessments recognize and assess the impact of risks and implement risk reduction or mitigation strategies to address new and evolving security technologies, changes to industry standard practices, and changing security threats. This risk program is audited annually by an independent third party.

Vulnerability Management

When software vulnerabilities are revealed and addressed by a vendor patch, ThoughtSpot will obtain the patch from the applicable vendor and apply it within an appropriate time frame in accordance with ThoughtSpot’s then-current vulnerability management and security patch management standard operating procedure and only after it is tested and determined to be safe for installation in all production systems.


ThoughtSpot Cloud AI Features

ThoughtSpot delivers AI-driven insights using the power of large language models (“LLMs”) that work on your business data, all while maintaining enterprise-level security, compliance, and privacy. ThoughtSpot utilizes leading LLMs from providers as disclosed on ThoughtSpot’s Sub-processors page.

Your results are verifiable

With ThoughtSpot Cloud, users can be assured that AI responses are grounded in their data. Advanced human-in-the-loop feedback ensures that your users are at the center of every interaction and they get the most relevant answers.

You manage how AI is used in ThoughtSpot Cloud

You enable AI features in ThoughtSpot Cloud as desired, using granular permissions and controls ensuring AI is used the way you want.

Your data is not used for training provider LLMs

Customer data is not and will not be used for training of provider LLMs.

Your data is not retained by provider LLMs

ThoughtSpot Cloud uses modified content and abuse monitoring, which means data is not logged, nor is it used for abuse monitoring or content filtering. This means provider LLMs will not store associated prompts or responses.

See FAQs below for additional information.

What Is ThoughtSpot AI-powered analytics?

ThoughtSpot AI-powered analytics takes search-driven analytics to the next level with natural language and generative AI. ThoughtSpot, together with LLMs, combines the ease of natural language with the accuracy of our patented search and the governance your business demands. Users can ask business questions in natural language to easily search for existing content across your analytics catalog, create new charts and visualizations, get AI-generated answers, get AI-powered search recommendations, and more.

What Data is Sent to the LLMs?

When using AI features, minimal data is sent as part of user queries. The following data may be sent as part of prompts:

  • Query Text/Prompt.

  • Column Names.

  • Column Descriptions.

  • Sample Data Values (three sample values for each text attribute column).


Policies & Terms

ThoughtSpot’s company policies and legal terms set
standards for its commitments to data security and privacy

Privacy Statement

ThoughtSpot is committed to protecting the privacy of others, including with regard to its use of browser cookies.

Cookies Policy

This policy describes the information we collect by automated means through the use of information gathering tools on ThoughtSpot’s website.

Subscription and License Agreements

ThoughtSpot’s obligations to subscribers and licensees are included on this page.

Data Processing Addendum

For customers making data available to ThoughtSpot under GDPR, the DPA may be countersigned to impose additional commitments on ThoughtSpot.

Commitment Against Human Trafficking and Slavery

ThoughtSpot is committed to acting ethically, responsibly, and fighting forced labor.