ThoughtSpot Trust Center

Trust is paramount for successful business partnerships. That’s why ThoughtSpot is committed to making security, privacy, and compliance its top priority.


Customer control

Set your own policies on users and roles, security features, and searchable data sets.

Maximum security architecture

ThoughtSpot Cloud’s architecture is designed from the ground up for maximum data security.

Privacy & compliance

Safe customer data management policies that are compliant with data privacy regulations.

Corporate security

Rest easy knowing that our procedures, processes, and data centers keep your data secure at all times.

Governance & reporting

ThoughtSpot performs regular risk assessments and operates a responsible disclosure program.

Policies & terms

Our policies and legal terms set standards for our commitments to data security and privacy.

Customer control

ThoughtSpot Cloud features controls to enforce your data governance policies and access rules.

Data connectivity

Connect to the data warehouses of your choice to run live queries without moving your data.

Data selection

Select only relevant source data tables and columns to make available for analysis.

Privileges

Assign users, roles and privileges with differentiated access and available actions.

Content sharing

Allocate user privileges to share content, with ability to revoke access to previously shared content as needed.

Data security rules

Set granular object, column, row-level security rules to control what users are permitted to see.

Data removal

Data no longer needed on an updated pinboard or answer is proactively deleted.


Maximum security architecture

The safety of your data is our top priority.

Tenant isolation

Fully isolated tenants to prevent data leakage and provide protection against unauthorized access.

Zero trust policies

Multiple services monitor, detect, and protect against common attack vectors.

Data encryption

Comprehensive support for data encryption at rest and in transit, leveraging AES 256-bit encryption and keys unique to each customer.

AWS cloud infrastructure

ThoughtSpot Cloud runs on the industry’s most secure cloud infrastructure in AWS.

Analytics at the source

Your data remains stored in the data warehouse of your choice, and queries are performed live, in-database. No data movement required.

Data governance

Granular object, table, column, row-level access rules control what users are permitted to see. Privileges determine what actions users can perform.

Authentication

ThoughtSpot supports multi-factor authentication, LDAP, and integrates with various identity providers via SAML.

Activity audit logs

You have access to user login and activity logs that are secured and monitored for anomalies.

Admin access

Access privileges of ThoughtSpot employees are based on job requirements using the principle of least privilege access and are revoked upon termination of employment. Entitlements are reviewed semi-annually.

Infrastructure access

Infrastructure access includes appropriate user account and authorization controls, which require the use of secure VPN connections, two-factor authentication, complex passwords, and account lock-out rules.

Support control

ThoughtSpot is here to support you however you need. You control the level of access you want to provide to our support team, as well as the way in which you would like to engage us.

Account termination

All data along with the tenant instance is deleted upon termination or expiration of the agreement or order form.


Privacy & compliance

ThoughtSpot’s customer data management policies are compliant with data privacy regulations.

GDPR compliance

ThoughtSpot is fully compliant with the European Union’s General Data Protection Regulation (GDPR). ThoughtSpot’s data processing addendum incorporates EU-approved transfer mechanisms, namely the European Commission’s standard contractual clauses. Customers can rely on these protections to transfer EU personal data using our services. More information on GDPR can be found here. A list of the sub-processors authorized to process personal data for each of the relevant ThoughtSpot SaaS applications can be found here.

Privacy Shield & international data transfers

ThoughtSpot is certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and complies with data protection requirements regarding transferring of personal data between the European Union and Switzerland to the United States.

HIPAA compliance

ThoughtSpot is HIPAA compliant and ensures access to confidential data is limited and patient information is protected. A ThoughtSpot Business Associate Addendum is available to execute as needed.

Privacy statement

ThoughtSpot maintains a privacy statement governing the collection, use, and disclosure of Personal Information obtained through the ThoughtSpot websites; in connection with your purchase and use of our products and related support and professional services; and in connection with events hosted by us where we collect information from registrants and attendees.

Cookies policy

ThoughtSpot uses both session-based and persistent cookies. Session-based cookies exist only during your web session and expire when you close your internet browser. Persistent cookies stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period specified by the cookie.

We don’t sell your data

ThoughtSpot does not sell your data, and does not mine or access your data for advertising purposes. ThoughtSpot also contractually commits that ThoughtSpot employees and authorized, verified contractors will only have access to customer data on a need-to-know basis.

Payment Card Industry Data Security Standards

ThoughtSpot does not itself store or process any cardholder information and does not qualify as a processor, merchant, or service provider as described under Payment Card Industry Data Security Standards (PCI DSS). While ThoughtSpot does not come under the scope of PCI-DSS, our existing security program already addresses many of its concerns. As we evolve our security program and processes, we will continue to assess the benefits of obtaining compliance. As ThoughtSpot configurations and usage are your responsibility, PCI-DSS (and security and privacy overall) is a shared responsibility between ThoughtSpot and you.


Corporate security

ThoughtSpot’s procedures, processes, and data centers keep your data secure at all times.

Secure data center

ThoughtSpot’s modern cloud data centers are designed for scale and elasticity, while ensuring your data is protected against unauthorized breaches or data loss.

Maximum security

ThoughtSpot secures its buildings and workspaces from unauthorized access to protect ThoughtSpot personnel, assets, and data. All ThoughtSpot employees, as well as contractors and third parties, with a legitimate business need to physically access any ThoughtSpot facilities must comply with the security requirements to ensure maximum security.

Redundancy

ThoughtSpot’s data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area and there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Availability

Critical system components are backed up across multiple, isolated locations and are engineered to operate independently with high reliability. Highly resilient systems deliver the highest levels of service availability, and in the event of an outage, enable customers to achieve extremely short recovery time and recovery point objectives.

Capacity planning

Service usage is continuously monitored to support our availability commitments and requirements, and measured at least monthly against a capacity planning model. This model supports planning of future demands and includes considerations such as information processing, telecommunications, and audit log storage.

Secure personnel

ThoughtSpot employees are properly vetted and trained to ensure compliance with security and privacy controls.

Access

All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege and are reviewed.

Background checks

ThoughtSpot conducts background checks on all employees in accordance with relevant laws and regulations, and proportional to the business requirements, the sensitivity of the information to be accessed, and the perceived risks in accordance with ThoughtSpot’s Background Check Policy.

Security training

ThoughtSpot provides security training to help employees avoid creating undue risks. Employees must complete information security training within a reasonable time after initial hire and quarterly thereafter. ThoughtSpot retains attendance records and copies of security training materials to ensure proper completion of the training before any employee is granted access to systems.

Security of customer data

ThoughtSpot is vigilant about the security and privacy of your data

Encryption

All data flowing across the global network that interconnects our data centers and regions is automatically encrypted before it leaves our secured facilities. AWS provides tools that let ThoughtSpot easily encrypt your data in transit and at rest to ensure that only authorized users can access it. Encryption keys are managed by AWS Key Management Service (KMS) or CloudHSM using FIPS 140-2 Level 3 validated HSMs.

Data locations

ThoughtSpot can give you the control and visibility you need to comply with regional and local data privacy laws and regulations. The design of the AWS global infrastructure allows you to retain complete control over the regions in which your data is physically located, helping you meet data residency requirements.

Row level security

Row level security (RLS) allows you to restrict a group’s access down to the table row. Once a rule is defined, as a group member searches, views an answer, or otherwise works with data, ThoughtSpot evaluates the user’s access against the rules and prevents the display of the restricted data. As a result, users see only the data they are permitted to see.

Secure software development lifecycle

ThoughtSpot maintains secure application development policies and procedures aligned with industry-standard practices such as the OWASP Top Ten. All personnel responsible for secure application design and development receive appropriate training regarding ThoughtSpot’s secure application development practices. ThoughtSpot performs a combination of static and dynamic testing and code analysis and addresses any high priority vulnerabilities prior to each release.


Governance & reporting

ThoughtSpot performs regular risk assessments and operates a responsible disclosure program.

SSAE 18 SOC 2

ThoughtSpot has successfully completed the Service Organization Control (SOC) 2 Type II audit. The SOC 2 report verifies the suitability of the design and operating effectiveness of ThoughtSpot’s information security practices, policies, procedures, and operations to meet the standards for security, availability, and confidentiality.

Risk management

ThoughtSpot performs information security risk assessments as part of a risk governance program that regularly tests, assesses and evaluates the effectiveness of the security program. Such assessments recognize and assess the impact of risks and implement risk reduction or mitigation strategies to address new and evolving security technologies, changes to industry standard practices, and changing security threats. This risk program is audited annually by an independent third party.

Vulnerability management

ThoughtSpot conducts quarterly security risk evaluations to assess threats to information assets, determine potential vulnerabilities, and provide remediation. Software patches are regularly deployed to customer instances to address known vulnerabilities.

Vendor vulnerability management

When software vulnerabilities are revealed and addressed by a vendor patch, ThoughtSpot will obtain the patch from the applicable vendor and apply it within an appropriate time frame in accordance with ThoughtSpot’s then-current vulnerability management and security patch management standard operating procedure and only after it is tested and determined to be safe for installation in all production systems.

Reporting a vulnerability

Vulnerabilities or other security concerns can be emailed to [email protected] with the phrase “Security Vulnerability” in the subject line.

In order for us to most effectively and efficiently respond to your report, please provide any supporting material, as well as clear, concise steps to reproduce the issue in order to help us understand the nature and severity of the vulnerability.

ThoughtSpot is committed to being responsive and keeping you informed of our progress as we investigate and remediate your reported security concern. We will promptly acknowledge receipt of your report, and outline the next steps in the process. When the initial investigation is complete, results will be delivered to you along with a plan for resolution.

Please note that ThoughtSpot does not allow any attempts to actively penetrate, attack, or audit our infrastructure, whether by automated or manual means.


Policies & terms

ThoughtSpot’s company policies and legal terms set standards for its commitments to data security and privacy.

Privacy statement

ThoughtSpot is committed to protecting the privacy of others, including with regard to its use of browser cookies.

Cookies policy

This policy describes the information we collect by automated means through the use of information gathering tools on ThoughtSpot’s website.

Subscription and license agreements

ThoughtSpot’s obligations to subscribers and licensees are included on this page.

Data processing addendum

For customers making data available to ThoughtSpot under GDPR, the DPA may be countersigned to impose additional commitments on ThoughtSpot.

Commitment against human trafficking and slavery

ThoughtSpot is committed to acting ethically, responsibly, and fighting forced labor.

Third-party software licenses

ThoughtSpot complies with the attribution requirements of third-party licenses.