Trust is paramount for successful business partnerships. That’s why ThoughtSpot is committed to making security, privacy, and compliance its top priority.
Set your own policies on users and roles, security features, and searchable data sets.
Maximum security architecture
ThoughtSpot Cloud’s architecture is designed from the ground up for maximum data security.
Privacy & compliance
Safe customer data management policies that are compliant with data privacy regulations.
Rest easy knowing that our procedures, processes, and data centers keep your data secure at all times.
Governance & reporting
ThoughtSpot performs regular risk assessments and operates a responsible disclosure program.
Policies & terms
Our policies and legal terms set standards for our commitments to data security and privacy.
ThoughtSpot Cloud features controls to enforce your data governance policies and access rules.
Connect to the data warehouses of your choice to run live queries without moving your data.
Select only relevant source data tables and columns to make available for analysis.
Assign users, roles and privileges with differentiated access and available actions.
Allocate user privileges to share content, with ability to revoke access to previously shared content as needed.
Data security rules
Set granular object, column, row-level security rules to control what users are permitted to see.
Data no longer needed on an updated pinboard or answer is proactively deleted.
Maximum security architecture
The safety of your data is our top priority.
Fully isolated tenants to prevent data leakage and provide protection against unauthorized access.
Zero trust policies
Multiple services monitor, detect, and protect against common attack vectors.
Comprehensive support for data encryption at rest and in transit, leveraging AES 256-bit encryption and keys unique to each customer.
AWS cloud infrastructure
ThoughtSpot Cloud runs on the industry’s most secure cloud infrastructure in AWS.
Analytics at the source
Your data remains stored in the data warehouse of your choice, and queries are performed live, in-database. No data movement required.
Granular object, table, column, row-level access rules control what users are permitted to see. Privileges determine what actions users can perform.
ThoughtSpot supports multi-factor authentication and LDAP, and integrates with various identity providers via SAML.
Activity audit logs
You have access to user login and activity logs that are secured and monitored for anomalies.
Access privileges of ThoughtSpot employees are based on job requirements using the principle of least privilege access and are revoked upon termination of employment. Entitlements are reviewed semi-annually.
Infrastructure access is subject to user account and authorization controls, which require secure VPN connections, two-factor authentication, complex passwords, and account lock-out rules.
ThoughtSpot is here to support you however you need. You control the level of access you want to provide to our support team, as well as the way in which you would like to engage us.
All data along with the tenant instance is deleted upon termination or expiration of the agreement or order form.
Privacy & compliance
ThoughtSpot’s customer data management policies are compliant with data privacy regulations.
ThoughtSpot is fully compliant with the European Union’s General Data Protection Regulation (GDPR). ThoughtSpot’s data processing addendum incorporates EU-approved transfer mechanisms, namely the European Commission’s standard contractual clauses. Customers can rely on these protections to transfer EU personal data using our services. More information on GDPR can be found here. A list of the sub-processors authorized to process personal data for each of the relevant ThoughtSpot SaaS applications can be found here.
Privacy Shield & international data transfers
ThoughtSpot is certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and complies with data protection requirements for transferring personal data from the European Union and Switzerland to the United States. The EU-U.S. Privacy Shield was invalidated as a transfer mechanism by the Court of Justice of the European Union in July 2020 (Schrems II); since then, the standard contractual clauses incorporated in ThoughtSpot’s data processing addendum, rather than Privacy Shield certification, are the transfer mechanism an EU data exporter should rely on.
ThoughtSpot is HIPAA compliant and ensures access to confidential data is limited and patient information is protected. A ThoughtSpot Business Associate Addendum is available to execute as needed.
ThoughtSpot maintains a privacy statement governing the collection, use, and disclosure of Personal Information obtained through the ThoughtSpot websites; in connection with your purchase and use of our products and related support and professional services; and in connection with events hosted by us where we collect information from registrants and attendees.
ThoughtSpot uses both session‑based and persistent‑based cookies. Session‑based cookies exist only during your web session and expire when you close your internet browser. Persistent‑based cookies stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period specified by the cookie.
We don’t sell your data
ThoughtSpot does not sell your data, and does not mine or access your data for advertising purposes. ThoughtSpot also contractually commits that ThoughtSpot employees and authorized, verified contractors will only have access to customer data on a need-to-know basis.
Payment Card Industry Data Security Standards
ThoughtSpot does not itself store or process any cardholder information and does not qualify as a processor, merchant, or service provider as described under Payment Card Industry Data Security Standards (PCI DSS). While ThoughtSpot does not come under the scope of PCI-DSS, our existing security program already addresses many of its concerns. As we evolve our security program and processes, we will continue to assess the benefits of obtaining compliance. As ThoughtSpot configurations and usage are your responsibility, PCI-DSS (and security and privacy overall) is a shared responsibility between ThoughtSpot and you.
ThoughtSpot’s procedures, processes, and data centers keep your data secure at all times.
Secure data center
ThoughtSpot’s modern cloud data centers are designed for scale and elasticity, while ensuring your data is protected against unauthorized access and data loss.
ThoughtSpot secures its buildings and workspaces from unauthorized access to protect ThoughtSpot personnel, assets, and data. All ThoughtSpot employees, as well as contractors and third-parties, with a legitimate business need to physically access any ThoughtSpot facilities must comply with the security requirements to ensure maximum security.
ThoughtSpot’s data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area and there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Critical system components are backed up across multiple, isolated locations and are engineered to operate independently with high reliability. Highly resilient systems deliver the highest levels of service availability, and in the event of an outage, enable customers to achieve extremely short recovery time and recovery point objectives.
Service usage is continuously monitored to support our availability commitments and requirements, and measured at least monthly against a capacity planning model. This model supports planning of future demands and includes considerations such as information processing, telecommunications, and audit log storage.
ThoughtSpot employees are properly vetted and trained to ensure compliance with security and privacy controls.
All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege and are reviewed.
ThoughtSpot conducts background checks on all employees in accordance with relevant laws and regulations, and proportional to the business requirements, the sensitivity of the information to be accessed, and the perceived risks in accordance with ThoughtSpot’s Background Check Policy.
ThoughtSpot provides security training to help employees avoid creating undue risks. Employees must complete information security training within a reasonable time after initial hire and quarterly thereafter. ThoughtSpot retains attendance records and copies of security training materials to ensure proper completion of the training before any employee is granted access to systems.
Security of customer data
ThoughtSpot is vigilant about the security and privacy of your data
All data flowing across the global network that interconnects our data centers and regions is automatically encrypted before it leaves our secured facilities. AWS provides tools that let ThoughtSpot easily encrypt your data in transit and at rest to ensure that only authorized users can access it. Encryption keys are managed by AWS Key Management Service (KMS) or CloudHSM using FIPS 140-2 Level 3 validated HSMs.
ThoughtSpot can give you the control and visibility you need to comply with regional and local data privacy laws and regulations. The design of the AWS global infrastructure allows you to retain complete control over the regions in which your data is physically located, helping you meet data residency requirements.
Row level security
Row level security (RLS) allows you to restrict a group’s access down to the table row. Once a rule is defined, as a group member searches, views an answer, or otherwise works with data, ThoughtSpot evaluates the user’s access against the rules and prevents the display of the restricted data. As a result, users see only the data they are permitted to see.
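The object-, column- and row-level rules described here (and under Data security rules earlier on the page) compose into one filter that has to be applied inside the query, before any aggregation; otherwise a user who cannot see a row could still see its contribution to a total. The following Python is an added example written for this page, not ThoughtSpot’s code or its rule engine. The sales table, the groups and the grants are constructed for illustration, and its semantics are this example’s own assumptions: grants union across a user’s groups, access is denied by default when no grant exists, and a row filter may key on a column the user is not allowed to see.

```python
"""Toy object/column/row-level security evaluator (added illustration, not ThoughtSpot code)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, Iterable, List, Optional, Set

Row = Dict[str, Any]


@dataclass(frozen=True)
class Grant:
    """One group's access to one table (object level).

    columns=None means every column is visible to the group; row_filter=None means
    every row is. Both defaults are assumptions of this example, not ThoughtSpot's.
    """
    group: str
    table: str
    columns: Optional[FrozenSet[str]] = None
    row_filter: Optional[Callable[[Row], bool]] = None


class Policy:
    def __init__(self, grants: Iterable[Grant]) -> None:
        self.grants: List[Grant] = list(grants)

    def _applicable(self, user_groups: Iterable[str], table: str) -> List[Grant]:
        groups = set(user_groups)
        return [g for g in self.grants if g.table == table and g.group in groups]

    def can_access(self, user_groups: Iterable[str], table: str) -> bool:
        """Object level: deny by default, the table is invisible without a grant."""
        return bool(self._applicable(user_groups, table))

    def visible_columns(self, user_groups: Iterable[str], table: str,
                        all_columns: Iterable[str]) -> Set[str]:
        # Column level: union of what any of the user's groups is granted.
        cols: Set[str] = set()
        for g in self._applicable(user_groups, table):
            cols |= set(all_columns) if g.columns is None else set(g.columns) & set(all_columns)
        return cols

    def row_visible(self, user_groups: Iterable[str], table: str, row: Row) -> bool:
        # Row level: a row is visible if ANY applicable grant admits it.
        # The filter reads the full row, so it can key on a column the user never sees.
        return any(g.row_filter is None or g.row_filter(row)
                   for g in self._applicable(user_groups, table))

    def query(self, user_groups: Iterable[str], table: str, rows: Iterable[Row]) -> List[Row]:
        """Rows and columns the user may see; raises PermissionError with no object grant."""
        groups = set(user_groups)
        if not self.can_access(groups, table):
            raise PermissionError(f"no object-level grant on {table!r} for groups {sorted(groups)}")
        rows = list(rows)
        all_columns = {c for r in rows for c in r}
        cols = self.visible_columns(groups, table, all_columns)
        return [{c: v for c, v in r.items() if c in cols}
                for r in rows if self.row_visible(groups, table, r)]

    def total(self, user_groups: Iterable[str], table: str, rows: Iterable[Row], column: str) -> float:
        """Aggregate AFTER filtering, so hidden rows never leak through a sum."""
        visible = self.query(user_groups, table, rows)
        if visible and column not in visible[0]:
            raise PermissionError(f"column {column!r} is not visible to this user")
        return sum(r[column] for r in visible)


# Constructed sample data: an order table with a PII column and a regional key.
SALES: List[Row] = [
    {"order_id": 1, "region": "EMEA", "amount": 1200, "customer_email": "a@example.com"},
    {"order_id": 2, "region": "APAC", "amount": 800, "customer_email": "b@example.com"},
    {"order_id": 3, "region": "EMEA", "amount": 450, "customer_email": "c@example.com"},
    {"order_id": 4, "region": "AMER", "amount": 2000, "customer_email": "d@example.com"},
]

# Hypothetical groups and grants for the example.
POLICY = Policy([
    Grant("finance", "sales"),                                  # all rows, all columns
    Grant("emea-sales", "sales",
          columns=frozenset({"order_id", "amount"}),           # no PII and no region column...
          row_filter=lambda r: r["region"] == "EMEA"),         # ...yet rows are still keyed on region
    Grant("apac-sales", "sales",
          columns=frozenset({"order_id", "amount"}),
          row_filter=lambda r: r["region"] == "APAC"),
])

if __name__ == "__main__":
    for groups in ({"finance"}, {"emea-sales"}, {"emea-sales", "apac-sales"}, {"marketing"}):
        try:
            rows = POLICY.query(groups, "sales", SALES)
            print(sorted(groups), "->", len(rows), "rows, total",
                  POLICY.total(groups, "sales", SALES, "amount"))
        except PermissionError as e:
            print(sorted(groups), "->", e)
```

The point to check in any real deployment is the one `total` makes explicit: the row filter must sit between the data source and every aggregate, search result and cached answer, not only in the rendering layer. A filter applied only when rows are displayed still leaks through sums, counts and drill-downs, and a user in several groups must receive the union of their grants rather than the rules of whichever group happened to be evaluated first.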
Secure software development lifecycle
ThoughtSpot maintains secure application development policies and procedures aligned with industry-standard practices such as the OWASP Top Ten. All personnel responsible for secure application design and development receive appropriate training regarding ThoughtSpot’s secure application development practices. ThoughtSpot performs a combination of static and dynamic testing and code analysis and addresses any high priority vulnerabilities prior to each release.
Governance & reporting
ThoughtSpot performs regular risk assessments and operates a responsible disclosure program.
SSAE 18 SOC 2
ThoughtSpot has successfully completed the System and Organization Controls (SOC) 2 Type II audit. The SOC 2 report verifies the suitability of the design and operating effectiveness of ThoughtSpot’s information security practices, policies, procedures, and operations to meet the standards for security, availability, and confidentiality.
ThoughtSpot performs information security risk assessments as part of a risk governance program that regularly tests, assesses and evaluates the effectiveness of the security program. Such assessments recognize and assess the impact of risks and implement risk reduction or mitigation strategies to address new and evolving security technologies, changes to industry standard practices, and changing security threats. This risk program is audited annually by an independent third party.
ThoughtSpot conducts quarterly security risk evaluations to assess threats to information assets, determine potential vulnerabilities, and provide remediation. Software patches are regularly deployed to customer instances to address known vulnerabilities.
Vendor vulnerability management
When a software vulnerability is disclosed and addressed by a vendor patch, ThoughtSpot obtains the patch from the applicable vendor and applies it within an appropriate time frame, in accordance with ThoughtSpot’s then-current vulnerability management and security patch management standard operating procedure. Patches are applied to production systems only after they have been tested and determined to be safe for installation.
Reporting a vulnerability
Vulnerabilities or other security concerns can be emailed to [email protected] with the phrase “Security Vulnerability” in the subject line.
In order for us to most effectively and efficiently respond to your report, please provide any supporting material, as well as clear, concise steps to reproduce the issue in order to help us understand the nature and severity of the vulnerability.
ThoughtSpot is committed to being responsive and keeping you informed of our progress as we investigate and remediate your reported security concern. We will promptly acknowledge receipt of your report, and outline the next steps in the process. When the initial investigation is complete, results will be delivered to you along with a plan for resolution.
Please note that ThoughtSpot does not allow any attempts to actively penetrate, attack, or audit our infrastructure, whether by automated or manual means.
Policies & terms
ThoughtSpot’s company policies and legal terms set standards for its commitments to data security and privacy.