ThoughtSpot Trust Center
Our privacy and data protection program only uses data in
ways that are consistent with current data protection laws
and your wishes as a customer.
The General Data Protection Regulation (“GDPR”) regulates the use and protection of personal data originating from the European Economic Area (“EEA”) and provides individuals rights with regard to their personal data. ThoughtSpot is committed to supporting our customers in their GDPR compliance efforts. See ThoughtSpot’s Data Processing Addendum (“DPA”).
The California Consumer Privacy Act (“CCPA”) creates consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. ThoughtSpot is committed to supporting its customers in their CCPA compliance efforts. The ThoughtSpot DPA addresses both GDPR and CCPA requirements.
ThoughtSpot’s robust privacy and security commitments, which outline how we protect user data and prioritize privacy, apply equally to our use of AI. ThoughtSpot is committed to preserving our customers' privacy with ThoughtSpot Cloud AI-powered analytics and to supporting our customers’ privacy compliance efforts. See under “Enterprise-Grade AI” for more information on how ThoughtSpot utilizes AI in ThoughtSpot Cloud.
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulates the protection of the privacy and security of health information. ThoughtSpot can support HIPAA-related customer data after a Business Associate Agreement (BAA) has been properly executed with ThoughtSpot. For more information on how ThoughtSpot Cloud provides security controls to meet the requirements of HIPAA, please see the Security Infrastructure and HIPAA Whitepaper.
For transfers to the United States, ThoughtSpot has self-certified to, and we are participants in, the new Data Privacy Framework (“DPF”). The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were respectively developed by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law. ThoughtSpot’s continued adherence to the DPF can be found at the Data Privacy Framework site and in the Data Privacy Framework Policy.
ThoughtSpot continues to use Standard Contractual Clauses (“SCCs”), which remain valid under the Schrems II decision by the European Court of Justice, as a legal mechanism for transferring personal data of its customers from the EEA to applicable jurisdictions. Our DPA includes the new EU Standard Contractual Clauses to support these transfers where applicable. We also offer ‘Supplementary Measures’ to our customers – these are technical and operational measures (including encryption controls and disclosures regarding government requests for access to data) to provide data protection controls for our EU data transfers. For more information, see our Transfer Impact Assessment Whitepaper.
ThoughtSpot has published guidelines describing our practices for responding to Third-Party Authority Requests. The ThoughtSpot Law Enforcement Guidelines describe our practices and procedures for responding to any Third-Party Authority Requests.
Annually, ThoughtSpot publishes its Transparency Report, which outlines the number of requests from Third-Party Authorities that ThoughtSpot has received for customer data. Up to December 31st, 2024, ThoughtSpot has not received any Third-Party Authority Requests.
At ThoughtSpot, we create trust with our customers through transparency. We are committed to providing customers with clear information about the data we handle and how we use it. ThoughtSpot maintains a Privacy Statement detailing the collection, use, and disclosure of Personal Information obtained through the ThoughtSpot websites; in connection with your purchase and use of our products and related support and professional services; and in connection with events hosted by us where we collect information from registrants and attendees.
ThoughtSpot uses both session‑based and persistent‑based cookies. Session‑based cookies exist only during your web session and expire when you close your internet browser. Persistent-based cookies are files that stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period contained within the persistent cookie's file. You can read more about ThoughtSpot’s use of cookies in our Cookie Policy.
ThoughtSpot does not sell your data, and does not mine or access your data for advertising purposes. ThoughtSpot also contractually commits that ThoughtSpot employees and authorized, verified contractors will only have access to customer data on a need-to-know basis.
We hold our subprocessors to rigorous standards to protect privacy and personal data. ThoughtSpot has processes in place designed to verify that subprocessors have implemented appropriate technical and organizational measures to safeguard privacy. See the ThoughtSpot-authorized sub-processors at our Sub-processors page.
We lead with transparency, ethics, deep listening
and delivering on our commitments.
Rest easy knowing that our procedures, processes, and secure cloud infrastructure keep your data secure at all times.