At ThoughtSpot, fostering relationships with our customers based on trust is of utmost importance. We believe that privacy is a fundamental right and our customer’s privacy and security are always top priorities.
On 16 July 2020, the Court of Justice of the European Union (“CJEU”) issued a ruling (the “Schrems II” ruling) regarding the transfer of personal data subject to the General Data Protection Regulation (“GDPR”) outside the European Economic Area (“EEA”). In Schrems II, the CJEU ruled that the EU-US and Swiss-U.S. Privacy Shield (“Privacy Shield”) was no longer a valid mechanism to transfer personal data from the EEA to the United States.
However, in the same ruling, the CJEU confirmed that organizations can continue to use Standard Contractual Clauses (“SCCs”) as a valid mechanism for transferring personal data outside the EEA.
In accordance with the decision by the CJEU in Schrems II, on July 16, 2020, we ceased relying on our Privacy Shield certifications as a legal basis for international data transfers from the EEA or Switzerland to the U.S.
We want all ThoughtSpot customers to know that the CJEU’s decision made clear that the SCCs remain a valid mechanism to transfer personal data from the EEA. The SCCs will continue to allow our customers to legally transfer personal data from the EU and UK through ThoughtSpot’s service. Consistent with the ruling in Schrems II and related guidance from EU supervisory authorities, ThoughtSpot couples its use of the SCCs with various technical and organizational safeguards as appropriate to particular transfers, such as encryption in-transit and at-rest, and row-level security. Our comprehensive security program also includes compliance with GDPR and CCPA, as well as standards such as ISO/IEC 27001, SSAE SOC 2 Type II, STAR, HIPAA, and others. ThoughtSpot contractually commits to these technical and organizational safeguards with each customer in the ThoughtSpot Cloud Program Guide found at: www.thoughtspot.com/legal.
ThoughtSpot understands the importance our customers place on safeguarding the limited information stored and transferred using ThoughtSpot, and we work hard to ensure we earn your trust in this regard. As governments and judicial bodies around the world pass new legislation and issue rulings to protect personal data, ThoughtSpot will continue to comply with all privacy laws applicable to our service, monitor changes in the law in an effort to ensure our ongoing compliance, and continually upgrade our information protection program and controls. In addition, we continue to invest in administrative control features so that each customer remains in full control of the scope of analytics performed in the data source, search suggestion indexing, user access and roles, and security rules. ThoughtSpot closely monitors the privacy landscape and the ongoing updates from various EU supervisory authorities, including the release of new SCCs from the European Commission in June 2021.
Please see below for additional answers to how ThoughtSpot remains compliant with GDPR in light of new recommendations stemming from Schrems II ruling.
On July 16, 2020, the CJEU invalidated the EU-US and Swiss-U.S. Privacy Shield framework. The Standard Contractual Clauses remain valid as a data transfer mechanism. However, the CJEU also said that additional safeguards may be required when the legal system around access to data by public authorities in the recipient country does not ensure a level of protection essentially equivalent to that guaranteed within the EEA.
No, ThoughtSpot does not rely on the EU-US or Swiss-US Privacy Shield to facilitate the lawful transfer of personal data between the EEA or Switzerland and the US.
ThoughtSpot uses the SCCs as the mechanism for international transfers of personal data. These provide contractual guarantees that the personal data will be protected to a GDPR standard outside of the EEA.
The US Department of Commerce issued guidance stating the decisions of
the CJEU and the consequent opinion of Switzerland’s Federal Data
Protection and Information Commissioner (“FDPIC”) do not relieve
participants in the EU-US and Swiss-US Privacy Shields of their
obligations to adhere to the principles and requirements of the Privacy
Shield Framework. Regardless, the US Department of Commerce continues to
administer and enforce the Privacy Shield program. While the Privacy
Shield is no longer a valid transfer mechanism, continued participation
demonstrates ThoughtSpot’s continued commitment to adhere to the Privacy
Shield principles and EU/Swiss standard of care.
Despite the CEJU decision, Privacy Shield and transatlantic data flows are a top priority for the Biden Administration. On March 25, 2021, the U.S. Secretary of Commerce and European Commissioner for Justice issued a joint statement that negotiations had intensified on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the CJEU in the Schrems II case. These negotiations show that the US and EU remain committed to privacy, data protection, and the rule of law and understand the importance of transatlantic data flows.
Yes. The Data Processing Addendum is specific to ThoughtSpot’s services
and covers the specific processes and procedures related to the way in
which the services and infrastructure work. It also includes the new
SCCs and is drafted to be consistent with the customer agreement and
other relevant documentation.
A copy of the Data Processing Addendum can be found here in a form pre-signed by ThoughtSpot. To add the obligations of the Data Processing Addendum to your ThoughtSpot Cloud Subscription Agreement, all you need to do is countersign it and return it to your ThoughtSpot Account Executive.
Yes. The ThoughtSpot Data Processing Addendum has been updated to include the new SCCs effective September 27, 2021.
ThoughtSpot maintains administrative, technical, and organizational
security measures to protect Personal Data outlined on the
ThoughtSpot Trust Center.
ThoughtSpot’s security program includes a range of technical and organizational measures, such as encryption in-transit and at-rest, that address the core deficiencies cited in the Schrems II decision—bulk Interceptions under EO 12333 and bulk surveillance under FISA § 702.
Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”) is
a US statute establishing a judicial process authorizing a specific type
of data acquisition (i.e., foreign intelligence for US national security
purposes). Under FISA 702, an independent court may authorize the US
government to issue orders requiring US companies to disclose
communications data relating to specific non-US persons located outside
of the US to obtain specific types of foreign intelligence information.
Executive Order 12333 (“EO 12333”) is a general directive organizing US
intelligence activities. Unlike FISA 702, EO 12333 does not authorize
the US government to require any company to disclose data, though it may
be used to authorize clandestine intelligence activities involving
overseas access to data without the involvement of the company in
The CJEU ruled that where transfers of personal data to the US are subject to FISA 702 and EO 12333, Privacy Shield does not provide an essentially equivalent protection, because these provisions allow for government access beyond what is “necessary and proportionate” for legitimate law enforcement purposes.
ThoughtSpot has not been found by any court to be the type of entity eligible to receive process issued under FISA 702 (i.e., an "electronic communication service provider" within the meaning of 50 U.S.C § 1881(b)(4) or a member of any of the categories of entities described within that definition).
Even if ThoughtSpot were deemed an electronic communication service provider as to some of its services, as the U.S. government has interpreted and applied FISA 702, ThoughtSpot is not eligible to receive the type of order that was of principal concern to the CJEU in the Schrems II decision—a 702 order for "upstream" surveillance. As the U.S. Government has applied FISA 702, it uses upstream orders only to target traffic flowing through internet backbone providers that carry traffic for third parties (i.e., telecommunications carriers). ThoughtSpot does not provide such backbone services; instead, it only carries traffic involving its own customers. As a result, it is not eligible to receive the type of order principally addressed in, and deemed problematic by, the Schrems II decision.