ThoughtSpot Trust Center

Trust is paramount for successful business partnerships.
That’s why ThoughtSpot is committed to making security,
privacy, and compliance its top priority.


Customer control

Set your own policies on users and
roles, security features, and searchable
data sets.
Learn more

Maximum security architecture

ThoughtSpot Cloud’s architecture
is designed from the ground up for
maximum data security.
Learn more

Governance, risk, & compliance

ThoughtSpot is compliant with
industry-standard regulations and
performs regular risk assessments.
Learn more

Corporate security

Rest easy knowing that our procedures,
processes, and data centers keep your
data secure at all times.
Learn more

Privacy

Safe customer data management
policies that are compliant with
data privacy regulations.
Learn more

Policies & terms

Our policies and legal terms set
standards for our commitments to data
security and privacy.
Learn more

Customer control

ThoughtSpot Cloud features controls to enforce your
data governance policies and access rules.

Data connectivity

Connect to the data warehouses of your choice to run live queries without moving your data.

Data selection

Select only relevant source data tables and columns to make available for analysis.

Privileges

Assign users, roles and privileges with differentiated access and available actions.

Content sharing

Allocate user privileges to share content, with ability to revoke access to previously shared content as needed.

Data security rules

Set granular object, column, row-level security rules to control what users are permitted to see.

Data removal.

Data no longer needed on an updated pinboard or answer is proactively deleted.


Maximum security architecture

The safety of your data is our top priority.

Tenant isolation

Fully isolated tenants to prevent data leakage and provide protection against unauthorized access.

Zero trust policies

Multiple services monitor, detect, and protect against common attack vectors.

Data encryption

Comprehensive support for data encryption at rest and in transit, leveraging AES 256-bit encryption and keys unique to each customer.

AWS cloud infrastructure

ThoughtSpot Cloud runs on the industry’s most secure cloud infrastructure in AWS .

Analytics at the source

Your data remains stored in the data warehouse of your choice, and queries are performed live, in-database. No data movement required.

Data governance

Granular object, table, column, row-level access rules control what users are permitted to see. Privileges determine what actions users can perform.

Authentication

ThoughtSpot supports multi-factored authentication, LDAP, and integrates with various identity providers via SAML.

Activity audit logs

You have access to user login and activity logs that are secured and monitored for anomalies.

Admin access

Access privileges of ThoughtSpot employees are based on job requirements using the principle of least privilege access and are revoked upon termination of employment. Entitlements are reviewed semi-annually.

Infrastructure access

Infrastructure access includes appropriate user account and authorization controls, which requires the use of secure VPN connections, two-factor authentication, complex passwords, and account lock-out rules.

Support control

ThoughtSpot is here to support you however you need. You control the level of access you want to provide to our support team, as well as the way in which you would like to engage us.

Account termination

All data along with the tenant instance is deleted upon termination or expiration of the agreement or order form.


Governance, risk, & compliance

ThoughtSpot is compliant with industry-standard regulations
and performs regular risk assessments.

ISO 27001 certified

The ISO/IEC 27001:2013 certification specifies security management best practices and controls for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. It ensures that our ISMS is fine-tuned to keep pace with changes to security threats, essential in the fast-paced world of IT security. ThoughtSpot submits to a re-certification audit every third year, inclusive of an annual surveillance audit. ThoughtSpot’s certificate can be found here .

SOC 2 & SOC 3

ThoughtSpot has successfully completed the Service Organization Control (SOC) 2 Type II audit. The SOC 2 report verifies the suitability of the design and operating effectiveness of ThoughtSpot’s information security practices, policies, procedures, and operations to meet the standards for security, availability, and confidentiality.

A public facing SOC 3 report demonstrating ThoughtSpot has met the AICPA Trust Services Security, Availability, Processing Integrity, and Confidentiality Principles and Criteria is available here .

HIPAA compliance

ThoughtSpot is compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and ensures access to confidential data is limited and patient information is protected. A ThoughtSpot Business Associate Addendum is available to execute as needed. To understand how the security controls available within ThoughtSpot Analytics Cloud address the security and privacy requirements of HIPAA, please read the Security Infrastructure and HIPAA White Paper .

Payment Card Industry Data Security Standards

ThoughtSpot does not itself store or process any cardholder information and does not qualify as a processor, merchant, or service provider as described under Payment Card Industry Data Security Standards (PCI DSS). While ThoughtSpot does not come under the scope of PCI-DSS, our existing security program already addresses many of its concerns. As we evolve our security program and processes, we will continue to assess the benefits of obtaining compliance. As ThoughtSpot configurations and usage are your responsibility, PCI-DSS (and security and privacy overall) is a shared responsibility between ThoughtSpot and you.

Risk management

ThoughtSpot performs information security risk assessments as part of a risk governance program that regularly tests, assesses and evaluates the effectiveness of the security program. Such assessments recognize and assess the impact of risks and implement risk reduction or mitigation strategies to address new and evolving security technologies, changes to industry standard practices, and changing security threats. This risk program is audited annually by an independent third party.

Vulnerability management

ThoughtSpot conducts quarterly security risk evaluations to assess threats to information assets, determine potential vulnerabilities, and provide remediation. Software patches are regularly deployed to customer instances to address known vulnerabilities.

Vendor vulnerability management

When software vulnerabilities are revealed and addressed by a vendor patch, ThoughtSpot will obtain the patch from the applicable vendor and apply it within an appropriate time frame in accordance with ThoughtSpot’s then-current vulnerability management and security patch management standard operating procedure and only after it is tested and determined to be safe for installation in all production systems.

Cloud Security Alliance (CSA) STAR Assessment

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). ThoughSpot has completed the CSA’s Consensus Assessments Initiative Questionnaire (CAIQ), that is available for download here and will be updated periodically.

Responsible disclosure of a potential vulnerability

At ThoughtSpot, we take the security of our systems, products, and confidential information seriously. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any system, product, or asset belonging to ThoughtSpot.

Potential vulnerabilities or other security concerns can be reported to [email protected] with “Responsible Disclosure” in the subject line. In order for us to most effectively and efficiently respond to your report, please provide any supporting material, as well as clear, concise steps to reproduce the issue in order to help us understand the nature and severity of the vulnerability.

Please note that ThoughtSpot does not allow any attempts to actively penetrate, attack, or audit our infrastructure, whether by automated or manual means.

More information on responsible disclosure of potential vulnerabilities can be found here.


Corporate security

ThoughtSpot’s procedures, processes, and data
centers keep your data secure at all times.

Secure data center

ThoughtSpot’s modern cloud data centers are
designed for scale and elasticity,

Maximum security

ThoughtSpot secures its buildings and workspaces from unauthorized access to protect ThoughtSpot personnel, assets, and data. All ThoughtSpot employees, as well as contractors and third-parties, with a legitimate business need to physically access any ThoughtSpot facilities must comply with the security requirements to ensure maximum security.

Redundancy

ThoughtSpot’s data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area and there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Availability

Critical system components are backed up across multiple, isolated locations and are engineered to operate independently with high reliability. Highly resilient systems deliver the highest levels of service availability, and in the event of an outage, enable customers to achieve extremely short recovery time and recovery point objectives.

Capacity planning

Service usage is continuously monitored to support our availability commitments and requirements, and measured at least monthly against a capacity planning model. This model supports planning of future demands and includes considerations such as information processing, telecommunications, and audit log storage.

Secure personnel

ThoughtSpot employees are properly vetted and trained to ensure
compliance with security and privacy controls

Access

All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege and are reviewed.

Background checks

ThoughtSpot conducts background checks on all employees in accordance with relevant laws and regulations, and proportional to the business requirements, the sensitivity of the information to be accessed, and the perceived risks in accordance with ThoughtSpot’s Background Check Policy.

Security training

ThoughtSpot provides security training to help employees avoid creating undue risks. Employees must complete information security training within a reasonable time after initial hire and quarterly thereafter. ThoughtSpot retains attendance records and copies of security training materials to ensure proper completion of the training before any employee is granted access to systems.

Security of customer data

ThoughtSpot is vigilant about the security and privacy of your data

Encryption

All data flowing across the global network that interconnects our data centers and regions is automatically encrypted before it leaves our secured facilities. AWS provides tools that let ThoughtSpot easily encrypt your data in transit and at rest to ensure that only authorized users can access it. Encryption keys are managed by AWS Key Management Service (KMS) or CloudHSM using FIPS 140-2 Level 3 validated HSMs.

Data locations

ThoughtSpot can give you the control and visibility you need to comply with regional and local data privacy laws and regulations. The design of the AWS global infrastructure allows you to retain complete control over the regions in which your data is physically located, helping you meet data residency requirements.

Row level security

Row level security (RLS) allows you to restrict a group’s access down to the table row. Once a rule is defined, as a group member searches, views an answer, or otherwise works with data, ThoughtSpot evaluates the user’s access against the rules and prevents the display of the restricted data. As a result, users see only the data they are permitted to see.

Secure software development lifecycle

ThoughtSpot maintains secure application development policies and procedures aligned with industry-standard practices such as the OWASP Top Ten. All personnel responsible for secure application design and development receive appropriate training regarding ThoughtSpot’s secure application development practices. ThoughtSpot performs a combination of static and dynamic testing and code analysis and addresses any high priority vulnerabilities prior to each release.


Privacy

Safe customer data management policies that are
compliant with data privacy regulations.

GDPR compliance

ThoughtSpot is fully compliant with the European Union’s General Data Protection Regulation (GDPR). ThoughtSpot’s data processing addendum incorporates EU-approved transfer mechanisms, namely the European Commission’s standard contractual clauses. Customers can rely on these protections to transfer EU personal data using our services. More information on GDPR can be found here. A list of the sub-processors authorized to process personal data for each of the relevant ThoughtSpot SaaS applications can be found here.

Privacy Shield

Although ThoughtSpot does not rely on the EU-US Privacy Shield as a legal basis for transfers of personal data in light of the judgment of the Court of Justice of the EU in Case C-311/18, ThoughtSpot remains committed to the principles of security and privacy contained within the Privacy Shield and continues to self-certify to the Privacy Shield requirements. ThoughtSpot’s continued adherence to the Privacy Shield can be found at the Data Privacy Framework website and in the Data Privacy Framework Policy .

Privacy statement

ThoughtSpot maintains a privacy statement to the collection, use, and disclosure of Personal Information obtained through the ThoughtSpot websites; in connection with your purchase and use of our products and related support and professional services; and in connection with events hosted by us where we collect information from registrants and attendees.

Cookies policy

ThoughtSpot uses both session‑based and persistent‑based cookies. Session‑based cookies exist only during your web session and expire when you close your internet browser. Persistent‑based cookies stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period specified by the cookie.

International Personal Data Transfers Post-Schrems II

In accordance with the decision by the Court of Justice of the European Union (C-311/18, also known as "Schrems II"), on July 16, 2020, we ceased relying on our EU-U.S. and Swiss-U.S. Privacy Shield certifications as a legal basis for international data transfers from the EEA or Switzerland to the U.S. We will continue to adhere to the EU-US and Swiss-US Privacy Shield principles for all personal information transferred to the US in reliance on such certifications prior to July 16, 2020.

ThoughtSpot uses Standard Contractual Clauses as its mechanism to transfer personal data subject to EU law from and to its customers and sub-processors. Consistent with the ruling in Schrems II and related guidance from EU supervisory authorities, ThoughtSpot couples its use of Standard Contractual Clauses with various technical and organizational safeguards as appropriate to particular transfers. More information on ThoughtSpot’s response to the Schrems II ruling can be found here .

We don’t sell your data

ThoughtSpot does not sell your data, and does not mine or access your data for advertising purposes. ThoughtSpot also contractually commits that ThoughtSpot employees and authorized, verified contractors will only have access to customer data on a need-to-know basis.


Policies & terms

ThoughtSpot’s company policies and legal terms set
standards for its commitments to data security and privacy.

Privacy statement

ThoughtSpot is committed to protecting the privacy of others, including with regard to its use of browser cookies.

Cookies policy

This policy describes the information we collect by automated means through the use of information gathering tools on ThoughtSpot’s website.

Subscription and license agreements

ThoughtSpot’s obligations to subscribers and licensees are included on this page.

Data processing addendum

For customers making data available to ThoughtSpot under GDPR, the DPA may be countersigned to impose additional commitments on ThoughtSpot.

Commitment against human trafficking and slavery

ThoughtSpot is committed to acting ethically, responsibly, and fighting forced labor.

Third-party software licenses

ThoughtSpot complies with the attribution requirements of third-party licenses.

Data Privacy Framework Policy

Describes ThoughtSpot’s commitment to the Data Privacy Framework Principles, providing for the secure transfer of Personal Data to the United States.

Candidate Privacy Notice

Provides information regarding our privacy and data handling practices to job applicants who apply for open positions with us.