ThoughtSpot Trust & Compliance Center

GDPR compliance

The General Data Protection Regulation (“GDPR”) regulates the use and protection of personal data originating from the European Economic Area (“EEA”) and provides individuals rights with regard to their personal data. ThoughtSpot is committed to supporting our customers in their GDPR compliance efforts. See ThoughtSpot’s Processing Addendum (DPA”).

CCPA Compliance

The California Consumer Privacy Act (“CCPA”) creates consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. ThoughtSpot is committed to supporting its customers in their CCPA compliance efforts. The ThoughtSpot DPA addresses both GDPR and CCPA requirements.

ThoughtSpot AI & Privacy

ThoughtSpot’s robust privacy and security commitments outline how we protect user data and prioritize privacy apply equally to our use of AI. ThoughtSpot is committed to preserving our customers' privacy with ThoughtSpot Cloud AI-powered analytics and to supporting our customer’s privacy compliance efforts. See below under “ThoughtSpot Cloud AI Features” for more information on how ThoughtSpot utilizes AI in ThoughtSpot Cloud.

HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulates protecting the privacy and security of health information. ThoughtSpot can support HIPAA-related customer data after a Business Associate Agreement (BAA) has been properly executed with ThoughtSpot. For more information on how ThoughtSpot Cloud provides security controls to meet the requirements of HIPAA, please see the Security Infrastructure and HIPAA Whitepaper.

Data Privacy Framework

For transfers to the United States, ThoughtSpot has self-certified to, and we are participants in, the new Data Privacy Framework (“DPF”). The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were respectively developed by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.

ThoughtSpot’s continued adherence to the DPF can be found at the Data Privacy Framework site and in the Data Privacy Framework Policy.

International Personal Data Transfers

ThoughtSpot continues to use Standard Contractual Clauses (“SCCs”), which remain valid under the Schrems II decision by the European Court of Justice, as a legal mechanism for transferring personal data of its customers from the EEA to applicable jurisdictions. Our DPA includes the new EU Standard Contractual Clauses to support these transfers where applicable.

We also offer ‘Supplementary Measures’ to our customers – these are technical and operational measures (including encryption controls and disclosures regarding government requests for access to data) to provide data protection controls for our EU data transfers.

For more information, See our Transfer Impact Assessment Whitepaper here.

Law Enforcement Guidelines

ThoughtSpot has published guidelines describing our practices for responding to Third- Party Authority Requests. The ThoughtSpot Law Enforcement Guidelines describe our practices and procedures for responding to any Third-Party Authority requests.

Transparency Report

Annually, ThoughtSpot publishes its Transparency Report, which outlines the number of requests from Third-Party Authorities that ThoughtSpot has received for customer data. Up to December 31st, 2023, ThoughtSpot has not received any Third-Party Authority Requests.

Privacy Statement

At ThoughtSpot, we create trust with our customers through transparency. We are committed to providing customers with clear information about the data we handle and how we use it. ThoughtSpot maintains a Privacy Statement detailing the collection, use, and disclosure of Personal Information obtained through the ThoughtSpot websites; in connection with your purchase and use of our products and related support and professional services; and in connection with events hosted by us where we collect information from registrants and attendees.

Cookie Policy

ThoughtSpot uses both session‑based and persistent‑based cookies. Session‑based cookies exist only during your web session and expire when you close your internet browser. Persistent‑based cookies stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period specified by the cookie.elated support and professional services; and in connection with events hosted by us where we collect information from registrants and attendees.

We Don’t Sell Your Data

ThoughtSpot does not sell your data, and does not mine or access your data for advertising purposes. ThoughtSpot also contractually commits that ThoughtSpot employees and authorized, verified contractors will only have access to customer data on a need-to-know basis.

Maximum Security

ThoughtSpot secures its buildings and workspaces from unauthorized access to protect ThoughtSpot personnel, assets, and data. All ThoughtSpot employees, as well as contractors and third-parties, with a legitimate business need to physically access any ThoughtSpot facilities must comply with the security requirements to ensure maximum security.

Redundancy

ThoughtSpot’s data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area and there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Availability

Critical system components are backed up across multiple, isolated locations and are engineered to operate independently with high reliability. Highly resilient systems deliver the highest levels of service availability, and in the event of an outage, enable customers to achieve extremely short recovery time and recovery point objectives.

Capacity Planning

Service usage is continuously monitored to support our availability commitments and requirements, and measured at least monthly against a capacity planning model. This model supports planning of future demands and includes considerations such as information processing, telecommunications, and audit log storage.

What Is ThoughtSpot AI-powered analytics?

ThoughtSpot AI-powered analytics that takes search-driven analytics to the next level with natural language and generative AI. ThoughtSpot, together with LLMs, combines the ease of natural language with the accuracy of our patented search and the governance your business demands. Now users can ask business questions in natural language to easily search for existing content across your analytics catalog, create new charts and visualizations, get AI-generated answers, get AI-powered search recommendations, and more.

What Data is Sent to the LLMs?

Once a user submits a query using the AI features, the following data may be sent to the large language model provider:

• Query Text/Prompt.

• Column Names.

• Column Descriptions.

• Sample Data Values (maximum of three sample values for each text attribute column).

Is Data Submitted to the LLMs Stored?

No. ThoughtSpot Cloud is removed from modified content and abuse monitoring, which means that there is no data logging or abuse monitoring or content filtering. As a result, the LLMs will not store the associated request or response data.

Is Customer Data Used for Training of the LLM?Is Data Submitted to the LLMs Stored?

No. Customer data will not be used for any training of provider LLMs.

Can Customers Disable AI features?

Yes. AI features are disabled by default. If customers choose to enable the AI features, they may also disable AI features at any time and will still be able to use ThoughtSpot Cloud on a search-by-search basis.