// Trust & Security Report
Mode Analytics, Inc. (a ThoughtSpot company)
Mode is a collaborative business-intelligence platform (SQL editor, Python/R notebooks, visual explorer, dashboards, self-serve reporting, embedded analytics, custom data apps). Mode Analytics, Inc. was acquired by ThoughtSpot in 2023; Mode's analysis capabilities were absorbed into ThoughtSpot Analyst Studio (GA early 2025), while mode.com continues to operate as a distinct, actively marketed product/site as of this assessment.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on mode.com“"Mode is committed to meeting the requirements of the General Data Protection Regulation ('GDPR')." A Data Processing Addendum and a separate UK DPA are published and incorporated into the customer agreement, and international transfers from the EU/UK/Switzerland are governed by Standard Contractual Clauses.”
> Show 8 unconfirmed / not-held certifications
source: mode.comMode's own Data Processing Addendum states 'Certifications: SOC 1-3 and ISO27001 compliance through AWS' -- this attributes SOC 1-3 to AWS (Mode's cloud host), not to an independent audit of Mode's own control environment. Mode's GDPR page separately says only that 'Detailed security documentation and third-party audit reports are available upon request' without naming SOC 2. No public vendor-domain page names a Mode-specific SOC 2 report.
source: mode.comSame DPA sentence -- 'Certifications: SOC 1-3 and ISO27001 compliance through AWS' -- credits ISO 27001 to the AWS hosting infrastructure, not to Mode itself. No Mode-domain page states Mode (the company/product) holds its own ISO 27001 certificate.
source: mode.comNo public evidence. No mention of HIPAA, PHI, or a Business Associate Agreement (BAA) was found on mode.com's security, privacy, GDPR, DPA, or terms pages, or in web search results.
source: mode.comNo public evidence. No mention of PCI DSS or cardholder-data handling found on any Mode-domain legal/security page.
source: mode.comNo public evidence of Mode-specific ISO 27017/27018 certification.
source: mode.comNo public evidence. Mode's security and legal pages make no mention of ISO 42001 or an AI-specific management-system certification.
source: thoughtspot.comNo public evidence at the Mode product level. Note: parent company ThoughtSpot's trust center lists 'CSA Star Level 1' among its own certifications, but that page does not mention Mode and does not confirm Mode's infrastructure/product is in scope.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Production resources are hosted on Amazon Web Services (AWS); specific AWS region(s) are not disclosed on public Mode pages. Cross-border transfers from the EU, UK, and Switzerland are covered by Standard Contractual Clauses per the DPA.
Mode's own site does not publish an AI-training statement for its SQL/Python/R notebook product. Parent company ThoughtSpot publishes a general policy for its Spotter AI feature stating customer data is not used to train foundation models of third-party LLM providers, but that statement is specific to ThoughtSpot Analyst Studio / Spotter and is not confirmed to describe the legacy mode.com product's own AI-related behavior. Treat as unconfirmed for Mode specifically pending vendor clarification.
// Security controls
Internal access control
Multi-factor authentication required for internal systems; VPN and SSH required for production environment access; least-privilege access
mode.comPenetration testing
Vendor states it runs a penetration testing and vulnerability disclosure program; no report published publicly
mode.comIncident response
Formal incident lifecycle (discovery, verification, scope, resolution, response) described at a high level
mode.comHosting / physical security
Production hosted on AWS; physical and environmental security managed by AWS
mode.comPassword policy
Minimum 10 characters, mixed case, numbers/special characters, required annual changes
mode.com// Products & data scope
data: Connects to customer's own data warehouse/database; stores queries, notebooks, dashboards, and query results within Mode's AWS-hosted environment
Legacy standalone product, still actively marketed at mode.com with its own sign-up, pricing, and security page as of this assessment. Owned by Mode Analytics, Inc., a ThoughtSpot subsidiary since 2023.
data: Broader ThoughtSpot Cloud data estate; incorporates Mode's SQL/notebook capabilities
GA'd for ThoughtSpot Cloud customers in early 2025. Falls under ThoughtSpot's own trust center and certification program (SOC 1/2/3, ISO 27001, CSA STAR Level 1 per thoughtspot.com/trust). Scope of that program relative to legacy mode.com is not publicly confirmed.
// What to watch
- Identity/scope ambiguity: Mode Analytics, Inc. was acquired by ThoughtSpot (2023) and its capabilities were folded into ThoughtSpot Analyst Studio (GA early 2025), yet mode.com still operates as a separate, live product. Buyers should confirm which product (legacy Mode vs. Analyst Studio) they are actually evaluating before relying on any certification claim.
- Host-vs-vendor cert risk: Mode's own DPA credits 'SOC 1-3 and ISO27001 compliance' to AWS (its cloud host), not to Mode's own audited control environment. This must not be presented as Mode holding SOC 2 or ISO 27001 itself.
- Parent-vs-subsidiary cert risk: ThoughtSpot's trust center lists SOC 1/2/3, ISO 27001, and CSA STAR Level 1 for ThoughtSpot's own platform/services, but never names Mode and does not state that Mode's infrastructure is in scope of those audits.
- AI-training posture for the legacy Mode product itself is undocumented; only ThoughtSpot's separate Spotter AI feature has a published no-training-on-foundation-models statement, which is not confirmed to extend to mode.com.
- No HIPAA/BAA offering found for Mode on any public page.
- No dedicated live trust center (e.g., SafeBase/Vanta-style page with cert badges) exists for Mode; only a general security page and a whitepaper reachable via a marketing-automation redirect, plus audit reports available 'upon request.'
// At a glance
Pricing model
Tiered subscription (site references 'Compare Plans' and a free trial); specific current tier pricing was not captured in evidence and should be confirmed directly with the vendor
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mode Analytics, Inc. (a ThoughtSpot company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
mode.com