// Trust & Security Report

    Mode Analytics, Inc. (a ThoughtSpot company) logo

    Mode Analytics, Inc. (a ThoughtSpot company)

    Mode is a collaborative business-intelligence platform (SQL editor, Python/R notebooks, visual explorer, dashboards, self-serve reporting, embedded analytics, custom data apps). Mode Analytics, Inc. was acquired by ThoughtSpot in 2023; Mode's analysis capabilities were absorbed into ThoughtSpot Analyst Studio (GA early 2025), while mode.com continues to operate as a distinct, actively marketed product/site as of this assessment.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture / DPA)
    HELD

    "Mode is committed to meeting the requirements of the General Data Protection Regulation ('GDPR')." A Data Processing Addendum and a separate UK DPA are published and incorporated into the customer agreement, and international transfers from the EU/UK/Switzerland are governed by Standard Contractual Clauses.

    Verify on mode.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type I/II)
    NOT CONFIRMED

    Mode's own Data Processing Addendum states 'Certifications: SOC 1-3 and ISO27001 compliance through AWS' -- this attributes SOC 1-3 to AWS (Mode's cloud host), not to an independent audit of Mode's own control environment. Mode's GDPR page separately says only that 'Detailed security documentation and third-party audit reports are available upon request' without naming SOC 2. No public vendor-domain page names a Mode-specific SOC 2 report.

    source: mode.com
    ISO 27001
    NOT CONFIRMED

    Same DPA sentence -- 'Certifications: SOC 1-3 and ISO27001 compliance through AWS' -- credits ISO 27001 to the AWS hosting infrastructure, not to Mode itself. No Mode-domain page states Mode (the company/product) holds its own ISO 27001 certificate.

    source: mode.com
    HIPAA
    NOT CONFIRMED

    No public evidence. No mention of HIPAA, PHI, or a Business Associate Agreement (BAA) was found on mode.com's security, privacy, GDPR, DPA, or terms pages, or in web search results.

    source: mode.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. No mention of PCI DSS or cardholder-data handling found on any Mode-domain legal/security page.

    source: mode.com
    ISO 27017 / 27018 (cloud & PII security)
    NOT CONFIRMED

    No public evidence of Mode-specific ISO 27017/27018 certification.

    source: mode.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Mode's security and legal pages make no mention of ISO 42001 or an AI-specific management-system certification.

    source: mode.com
    CSA STAR
    NOT CONFIRMED

    No public evidence at the Mode product level. Note: parent company ThoughtSpot's trust center lists 'CSA Star Level 1' among its own certifications, but that page does not mention Mode and does not confirm Mode's infrastructure/product is in scope.

    source: thoughtspot.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found for Mode or its parent ThoughtSpot.

    source: mode.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Production resources are hosted on Amazon Web Services (AWS); specific AWS region(s) are not disclosed on public Mode pages. Cross-border transfers from the EU, UK, and Switzerland are covered by Standard Contractual Clauses per the DPA.

    Mode's own site does not publish an AI-training statement for its SQL/Python/R notebook product. Parent company ThoughtSpot publishes a general policy for its Spotter AI feature stating customer data is not used to train foundation models of third-party LLM providers, but that statement is specific to ThoughtSpot Analyst Studio / Spotter and is not confirmed to describe the legacy mode.com product's own AI-related behavior. Treat as unconfirmed for Mode specifically pending vendor clarification.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher

    mode.com

    Encryption at rest

    AES-256

    mode.com

    Internal access control

    Multi-factor authentication required for internal systems; VPN and SSH required for production environment access; least-privilege access

    mode.com

    Endpoint security

    Endpoint monitoring and malware detection in place

    mode.com

    Penetration testing

    Vendor states it runs a penetration testing and vulnerability disclosure program; no report published publicly

    mode.com

    Incident response

    Formal incident lifecycle (discovery, verification, scope, resolution, response) described at a high level

    mode.com

    Hosting / physical security

    Production hosted on AWS; physical and environmental security managed by AWS

    mode.com

    Password policy

    Minimum 10 characters, mixed case, numbers/special characters, required annual changes

    mode.com

    // Products & data scope

    Mode (mode.com)Collaborative BI / SQL, Python & R notebooks / dashboards

    data: Connects to customer's own data warehouse/database; stores queries, notebooks, dashboards, and query results within Mode's AWS-hosted environment

    Legacy standalone product, still actively marketed at mode.com with its own sign-up, pricing, and security page as of this assessment. Owned by Mode Analytics, Inc., a ThoughtSpot subsidiary since 2023.

    ThoughtSpot Analyst StudioEnterprise agentic BI / analytics (successor for ThoughtSpot Cloud customers)

    data: Broader ThoughtSpot Cloud data estate; incorporates Mode's SQL/notebook capabilities

    GA'd for ThoughtSpot Cloud customers in early 2025. Falls under ThoughtSpot's own trust center and certification program (SOC 1/2/3, ISO 27001, CSA STAR Level 1 per thoughtspot.com/trust). Scope of that program relative to legacy mode.com is not publicly confirmed.

    // What to watch

    • Identity/scope ambiguity: Mode Analytics, Inc. was acquired by ThoughtSpot (2023) and its capabilities were folded into ThoughtSpot Analyst Studio (GA early 2025), yet mode.com still operates as a separate, live product. Buyers should confirm which product (legacy Mode vs. Analyst Studio) they are actually evaluating before relying on any certification claim.
    • Host-vs-vendor cert risk: Mode's own DPA credits 'SOC 1-3 and ISO27001 compliance' to AWS (its cloud host), not to Mode's own audited control environment. This must not be presented as Mode holding SOC 2 or ISO 27001 itself.
    • Parent-vs-subsidiary cert risk: ThoughtSpot's trust center lists SOC 1/2/3, ISO 27001, and CSA STAR Level 1 for ThoughtSpot's own platform/services, but never names Mode and does not state that Mode's infrastructure is in scope of those audits.
    • AI-training posture for the legacy Mode product itself is undocumented; only ThoughtSpot's separate Spotter AI feature has a published no-training-on-foundation-models statement, which is not confirmed to extend to mode.com.
    • No HIPAA/BAA offering found for Mode on any public page.
    • No dedicated live trust center (e.g., SafeBase/Vanta-style page with cert badges) exists for Mode; only a general security page and a whitepaper reachable via a marketing-automation redirect, plus audit reports available 'upon request.'

    // At a glance

    Pricing model

    Tiered subscription (site references 'Compare Plans' and a free trial); specific current tier pricing was not captured in evidence and should be confirmed directly with the vendor

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Mode Analytics, Inc. (a ThoughtSpot company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    mode.com

    > Browse all vendor trust reports