// Trust & Security Report

    Sprinklr, Inc. logo

    Sprinklr, Inc.

    Unified Customer Experience Management (Unified-CXM) platform, publicly traded (NASDAQ/NYSE: CXM). Four AI-native product suites: Sprinklr Insights (market/consumer research), Sprinklr Marketing (campaign orchestration), Sprinklr Social (social media engagement across 30+ channels), and Sprinklr Service (contact center / customer service, including CCaaS). Sprinklr AI+ is the cross-platform generative + predictive AI layer (Copilot, AI Agents, workflow automation) embedded across all four suites.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Sprinklr maintains SOC1 Type II, SOC2 Type II, PCI-DSS, and ISO 27001 certifications as well as FedRAMP authorization. Sprinklr is regularly audited by third-party assessments, evaluating internal controls that protect the security, confidentiality, integrity, availability, and privacy of the information entrusted to them by customers.

    Verify on sprinklr.com
    SOC 1 Type II
    HELD

    Sprinklr maintains SOC1 Type II, SOC2 Type II, PCI-DSS, and ISO 27001 certifications as well as FedRAMP authorization.

    Verify on sprinklr.com
    ISO/IEC 27001:2013
    HELD

    Sprinklr ... achieved the ISO/IEC 27001:2013 certification for its information security management system ... conformity with the requirements for the production infrastructure, development, operations, administration, security and global delivery of the Sprinklr Platform and its supporting services.

    Verify on sprinklr.com
    PCI DSS
    HELD

    Sprinklr is PCI-DSS compliant, which has been validated through third-party review with a qualified security assessor for Attestation of Compliance (AOC). Validation of compliance is performed annually.

    Verify on sprinklr.com
    FedRAMP (LI-SaaS)
    HELD

    ... as well as FedRAMP authorization." Trust portal badge lists "FedRAMP LI-SaaS" specifically under its Compliance section.

    Verify on trust.sprinklr.com
    GDPR (posture)
    HELD

    Sprinklr, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework. ... following the Schrems II decision, Sprinklr relies on the Standard Contractual Clauses (SCCs) ... to safeguard data transfers out of the EU/EEA.

    Verify on sprinklr.com
    HIPAA
    HELD

    "HIPAA" is listed as an achieved item under the Compliance section badge list of Sprinklr's Security Trust Portal, alongside SOC 1/2/3, ISO 27001 and PCI DSS. No explicit statement about Business Associate Agreement (BAA) availability was found on public, non-gated pages.

    Verify on trust.sprinklr.com
    TISAX / C5 / Cyber Essentials / ENS / DORA (regional attestations)
    HELD

    Badge list on the Compliance section of the trust portal: "Cyber Essentials", "DORA", "ENS", "TISAX", "C5" (German cloud security catalog), alongside SOC/ISO/PCI marks.

    Verify on trust.sprinklr.com
    > Show 3 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence. Sprinklr's trust portal lists an "EU AI Act" compliance badge and a Responsible AI program, but does not list ISO/IEC 42001 certification anywhere on the trust center or in press releases as of verification date.

    source: trust.sprinklr.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. CSA STAR (or STAR for AI) does not appear among the certification/compliance badges listed on Sprinklr's public trust portal.

    source: trust.sprinklr.com
    ISO/IEC 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence. Only ISO/IEC 27001 is listed on the trust portal and in press materials; the cloud-security (27017), PII-processing (27018), and privacy-information (27701) extension standards are not listed.

    source: trust.sprinklr.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Sprinklr hosts data in data centers located in the United States and Europe, with additional local hosting solutions in the UK/UAE; specific hosting region is determined per-customer during contracting/implementation. Cross-border transfers rely on Standard Contractual Clauses (SCCs) and the EU-U.S./UK/Swiss Data Privacy Framework.

    Vendor blog states model training uses open-source/public data sets, not customer data: 'We use open-source and public data sets, mask PII and encrypt data in transit and at rest, wherever feasible.' Third-party AI integrations (e.g. OpenAI within Sprinklr AI+) are stated to be opted out of model-improvement training, with vendor data retained only 30 days for abuse monitoring by the third-party provider. PII is described as automatically masked before being sent to third-party models. No explicit customer-facing opt-out toggle was found on public pages (masking/no-training is described as the default posture, not a customer-configurable setting) - recommend confirming exact tier-level behavior (e.g. AI+ vs core platform) directly with Sprinklr before relying on this for a regulated deployment.

    // Security controls

    Encryption in transit

    "Sensitive data is encrypted during transit." (exact mechanism/protocol version not specified on public, non-gated pages.)

    sprinklr.com

    Access control

    Role-based Access Control (RBAC), Two-Factor Authentication (2FA: SMS, email, secure key, or mobile app), Single Sign-On (SAML and OpenID Connect), and IP restriction/whitelisting.

    sprinklr.com

    Password storage

    User passwords are stored in a cryptographically protected format using one-way hashing with random salt.

    sprinklr.com

    Data center / hosting locations

    Sprinklr hosts data in data centers located in the United States and Europe; hosting location is determined per customer during contracting and implementation.

    sprinklr.com

    Incident response / detection

    Sprinklr's dedicated Detection & Response team is focused on threat detection, vulnerability management, incident response and crisis communication management.

    sprinklr.com

    Vulnerability disclosure

    Sprinklr utilizes a third-party Vulnerability Disclosure Program (VDP) for managing security vulnerabilities reported by the security community.

    sprinklr.com

    Security awareness training

    All employees, interns and eligible contractors undergo mandatory security training at time of hire and annually thereafter, plus role-specific and secure-coding training.

    sprinklr.com

    // Products & data scope

    Sprinklr InsightsMarket/consumer research and social listening

    data: Analyzes public/unstructured conversation data (millions of social/web mentions) plus customer-provided data for insight generation.

    Voice-of-customer and market intelligence suite; largely processes publicly available data.

    Sprinklr MarketingMarketing campaign orchestration

    data: Customer brand assets, campaign data, and social/digital channel data.

    Global campaign orchestration across social and digital channels.

    Sprinklr SocialSocial media management / engagement

    data: Public social conversations across 30+ digital/social channels, plus brand account credentials.

    Engagement, publishing and listening across social platforms.

    Sprinklr Service (incl. CCaaS)Customer service / contact center

    data: Higher-sensitivity scope than other suites: customer PII, call recordings/transcripts, and payment-related data (in-scope for PCI-DSS controls such as Secured Forms and Interactive Voice Recording masking).

    Contact-center and case-management suite; the primary suite likely to touch regulated/sensitive data (support for PCI-scoped payment capture; no explicit HIPAA BAA statement found publicly for healthcare deployments).

    Sprinklr AI+Cross-platform generative + predictive AI layer

    data: Operates across all four suites (Copilot, AI Agents, workflow automation); vendor states PII is masked before being sent to third-party models and that third-party providers (e.g., OpenAI) are opted out of using submitted data for model training.

    Not a standalone product but an AI layer embedded platform-wide; AI-governance claims (masking, no-training, OECD-based Responsible AI principles) apply here specifically.

    // What to watch

    • HIPAA appears only as a badge label on the SafeBase-powered trust portal (trust.sprinklr.com); no explicit BAA-availability statement or HIPAA scope description was found on public, non-gated pages. Confirm directly with Sprinklr before relying on this for a healthcare/regulated deployment.
    • FedRAMP claim is scoped to "FedRAMP LI-SaaS" (Low-Impact SaaS) per the trust portal badge, not full FedRAMP Moderate/High authorization; listing copy should not imply full FedRAMP authorization.
    • No ISO/IEC 42001 (AI management system) or CSA STAR/STAR-for-AI certification found despite Sprinklr marketing itself heavily as an 'AI-native' platform; only an 'EU AI Act' compliance badge and a general Responsible AI blog post were found. Do not credit an AI-governance certification that is not documented.
    • Deeper compliance detail (full audit reports, HIPAA scope, exact encryption specs/protocol versions) sits behind trust.sprinklr.com's gated 'Request access' / NDA flow (SafeBase portal) and could not be independently verified beyond the publicly visible badge list and page text.
    • Sprinklr is a single large public company (multiple product suites under one Trust Center); certifications appear to apply platform-wide, but suite-level scope differences (e.g., which specific SOC 2 report covers which sub-product) were not verifiable from public pages.

    // At a glance

    Pricing model

    Enterprise SaaS subscription, quote-based (not self-serve/publicly listed pricing); sold per suite/module and by seat/usage.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Sprinklr, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    sprinklr.com

    > Browse all vendor trust reports