// Trust & Security Report

    ThoughtSpot Inc. logo

    ThoughtSpot Inc.

    Agentic Analytics Platform (BI, AI-powered search, embedded analytics)

    Certifications held

    11

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 1 Type II
    HELD

    SOC 1 Type II, SOC 2 Type II, and SOC 3 reports

    Verify on security.thoughtspot.com
    SOC 2 Type II
    HELD

    SOC 1 Type II, SOC 2 Type II, and SOC 3 reports

    Verify on security.thoughtspot.com
    SOC 3
    HELD

    SOC 1 Type II, SOC 2 Type II, and SOC 3 reports

    Verify on security.thoughtspot.com
    ISO 27001
    HELD

    ISO/IEC 27001:2022 certification

    Verify on security.thoughtspot.com
    CSA STAR Level 1
    HELD

    We adhere to rigorous industry standards which are demonstrated through the security controls and compliance certifications we maintain, including: SOC 1, SOC 2, SOC 3, ISO 27001 and CSA Star Level 1.

    Verify on thoughtspot.com
    HIPAA
    HELD

    ThoughtSpot can support HIPAA-related customer data after a Business Associate Agreement (BAA) has been properly executed with ThoughtSpot. Trust center lists HIPAA under compliance frameworks and a dedicated HIPAA whitepaper is published.

    Verify on trust.thoughtspot.com
    GDPR
    HELD

    GDPR listed on ThoughtSpot Trust Center compliance frameworks; uses Standard Contractual Clauses for international transfers from EEA, UK, and Switzerland to the U.S.

    Verify on thoughtspot.com
    EU-US Data Privacy Framework
    HELD

    EU-US DPF listed on ThoughtSpot Trust Center

    Verify on thoughtspot.com
    Swiss-US Data Privacy Framework
    HELD

    Swiss-US DPF listed on ThoughtSpot Trust Center

    Verify on thoughtspot.com
    UK Extension to EU-US Data Privacy Framework
    HELD

    UK Extension To EU-US DPF listed on ThoughtSpot Trust Center

    Verify on thoughtspot.com
    CCPA
    HELD

    CCPA listed on ThoughtSpot Trust Center; privacy policy states 'We do not sell the Personal Data of California consumers'

    Verify on thoughtspot.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Selectable data residency regions available; ThoughtSpot Cloud hosted on AWS; customers can choose regions based on compliance requirements

    ThoughtSpot explicitly prohibits training third-party LLM providers on customer data: 'We do not allow training of third-party LLM models on customer data.' Provider LLMs (Azure OpenAI GPT, Google Vertex AI / Gemini / Anthropic Claude, Snowflake Cortex / Mistral) enforce zero-retention commitments: 'Provider LLMs do not store prompts or responses and delete data following processing.' Inputs are not used to train general-purpose AI models. Customers can also bring their own LLM (BYOLLM) to keep data fully within their own environment.

    // Security controls

    Encryption at Rest

    AES-256

    thoughtspot.com

    Encryption in Transit

    TLS (TLS 1.2 or higher)

    thoughtspot.com

    Key Management

    Dedicated KMS with secure key generation and strict access controls

    thoughtspot.com

    Access Control

    MFA, RBAC, quarterly and annual access reviews, immediate access termination, SSO via SAML and OIDC

    security.thoughtspot.com

    Row/Column/Object-Level Security

    Supported for granular data access control

    thoughtspot.com

    Bug Bounty / Vulnerability Disclosure

    Responsible Disclosure Program active ('Report a vulnerability' link on security portal). No public HackerOne or Bugcrowd listing confirmed.

    security.thoughtspot.com

    Penetration Testing

    Not explicitly detailed in public-facing pages; vulnerability management program tracks remediation on industry-leading timeframes

    thoughtspot.com

    Security Portal

    Dedicated security portal at security.thoughtspot.com powered by Wolfia; SOC 2 Type II report and ISO 27001 certificate downloadable on request

    security.thoughtspot.com

    EU AI Act Compliance

    ThoughtSpot is committed to helping customers meet EU AI Act obligations

    thoughtspot.com

    Subprocessors

    16 disclosed subprocessors including Amazon (cloud infrastructure), Cloudflare, Elastic, Google (cloud + LLM), Honeycomb; full list published on security portal

    security.thoughtspot.com

    // Products & data scope

    ThoughtSpot Analytics Cloud (SaaS)Business Intelligence / Self-Service Analytics

    data: Customer business data (structured/live queries); AI features use Azure OpenAI, Google Vertex AI, Snowflake Cortex with zero-retention commitments. Data not used to train provider models. SOC 2 Type II, ISO 27001, HIPAA (with BAA) apply.

    Pricing from $25/user/month (Essentials) to $0.10/query (Pro) to custom (Enterprise). Free trial available.

    Spotter AI AgentAI Analytics Agent / Natural Language BI

    data: Queries live business data using NLP; grounded to customer data only via patented search token technology. Responses are verifiable and transparent. Provider LLMs do not persist prompts or responses.

    Included in Pro and Enterprise tiers. AI features can be toggled on/off via granular permissions.

    ThoughtSpot Embedded AnalyticsEmbedded BI / Analytics-as-a-Product

    data: Same data pipeline as core platform; embedded into third-party apps via API/SDK. Developer tier free for 1 year (up to 10 users). Enterprise tier: custom pricing with full compliance stack.

    Distinct product line used by ISVs and SaaS companies to white-label analytics.

    ThoughtSpot Software (On-Premises)Self-Hosted Enterprise BI

    data: Customer-managed deployment; data never leaves customer infrastructure. HIPAA, SOC 2, and ISO 27001 controls apply to the software product.

    Available for large enterprise customers requiring full data sovereignty.

    // What to watch

    • Trust center page contains a typo listing 'HIPPA' instead of 'HIPAA' - the underlying compliance is confirmed via a dedicated HIPAA whitepaper (media.thoughtspot.com/pdf/ThoughtSpot-Cloud-Security-Infrastructure-and-HIPAA.pdf) and trust.thoughtspot.com/certifications/hipaa
    • HIPAA compliance requires execution of a Business Associate Agreement (BAA); HIPAA is not automatic on ThoughtSpot Cloud - enterprise customers must explicitly arrange BAA
    • Bug bounty platform is a proprietary Responsible Disclosure Program; no public HackerOne or Bugcrowd listing confirmed as of June 2026
    • Penetration testing cadence not publicly disclosed - security portal lists 'automated vulnerability scanning and code analysis' but no external pen test schedule is stated

    // At a glance

    Pricing model

    Usage-based (per-user/month or per-query) with free trial; Enterprise tier on custom pricing

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on ThoughtSpot Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    thoughtspot.com

    > Browse all vendor trust reports