// Trust & Security Report
ThoughtSpot Inc.
Agentic Analytics Platform (BI, AI-powered search, embedded analytics)
Certifications held
11
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on security.thoughtspot.com“SOC 1 Type II, SOC 2 Type II, and SOC 3 reports”
Verify on security.thoughtspot.com“SOC 1 Type II, SOC 2 Type II, and SOC 3 reports”
Verify on thoughtspot.com“We adhere to rigorous industry standards which are demonstrated through the security controls and compliance certifications we maintain, including: SOC 1, SOC 2, SOC 3, ISO 27001 and CSA Star Level 1.”
Verify on trust.thoughtspot.com“ThoughtSpot can support HIPAA-related customer data after a Business Associate Agreement (BAA) has been properly executed with ThoughtSpot. Trust center lists HIPAA under compliance frameworks and a dedicated HIPAA whitepaper is published.”
Verify on thoughtspot.com“GDPR listed on ThoughtSpot Trust Center compliance frameworks; uses Standard Contractual Clauses for international transfers from EEA, UK, and Switzerland to the U.S.”
Verify on thoughtspot.com“EU-US DPF listed on ThoughtSpot Trust Center”
Verify on thoughtspot.com“Swiss-US DPF listed on ThoughtSpot Trust Center”
Verify on thoughtspot.com“UK Extension To EU-US DPF listed on ThoughtSpot Trust Center”
Verify on thoughtspot.com“CCPA listed on ThoughtSpot Trust Center; privacy policy states 'We do not sell the Personal Data of California consumers'”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Selectable data residency regions available; ThoughtSpot Cloud hosted on AWS; customers can choose regions based on compliance requirements
ThoughtSpot explicitly prohibits training third-party LLM providers on customer data: 'We do not allow training of third-party LLM models on customer data.' Provider LLMs (Azure OpenAI GPT, Google Vertex AI / Gemini / Anthropic Claude, Snowflake Cortex / Mistral) enforce zero-retention commitments: 'Provider LLMs do not store prompts or responses and delete data following processing.' Inputs are not used to train general-purpose AI models. Customers can also bring their own LLM (BYOLLM) to keep data fully within their own environment.
// Security controls
Access Control
MFA, RBAC, quarterly and annual access reviews, immediate access termination, SSO via SAML and OIDC
security.thoughtspot.comBug Bounty / Vulnerability Disclosure
Responsible Disclosure Program active ('Report a vulnerability' link on security portal). No public HackerOne or Bugcrowd listing confirmed.
security.thoughtspot.comPenetration Testing
Not explicitly detailed in public-facing pages; vulnerability management program tracks remediation on industry-leading timeframes
thoughtspot.comSecurity Portal
Dedicated security portal at security.thoughtspot.com powered by Wolfia; SOC 2 Type II report and ISO 27001 certificate downloadable on request
security.thoughtspot.comEU AI Act Compliance
ThoughtSpot is committed to helping customers meet EU AI Act obligations
thoughtspot.comSubprocessors
16 disclosed subprocessors including Amazon (cloud infrastructure), Cloudflare, Elastic, Google (cloud + LLM), Honeycomb; full list published on security portal
security.thoughtspot.com// Products & data scope
data: Customer business data (structured/live queries); AI features use Azure OpenAI, Google Vertex AI, Snowflake Cortex with zero-retention commitments. Data not used to train provider models. SOC 2 Type II, ISO 27001, HIPAA (with BAA) apply.
Pricing from $25/user/month (Essentials) to $0.10/query (Pro) to custom (Enterprise). Free trial available.
data: Queries live business data using NLP; grounded to customer data only via patented search token technology. Responses are verifiable and transparent. Provider LLMs do not persist prompts or responses.
Included in Pro and Enterprise tiers. AI features can be toggled on/off via granular permissions.
data: Same data pipeline as core platform; embedded into third-party apps via API/SDK. Developer tier free for 1 year (up to 10 users). Enterprise tier: custom pricing with full compliance stack.
Distinct product line used by ISVs and SaaS companies to white-label analytics.
data: Customer-managed deployment; data never leaves customer infrastructure. HIPAA, SOC 2, and ISO 27001 controls apply to the software product.
Available for large enterprise customers requiring full data sovereignty.
// What to watch
- Trust center page contains a typo listing 'HIPPA' instead of 'HIPAA' - the underlying compliance is confirmed via a dedicated HIPAA whitepaper (media.thoughtspot.com/pdf/ThoughtSpot-Cloud-Security-Infrastructure-and-HIPAA.pdf) and trust.thoughtspot.com/certifications/hipaa
- HIPAA compliance requires execution of a Business Associate Agreement (BAA); HIPAA is not automatic on ThoughtSpot Cloud - enterprise customers must explicitly arrange BAA
- Bug bounty platform is a proprietary Responsible Disclosure Program; no public HackerOne or Bugcrowd listing confirmed as of June 2026
- Penetration testing cadence not publicly disclosed - security portal lists 'automated vulnerability scanning and code analysis' but no external pen test schedule is stated
// At a glance
Pricing model
Usage-based (per-user/month or per-query) with free trial; Enterprise tier on custom pricing
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on ThoughtSpot Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
thoughtspot.com