SPRINKLR SECURITY & PRIVACY
A relentless commitment to security and privacy.
At Sprinklr, security, compliance, and privacy are foundational to our customer and investor trust. We are fiercely dedicated to safeguarding information assets and continuously enhancing the security and privacy of our customers' data.
Security & Data Privacy
Explore Sprinklr’s certifications, assessments, and industry compliance status and dive deeper into the processes and features behind our platform and product security and privacy features. Discover how Sprinklr processes and safeguards information provided to us by our customers, get more details on our data transfer mechanisms and subprocessors, and find answers to frequently asked questions.
Sprinklr Platform Security
Safeguarding our customer information is of the utmost importance to Sprinklr. To demonstrate that commitment — and reduce customer exposure to risk — we’ve implemented the most comprehensive security standards, including web applications, optimized infrastructure, governance across all modern channels, network security, and more.
Product Security Features
We offer a number of features and support industry-standard controls in order to help protect your brand. Security features include role-based access permissions, access controls, single sign-on, two-factor authentication, IP restricted access, and more.
Secure Development Lifecycle Process
Our platform is developed internally by Sprinklr employees who receive regular training on secure coding practices. When we create a product, our security team works closely with engineering to inject security throughout every step of the development process – and the job is never “finished.” Sprinklr follows the Open Web Application Security Project (OWASP) standard security controls and other industry-standard control systems for application security.
Detection & Response
Sprinklr’s dedicated Detection & Response team is focused on threat detection engineering, vulnerability management, incident response, and crisis communication management in order to support our customers in security incidents and beyond. Within scope are product operations, business systems, and all corporate assets.
Infrastructure Security
Sprinklr’s production environment is completely virtual, running in an Infrastructure-as-a-Service (IaaS) third-party cloud environment. We also leverage additional IaaS providers’ security controls. Sprinklr partners with AWS, Microsoft, and Google data centers in the United States and Europe for data hosting.
Network Security
Sprinklr has implemented both reactive and proactive network security controls. We monitor network activity for anomalies 24/7 and respond to security events within minutes. Proactive controls such as firewalls, cloud security posture management, and network penetration tests ensure a very high degree of protection. All sensitive data is encrypted during transit.
Security Awareness & Training
At Sprinklr, we believe our employees are our first and strongest defense against cyber threats. Our employees are trained annually and regularly presented with security education and best practices in order to drive awareness, reduce risk and remain vigilant against potential threats. Annual tabletop exercises are also conducted to test our incident response plans.
Vulnerability Disclosure Program
Sprinklr utilizes a third-party Vulnerability Disclosure Program (VDP) for managing security vulnerabilities reported by the security community. For more information, please visit Sprinklr’s Vulnerability Disclosure Program.
For more information and to request access to view compliance reports and more, visit and subscribe to the Sprinklr Trust Portal.
Security Governance
Sprinklr has aligned configuration, policies, procedures, and processes in place, which are reviewed annually, to help our organization achieve business objectives, address uncertainty, and act with integrity.
Security Certifications & Assessments
Sprinklr is regularly audited through third-party assessments that evaluate the internal controls protecting the security, confidentiality, integrity, availability, and privacy of the information entrusted to us by our customers. Sprinklr maintains SOC1 Type II, SOC2 Type II, PCI-DSS, and ISO 27001 certifications as well as FedRAMP authorization.
For high-level Sprinklr availability information and any known issues affecting Sprinklr products, please visit the Sprinklr Status page. Potential service interruptions may vary from customer to customer, depending on the systems or services impacted.
Security FAQs
Visit our Security & Privacy Trust Portal at trust.sprinklr.com
Sprinklr has a dedicated Security Team chartered to define, supervise implementation of, and monitor all relevant security and privacy policies, standards, and controls. We have a dedicated detection and response team that is tasked with 24/7 monitoring of our platform, and we abide by industry best practices, compliance regulations, and all applicable laws. Periodic tests by independent third parties (such as third-party auditors, assessors, penetration testers, etc.) are organized and conducted under the guidance of the Security Team. Remediation of any material findings is tracked and validated. These tests include the validation of administrative, procedural, and technical controls.
While we continue to invest significant resources in order to ensure the continued security of our Sprinklr services and our users’ data, we also believe it’s important that Sprinklr users better understand not only the security options we offer, but also how they can best protect their devices from malware and other threats. Combined with our efforts securing Sprinklr, and users following online best practices, users can ensure the security of their information. Please see our recommended best practices here.
At Sprinklr, we recognize the importance of safeguarding the personal information we handle, including the information provided to us by customers, personal information we leverage from various sources to provide our products, as well as customer information. We are committed to protecting this data and not using it for any reason beyond what was initially agreed upon.
We use appropriate technical, organizational and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorized access. Our engineering teams proactively incorporate privacy into Sprinklr products and ensure the collection, use, retention, and disclosure of data is tailored and limited to the purposes necessary to provide our products to customers. We also take all reasonable precautions to ensure that our employees who have access to personal data about customers are limited and receive adequate training.
Build stronger customer trust on a foundation of robust data privacy measures
Sprinklr prioritizes safeguarding the personal information we handle — information provided to us by customers, the personal information we leverage from various sources to power our products, and the information we gather about consumers. We’re committed to protecting this data and using it solely to provide our services. Our Data Processing Addendum and Privacy Policy provide additional information.
Our compliance with privacy laws
At Sprinklr, data protection and information security are integral to our culture and values, fostering strong customer relationships. As a service provider and data processor, we view privacy as fundamental and support our customers in meeting data protection requirements. Our legal and compliance team, alongside security and product teams, closely monitors evolving data privacy regulations to ensure ongoing compliance with laws such as GDPR, CCPA, CPRA, and LGPD.
Sprinklr’s Data Protection Principles
Proportionality and Accountability
As a processor and service provider for our customers, Sprinklr processes customer data only as needed to provide our services. Sprinklr has internal policies, processes, and controls to manage data processing activities in accordance with applicable global data protection laws. You can read more about Sprinklr’s approach to data protection here.
Contractual Commitments
Sprinklr’s Data Processing Addendum (DPA) governs how we process data on behalf of our customers. It defines Sprinklr’s role as a processor, incorporates data transfer mechanisms, and outlines the technical & organizational measures in place to protect data from unauthorized access or loss.
Privacy Training
Sprinklr is committed to ensuring all of our employees understand their obligations under applicable data privacy laws. All new hires that join Sprinklr are trained on privacy and security during onboarding, and Sprinklr conducts annual refresher training, as well as tailored training for specific teams throughout the year.
Data Transfer Mechanisms
Sprinklr is committed to securing data transferred across geographic borders and leverages Standard Contractual Clauses, as well as additional technical and organizational measures, for such transfers. For more details, please refer to our White Paper on Data Transfers, available here, which you can use to inform your Data Transfer Impact Assessment.
Sharing Data
Sprinklr conducts careful due diligence on the privacy and security practices of third parties we engage to help us provide our services. All of our sub-processors must agree to and sign data protection agreements that include terms that are at least as protective as those that Sprinklr commits to with its customers. You can find our list of subprocessors here.
Data Subject Rights
Sprinklr puts customers in control through our in-product Privacy Center, which is available in the Sprinklr platform. Through the Privacy Center, customers can manage their data subject requests, such as access, deletion, and rectification, in real time. Sprinklr also provides a privacy request form to assist with data subject requests directed at Sprinklr.
Privacy Resources
For more information and to view documentation related to Sprinklr’s privacy program, visit and subscribe to the Sprinklr Trust Portal.
Review our Privacy Policy
Sprinklr’s Privacy Policy provides details on how Sprinklr collects, uses, and shares information when you use our products, services, and website.
Access Sprinklr’s Data Processing Addendum
The DPA governs how Sprinklr processes data on behalf of our customers.
Contact Us
If you have any questions about Sprinklr’s approach to privacy, please submit your question.
Data Privacy FAQs
Yes. Sprinklr’s Data Processing Addendum (DPA) is available here. Our DPA governs how Sprinklr processes and safeguards the data we process to provide you with our services. During contract negotiations, the DPA will be referenced in your Master Services Agreement (MSA) with Sprinklr and will become an addendum to the MSA. Sprinklr’s DPA is global and covers all processing activities between Sprinklr and our customers. We make regular updates to our DPA, as needed, to ensure ongoing compliance with data protection requirements.
Sprinklr is the processor of our customer data and processes data to provide customers with the Sprinklr services. The customer is either the Controller or Processor, depending on whether the customer or a customer affiliate is signing the contract with Sprinklr. This is outlined in Section 2.1 of Sprinklr’s Data Processing Addendum.
The GDPR has a broad territorial scope and applies to the processing of EU personal data, even if the processing activity happens outside of the EU. Given the global nature of social media channels, Sprinklr will likely process customer data, especially social data, which would be subject to the GDPR. Because Sprinklr is a processor, we do not have control over the type of data our customers collect from their consumers or users, where those individuals are located, or when customers expand their business to new markets. We ask that all customers enter into a Data Processing Addendum (DPA) which complies with GDPR requirements, such as Standard Contractual Clauses.
Sprinklr generally processes three categories of data:
- Account Information, which we collect from users of our platform in order to create and authenticate their Sprinklr accounts;
- Customer Content, which can include any kind of data our customers choose to process through, or upload into, the Sprinklr platform; and
- Social Content, which includes any interactions social media users may have with customers’ social channels, as well as other publicly available web sources such as blogs, forums, reviews, etc.
For more information on the type of personal data processed by Sprinklr, please review our Data Protection Addendum.
Sprinklr does not request or require special categories of data in order to provide its services to our customers. Whether or not such data may be processed by Sprinklr depends on the type of data customers choose to store or load into the Sprinklr platform, or the types of content social media users choose to make publicly available on social media channels or the web.
Sprinklr requires that all employees undergo security awareness and privacy training upon hire, and annually thereafter, and we require additional role-specific training on an ad-hoc basis across the company, as needed. Sprinklr has privacy and security policies that provide internal guidance on employee obligations related to safeguarding the security and privacy of all data we process. Our Code of Conduct also requires that our employees treat all information as confidential.
Sprinklr hosts data in data centers located in the United States and Europe, and where each customer will be hosted is determined during the contracting and implementation process. Please note that even with a specific hosting location selected, Sprinklr may still need to leverage affiliates or vendors in other regions to provide the Sprinklr services, such as trouble ticketing or engineering support. For such transfers, we rely on Standard Contractual Clauses and contractual, technical, and organizational measures. You can find a full list of data hosting locations, as well as the locations of our subprocessors here.
Following the Schrems II decision, Sprinklr relies on the Standard Contractual Clauses (SCCs) published by the European Court of Justice on June 4, 2021, to safeguard data transfers out of the EU/EEA. Standard Contractual Clauses are legal contracts entered into between parties transferring data to third countries. The 2021 SCCs include four transfer scenarios and Sprinklr leverages Module 2 (controller to processor) and Module 3 (processor to processor) with its customers. Following the ICO’s publication of UK cross-border transfer mechanisms on March 21, 2022, Sprinklr also relies upon the UK International Data Transfer Addendum to safeguard data transfers out of the United Kingdom. Both are part of our standard Data Processing Addendum.
Sprinklr complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit dataprivacyframework.gov.
Following the Schrems II decision in the EU, Sprinklr is committed to helping our customers understand national legislation that may impact data transfers out of the European Economic Area. Please review Sprinklr’s White Paper on International Data Transfers, which provides customers with all information needed to complete internal data transfer impact assessments. If you still need further assistance, please work with your Sprinklr account or sales representative, or reach out to privacy@sprinklr.com.
Yes. Sprinklr engages certain third-party service providers to perform limited and specific services to support our customers on the Sprinklr platform. Sprinklr sub-processors include Sprinklr affiliates who provide customers with services such as consulting, customer success management, maintenance, technical troubleshooting, and other technical support, as well as third parties who provide data hosting solutions, enhanced consulting or implementation services, and additional product features.
Sprinklr’s list of sub-processors is available here. Sprinklr’s data protection and security teams conduct due diligence on all sub-processors and their security and privacy programs. All sub-processors must enter into security, privacy, and confidentiality terms that are at least as restrictive as what Sprinklr has committed to with its customers, including appropriate SCCs to facilitate data transfers. Contracts with sub-processors limit their access to customers’ data only as needed to perform the services they are contracted for, and Sprinklr assesses sub-processors periodically to ensure ongoing compliance.
Sprinklr’s list of sub-processors is available here, along with information about the services provided by each sub-processor and their geographic location. Customers should use the subscription tools on that site to subscribe for updates to the sub-processor list.
Sprinklr offers an in-product Privacy Center to customers, which is a module embedded in the Sprinklr platform that enables customers to handle data subject requests for access, deletion, correction, or opt-out. Sprinklr also offers a Privacy API to help customers automate GDPR requests on their end. You can find more information about this API on our Developer Portal. For data subject requests directed at Sprinklr, you can visit sprinklr.com/privacy-request.