
Data Protection Compliance Overview

HOW SPRINKLR TACKLES THE EVOLVING CHANGES IN DATA PROTECTION LAW

© 2020 Sprinklr, Inc. All rights reserved. www.sprinklr.com info@sprinklr.com


Table of contents

Data protection is more important than ever to Sprinklr and our customers
Sprinklr’s role in processing personal data
Data protection in social media listening
Enabling customers’ data protection compliance:
Data subjects rights requests
Accountability
Data processing addendum
Sprinklr’s focus on data security


Data protection is more important than ever to Sprinklr
and our customers
THIS DATA PROTECTION COMPLIANCE OVERVIEW HIGHLIGHTS:

• How the Sprinklr platform processes personal data
• Sprinklr’s approach to data protection
• How we facilitate our customers’ data protection compliance.

Sprinklr recognizes the importance of safeguarding the personal data we handle
on behalf of our customers. Data protection and information security are part of
the culture, values and everyday conduct at Sprinklr, and key to our strong and
long-lasting customer relationships.

We view emerging data protection laws, such as GDPR and CCPA, as an
opportunity for Sprinklr to strengthen our long-standing commitment to data
protection principles and practices.

As a service provider and data processor for our customers, Sprinklr is committed
to supporting customers in their compliance with data protection requirements,
including GDPR and CCPA.


Sprinklr’s role in processing
personal data
SPRINKLR’S PLATFORM

Sprinklr offers the world’s most complete enterprise customer experience
management system, built to help large brands create, manage, and optimize
valuable social experiences for their customers, across 23+ social channels and
brand websites. The Sprinklr platform is a cloud-based SaaS application provided
over the Internet, in a multi-tenant hosted environment.

As a service provider/processor, the Sprinklr platform collects, uses, shares and
otherwise processes personal data only on behalf of customers, to provide the
services described in our customer contracts and our standard Data Processing
Addendum (DPA).

PERSONAL DATA WE PROCESS ON BEHALF OF SPRINKLR PLATFORM CUSTOMERS

Customer Content – Personal data that customers upload to the Sprinklr
platform may include consumer information, such as email lists of newsletter
subscribers, etc.

Social Media Data – Content, including public posts and private messages to
the customer, that social media users send via customer’s social media profiles
(e.g., Facebook page) connected to the Sprinklr platform, and information that
users make publicly accessible on social media networks, which we collect
based on search queries defined by the customer.

More information is available in our Website Privacy Policy and the Sprinklr Social
Media Management Privacy.



Data protection in social
media listening
Social media listening allows customers to perform broad keyword searches, and
search users who interact with the customer, across information that users make
publicly available via social media platforms, blogs & blog comments, mainstream
news sources, forums, photo and video sites, social network communities and
other media.

Sprinklr performs these searches in compliance with the media sources’
relevant terms.

With the caveat that Sprinklr is not a law firm and may not provide individual legal
advice to our customers, here’s how we view social media listening:

UNDER GDPR:
When media sources make user information publicly available, and available to
our customers – as they do in their terms – these media sources are responsible
for establishing a legal basis for publicizing and otherwise disclosing user
information.

Given media sources’ permission to access user data, our customers may rely
on their own “legitimate interest” to collect that user information via Sprinklr.

UNDER CCPA:
When media sources make user information publicly available, and available to our
customers – as they do in their terms – these media sources are responsible
for providing notice and relevant choices to California users, including notice
of disclosure of their data to third parties (such as the public, our customers and
Sprinklr), and any applicable choice to limit such disclosure.



Enabling customers’ data
protection compliance:
DATA SUBJECT RIGHTS REQUESTS

Sprinklr puts customers in control of their data.

Sprinklr’s Privacy Center, available in the Sprinklr Platform, enables customers to
comply with data subjects’ rights requests (access, rectification, deletion) in real
time and efficiently.

Customers can access and use the Sprinklr Privacy Center via the platform user
interface or an API.

The data subject rights Sprinklr supports reflect our role as a service provider/
processor – Sprinklr does not facilitate an opt-out of “sale” functionality because
we do not sell personal data.



Enabling customers’ data protection compliance:

ACCOUNTABILITY

Privacy Impact Assessments

Customers that conduct Legitimate Interest Assessments or Data Protection
Impact Assessments in connection with their use of the Sprinklr platform should
visit our Website Privacy Policy and the Sprinklr Social Media Management Privacy
Policy for a detailed description of how we process personal data in connection
with the platform.

Customers that require additional assistance may contact us at privacy@sprinklr.com.

Privacy-By-Design (PbD)

To address PbD, Sprinklr considers privacy and information security when
developing and updating products and services that involve the processing
of personal data.

We have implemented PbD throughout the development and engineering process,
and made Sprinklr’s data protection team a key stakeholder in this process.

Employee Training

Sprinklr makes every employee aware of their data protection and confidentiality
obligations.

Every employee participates in mandatory data protection and information
security trainings and is formally obliged to data secrecy.

DATA PROCESSING ADDENDUM

Data Protection Addendum (DPA)

Sprinklr offers customers a standard Data Processing Addendum (DPA).

Sprinklr provides a list of sub-processors, including scope and geographical
location of their data processing operations, engaged by Sprinklr. The list of
sub-processors is available at sprinklr.com/legal.

The DPA provides for a mechanism for customers to object to proposed changes
and additions to the list of sub-processors.

Cross-Border Data Transfer

Sprinklr is based in the U.S., and has operations in the European Economic Area, UK,
Australia, Brazil, Canada, India, Japan, and UAE.

We use Amazon Web Services (AWS) and Microsoft Azure servers located in the U.S.
and Europe to host the Sprinklr platform and to process and store customer data.

We offer customers the ability to host data at AWS and Azure in Europe.

For transfers of data from the EU/EEA including for support and/or hosting, we:

• Explain in the DPA the privacy and information security protections we have
put in place
• Use EU Standard Contractual Clauses as part of our DPA for transfers of
personal data

Further, we remain certified under EU-US Privacy Shield and the US Swiss Privacy
Shield frameworks.


Sprinklr’s focus on
data security
INFORMATION SECURITY CONTROLS
Sprinklr’s information security program is documented in the Sprinklr Security
Manual, providing a detailed overview of Sprinklr’s security and compliance
infrastructure and is available to customers upon request.

Sprinklr’s information security controls are consistent with the types of personal
data that our platform processes – generally, consumer marketing and
engagement data such as email lists, social media posts, and publicly available
information. The platform is not intended for processing users’ government ID
information or sensitive personal data.

The Sprinklr platform is a multi-tenant SaaS product, hosted in a private virtual
cloud (PVC). This means that customer data shares the physical environment with
other Sprinklr customers but is logically isolated to provide security.

This PVC hosting environment is designed for a high availability redundant
enterprise grade installation with strong security.

Sprinklr holds a SOC 2 Type 2 security certification.

DATA SECURITY INCIDENT NOTIFICATION

Sprinklr maintains a documented professional incident management and response
system designed to comply with applicable legal requirements, including incident
notification deadlines.


Please send any Data Protection Inquiries to
privacy@sprinklr.com
