Information for You

Sprinklr chooses its subprocessors based on their ability and expertise to provide the services needed, so Sprinklr can provide the best possible products and services to you. Sprinklr puts its subprocessors through a rigorous selection and due diligence process, with the support of its procurement, legal, security, privacy, and compliance teams prior to any formal engagement or personal data sharing. Sprinklr undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy, and confidentiality practices of subprocessors that will or may have ancillary access to or process customer personal data. This includes the completion of a detailed security and privacy questionnaire and a review of security and privacy information and practices, including policies and procedures, to the extent appropriate. 

Sprinklr enters into contracts with all subprocessors to ensure that subprocessors are committed to terms at least as restrictive as those we commit to with our customers.  Some of the minimum terms we require our subprocessors to agree to include: 

• Requiring them to implement technical and organizational measures consistent with the measures we commit to; 
• where necessary, we leverage standard contractual clauses to safeguard any restricted transfers of data to countries without an adequate level of data protection; 
• they only have access to, and process the data, which is necessary for the purpose for which they are instructed; 
• they only process data in accordance with the instructions you have given us; 
• they are contractually committed to supporting with legal compliance, such as providing information to support data protection impact assessments, providing reasonable assistance with individual rights requests, deleting data upon request, notifying of data breaches, and permitting us to conduct audits to ensure legal and contractual compliance 
• they are required to have undergone privacy and security training and be subject to confidentiality obligations either legally or contractually; and 
• they are obliged to ensure that their personnel are reliable, trained, and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable by data protection laws. 

Sprinklr remains liable for the acts and omissions of its subprocessors to the extent that they relate to the provision of the services and in accordance with the limitations of liability in the MSA. 

Even where hosting is provided in a specific region, there will still be access to customer data from other regions.  Sprinklr has carried out it’s own assessment of the regions to which personal data is transferred, and customers can find details regarding that in our Whitepaper on International Data Transfers at Trust Center.

Sprinklr’s subprocessors may have access to limited customer data to support in delivering the services to its customers. Subprocessors are always contractually prohibited from using customer personal data for any purposes other than to support with providing the services to you. Subprocessors are not permitted to use customer data for their own purposes. Access to customer data is usually remote ancillary access via an API connection or integrated code, rather than a physical transfer (although remote access is still classed as a transfer for the purposes of data privacy law). 

Some of this personal data may be user information, such as usernames, email addresses, or other contact information of your employees. For example, if our subprocessors are engaging with your employees to troubleshoot or resolve an issue they may have access to this data. 

In addition, when providing engineering, security, or technical support, our subprocessors may have some limited access with your permission, to the production environment to resolve the issue. As a result of that limited access, your data may be visible to the subprocessor, but it would not be extracted or used for any other purpose without your permission. 

Likewise, if you are creating content within our products for publishing, the content you create may be processed by our subprocessor, to support with that service provision. 

Where you utilize our Sprinklr AI+ features, the data you input into those features is shared with our third-party generative AI providers. You control what data is fed into those features and more information about data usage and Sprinklr AI+ can be found here.

Sprinklr may update this list from time to time, and customers should subscribe to receive updates of that notice using the link above. Customers should receive notice of any changes to this list at least 30 days in advance of Sprinklr granting access to customer’s personal data to a new subprocessor (except for emergency replacements, which are sudden replacement of subprocessor where such change is outside of Sprinklr’s reasonable control, such as if the Sub-processor ceases business, abruptly discontinues services, or breaches its contractual duties). In the case of an emergency replacement, Sprinklr will inform customers of the replacement subprocessor as soon as possible and the process to formally appoint such subprocessor defined above shall be triggered.  

If, after receiving notice, customers have a legitimate, material reason to object to Sprinklr’s use of a subprocessor, notice of the objection should be provided to Sprinklr via email at privacy@sprinklr.com within fifteen (15) days after receipt of Sprinklr’s notice.  If there is an objection to a subprocessor, Sprinklr can cure the objection by: (i) aborting its plans to use the subprocessor with regard to that customer’s personal data; or (ii) taking corrective steps by in to address the issue and remove the objection and proceed to use the subprocessor; or (iii) ceasing to provide, or customer may agree not to use, (temporarily or permanently), the particular aspect of the service that would involve use of the subprocessor.  If there is no objection, the subprocessor will be agreed to by the customer in accordance with our data protection agreements.

Sprinklr engages trusted third parties to perform limited and specific services to Sprinklr, which support with Sprinklr’s product and service offering to customers. These are categorised as follows: 

1. In-product and AI/ML subprocessors:

Some of our subprocessors are built into the product suite, either through APIs or code to support the provision of specific features, which Sprinklr does not have the capability to provide natively. For example, we have subprocessors who help with dynamic image creation, font and text editing, text translation, in-product notification and guidance, and voice capabilities.  

The applicability of these third-party subprocessors depends on the products or services the customer has purchased and the specific features they are leveraging. For instance, our voice capability subprocessors are only relevant in circumstances where you are utilizing our voice capabilities that only exist within our Sprinklr Service product. If you are not using Sprinklr Service, the voice subprocessors will not be relevant to you and will not have access to your data. There may be capacity to disable some of these subprocessors so that they are not integrated with and do not have access to customer data within the platform.  However, this may impair certain product functionality, as detailed in our subprocessor list.

In circumstances where we fine tune Sprinklr's proprietary AI models to build you a custom AI model, we use automated or human labellers to tag and annotate datasets that you submit to us, based on your instructions to do so. We also use transcribers to help us label and transcribe audio recordings. This activity only occurs if the customer is having a custom voice model developed, such as automated speech recognition, intent detection, or speech to text transcription capabilities. These may be human labellers from a Sprinklr affiliate or external third-party labellers. Labelling is done via secure access to a dedicated, Sprinklr-hosted platform. No data is sent to these third parties, nor can it be copied, exported, or downloaded from this platform. Where possible, we try and mask personally identifiable information within the labelling platform so that third-party access is even more limited.

The subprocessors perform limited and specific services only for customers who are instructing Sprinklr to build a custom AI model for them. If you have not instructed us to train your model to increase accuracy and make it bespoke to you, then these subprocessors will not have access to your data. 

2. Hosting subprocessors:

Sprinklr does not have its own data storage centres, so we leverage third-party subprocessors who are equipped and able to deliver reliable infrastructure to maintain data storage. These subprocessors host the Sprinklr platform in their cloud storage centres. Customers’ chosen data hosting location is indicated on their Order Form. If no hosting is specified it will default to U.S. hosting. For customers who are engaging with PCI-DSS compliant features in Sprinklr, the processing of PCI data is facilitated through Amazon Web Services in the U.S.

3. Affiliates of Sprinklr:

As a global organization, Sprinklr has worldwide affiliates. We engage our affiliates as subprocessors to perform some activities in connection with the services we provide you. Our affiliates are integral to the services we provide to you, including the management of your account, consulting services, customer success management, service maintenance (systems and software engineering, maintenance, troubleshooting), technical support, and security. When we talk about our affiliates, we mean Sprinklr entities, other than the entity you are contracting with, and the Sprinklr personnel within those entities.

Generally, the account teams supporting you, will be local to you. For example, if you are a customer based in Europe, your primary support team will be based there. However, it may be that the Sprinklr personnel supporting your account are not all based in one location. Our support teams, including security and engineering/tech ops teams, are based in the US, UAE, Singapore and India. When we provide you with engineering, security, maintenance and troubleshooting support, those teams may require limited, permissioned, remote access to your data, for example, to resolve technical issues. The Sprinklr affiliates which may provide you with services are dependent on the location of your account team, the services purchased, the maintenance or support needs of your organisation, or the technical support required.

4. Implementation and managed service providers:

These subprocessors are engaged to perform limited and specific activities to provide Sprinklr services to customers, depending on your onboarding or specific implementation needs and additional ongoing support you may require related to your use of the Sprinklr services. Usually this will be serviced by affiliate entities, but sometimes we may use experienced third parties to provide bespoke and tailored support. Where a third party is engaged to support your needs, your Statement of Work will include information about which implementation or managed service providers will support your account. If there are no third-party implementation or managed service providers on your Statement of Work, then you can assume that none of these third parties are acting as a subprocessor, and, therefore, they will not have access to your data.

The below list includes all of Sprinklr’s subprocessors.  It details the purposes of sub-processing and the locations of Sprinklr’s subprocessors. As mentioned above, at this point in time, not all of these subprocessors may be relevant to the services being provided by Sprinklr, to every customer.  However, to allow its customers to continue to scale and flex their use of the Sprinklr platform, and avoid the need to continually notify customers of changes as they do that, and prevent multiple contractual amendments, Sprinklr asks customers to agree to the engagement of all the below subprocessors,  Subject to any specific provisions in a customer’s MSA or DPA, Sprinklr shall have its customers’ general authorization to engage any of the below subprocessors. 

Click here to see Sprinklr’s List of Subprocessors

It is important that customers read the descriptions to help them understand which subprocessors are applicable to their unique engagement with Sprinklr. As a customer’s engagement with the Sprinklr platform evolves, new subprocessors may become relevant. If customers have any questions or concerns regarding the applicability of subprocessors to the products and services they are consuming, they should contact their implementation team or account team, or email privacy@sprinklr.com.