Skip to main content
false
security

How Splunk Uses Data

Splunk provides detailed information about the data we collect and how we use it in our customer agreements, in-product communications, product documentation and in our Privacy Policy.

tools

Training and Internal Policies

It’s not enough to build secure products. Every person at an organization is responsible for making sure data is secure. We train employees on policies and procedures for secure data handling, and use physical and procedural safeguards to help keep our facilities and equipment secure.

security

Global Presence

Splunk has regional privacy offices in the Americas, EMEA and the APJC.

Region-specific privacy

 

On this page

AMER

EMEA

APAC

Additional Resources

 

AMER

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a California state law that expands the privacy rights of California residents and creates new compliance requirements for businesses that collect and process Personal Information of California residents. The California Privacy Rights Act (CPRA), which updates and amends the CCPA, took effect on January 1, 2023.

The CCPA gives California residents new rights with respect to the collection and processing of their Personal Information (broadly defined to include information that, directly or indirectly, may lead to the identification of an individual or household). These new rights include:

  1. the right to know what categories of Personal Information a business collects (generally) in the past twelve (12) months, how it’s used, with whom its shared, and why;
  2. the right to request a list of the specific pieces of Personal Information a business collected about the requestor in the past twelve (12) months, how it’s used, with whom its shared, and why;
  3. the right to request deletion of Personal Information (in certain cases); and
  4. the right to object to the sale of Personal Information.

It also places requirements on businesses that collect and process Personal Information, such as:

  1. the requirement to post on the business website every twelve (12) months information about the business’ privacy policy, including the categories of Personal Information collected, with whom shared, and why;
  2. the requirement to post on the business website a “Do Not Sell My Personal Information” link so California residents can “opt-out” of the sale of their Personal Information, if such information is sold by the business; and
  3. the requirement to facilitate rights requests as outlined above.

The CCPA applies to businesses that collect or process the Personal Information of California residents and meet any one of the following criteria:

  1. has annual gross revenues in excess of $25 million;
  2. annually buys, receives, sells or shares Personal Information of 50,000 or more consumers, households or devices; or
  3. derives 50 percent or more of their annual revenue from selling consumers’ Personal Information.

As Splunk processes the Personal Information of California residents and has gross annual revenues in excess of $25 million, the CCPA applies to Splunk.

Customers that use Splunk Cloud services to process Personal Information are “Businesses” under the CCPA. They are responsible for ensuring the lawful collection and processing of the Personal Information they send to Splunk Cloud.

Splunk is a “Service Provider” for the Personal Information its customers send to Splunk Cloud, and under the CCPA, is responsible for upholding its contractual commitment to only use the Personal Information it receives from customers for the purpose of performing the Splunk Cloud services.

Splunk does not sell the Personal Information its customers upload to Splunk Cloud.  Further, Splunk does not sell the Personal Information Splunk collects in its capacity as a “Business”, e.g., business contact information. For more information about how Splunk uses Personal Information, see Splunk's Privacy Policy.

Splunk has recently updated its DPA to include compliance to the CPRA.

Canadian Privacy Laws

Canada's federal data protection law is the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC). The OPC has the obligation to investigate privacy-related complaints and also has the authority to open investigations independently. While various provincial laws may also apply, they tend to be substantially similar, and therefore, Cloud Service Providers in Canada typically aim to achieve compliance with PIPEDA.

PIPEDA takes a principles-based approach to data protection requiring that organizations establish appropriate and reasonable measures to protect personal information.

Yes. PIPEDA applies to the handling of personal information, which is broadly defined as information about an identifiable individual. Canadian customers may ingest data into the Splunk Cloud Platform which meets this broad definition of personal information.

Under PIPEDA, Splunk is required to take appropriate technical, physical and organizational measures to secure personal information.

No. The Office of the Superintendent of Financial Institutions (OSFI) regulates banks and other financial institutions. Under OSFI Guideline B-10: Outsourcing Business Activities, Functions and Processes (“OSFI Guidelines”), only vendors that provide “material outsourcing” activities critical to the delivery of financial services are in scope. Given the nature of Splunk’s products and services, it is unlikely they apply to Splunk.

EMEA

EU Data Protection and the GDPR

The General Data Protection Regulation (GDPR) is a European data protection law that became enforceable on May 25, 2018. It applies to European Union (EU) companies, as well as non-EU companies that have employees in the EU or that offer goods or services to individuals (“data subjects”) in the EU.

The GDPR grants data subjects rights of control over the privacy of their personal data, meaning “any information relating to an identified or identifiable natural person.” Under the GDPR, companies are required to be transparent about what types of personal data they collect and how they use it, be responsible for secure data processing practices, and provide notification to customers or data subjects when breaches occur. Splunk is committed to protecting customer personal data, whether our customer is based in the EU or elsewhere around the globe.

GDPR Article 4 defines “Personal Data” to be “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

GDPR Articles 12 to 22 provide data subjects certain rights in their personal data, including the right to: (a) be informed about  its collection and use; (b) access and correct their data; (c) request their data be erased (“right to be forgotten”); (d) restrict the processing of their data; (e) port their data from one company to another; (f) object to how their data is being processed; and (g) object to any automated data profiling in certain cases (for example, hiring decisions made only on the basis of an automated resume scans).

Splunk employs technical and organizational measures to protect customer data and has certified its Splunk Cloud service to industry leading security standards, such as SOC2 Type II and ISO 27001.  Splunk also offers heightened security standards for those customers who require Splunk Cloud’s HIPAA (Health Insurance Portability and Accountability Act) or PCI (Payment Card Industry) environments.  For more on this topic, see Splunk’s compliance certifications, standards and regulations.

Splunk believes in open and transparent disclosure about how we collect, use, share and transfer Personal Data and how you can opt-out of sharing Personal Data.  For detailed information about Splunk’s data collection practices, see Splunk’s Privacy Policy.

A DPA is a contract between a data controller and processor that spells out what privacy and security protections will be used during processing of data, as well as what rules the processor will follow when processing the data.  Splunk’s DPA and instructions for completion may be found here.

Splunk’s DPA meets the GDPR requirements that pertain to the services we provide, has been benchmarked against industry standards, and reflects our data privacy and security compliance programs.  It sets forth what we do and how we do it.  As such, we do not negotiate the provisions of Splunk’s DPA.

Splunk’s DPA is tailored specifically to the services we provide and the protections we offer.  Processing customer data is a high-volume activity that must be streamlined for business efficiency.  Implementing exceptions, such as using a customer’s DPA, will lead to operational inconsistencies that do not reflect the services we provide and the protections we offer.

Splunk maintains a list of its sub-processors that process Personal Data and updates this list as needed.  Splunk customers can subscribe to notifications of new sub-processors for the services we provide.  To subscribe to Splunk’s sub-processor notification listserv, click here.

No, to the contrary, the GDPR expressly allows it.  Splunk relies on standard contractual clauses, an approved transfer method, to transfer personal data from the EU to the U.S. for processing.

UK NCSC Cloud Security Principles

Splunk’s response to the UK National Cyber Security Centre’s (NCSC) Cloud Security Principles for the Splunk Cloud Platform and the Splunk Observability Cloud (Observability) is available for review here. These principles were first published as guidance for the UK public sector to evaluate cloud services. Splunk will periodically review and update the above document to reflect any applicable changes.

The EU-U.S. Data Privacy Framework

Splunk is proud to be among the first organizations to obtain certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and Swiss-U.S. Data Privacy Framework, and will continue to meet and exceed the requirements of these new frameworks. In July of 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (EU-U.S. DPF) which officially replaces the EU-US Privacy Shield Framework. This adequacy decision confirms that the U.S. ensures an adequate level of protection for personal data transferred from the EU, Iceland, Liechtenstein, and Norway to U.S. companies participating in the framework program. To learn more about Splunk’s certification, review Splunk’s Data Privacy Framework Notice or view Splunk’s certification on https://www.dataprivacyframework.gov/.

Additional details about Splunk’s EU-U.S. DPF certification can be found in Splunk’s Whitepaper on International Data Transfers & the EU-U.S. Data Privacy Framework.

APAC

Australian Privacy Laws

Australia’s federal data protection law is The Privacy Act 1988 (PA), accompanied by the Australian Privacy Principles (APP), which are enumerated in the PA. While various state/territorial laws may also apply, Splunk (like other Cloud Service Providers) aims to achieve compliance with the PA.

The PA aims to implement Australia’s international obligations under the International Covenant on Civil and Political Rights and other international documents that recognize privacy as a human right. Splunk’s approach to privacy compliance applies equally to the PA’s objectives to protect the privacy of individuals, ensure responsible and transparent handling of personal information, and provide avenues for individuals to seek redress for interference with their privacy rights.

Yes. The APPs apply to private organizations that collect, use and disclose personal information* in Australia, including foreign companies that collect or hold personal information in Australia and are “carrying on a business in Australia”. Foreign companies that market to Australians and/or conduct repeated transactions with Australian customers are likely to be considered to be “carrying on a business in Australia”.

*Personal information” is information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.

Under the PA, Splunk is required to only process personal information in order to perform its obligations as set forth in any agreements or as otherwise required by law.

Financial services and banking institutions are governed by the Australian Prudential Regulation Authority (APRA) which applies Prudential Standards (PS). APRA-regulated institutions must implement a basic information security framework, and ensure that its service providers’ who manage “information assets” are compliant with its framework. The key standards are: PS CPS 231-Outsourcing and PS CPS 234-Information Security. Splunk customers subject to APRA may require that Splunk meet these additional standards.

Japan Privacy Laws

Japan’s main privacy law is the Act for the Protection of Personal Information (APPI).

The APPI regulates privacy protection issues in Japan and the Personal Information Protection Commission (PPC), a central agency, acts as the supervisory authority for privacy protection.

Yes. The APPI, like GDPR, assigns responsibility for processing personal information* based on role. Where the APPI applies to a Customer and the Customer entrusts the handling of Personal Information to a vendor like Splunk (Entrusted Persons**), Splunk is required to help ensure its secure processing.

*Personal Information is information relating to a specific, living individual, containing any description making the individual identifiable, or an individual identification code. Collecting it does not require prior consent, if not obtained via unlawful means.

**Entrusted Persons are similar to a “Data Processor” under GDPR, i.e., vendors like Splunk.

Under the APPI, Splunk is required to: (i) use the Personal Information received from Customers only for the purposes of fulfilling its contractual obligations; (ii) keep it confidential; and (iii) use reasonable efforts to prevent unauthorised disclosure to third parties, except as required to provide the service, as permitted under the APPI, or subject to the Customer’s prior written consent.

Companies in the financial services industry may also be subject to guidelines issued by the Personal Information Protection Commission (PPC). In addition, Splunk employs technical, organizational, and administrative measures to protect customer data and has certified its Splunk Cloud service to industry leading security standards, such as SOC2 Type II and ISO 27001. For additional information about how customers can secure their instance of Splunk Cloud, see Securing Splunk Cloud Platform.

Additional Resources

The Splunk Customer Trust Portal provides you with easy, on-demand access to documentation about Splunk’s global privacy, security, and compliance programs, including certifications, compliance reports, standard security questionnaires and white papers.