
Splunk Data Privacy Framework Notice

Updated: September 2024


Splunk Data Privacy Framework Certification

Splunk LLC (“Splunk”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Splunk has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Splunk has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Data Privacy Framework Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.


Personal Data Processed by Splunk as a Controller

Splunk is committed to complying with the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles for all personal data received from the European Union, United Kingdom (and Gibraltar) and Switzerland in reliance on the relevant part(s) of the DPF program. This Splunk Data Privacy Framework Notice supplements the Splunk Privacy Policy for personal data Splunk collects, uses or shares as a controller. The Splunk Privacy Policy is where you will find details about the types of personal data we collect, the purpose for which we collect and share personal data, and your rights with respect to our processing of your Personal Data.


  1. Purposes of Personal Data Processing
    Please review the Splunk Privacy Policy for details on the purposes of data processing for personal data where Splunk is a controller.
  2. Third Parties Who May Receive Personal Data
    Please review the Splunk Privacy Policy for details on the third parties who may receive personal data where Splunk is a controller.
  3. Rights to Access, Limit Use, and to Limit Disclosure of Personal Data
    Please review the Splunk Privacy Policy for details on rights to access, limit use, and limit disclosure of personal data where Splunk is a controller.


Personal Data Processed by Splunk as a Processor

Splunk is committed to complying with the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles for all personal data received from the European Union, the United Kingdom (and Gibraltar) and Switzerland in reliance on the relevant part(s) of the DPF program. Splunk provides security and observability tools that our customers use to manage their security and resiliency objectives. In providing these tools, Splunk processes data our customers submit to our services or instruct us to process on their behalf. Splunk customers decide in their sole discretion what data to submit. It may include: first and last name, title, position, employer, business contact information (e.g., company email, phone, physical business address), personal contact information (e.g., email, mobile phone, address), ID data, connection data, location data, and file and message content.


  1. Purposes of Data Processing
    Splunk processes data submitted by customers for the purpose of providing services to our customers and to comply with their processing instructions.
  2. Third Parties Who May Receive Personal Data
    Splunk uses a limited number of third-party service providers, which are listed on Splunk’s website, to assist us in providing our services to customers. These third-party providers offer customer service and support to our customers, assist with configuration, help protect security and monitor performance, provide in-service communication, or offer hosting and infrastructure services. These third parties may access, process, or store personal data in the course of providing their services. Splunk maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with our Data Privacy Framework obligations, including the onward transfer provisions, and Splunk remains liable if they fail to meet those obligations and we are responsible for the event giving rise to damage.
  3. Rights to Access, Limit Use, and to Limit Disclosure of Personal Data
    Individuals in the European Union, United Kingdom (and Gibraltar) and Switzerland have rights to access personal data about them, and to limit use and disclosure of their personal data. With our Data Privacy Framework self-certification, Splunk has committed to respect those rights. Because Splunk personnel have limited ability to access data our customers submit to our services, if you wish to request access, to limit use, or to limit disclosure, please provide the name of the Splunk customer who submitted your data to our services. We will refer your request to that customer, and will support them as needed in responding to your request.


Inquiries and Dispute Resolution

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Splunk commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Splunk at: dpf@splunk.com.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Splunk commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

If neither Splunk nor our dispute resolution provider resolves your complaint, you may have the possibility to engage in binding arbitration through the Data Privacy Framework Panel. For more information on this option, please see Annex I of the EU-U.S. Data Privacy Framework Principles.


U.S. Federal Trade Commission Enforcement

The Federal Trade Commission has jurisdiction over Splunk’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).


Compelled Disclosure

Splunk may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Splunk will only disclose such personal data in accordance with its Data Request Guidelines.