// Trust & Security Report
Activepieces Inc.
AI-first workflow automation platform (no-code builder + 750+ integrations, AI agents, open-source MIT-licensed self-host edition, and managed cloud with enterprise governance tier)
Certifications held
0
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: trust.activepieces.comTrust center page (trust.activepieces.com) explicitly lists 'SOC 2 Type 2 - In progress' under Compliance overview. No published report or certificate found on any vendor-domain page. OVER-CLAIM: homepage and deployment page list 'SOC 2 Type II & GDPR' implying the certification is held.
source: trust.activepieces.comNo public evidence of ISO 27001 certification on activepieces.com, the trust center, or any vendor-domain source.
source: activepieces.comPrivacy policy references GDPR Article 6.1 lawful bases and data subject rights for EEA residents. Vendor claims 'complies with data protection regulations including GDPR' on blog. No independent GDPR certification exists; no public customer-facing Data Processing Agreement (DPA) found — the /dpa URL returns HTTP 404. GDPR-aware posture but no formal certification or public DPA artifact.
source: trust.activepieces.comNo public evidence of HIPAA compliance or BAA availability on any vendor-domain page.
source: trust.activepieces.comNo public evidence of PCI DSS compliance on any vendor-domain page.
source: trust.activepieces.comNo public evidence of ISO/IEC 42001 certification on any vendor-domain page.
source: trust.activepieces.comNo public evidence of CSA STAR registration or certification on any vendor-domain page.
source: trust.activepieces.comNo public evidence of FedRAMP authorization on any vendor-domain page.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Cloud customers can select an EU or US data region (deployment page: 'EU & US data regions'). Per the engineering handbook, Hetzner provides the machines running services and DigitalOcean hosts the databases (Redis, PostgreSQL) — a functional split, not a documented region-to-provider mapping; specific data-center cities are not stated on any vendor-domain page. Privacy policy states data is transmitted to the United States to fulfill contractual obligations.
Privacy policy explicitly states: 'We do not use Google Workspace data for advertising, marketing, user profiling, analytics, or to develop, train, refine, or improve generalized or non-personalized artificial intelligence (AI) or machine learning (ML) models.' However, this restriction is scoped explicitly to Google Workspace data. The Terms of Service do not contain equivalent language covering ALL customer data for AI/ML training. The broader AI training posture for non-Google-Workspace customer data is not explicitly addressed in public documents.
// Security controls
Encryption in transit
Yes — trust center lists 'Data encrypted in-transit' as a confirmed control
trust.activepieces.comEncryption at rest
Yes — trust center lists 'Data encrypted at rest' as a confirmed control
trust.activepieces.comPenetration testing
Performed within the last 12 months; findings remediated per trust center
trust.activepieces.comRBAC
Advanced RBAC with granular role control; Custom RBAC on enterprise (Ultimate) plan
activepieces.comVulnerability management
Vulnerability scanning, remediation, and management policy established per trust center
trust.activepieces.comEndpoint security
MDM, anti-malware, device encryption, and firewall on endpoints per trust center
trust.activepieces.comCloud infrastructure
Machines running services on Hetzner; databases (Redis, PostgreSQL) on DigitalOcean, per engineering handbook. Firewall restricts public access and buckets not exposed publicly, per trust center
activepieces.comIncident response
Incident response policy established and documented per trust center
trust.activepieces.comSecurity awareness training
Conducted per trust center organizational security controls
trust.activepieces.com// Products & data scope
data: Workflow metadata, integration credentials, run history stored in vendor-managed cloud (EU or US region selectable)
Usage-based pricing at $5/active flow/month. EU and US data regions selectable. SOC 2 Type II listed in marketing but is still in-progress per trust center.
data: Same as Standard plus additional governance controls
Custom annual contract pricing. Includes SSO (SAML 2.0), SCIM, Custom RBAC, Audit Logs, Global Connections, dedicated workers. Contact sales required.
data: All data stays within customer's own network/infrastructure
MIT licensed. Deployable via Docker, Helm, or any cloud. Core features only; enterprise governance features (SSO, advanced RBAC, audit logs) require paid license. Suitable for any compliance requirement including air-gapped or regulated environments.
// What to watch
- OVER-CLAIM: Homepage and deployment page display 'SOC 2 Type II & GDPR' as if the SOC 2 Type II certification is already held. The trust center at trust.activepieces.com explicitly shows 'SOC 2 Type 2 - In progress'. The certification has not been published. Buyers relying on the homepage marketing claim may be misled.
- NO PUBLIC DPA: No customer-facing Data Processing Agreement was found. The /dpa URL returns HTTP 404. The privacy policy mentions DPAs only in reference to Activepieces' own vendor management (as a controller), not as a document customers can sign.
- AI TRAINING SCOPE GAP: The privacy policy restricts AI/ML model training only for Google Workspace data. The Terms of Service contain no equivalent restriction for all customer data. The broader AI training posture for non-Google-Workspace workflow data is unaddressed in public documents.
- HOST-VS-VENDOR: Hetzner and DigitalOcean host Activepieces' infrastructure; any certifications these providers hold (e.g., ISO 27001) are the hosts' certs, not Activepieces' own. Activepieces does not claim host certifications as its own.
- TRUST CENTER IS JS-RENDERED: The trust center at trust.activepieces.com is a JavaScript-heavy SPA (likely Sprinto-powered). Evidence was captured by the initial crawler but live re-fetch returned no content. SOC 2 status assessment relies on the crawler-captured snapshot from the evidence file.
// At a glance
Pricing model
Usage-based for Standard ($5/active flow/month, unlimited runs); custom annual contract for Ultimate/Enterprise; free Community self-hosted edition (MIT license)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Activepieces Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.activepieces.com