// Trust & Security Report

    Activepieces Inc. logo

    Activepieces Inc.

    AI-first workflow automation platform (no-code builder + 750+ integrations, AI agents, open-source MIT-licensed self-host edition, and managed cloud with enterprise governance tier)

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    Trust center page (trust.activepieces.com) explicitly lists 'SOC 2 Type 2 - In progress' under Compliance overview. No published report or certificate found on any vendor-domain page. OVER-CLAIM: homepage and deployment page list 'SOC 2 Type II & GDPR' implying the certification is held.

    source: trust.activepieces.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on activepieces.com, the trust center, or any vendor-domain source.

    source: trust.activepieces.com
    GDPR (compliance posture)
    NOT CONFIRMED

    Privacy policy references GDPR Article 6.1 lawful bases and data subject rights for EEA residents. Vendor claims 'complies with data protection regulations including GDPR' on blog. No independent GDPR certification exists; no public customer-facing Data Processing Agreement (DPA) found — the /dpa URL returns HTTP 404. GDPR-aware posture but no formal certification or public DPA artifact.

    source: activepieces.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or BAA availability on any vendor-domain page.

    source: trust.activepieces.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance on any vendor-domain page.

    source: trust.activepieces.com
    ISO 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification on any vendor-domain page.

    source: trust.activepieces.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification on any vendor-domain page.

    source: trust.activepieces.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on any vendor-domain page.

    source: trust.activepieces.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Cloud customers can select an EU or US data region (deployment page: 'EU & US data regions'). Per the engineering handbook, Hetzner provides the machines running services and DigitalOcean hosts the databases (Redis, PostgreSQL) — a functional split, not a documented region-to-provider mapping; specific data-center cities are not stated on any vendor-domain page. Privacy policy states data is transmitted to the United States to fulfill contractual obligations.

    Privacy policy explicitly states: 'We do not use Google Workspace data for advertising, marketing, user profiling, analytics, or to develop, train, refine, or improve generalized or non-personalized artificial intelligence (AI) or machine learning (ML) models.' However, this restriction is scoped explicitly to Google Workspace data. The Terms of Service do not contain equivalent language covering ALL customer data for AI/ML training. The broader AI training posture for non-Google-Workspace customer data is not explicitly addressed in public documents.

    // Security controls

    Encryption in transit

    Yes — trust center lists 'Data encrypted in-transit' as a confirmed control

    trust.activepieces.com

    Encryption at rest

    Yes — trust center lists 'Data encrypted at rest' as a confirmed control

    trust.activepieces.com

    MFA

    Required for critical services per trust center controls

    trust.activepieces.com

    Penetration testing

    Performed within the last 12 months; findings remediated per trust center

    trust.activepieces.com

    SSO / SAML

    SAML 2.0 and Google SSO available; SCIM provisioning for enterprise tier

    activepieces.com

    RBAC

    Advanced RBAC with granular role control; Custom RBAC on enterprise (Ultimate) plan

    activepieces.com

    Audit logs

    Available on enterprise tier

    activepieces.com

    Vulnerability management

    Vulnerability scanning, remediation, and management policy established per trust center

    trust.activepieces.com

    Email security

    DMARC policy enforced per trust center

    trust.activepieces.com

    Endpoint security

    MDM, anti-malware, device encryption, and firewall on endpoints per trust center

    trust.activepieces.com

    Cloud infrastructure

    Machines running services on Hetzner; databases (Redis, PostgreSQL) on DigitalOcean, per engineering handbook. Firewall restricts public access and buckets not exposed publicly, per trust center

    activepieces.com

    Incident response

    Incident response policy established and documented per trust center

    trust.activepieces.com

    Security awareness training

    Conducted per trust center organizational security controls

    trust.activepieces.com

    // Products & data scope

    Cloud (Standard)Managed SaaS

    data: Workflow metadata, integration credentials, run history stored in vendor-managed cloud (EU or US region selectable)

    Usage-based pricing at $5/active flow/month. EU and US data regions selectable. SOC 2 Type II listed in marketing but is still in-progress per trust center.

    Cloud (Ultimate / Enterprise)Managed SaaS - Enterprise

    data: Same as Standard plus additional governance controls

    Custom annual contract pricing. Includes SSO (SAML 2.0), SCIM, Custom RBAC, Audit Logs, Global Connections, dedicated workers. Contact sales required.

    Self-Hosted (Community Edition)Open-Source Self-Hosted

    data: All data stays within customer's own network/infrastructure

    MIT licensed. Deployable via Docker, Helm, or any cloud. Core features only; enterprise governance features (SSO, advanced RBAC, audit logs) require paid license. Suitable for any compliance requirement including air-gapped or regulated environments.

    // What to watch

    • OVER-CLAIM: Homepage and deployment page display 'SOC 2 Type II & GDPR' as if the SOC 2 Type II certification is already held. The trust center at trust.activepieces.com explicitly shows 'SOC 2 Type 2 - In progress'. The certification has not been published. Buyers relying on the homepage marketing claim may be misled.
    • NO PUBLIC DPA: No customer-facing Data Processing Agreement was found. The /dpa URL returns HTTP 404. The privacy policy mentions DPAs only in reference to Activepieces' own vendor management (as a controller), not as a document customers can sign.
    • AI TRAINING SCOPE GAP: The privacy policy restricts AI/ML model training only for Google Workspace data. The Terms of Service contain no equivalent restriction for all customer data. The broader AI training posture for non-Google-Workspace workflow data is unaddressed in public documents.
    • HOST-VS-VENDOR: Hetzner and DigitalOcean host Activepieces' infrastructure; any certifications these providers hold (e.g., ISO 27001) are the hosts' certs, not Activepieces' own. Activepieces does not claim host certifications as its own.
    • TRUST CENTER IS JS-RENDERED: The trust center at trust.activepieces.com is a JavaScript-heavy SPA (likely Sprinto-powered). Evidence was captured by the initial crawler but live re-fetch returned no content. SOC 2 status assessment relies on the crawler-captured snapshot from the evidence file.

    // At a glance

    Pricing model

    Usage-based for Standard ($5/active flow/month, unlimited runs); custom annual contract for Ultimate/Enterprise; free Community self-hosted edition (MIT license)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Activepieces Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.activepieces.com

    > Browse all vendor trust reports