// Trust & Security Report

    Chili Piper, Inc. logo

    Chili Piper, Inc.

    Demand Conversion Platform (AI-led website conversion, inbound lead routing, scheduling/booking, Chat AI, Concierge, Distro)

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Chili Piper has achieved SOC 2 Type 2 and ISO 27001 accreditation.

    Verify on chilipiper.com
    ISO 27001:2013
    HELD

    Compliance: SOC 2 / ISO 27001:2013 ... Chili Piper has achieved SOC 2 Type 2 and ISO 27001 accreditation.

    Verify on trust.chilipiper.com
    GDPR
    HELD

    Chili Piper has taken the necessary measures to be GDPR compliant. Please see Exhibit A of our terms and conditions for more details on GDPR compliance.

    Verify on chilipiper.com
    CCPA
    HELD

    Compliance ... CCPA COMPLIANT

    Verify on trust.chilipiper.com
    Salesforce AppExchange Security Review
    HELD

    Chili Piper has successfully completed the Salesforce.com Security Review.

    Verify on chilipiper.com
    > Show 2 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No HIPAA certification or BAA offering found on the trust center or security page. The trust center lists 'Personal health information' under data categories collected, but no HIPAA attestation is claimed.

    source: trust.chilipiper.com
    Public bug bounty (HackerOne / Bugcrowd)
    NOT CONFIRMED

    No public bug bounty program found. Vulnerabilities are reported via email: 'Want to report a potential security issue?' and the trust center lists security@chilipiper.com as the contact.

    source: trust.chilipiper.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (AWS US East, Ohio; Google Cloud Platform US Central, Council Bluffs, IA). Global business that may transfer data internationally per privacy policy Section 6.

    No explicit 'we do not train AI models on customer data' clause was found, but Chili Piper's security page makes strong contractual data-use commitments that preclude commercial reuse: 'We only use customer data to provide our Services; we do not share it with any third party nor use it for marketing purposes' and 'We don't mine or access your data for commercial purposes and only access it to provide our Services.' The privacy policy further states personal information under the Master Subscription Agreement 'will only be used and shared for the purpose of providing our Services.' Note: the marketing-site privacy policy (for website visitors/leads) does allow broader marketing/profiling use, so the strong protections apply to customer/business data processed under the MSA, not to web-visitor marketing data. Recommend buyers confirm an explicit AI/model-training clause in the DPA given the product's new AI-led positioning.

    // Security controls

    Encryption in transit

    All in-transit data encrypted with 256-bit SSL/TLS

    chilipiper.com

    Encryption at rest

    Sensitive data encrypted at rest; OAuth tokens stored in S3 with native encryption

    chilipiper.com

    Penetration testing

    Performed; 'Penetration Test Report 2025' available on the trust center; control 'Penetration testing performed' listed under Product security

    trust.chilipiper.com

    Multi-tenancy / logical isolation

    Each tenant hosted in a separate database instance on MongoDB

    chilipiper.com

    Access control

    Unique account authentication enforced; production application access restricted; encryption key access restricted; DB access limited to CTO and system admin via VPN + 2FA

    trust.chilipiper.com

    Backups / DR

    Regular backups to Google Cloud Storage; maximum 12-hour RTO and RPO; Continuity and Disaster Recovery plans established

    chilipiper.com

    Organizational controls

    Employee background checks performed; portable media encrypted; cybersecurity insurance maintained; incident response plan; secure development policy

    trust.chilipiper.com

    Vulnerability disclosure

    Email-based reporting to security@chilipiper.com (no public bounty platform)

    trust.chilipiper.com

    // Products & data scope

    AI-led Website Conversion / Chat AIAI conversion + chat agent

    data: Processes website visitor behavioral signals, firmographic enrichment, and CRM data to identify, qualify, and book visitors in real time

    Newest AI-forward positioning; relies on enrichment vendors (e.g., Clearbit referenced in marketing) and live CRM data

    Concierge (Form Concierge)Inbound form routing + scheduling

    data: Web form lead data, rep availability, CRM records; qualifies and routes inbound leads to reps

    Core flagship product since 2016

    DistroLead/record routing

    data: CRM record changes and assignment; routes leads/accounts and fires notifications

    Used with Salesforce/HubSpot; account-change notifications

    Handoff / Instant BookerOutbound scheduling

    data: Calendar availability, rep ownership, prospect contact data; SDR-to-AE meeting booking

    Built-in fairness and no-show rules

    // What to watch

    • No public bug bounty program (HackerOne/Bugcrowd); vulnerabilities reported by email only.
    • No explicit 'we do not train AI/ML models on customer data' clause despite heavy new AI-led product positioning; buyers should confirm a model-training carve-out in the DPA.
    • Trust center lists sensitive data categories collected including 'Personal health information' and 'Credit card information', but no HIPAA/PCI attestation is claimed.
    • Marketing-site privacy policy permits broad marketing/profiling use of web-visitor lead data, which is a different scope from MSA-governed customer data; do not conflate the two.
    • Data residency is US-only; no documented EU hosting region for EU customers.
    • Single primary datastore is MongoDB with DB access stated as limited to 'CTO and system administrator' (small named-admin model typical of mid-size vendor).

    // At a glance

    Pricing model

    Subscription SaaS, sales-led (per-seat; 'Book a demo' / pricing page; no public self-serve free tier surfaced)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Chili Piper, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.chilipiper.com

    > Browse all vendor trust reports