// Trust & Security Report
Chili Piper, Inc.
Demand Conversion Platform (AI-led website conversion, inbound lead routing, scheduling/booking, Chat AI, Concierge, Distro)
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on chilipiper.com“Chili Piper has achieved SOC 2 Type 2 and ISO 27001 accreditation.”
Verify on trust.chilipiper.com“Compliance: SOC 2 / ISO 27001:2013 ... Chili Piper has achieved SOC 2 Type 2 and ISO 27001 accreditation.”
Verify on chilipiper.com“Chili Piper has taken the necessary measures to be GDPR compliant. Please see Exhibit A of our terms and conditions for more details on GDPR compliance.”
Verify on chilipiper.com“Chili Piper has successfully completed the Salesforce.com Security Review.”
> Show 2 unconfirmed / not-held certifications
source: trust.chilipiper.comNo HIPAA certification or BAA offering found on the trust center or security page. The trust center lists 'Personal health information' under data categories collected, but no HIPAA attestation is claimed.
source: trust.chilipiper.comNo public bug bounty program found. Vulnerabilities are reported via email: 'Want to report a potential security issue?' and the trust center lists security@chilipiper.com as the contact.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (AWS US East, Ohio; Google Cloud Platform US Central, Council Bluffs, IA). Global business that may transfer data internationally per privacy policy Section 6.
No explicit 'we do not train AI models on customer data' clause was found, but Chili Piper's security page makes strong contractual data-use commitments that preclude commercial reuse: 'We only use customer data to provide our Services; we do not share it with any third party nor use it for marketing purposes' and 'We don't mine or access your data for commercial purposes and only access it to provide our Services.' The privacy policy further states personal information under the Master Subscription Agreement 'will only be used and shared for the purpose of providing our Services.' Note: the marketing-site privacy policy (for website visitors/leads) does allow broader marketing/profiling use, so the strong protections apply to customer/business data processed under the MSA, not to web-visitor marketing data. Recommend buyers confirm an explicit AI/model-training clause in the DPA given the product's new AI-led positioning.
// Security controls
Encryption at rest
Sensitive data encrypted at rest; OAuth tokens stored in S3 with native encryption
chilipiper.comPenetration testing
Performed; 'Penetration Test Report 2025' available on the trust center; control 'Penetration testing performed' listed under Product security
trust.chilipiper.comMulti-tenancy / logical isolation
Each tenant hosted in a separate database instance on MongoDB
chilipiper.comAccess control
Unique account authentication enforced; production application access restricted; encryption key access restricted; DB access limited to CTO and system admin via VPN + 2FA
trust.chilipiper.comBackups / DR
Regular backups to Google Cloud Storage; maximum 12-hour RTO and RPO; Continuity and Disaster Recovery plans established
chilipiper.comOrganizational controls
Employee background checks performed; portable media encrypted; cybersecurity insurance maintained; incident response plan; secure development policy
trust.chilipiper.comVulnerability disclosure
Email-based reporting to security@chilipiper.com (no public bounty platform)
trust.chilipiper.com// Products & data scope
data: Processes website visitor behavioral signals, firmographic enrichment, and CRM data to identify, qualify, and book visitors in real time
Newest AI-forward positioning; relies on enrichment vendors (e.g., Clearbit referenced in marketing) and live CRM data
data: Web form lead data, rep availability, CRM records; qualifies and routes inbound leads to reps
Core flagship product since 2016
data: CRM record changes and assignment; routes leads/accounts and fires notifications
Used with Salesforce/HubSpot; account-change notifications
data: Calendar availability, rep ownership, prospect contact data; SDR-to-AE meeting booking
Built-in fairness and no-show rules
// What to watch
- No public bug bounty program (HackerOne/Bugcrowd); vulnerabilities reported by email only.
- No explicit 'we do not train AI/ML models on customer data' clause despite heavy new AI-led product positioning; buyers should confirm a model-training carve-out in the DPA.
- Trust center lists sensitive data categories collected including 'Personal health information' and 'Credit card information', but no HIPAA/PCI attestation is claimed.
- Marketing-site privacy policy permits broad marketing/profiling use of web-visitor lead data, which is a different scope from MSA-governed customer data; do not conflate the two.
- Data residency is US-only; no documented EU hosting region for EU customers.
- Single primary datastore is MongoDB with DB access stated as limited to 'CTO and system administrator' (small named-admin model typical of mid-size vendor).
// At a glance
Pricing model
Subscription SaaS, sales-led (per-seat; 'Book a demo' / pricing page; no public self-serve free tier surfaced)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Chili Piper, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.chilipiper.com