// Trust & Security Report

    PandaDoc Inc. logo

    PandaDoc Inc.

    Document workflow platform covering proposal/quote creation, eSignature, contract management, CPQ (configure-price-quote), Rooms (deal collaboration), payments, and forms/notary; API and CRM integrations (Salesforce, HubSpot, Pipedrive, etc.) sold as add-ons/tiers on top of the core document platform

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    "PandaDoc is SOC 2 Type II compliant. We can provide our latest SSAE 18 SOC 2 Type II report."

    Verify on pandadoc.com
    HIPAA
    HELD

    "PandaDoc is a HIPAA-compliant eSignature tool that offers the features and safeguards to protect electronic patient health information (PHI)." A Business Associate Agreement (BAA) must be separately requested and signed: "In order to transmit electronic Protected Health Information (ePHI) using PandaDoc and maintain it with HIPAA compliance, customers should sign a Business Associate Agreement (BAA)."

    Verify on pandadoc.com
    GDPR (compliance posture)
    HELD

    "PandaDoc complies with GDPR by processing personal data lawfully, transparently, and only for specific legitimate purposes." Standard DPA available and referenced from the Privacy Notice; PandaDoc acts as Processor with customer as Controller, per the Data Processing Agreement.

    Verify on pandadoc.com
    eIDAS
    HELD

    PandaDoc's SOC2/HIPAA/GDPR summary page groups eIDAS alongside its other compliance frameworks and links a dedicated eIDAS explainer; eSignatures are positioned as legally binding under eIDAS in the EU. Footer compliance badges on pandadoc.com list eIDAS alongside HIPAA, SOC 2, and GDPR.

    Verify on pandadoc.com
    CCPA
    HELD

    PandaDoc provides a "Do Not Sell My Personal Information" mechanism via OneTrust privacy portal linked in the site footer, and its blog/compliance material lists CCPA among supported frameworks alongside SOC 2, HIPAA, and GDPR.

    Verify on pandadoc.com
    > Show 5 unconfirmed / not-held certifications
    ISO/IEC 27001
    NOT CONFIRMED

    PandaDoc's own Security Practices page attributes this cert to its infrastructure providers, not itself: "Any third-party cloud service provider that PandaDoc utilizes to host and Process Customer Content will have at a minimum, industry standard physical security precautions in place and conform to ISO 27001 or equivalent certification standards." No PandaDoc-domain page claims PandaDoc itself holds an ISO 27001 certificate; only AWS (the host) is described as conforming to it. Third-party aggregator sites claim "PandaDoc is ISO 27001 compliant" but this is not corroborated by any pandadoc.com page and appears to conflate the host's certification with the vendor's.

    source: pandadoc.com
    PCI DSS
    NOT CONFIRMED

    PandaDoc does not claim its own PCI DSS certification; it integrates with certified third-party processors: "PandaDoc integrates with PCI-DSS compliant payment processors to offer payment processing via credit cards." This is the payment processor's certification, not PandaDoc's own.

    source: pandadoc.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence found on any pandadoc.com page of an ISO/IEC 42001 AI-governance certification.

    source: pandadoc.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any pandadoc.com page of CSA STAR registration or certification.

    source: pandadoc.com
    FedRAMP
    NOT CONFIRMED

    FedRAMP is referenced only as an AWS infrastructure-level authorization in PandaDoc's compliance page discussion of its cloud host, not as a PandaDoc-held authorization: no public evidence PandaDoc itself is FedRAMP authorized.

    source: pandadoc.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Customer-selectable regional hosting: US or EU (Frankfurt, Germany), per PandaDoc's own Data Residency page: "PandaDoc offers a choice of data center locations. Our Customers may choose between regional versions of our SaaS application, within the US or within the EU." Support/customer-service interactions and some third-party integrations can still move data to the US regardless of the chosen region. Accounts cannot be migrated between the US and EU data centers after creation.

    PandaDoc's own AI Addendum (a binding legal document on pandadoc.com) grants PandaDoc a broad license over AI-feature outputs for training: "Customer hereby grants PandaDoc a perpetual, irrevocable, non-exclusive, sublicensable, worldwide, fully paid right and license, to use, host, reproduce, display, perform, and modify AI Output to create AI Improvement Data for PandaDoc's AI Training." The Addendum defines 'AI Improvement Data' as derived only from 'anonymized and aggregated AI Output or Usage Data' (i.e. outputs of AI features such as summaries/suggestions, not raw uploaded documents verbatim). Customers may opt out, but only prospectively: "Customers may, at any time, and on a go-forward basis, elect to opt-out of using PandaDoc AI Services" -- the Addendum does not describe retroactive deletion of already-used AI Improvement Data. This contradicts secondary marketing/press claims circulating that PandaDoc 'does not use customer contract data to train AI models'; the vendor's own legal terms describe a narrower but real anonymized/aggregated training right with forward-only opt-out. Buyers should be pointed to the AI Addendum directly rather than marketing summaries.

    // Security controls

    Encryption at rest

    AES-256: "All data in each location is encrypted at rest with AES-256 and sophisticated encryption keys management."

    pandadoc.com

    Encryption in transit

    "PandaDoc will encrypt Customer Content in-transit and at rest and will only allow encrypted connections to the Service."

    pandadoc.com

    Penetration testing

    "PandaDoc uses external security experts to conduct penetration testing of the Services at least annually and maintains a year-round bug bounty program."

    pandadoc.com

    Vulnerability disclosure / bug bounty

    Public responsible-disclosure program run via HackerOne.

    pandadoc.com

    SSO

    Single sign-on offered for granular document and workspace permissions (per homepage feature summary; plan-tier gating not independently confirmed).

    pandadoc.com

    Cloud hosting / physical security

    Hosted on Amazon AWS; physical data-center security delegated to AWS controls (badging, 24/7 staff, two-factor access).

    pandadoc.com

    Incident notification

    "PandaDoc will notify Customer in writing without undue delay upon PandaDoc becoming aware of confirmed Security Breach."

    pandadoc.com

    Sub-processor transparency

    Published, updated sub-processor list with customer notice requirements.

    pandadoc.com

    // Products & data scope

    Documents / eSignature coreDocument creation and eSignature

    data: Document content, signer PII, audit trail/activity metadata

    Core product across all paid tiers; drag-and-drop editor, signing order, identity verification, notarization add-on.

    CPQ (Configure, Price, Quote)Sales quoting

    data: Product catalog data, pricing rules, quote/proposal content

    Upsell module layered on top of core documents; pulls data from connected CRM/product catalog.

    RoomsDeal collaboration workspace

    data: Shared deal documents, buyer/seller collaboration activity

    Positioned as an enterprise-leaning collaboration surface distinct from single-document signing.

    API / Developer platformEmbeddable document workflow API

    data: All document, template, and workspace data exposed programmatically

    Separate developer terms (Developer Agreement) and security reference documentation apply; used to embed PandaDoc inside customer products.

    PaymentsEmbedded payment collection

    data: Payment method tokens routed to PCI-DSS-certified third-party processors, not stored by PandaDoc directly per available evidence

    PandaDoc integrates with PCI-DSS-compliant processors rather than holding its own PCI certification.

    // What to watch

    • TRUST CENTER GAP: No dedicated trust-center subdomain (e.g. trust.pandadoc.com) was found; compliance evidence is spread across /security/, /security/compliance/, /legal/security-practices/, and /hipaa/ pages instead of a single hub. This makes self-service verification harder for buyers and is noted in listing guidance.
    • ISO 27001 HOST-VS-VENDOR CONFLATION RISK: PandaDoc's own Security Practices page attributes ISO 27001 conformance to its third-party cloud hosting providers (AWS), not to PandaDoc itself. Third-party aggregator sites nonetheless describe PandaDoc as 'ISO 27001 compliant.' AIFOXX must not display ISO 27001 as a PandaDoc-held certification.
    • AI TRAINING OPT-OUT IS FORWARD-ONLY: The AI Addendum's opt-out clause only stops future use ('on a go-forward basis'); it does not describe retroactive deletion of AI Improvement Data already derived from a customer's AI feature usage. Marketing/press summaries claiming PandaDoc 'does not train on customer data' oversimplify the actual AI Addendum terms, which grant PandaDoc a broad license to use anonymized/aggregated AI Output for training absent an opt-out.
    • PCI DSS is the payment processor's certification (per PandaDoc's own wording), not PandaDoc's; graded held=false to avoid over-claiming.
    • SOC 2 report itself is gated behind an NDA request form, not publicly downloadable -- the compliance claim is verifiable via PandaDoc's own text but the underlying report is not independently public.

    // At a glance

    Pricing model

    Tiered SaaS subscription (Starter/Business/Enterprise-style tiers implied by site navigation) plus paid add-ons (API, CPQ, Rooms, notary); exact tier names/pricing not captured in this evidence set.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on PandaDoc Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pandadoc.com

    > Browse all vendor trust reports