// Trust & Security Report
PandaDoc Inc.
Document workflow platform covering proposal/quote creation, eSignature, contract management, CPQ (configure-price-quote), Rooms (deal collaboration), payments, and forms/notary; API and CRM integrations (Salesforce, HubSpot, Pipedrive, etc.) sold as add-ons/tiers on top of the core document platform
Certifications held
5
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on pandadoc.com“"PandaDoc is SOC 2 Type II compliant. We can provide our latest SSAE 18 SOC 2 Type II report."”
Verify on pandadoc.com“"PandaDoc is a HIPAA-compliant eSignature tool that offers the features and safeguards to protect electronic patient health information (PHI)." A Business Associate Agreement (BAA) must be separately requested and signed: "In order to transmit electronic Protected Health Information (ePHI) using PandaDoc and maintain it with HIPAA compliance, customers should sign a Business Associate Agreement (BAA)."”
Verify on pandadoc.com“"PandaDoc complies with GDPR by processing personal data lawfully, transparently, and only for specific legitimate purposes." Standard DPA available and referenced from the Privacy Notice; PandaDoc acts as Processor with customer as Controller, per the Data Processing Agreement.”
Verify on pandadoc.com“PandaDoc's SOC2/HIPAA/GDPR summary page groups eIDAS alongside its other compliance frameworks and links a dedicated eIDAS explainer; eSignatures are positioned as legally binding under eIDAS in the EU. Footer compliance badges on pandadoc.com list eIDAS alongside HIPAA, SOC 2, and GDPR.”
Verify on pandadoc.com“PandaDoc provides a "Do Not Sell My Personal Information" mechanism via OneTrust privacy portal linked in the site footer, and its blog/compliance material lists CCPA among supported frameworks alongside SOC 2, HIPAA, and GDPR.”
> Show 5 unconfirmed / not-held certifications
source: pandadoc.comPandaDoc's own Security Practices page attributes this cert to its infrastructure providers, not itself: "Any third-party cloud service provider that PandaDoc utilizes to host and Process Customer Content will have at a minimum, industry standard physical security precautions in place and conform to ISO 27001 or equivalent certification standards." No PandaDoc-domain page claims PandaDoc itself holds an ISO 27001 certificate; only AWS (the host) is described as conforming to it. Third-party aggregator sites claim "PandaDoc is ISO 27001 compliant" but this is not corroborated by any pandadoc.com page and appears to conflate the host's certification with the vendor's.
source: pandadoc.comPandaDoc does not claim its own PCI DSS certification; it integrates with certified third-party processors: "PandaDoc integrates with PCI-DSS compliant payment processors to offer payment processing via credit cards." This is the payment processor's certification, not PandaDoc's own.
source: pandadoc.comNo public evidence found on any pandadoc.com page of an ISO/IEC 42001 AI-governance certification.
source: pandadoc.comNo public evidence found on any pandadoc.com page of CSA STAR registration or certification.
source: pandadoc.comFedRAMP is referenced only as an AWS infrastructure-level authorization in PandaDoc's compliance page discussion of its cloud host, not as a PandaDoc-held authorization: no public evidence PandaDoc itself is FedRAMP authorized.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Customer-selectable regional hosting: US or EU (Frankfurt, Germany), per PandaDoc's own Data Residency page: "PandaDoc offers a choice of data center locations. Our Customers may choose between regional versions of our SaaS application, within the US or within the EU." Support/customer-service interactions and some third-party integrations can still move data to the US regardless of the chosen region. Accounts cannot be migrated between the US and EU data centers after creation.
PandaDoc's own AI Addendum (a binding legal document on pandadoc.com) grants PandaDoc a broad license over AI-feature outputs for training: "Customer hereby grants PandaDoc a perpetual, irrevocable, non-exclusive, sublicensable, worldwide, fully paid right and license, to use, host, reproduce, display, perform, and modify AI Output to create AI Improvement Data for PandaDoc's AI Training." The Addendum defines 'AI Improvement Data' as derived only from 'anonymized and aggregated AI Output or Usage Data' (i.e. outputs of AI features such as summaries/suggestions, not raw uploaded documents verbatim). Customers may opt out, but only prospectively: "Customers may, at any time, and on a go-forward basis, elect to opt-out of using PandaDoc AI Services" -- the Addendum does not describe retroactive deletion of already-used AI Improvement Data. This contradicts secondary marketing/press claims circulating that PandaDoc 'does not use customer contract data to train AI models'; the vendor's own legal terms describe a narrower but real anonymized/aggregated training right with forward-only opt-out. Buyers should be pointed to the AI Addendum directly rather than marketing summaries.
// Security controls
Encryption at rest
AES-256: "All data in each location is encrypted at rest with AES-256 and sophisticated encryption keys management."
pandadoc.comEncryption in transit
"PandaDoc will encrypt Customer Content in-transit and at rest and will only allow encrypted connections to the Service."
pandadoc.comPenetration testing
"PandaDoc uses external security experts to conduct penetration testing of the Services at least annually and maintains a year-round bug bounty program."
pandadoc.comVulnerability disclosure / bug bounty
Public responsible-disclosure program run via HackerOne.
pandadoc.comSSO
Single sign-on offered for granular document and workspace permissions (per homepage feature summary; plan-tier gating not independently confirmed).
pandadoc.comCloud hosting / physical security
Hosted on Amazon AWS; physical data-center security delegated to AWS controls (badging, 24/7 staff, two-factor access).
pandadoc.comIncident notification
"PandaDoc will notify Customer in writing without undue delay upon PandaDoc becoming aware of confirmed Security Breach."
pandadoc.comSub-processor transparency
Published, updated sub-processor list with customer notice requirements.
pandadoc.com// Products & data scope
data: Document content, signer PII, audit trail/activity metadata
Core product across all paid tiers; drag-and-drop editor, signing order, identity verification, notarization add-on.
data: Product catalog data, pricing rules, quote/proposal content
Upsell module layered on top of core documents; pulls data from connected CRM/product catalog.
data: Shared deal documents, buyer/seller collaboration activity
Positioned as an enterprise-leaning collaboration surface distinct from single-document signing.
data: All document, template, and workspace data exposed programmatically
Separate developer terms (Developer Agreement) and security reference documentation apply; used to embed PandaDoc inside customer products.
data: Payment method tokens routed to PCI-DSS-certified third-party processors, not stored by PandaDoc directly per available evidence
PandaDoc integrates with PCI-DSS-compliant processors rather than holding its own PCI certification.
// What to watch
- TRUST CENTER GAP: No dedicated trust-center subdomain (e.g. trust.pandadoc.com) was found; compliance evidence is spread across /security/, /security/compliance/, /legal/security-practices/, and /hipaa/ pages instead of a single hub. This makes self-service verification harder for buyers and is noted in listing guidance.
- ISO 27001 HOST-VS-VENDOR CONFLATION RISK: PandaDoc's own Security Practices page attributes ISO 27001 conformance to its third-party cloud hosting providers (AWS), not to PandaDoc itself. Third-party aggregator sites nonetheless describe PandaDoc as 'ISO 27001 compliant.' AIFOXX must not display ISO 27001 as a PandaDoc-held certification.
- AI TRAINING OPT-OUT IS FORWARD-ONLY: The AI Addendum's opt-out clause only stops future use ('on a go-forward basis'); it does not describe retroactive deletion of AI Improvement Data already derived from a customer's AI feature usage. Marketing/press summaries claiming PandaDoc 'does not train on customer data' oversimplify the actual AI Addendum terms, which grant PandaDoc a broad license to use anonymized/aggregated AI Output for training absent an opt-out.
- PCI DSS is the payment processor's certification (per PandaDoc's own wording), not PandaDoc's; graded held=false to avoid over-claiming.
- SOC 2 report itself is gated behind an NDA request form, not publicly downloadable -- the compliance claim is verifiable via PandaDoc's own text but the underlying report is not independently public.
// At a glance
Pricing model
Tiered SaaS subscription (Starter/Business/Enterprise-style tiers implied by site navigation) plus paid add-ons (API, CPQ, Rooms, notary); exact tier names/pricing not captured in this evidence set.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on PandaDoc Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pandadoc.com