// Trust & Security Report

    Salesforce, Inc. logo

    Salesforce, Inc.

    Salesforce Marketing Cloud Account Engagement (formerly Pardot) — B2B marketing automation, part of the Salesforce Marketing Cloud / Customer 360 platform

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    SOC 2 Report - Marketing Cloud Account Engagement (fka Pardot)

    Verify on compliance.salesforce.com
    SOC 1
    HELD

    SOC 1 Report - Corporate Services (2026-06-05) listed among the 60 certification/attestation entries for the Marketing Cloud Account Engagement service

    Verify on compliance.salesforce.com
    ISO/IEC 27001:2022
    HELD

    ISO/IEC 27001:2022 Certificate — Marketing Cloud Account Engagement is covered under Salesforce's ISO/IEC 27001:2022 certification

    Verify on compliance.salesforce.com
    ISO/IEC 27017:2015
    HELD

    ISO/IEC 27017:2015 Certificate (2026-04-18) listed for the Marketing Cloud Account Engagement service

    Verify on compliance.salesforce.com
    UK Cyber Essentials / Cyber Essentials Plus
    HELD

    UK Cyber Essentials Certificate (2026-06-22) and UK Cyber Essentials Plus Certificate (2026-06-22) listed for the Marketing Cloud Account Engagement service

    Verify on compliance.salesforce.com
    Spain ENS High
    HELD

    Spain ENS High - Corporate Services (2026-06-09) listed for the Marketing Cloud Account Engagement service

    Verify on compliance.salesforce.com
    EU/UK Binding Corporate Rules (Processor)
    HELD

    Salesforce EU Processor Binding Corporate Rules (2026-05-06) and Salesforce UK Processor Binding Corporate Rules (2026-05-06) listed for the service

    Verify on compliance.salesforce.com
    HIPAA
    HELD

    Not confirmed for the Account Engagement (Pardot) service specifically in the verified compliance listing; HIPAA support varies by Salesforce cloud/edition and was historically not offered for Pardot. Procurement should request a BAA scope confirmation.

    Verify on compliance.salesforce.com
    PCI DSS
    HELD

    Not surfaced in the verified Account Engagement service certification list reviewed; Salesforce holds PCI attestations for some clouds but scope for this specific service was not confirmed.

    Verify on compliance.salesforce.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Multi-region; Salesforce operates on Hyperforce and AWS with data-residency options across US, EU, UK, Japan, Australia and others depending on the instance/edition.

    Salesforce's Einstein Trust Layer enforces a zero-data-retention architecture with third-party LLM providers (OpenAI, Anthropic, etc.), and generative AI features (Agentforce, Einstein Copilot) are contractually excluded from being used to train third-party or global models. HOWEVER, by default the org-level 'Opt Out of Customer Data Access' setting is NOT opted out, meaning Salesforce may use customer data on an aggregate basis to train global predictive AI (Einstein) models and improve services unless the admin opts out. This default behavior is configurable per org. For core Marketing Cloud Account Engagement (Pardot) marketing data the predictive-model sharing is the relevant control. Reviewers should confirm the opt-out state for their tenant.

    // Security controls

    Bug bounty program

    Yes — public HackerOne program (hackerone.com/salesforce) plus invite-only internal 'Hackforce' platform; over $18.9M paid across ~30,600 reported vulnerabilities

    hackerone.com

    Responsible / vulnerability disclosure policy

    Yes — published Vulnerability Reporting Policy with safe-harbor clause

    salesforce.com

    Penetration testing

    Yes — ongoing internal and third-party testing implied by SOC 2 / ISO 27001 programs and continuous bug bounty triage (sub-5-hour triage SLA)

    security.salesforce.com

    Encryption

    Encryption in transit (TLS; Salesforce recommends TLS 1.3) and at rest; optional Salesforce Shield Platform Encryption for additional at-rest controls

    security.salesforce.com

    Status / availability transparency

    Public real-time status page covering Marketing > Account Engagement

    status.salesforce.com

    MFA

    MFA required for Salesforce product access

    security.salesforce.com

    // Products & data scope

    Marketing Cloud Account Engagement (Pardot)B2B marketing automation

    data: Stores prospect/lead PII, marketing engagement data, email activity, and CRM-linked records; processor of customer data under Salesforce DPA and BCRs

    The product this slug refers to. Enterprise SaaS, multi-tenant, governed by Salesforce MSA + DPA. SOC 2 report exists specifically for this service (fka Pardot).

    Marketing Cloud Engagement (on Hyperforce) / Marketing Cloud GrowthB2C / cross-channel marketing

    data: Separate marketing data plane with its own SOC 2 report; distinct from Account Engagement

    Different product within the same Marketing Cloud family; has its own SOC 2 (Marketing Cloud Engagement on Hyperforce + Marketing Cloud Growth) — compliance scope is per-service.

    Einstein / Agentforce AI layerAI features

    data: Generative AI features governed by the Einstein Trust Layer (zero-retention with third-party LLMs); predictive Einstein models may use aggregate customer data unless org opts out

    AI data-use policy differs from base marketing automation; relevant when AI/Agentforce features are enabled on the org.

    // What to watch

    • Default org setting allows Salesforce to use customer data on an aggregate basis to train global predictive Einstein AI models unless the admin explicitly opts out — surprising default worth highlighting for privacy-sensitive buyers.
    • HIPAA and PCI DSS scope for the Account Engagement (Pardot) service specifically was not confirmed in the verified compliance listing; buyers needing those should request scope confirmation and a BAA.
    • Vendor home URL in source data points to generic Marketing Cloud and returned an Access Denied edge response; verification relied on Salesforce's own trust/compliance/security domains.

    // At a glance

    Pricing model

    Subscription / per-edition (Growth, Plus, Advanced, Premium tiers) annual contract; enterprise sales-led, no free tier

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Salesforce, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.salesforce.com

    > Browse all vendor trust reports