// Trust & Security Report
Salesforce, Inc.
Salesforce Marketing Cloud Account Engagement (formerly Pardot) — B2B marketing automation, part of the Salesforce Marketing Cloud / Customer 360 platform
Certifications held
9
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on compliance.salesforce.com“SOC 2 Report - Marketing Cloud Account Engagement (fka Pardot)”
Verify on compliance.salesforce.com“SOC 1 Report - Corporate Services (2026-06-05) listed among the 60 certification/attestation entries for the Marketing Cloud Account Engagement service”
Verify on compliance.salesforce.com“ISO/IEC 27001:2022 Certificate — Marketing Cloud Account Engagement is covered under Salesforce's ISO/IEC 27001:2022 certification”
Verify on compliance.salesforce.com“ISO/IEC 27017:2015 Certificate (2026-04-18) listed for the Marketing Cloud Account Engagement service”
Verify on compliance.salesforce.com“UK Cyber Essentials Certificate (2026-06-22) and UK Cyber Essentials Plus Certificate (2026-06-22) listed for the Marketing Cloud Account Engagement service”
Verify on compliance.salesforce.com“Spain ENS High - Corporate Services (2026-06-09) listed for the Marketing Cloud Account Engagement service”
Verify on compliance.salesforce.com“Salesforce EU Processor Binding Corporate Rules (2026-05-06) and Salesforce UK Processor Binding Corporate Rules (2026-05-06) listed for the service”
Verify on compliance.salesforce.com“Not confirmed for the Account Engagement (Pardot) service specifically in the verified compliance listing; HIPAA support varies by Salesforce cloud/edition and was historically not offered for Pardot. Procurement should request a BAA scope confirmation.”
Verify on compliance.salesforce.com“Not surfaced in the verified Account Engagement service certification list reviewed; Salesforce holds PCI attestations for some clouds but scope for this specific service was not confirmed.”
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Multi-region; Salesforce operates on Hyperforce and AWS with data-residency options across US, EU, UK, Japan, Australia and others depending on the instance/edition.
Salesforce's Einstein Trust Layer enforces a zero-data-retention architecture with third-party LLM providers (OpenAI, Anthropic, etc.), and generative AI features (Agentforce, Einstein Copilot) are contractually excluded from being used to train third-party or global models. HOWEVER, by default the org-level 'Opt Out of Customer Data Access' setting is NOT opted out, meaning Salesforce may use customer data on an aggregate basis to train global predictive AI (Einstein) models and improve services unless the admin opts out. This default behavior is configurable per org. For core Marketing Cloud Account Engagement (Pardot) marketing data the predictive-model sharing is the relevant control. Reviewers should confirm the opt-out state for their tenant.
// Security controls
Bug bounty program
Yes — public HackerOne program (hackerone.com/salesforce) plus invite-only internal 'Hackforce' platform; over $18.9M paid across ~30,600 reported vulnerabilities
hackerone.comResponsible / vulnerability disclosure policy
Yes — published Vulnerability Reporting Policy with safe-harbor clause
salesforce.comPenetration testing
Yes — ongoing internal and third-party testing implied by SOC 2 / ISO 27001 programs and continuous bug bounty triage (sub-5-hour triage SLA)
security.salesforce.comEncryption
Encryption in transit (TLS; Salesforce recommends TLS 1.3) and at rest; optional Salesforce Shield Platform Encryption for additional at-rest controls
security.salesforce.comStatus / availability transparency
Public real-time status page covering Marketing > Account Engagement
status.salesforce.com// Products & data scope
data: Stores prospect/lead PII, marketing engagement data, email activity, and CRM-linked records; processor of customer data under Salesforce DPA and BCRs
The product this slug refers to. Enterprise SaaS, multi-tenant, governed by Salesforce MSA + DPA. SOC 2 report exists specifically for this service (fka Pardot).
data: Separate marketing data plane with its own SOC 2 report; distinct from Account Engagement
Different product within the same Marketing Cloud family; has its own SOC 2 (Marketing Cloud Engagement on Hyperforce + Marketing Cloud Growth) — compliance scope is per-service.
data: Generative AI features governed by the Einstein Trust Layer (zero-retention with third-party LLMs); predictive Einstein models may use aggregate customer data unless org opts out
AI data-use policy differs from base marketing automation; relevant when AI/Agentforce features are enabled on the org.
// What to watch
- Default org setting allows Salesforce to use customer data on an aggregate basis to train global predictive Einstein AI models unless the admin explicitly opts out — surprising default worth highlighting for privacy-sensitive buyers.
- HIPAA and PCI DSS scope for the Account Engagement (Pardot) service specifically was not confirmed in the verified compliance listing; buyers needing those should request scope confirmation and a BAA.
- Vendor home URL in source data points to generic Marketing Cloud and returned an Access Denied edge response; verification relied on Salesforce's own trust/compliance/security domains.
// At a glance
Pricing model
Subscription / per-edition (Growth, Plus, Advanced, Premium tiers) annual contract; enterprise sales-led, no free tier
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Salesforce, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.salesforce.com