// Trust & Security Report

    Pipedream, Inc. (acquired by Workday, deal signed Nov 2025) logo

    Pipedream, Inc. (acquired by Workday, deal signed Nov 2025)

    Low-code integration and workflow automation platform for connecting APIs, AI agents, and databases; includes core Workflows (event-driven code + no-code steps), Pipedream Connect (embedded managed-auth SDK/API for 3,000+ apps), Pipedream MCP servers (tool-use for AI agents), and the sibling String.com AI app builder.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Pipedream has demonstrated SOC 2 compliance and can provide a SOC 2 Type 2 report upon request (please submit a support ticket)... We use Drata to continuously monitor our infrastructure's compliance with standards like SOC 2... Pipedream performs annual pen tests with a third-party security firm.

    Verify on pipedream.com
    SOC 2 Type I (Confidentiality & Availability)
    HELD

    SOC 2 Type II report covering Security controls, and a SOC 2 Type I report for Confidentiality and Availability.

    Verify on pipedream.com
    GDPR (compliance posture / DPA)
    HELD

    Pipedream is considered both a Controller and a Processor as defined by the GDPR... includes a Data Protection Addendum as part of our standard Terms of Service. The Pipedream Data Protection Addendum includes the Standard Contractual Clauses (SCCs).

    Verify on pipedream.com
    HIPAA (BAA available)
    HELD

    Pipedream can sign Business Associate Addendums (BAAs) for Business customers intending to pass PHI to Pipedream... you must have a Business Associate Agreement (BAA) in place with Pipedream before passing PHI to Pipedream. Eligible services: Workflows, Event sources, Data stores, Destinations, and Pipedream Connect; v1 workflows and File stores are explicitly excluded.

    Verify on pipedream.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence that Pipedream itself holds ISO 27001. The only ISO 27001 mention on Pipedream's own docs is: 'KMS has achieved SOC 1, 2, 3, and ISO 9001, 27001, 27017, 27018 compliance. Copies of these certifications are available from Amazon on request.' -- this is AWS KMS (Pipedream's cloud host/subprocessor), not Pipedream, Inc.

    source: pipedream.com
    ISO 27017 / 27018
    NOT CONFIRMED

    Same AWS KMS quote as above -- these ISO certifications belong to Pipedream's AWS host/subprocessor, not to Pipedream itself. No public evidence Pipedream holds these directly.

    source: pipedream.com
    PCI DSS
    NOT CONFIRMED

    No public evidence on Pipedream's own domain. A third-party aggregator (Nudge Security profile) lists Pipedream as 'PCI Compliant' but cites no vendor source or documentation link, so this claim is not corroborated and is treated as unverified.

    source: pipedream.com
    FedRAMP
    NOT CONFIRMED

    No public evidence on Pipedream's own domain. Same unverified third-party aggregator badge as PCI DSS above; not corroborated by any vendor-domain page.

    source: pipedream.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on Pipedream's own domain. Same unverified third-party aggregator badge; not corroborated by any vendor-domain page.

    source: pipedream.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    no public evidence / not mentioned anywhere on Pipedream's own docs, privacy, or homepage pages captured or fetched.

    source: pipedream.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Hosted on AWS in the us-east-1 region by default; Pipedream VPCs offer dedicated, isolated networks with static outbound egress IP addresses unique to a workspace.

    No explicit public statement found on whether Pipedream trains its own AI models on customer data (it primarily integrates third-party AI models, e.g. Anthropic/OpenAI, rather than shipping its own foundation model). Relevant vendor-confirmed control: 'Pipedream does not store or log request payloads or response bodies when you use Connect via API or MCP... we do not persist any of the request payload or response body.' This limits retained data available for any downstream training use, but is not itself an explicit no-training pledge -- record as unknown/null rather than assumed.

    // Security controls

    Encryption in transit

    TLS/HTTPS for web app and HTTP interfaces; certificates issued and renewed via AWS Certificate Manager.

    pipedream.com

    Encryption at rest

    Customer data, OAuth grants, and credentials encrypted at rest using AWS KMS-managed 256-bit AES-GCM keys, rotated annually; database backups also encrypted.

    pipedream.com

    Execution isolation

    Each workflow/source version runs in its own isolated AWS virtual machine ('worker') with dedicated RAM and disk, isolated from other users' code.

    pipedream.com

    Penetration testing

    Annual third-party penetration test; report available to customers on request via support ticket.

    pipedream.com

    Vulnerability disclosure

    Dedicated security@pipedream.com contact and published PGP key for encrypted vulnerability reports.

    pipedream.com

    Incident response

    Documented incident response process; public status page at status.pipedream.com plus @PipedreamStatus for incident notifications; breach notification per the DPA.

    pipedream.com

    Access control

    Least-privilege employee system access, reviewed quarterly and on role change; MFA required for GitHub/AWS access; only authorized employees can deploy to production.

    pipedream.com

    Personnel security

    Background checks on all new hires; annual security training for all staff plus separate secure-development training for engineers; hardened, encrypted, anti-malware-protected workstations.

    pipedream.com

    Network monitoring

    AWS WAF, GuardDuty, CloudTrail, CloudWatch, and Datadog used to monitor and block suspected attacks, including DDoS.

    pipedream.com

    Email authenticity

    SPF and DMARC DNS records implemented to guard against email spoofing.

    pipedream.com

    // Products & data scope

    WorkflowsLow-code/event-driven automation (iPaaS)

    data: Full account data, third-party OAuth grants/API keys, and environment variables; user code executes in an isolated per-version VM.

    Core product; HIPAA-eligible service on the Business plan with a signed BAA.

    Pipedream ConnectEmbedded/managed authentication SDK & API

    data: Manages end-user OAuth tokens/API keys on behalf of the customer's app or agent; per vendor docs, request payloads and response bodies are not stored or logged when used via API or MCP.

    Used to add third-party integrations directly inside a customer's own product or AI agent.

    Pipedream MCPAI agent tool-use / MCP servers

    data: Exposes 3,000+ apps / 10,000+ tools to AI agents through Connect's managed auth; same no-persistence-of-payload behavior as Connect.

    Marketed for adding agent tool-use in minutes; relies on the same security controls as Connect/Workflows.

    String.comAI app builder (sibling product, linked from Pipedream's own site nav)

    Flagged as an area needing separate verification if AIFOXX lists it distinctly from core Pipedream.

    // What to watch

    • Pipedream was acquired by Workday (deal signed Nov 2025, reported to close around Jan 31, 2026); as of this assessment the compliance documentation is still published under the Pipedream brand and was not re-verified for any post-acquisition changes to legal entity or compliance program.
    • ISO 27001 / 27017 / 27018 references on Pipedream's own security docs page belong to AWS KMS (Pipedream's cloud host/subprocessor), not to Pipedream, Inc. itself -- do not list Pipedream as ISO 27001 certified.
    • A third-party aggregator (Nudge Security profile) badges Pipedream as PCI DSS, FedRAMP, ISO 27001, and CSA STAR Level 1 'compliant' with no vendor source citations; these could not be corroborated on Pipedream's own domain and were graded held=false rather than trusted.
    • HIPAA support is scoped to Business-tier customers with a signed BAA and specific eligible services (Workflows, Event sources, Data stores, Destinations, Connect); v1 workflows and File stores are explicitly excluded from PHI use. The homepage's plain 'HIPAA Compliant' badge does not surface this scoping.
    • Could not directly load the vendor's live Drata-hosted Security Report (linked from the docs page) to independently confirm report currency; relied on the docs page's own description of it.

    // At a glance

    Pricing model

    Freemium, credit-based usage tiers: Free, Basic (~$29/mo), Advanced (~$49/mo), and a custom-priced Business/Enterprise tier that gates compliance features (HIPAA BAA, SOC 2 Type II report access, dedicated support, higher SLA). Tier pricing sourced from third-party pricing trackers, not independently verified against the vendor's own pricing page (which did not render for automated fetch).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Pipedream, Inc. (acquired by Workday, deal signed Nov 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pipedream.com

    > Browse all vendor trust reports