// Trust & Security Report
Pipedream, Inc. (acquired by Workday, deal signed Nov 2025)
Low-code integration and workflow automation platform for connecting APIs, AI agents, and databases; includes core Workflows (event-driven code + no-code steps), Pipedream Connect (embedded managed-auth SDK/API for 3,000+ apps), Pipedream MCP servers (tool-use for AI agents), and the sibling String.com AI app builder.
Certifications held
4
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on pipedream.com“Pipedream has demonstrated SOC 2 compliance and can provide a SOC 2 Type 2 report upon request (please submit a support ticket)... We use Drata to continuously monitor our infrastructure's compliance with standards like SOC 2... Pipedream performs annual pen tests with a third-party security firm.”
Verify on pipedream.com“SOC 2 Type II report covering Security controls, and a SOC 2 Type I report for Confidentiality and Availability.”
Verify on pipedream.com“Pipedream is considered both a Controller and a Processor as defined by the GDPR... includes a Data Protection Addendum as part of our standard Terms of Service. The Pipedream Data Protection Addendum includes the Standard Contractual Clauses (SCCs).”
Verify on pipedream.com“Pipedream can sign Business Associate Addendums (BAAs) for Business customers intending to pass PHI to Pipedream... you must have a Business Associate Agreement (BAA) in place with Pipedream before passing PHI to Pipedream. Eligible services: Workflows, Event sources, Data stores, Destinations, and Pipedream Connect; v1 workflows and File stores are explicitly excluded.”
> Show 6 unconfirmed / not-held certifications
source: pipedream.comNo public evidence that Pipedream itself holds ISO 27001. The only ISO 27001 mention on Pipedream's own docs is: 'KMS has achieved SOC 1, 2, 3, and ISO 9001, 27001, 27017, 27018 compliance. Copies of these certifications are available from Amazon on request.' -- this is AWS KMS (Pipedream's cloud host/subprocessor), not Pipedream, Inc.
source: pipedream.comSame AWS KMS quote as above -- these ISO certifications belong to Pipedream's AWS host/subprocessor, not to Pipedream itself. No public evidence Pipedream holds these directly.
source: pipedream.comNo public evidence on Pipedream's own domain. A third-party aggregator (Nudge Security profile) lists Pipedream as 'PCI Compliant' but cites no vendor source or documentation link, so this claim is not corroborated and is treated as unverified.
source: pipedream.comNo public evidence on Pipedream's own domain. Same unverified third-party aggregator badge as PCI DSS above; not corroborated by any vendor-domain page.
source: pipedream.comNo public evidence on Pipedream's own domain. Same unverified third-party aggregator badge; not corroborated by any vendor-domain page.
source: pipedream.comno public evidence / not mentioned anywhere on Pipedream's own docs, privacy, or homepage pages captured or fetched.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Hosted on AWS in the us-east-1 region by default; Pipedream VPCs offer dedicated, isolated networks with static outbound egress IP addresses unique to a workspace.
No explicit public statement found on whether Pipedream trains its own AI models on customer data (it primarily integrates third-party AI models, e.g. Anthropic/OpenAI, rather than shipping its own foundation model). Relevant vendor-confirmed control: 'Pipedream does not store or log request payloads or response bodies when you use Connect via API or MCP... we do not persist any of the request payload or response body.' This limits retained data available for any downstream training use, but is not itself an explicit no-training pledge -- record as unknown/null rather than assumed.
// Security controls
Encryption in transit
TLS/HTTPS for web app and HTTP interfaces; certificates issued and renewed via AWS Certificate Manager.
pipedream.comEncryption at rest
Customer data, OAuth grants, and credentials encrypted at rest using AWS KMS-managed 256-bit AES-GCM keys, rotated annually; database backups also encrypted.
pipedream.comExecution isolation
Each workflow/source version runs in its own isolated AWS virtual machine ('worker') with dedicated RAM and disk, isolated from other users' code.
pipedream.comPenetration testing
Annual third-party penetration test; report available to customers on request via support ticket.
pipedream.comVulnerability disclosure
Dedicated security@pipedream.com contact and published PGP key for encrypted vulnerability reports.
pipedream.comIncident response
Documented incident response process; public status page at status.pipedream.com plus @PipedreamStatus for incident notifications; breach notification per the DPA.
pipedream.comAccess control
Least-privilege employee system access, reviewed quarterly and on role change; MFA required for GitHub/AWS access; only authorized employees can deploy to production.
pipedream.comPersonnel security
Background checks on all new hires; annual security training for all staff plus separate secure-development training for engineers; hardened, encrypted, anti-malware-protected workstations.
pipedream.comNetwork monitoring
AWS WAF, GuardDuty, CloudTrail, CloudWatch, and Datadog used to monitor and block suspected attacks, including DDoS.
pipedream.comEmail authenticity
SPF and DMARC DNS records implemented to guard against email spoofing.
pipedream.com// Products & data scope
data: Full account data, third-party OAuth grants/API keys, and environment variables; user code executes in an isolated per-version VM.
Core product; HIPAA-eligible service on the Business plan with a signed BAA.
data: Manages end-user OAuth tokens/API keys on behalf of the customer's app or agent; per vendor docs, request payloads and response bodies are not stored or logged when used via API or MCP.
Used to add third-party integrations directly inside a customer's own product or AI agent.
data: Exposes 3,000+ apps / 10,000+ tools to AI agents through Connect's managed auth; same no-persistence-of-payload behavior as Connect.
Marketed for adding agent tool-use in minutes; relies on the same security controls as Connect/Workflows.
Flagged as an area needing separate verification if AIFOXX lists it distinctly from core Pipedream.
// What to watch
- Pipedream was acquired by Workday (deal signed Nov 2025, reported to close around Jan 31, 2026); as of this assessment the compliance documentation is still published under the Pipedream brand and was not re-verified for any post-acquisition changes to legal entity or compliance program.
- ISO 27001 / 27017 / 27018 references on Pipedream's own security docs page belong to AWS KMS (Pipedream's cloud host/subprocessor), not to Pipedream, Inc. itself -- do not list Pipedream as ISO 27001 certified.
- A third-party aggregator (Nudge Security profile) badges Pipedream as PCI DSS, FedRAMP, ISO 27001, and CSA STAR Level 1 'compliant' with no vendor source citations; these could not be corroborated on Pipedream's own domain and were graded held=false rather than trusted.
- HIPAA support is scoped to Business-tier customers with a signed BAA and specific eligible services (Workflows, Event sources, Data stores, Destinations, Connect); v1 workflows and File stores are explicitly excluded from PHI use. The homepage's plain 'HIPAA Compliant' badge does not surface this scoping.
- Could not directly load the vendor's live Drata-hosted Security Report (linked from the docs page) to independently confirm report currency; relied on the docs page's own description of it.
// At a glance
Pricing model
Freemium, credit-based usage tiers: Free, Basic (~$29/mo), Advanced (~$49/mo), and a custom-priced Business/Enterprise tier that gates compliance features (HIPAA BAA, SOC 2 Type II report access, dedicated support, higher SLA). Tier pricing sourced from third-party pricing trackers, not independently verified against the vendor's own pricing page (which did not render for automated fetch).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Pipedream, Inc. (acquired by Workday, deal signed Nov 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pipedream.com