// Trust & Security Report
Pipedrive
Sales CRM and pipeline management (web app, mobile apps, REST API, Marketplace integrations, and the Pipedrive AI / Pipedrive Nova agentic AI suite)
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on pipedrive.com“Successfully transitioned to the new ISO/IEC 27001:2022 standard”
Verify on pipedrive.com“Successfully renewed certification under ISO/IEC 27701:2019”
Verify on trustcenter.pipedrive.com“Trust Center lists 'SOC 2 Type 2' as an available compliance report; newsroom confirms 'Pipedrive has successfully renewed its SOC 2 Type II and SOC 3 Type II audits'”
Verify on trustcenter.pipedrive.com“Trust Center lists 'SOC 3' as a downloadable report; 'Pipedrive's ISO certifications and SOC 3 audit report are available in the company's Trust Center'”
Verify on trustcenter.pipedrive.com“Trust Center lists 'EU-US Data Privacy Framework (DPF)' and 'UK Extension to EU-US DPF'”
Verify on trustcenter.pipedrive.com“Trust Center lists 'GDPR'; homepage states 'DSGVO-konform und sicher' (GDPR-compliant and secure)”
Verify on trustcenter.pipedrive.com“No HIPAA certification or BAA offering found on Pipedrive's trust center or security documentation. HIPAA is not listed.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Hosted on AWS across EU (Frankfurt), EU (Dublin), UK (London), US East, US West, CA (Montreal), and ASPAC (Sydney). New sign-ups are routed by origin: EU clients to EU; non-EU European/IN/EMEA to UK; APAC (except IN) to ASPAC; Canada to CA; rest of world to US.
Pipedrive states it does not use Client Data to train or improve AI models without permission, and does not permit third-party AI providers to use Client Data to train their models. Privacy Notice (updated Jan 5, 2026): 'We use artificial intelligence and machine learning (together - the AI) to improve Pipedrive Operations, enhance security, and automate certain processes... We may also use third-party AI services to support these activities.' Pipedrive AI / Pipedrive Nova is powered by third-party model providers disclosed in the sub-processor list: AWS (Bedrock), Anthropic PBC, OpenAI Ireland Limited, and Recall.ai for meeting intelligence. EXCEPTION to note: the Terms of Service allow Pipedrive to use Client Data, including Input, to train or refine AI capabilities WHEN a customer opts into AI-involving Beta Services, solely to provide those Beta Services. So default GA behavior = no training on customer data; Beta opt-in = limited training scope.
// Security controls
Penetration testing
Independent application penetration testing performed; '2026 Penetration Testing Report is now available for download' and 'Application Penetration Testing' listed as a downloadable trust-center document.
trustcenter.pipedrive.comVulnerability disclosure / bug bounty
Operates a Responsible Disclosure / Pipedrive Vulnerability Disclosure Program (PVDP) with reports accepted at security@pipedrive.com. No evidence of a public, paid bug-bounty program on HackerOne or Bugcrowd; reported HackerOne access appears invite-only at most. Treat as a VDP, not a public bounty.
trustcenter.pipedrive.comEncryption
Trust center documents Data Security, Secret Management, Data Backups, and Disk Encryption (endpoint). Encryption in transit and at rest is part of the documented security program.
trustcenter.pipedrive.comOperational resilience
Trust center lists DORA (Digital Operational Resilience Act) and EU Data Act readiness alongside data backups and infrastructure on AWS + Cloudflare.
trustcenter.pipedrive.comAccess controls
Granular user permissions and visibility settings, SSO and Google sign-in supported for account access.
pipedrive.com// Products & data scope
data: Stores Client Data (contacts, deals, activities, emails, custom fields) for sales teams. Hosted on AWS in the client's assigned region. Covered by ISO 27001/27701, SOC 2/3, GDPR, DPA.
Core product. Tiered plans from startup to enterprise; large teams get dedicated account managers and advanced security controls.
data: Exposes Client Data via REST API. Marketplace apps may route data through embedded iPaaS sub-processor Paragon (Forge Technology). Data scope depends on which apps/integrations the client enables.
500+ integrations. Per-integration data sharing is client-controlled.
data: Processes Client Data through AI sub-processors: AWS, Anthropic PBC, OpenAI Ireland Ltd. Nova meeting capture and Recall.ai process audio/video/metadata from meetings, including personal data discussed. AI features are opt-in / feature-gated.
Default stance: no training of models on Client Data without permission. Beta AI features carry a Terms exception allowing limited training to provide the beta. Customers handling sensitive meeting content should review the Nova/Recall.ai data flow.
data: Each enables additional sub-processors: Bird (Live Chat), Tet SIA (Campaigns hosting), Dealfront (Web Visitors), Surfe/Growster (data enrichment, acts as independent controller), Twilio SendGrid (Smart Email BCC).
Distinct compliance scope per feature. Surfe acting as an independent data controller for enrichment is worth flagging for procurement review.
// What to watch
- Bug-bounty is a Vulnerability Disclosure Program (security@pipedrive.com), not a public paid bounty on HackerOne/Bugcrowd. Do not display as 'bug bounty' without qualification.
- AI training: default is no-training, but Terms of Service carve out an exception allowing training on Client Data for opt-in AI Beta Services. Nuance worth surfacing for AI-sensitive buyers.
- Pipedrive Nova meeting intelligence routes meeting audio/video through Recall.ai and AI providers (AWS/Anthropic/OpenAI); relevant for orgs with strict meeting-recording policies.
- Surfe (Growster SAS) acts as an independent data controller for the data-enrichment feature, not merely a processor.
- No HIPAA / BAA offering found; not suitable as a system of record for PHI without further vendor confirmation.
- Live trust/security/compliance subdomains require login; certification verification relied on the public Trust Center summary, Pipedrive newsroom posts, and the public sub-processor page.
// At a glance
Pricing model
Subscription SaaS, per-seat tiered plans (Essential/Advanced/Professional/Power/Enterprise) plus paid add-ons; 14-day free trial, no card required
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Pipedrive's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trustcenter.pipedrive.com