// Trust & Security Report

    Pipedrive logo

    Pipedrive

    Sales CRM and pipeline management (web app, mobile apps, REST API, Marketplace integrations, and the Pipedrive AI / Pipedrive Nova agentic AI suite)

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001:2022
    HELD

    Successfully transitioned to the new ISO/IEC 27001:2022 standard

    Verify on pipedrive.com
    ISO/IEC 27701:2019 (Privacy Information Management)
    HELD

    Successfully renewed certification under ISO/IEC 27701:2019

    Verify on pipedrive.com
    SOC 2 Type II
    HELD

    Trust Center lists 'SOC 2 Type 2' as an available compliance report; newsroom confirms 'Pipedrive has successfully renewed its SOC 2 Type II and SOC 3 Type II audits'

    Verify on trustcenter.pipedrive.com
    SOC 3
    HELD

    Trust Center lists 'SOC 3' as a downloadable report; 'Pipedrive's ISO certifications and SOC 3 audit report are available in the company's Trust Center'

    Verify on trustcenter.pipedrive.com
    EU-US Data Privacy Framework (incl. UK Extension)
    HELD

    Trust Center lists 'EU-US Data Privacy Framework (DPF)' and 'UK Extension to EU-US DPF'

    Verify on trustcenter.pipedrive.com
    GDPR compliance posture
    HELD

    Trust Center lists 'GDPR'; homepage states 'DSGVO-konform und sicher' (GDPR-compliant and secure)

    Verify on trustcenter.pipedrive.com
    HIPAA
    HELD

    No HIPAA certification or BAA offering found on Pipedrive's trust center or security documentation. HIPAA is not listed.

    Verify on trustcenter.pipedrive.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Hosted on AWS across EU (Frankfurt), EU (Dublin), UK (London), US East, US West, CA (Montreal), and ASPAC (Sydney). New sign-ups are routed by origin: EU clients to EU; non-EU European/IN/EMEA to UK; APAC (except IN) to ASPAC; Canada to CA; rest of world to US.

    Pipedrive states it does not use Client Data to train or improve AI models without permission, and does not permit third-party AI providers to use Client Data to train their models. Privacy Notice (updated Jan 5, 2026): 'We use artificial intelligence and machine learning (together - the AI) to improve Pipedrive Operations, enhance security, and automate certain processes... We may also use third-party AI services to support these activities.' Pipedrive AI / Pipedrive Nova is powered by third-party model providers disclosed in the sub-processor list: AWS (Bedrock), Anthropic PBC, OpenAI Ireland Limited, and Recall.ai for meeting intelligence. EXCEPTION to note: the Terms of Service allow Pipedrive to use Client Data, including Input, to train or refine AI capabilities WHEN a customer opts into AI-involving Beta Services, solely to provide those Beta Services. So default GA behavior = no training on customer data; Beta opt-in = limited training scope.

    // Security controls

    Penetration testing

    Independent application penetration testing performed; '2026 Penetration Testing Report is now available for download' and 'Application Penetration Testing' listed as a downloadable trust-center document.

    trustcenter.pipedrive.com

    Vulnerability disclosure / bug bounty

    Operates a Responsible Disclosure / Pipedrive Vulnerability Disclosure Program (PVDP) with reports accepted at security@pipedrive.com. No evidence of a public, paid bug-bounty program on HackerOne or Bugcrowd; reported HackerOne access appears invite-only at most. Treat as a VDP, not a public bounty.

    trustcenter.pipedrive.com

    Encryption

    Trust center documents Data Security, Secret Management, Data Backups, and Disk Encryption (endpoint). Encryption in transit and at rest is part of the documented security program.

    trustcenter.pipedrive.com

    Operational resilience

    Trust center lists DORA (Digital Operational Resilience Act) and EU Data Act readiness alongside data backups and infrastructure on AWS + Cloudflare.

    trustcenter.pipedrive.com

    Access controls

    Granular user permissions and visibility settings, SSO and Google sign-in supported for account access.

    pipedrive.com

    // Products & data scope

    Pipedrive CRM (web + mobile apps)Sales CRM / pipeline management

    data: Stores Client Data (contacts, deals, activities, emails, custom fields) for sales teams. Hosted on AWS in the client's assigned region. Covered by ISO 27001/27701, SOC 2/3, GDPR, DPA.

    Core product. Tiered plans from startup to enterprise; large teams get dedicated account managers and advanced security controls.

    Pipedrive API + Marketplace integrationsDeveloper API / iPaaS

    data: Exposes Client Data via REST API. Marketplace apps may route data through embedded iPaaS sub-processor Paragon (Forge Technology). Data scope depends on which apps/integrations the client enables.

    500+ integrations. Per-integration data sharing is client-controlled.

    Pipedrive AI / Pipedrive Nova (agentic AI CRM)GenAI sales assistant / meeting intelligence

    data: Processes Client Data through AI sub-processors: AWS, Anthropic PBC, OpenAI Ireland Ltd. Nova meeting capture and Recall.ai process audio/video/metadata from meetings, including personal data discussed. AI features are opt-in / feature-gated.

    Default stance: no training of models on Client Data without permission. Beta AI features carry a Terms exception allowing limited training to provide the beta. Customers handling sensitive meeting content should review the Nova/Recall.ai data flow.

    LeadBooster, Campaigns, Web Visitors, Smart Email BCC (feature add-ons)Marketing / lead-gen add-ons

    data: Each enables additional sub-processors: Bird (Live Chat), Tet SIA (Campaigns hosting), Dealfront (Web Visitors), Surfe/Growster (data enrichment, acts as independent controller), Twilio SendGrid (Smart Email BCC).

    Distinct compliance scope per feature. Surfe acting as an independent data controller for enrichment is worth flagging for procurement review.

    // What to watch

    • Bug-bounty is a Vulnerability Disclosure Program (security@pipedrive.com), not a public paid bounty on HackerOne/Bugcrowd. Do not display as 'bug bounty' without qualification.
    • AI training: default is no-training, but Terms of Service carve out an exception allowing training on Client Data for opt-in AI Beta Services. Nuance worth surfacing for AI-sensitive buyers.
    • Pipedrive Nova meeting intelligence routes meeting audio/video through Recall.ai and AI providers (AWS/Anthropic/OpenAI); relevant for orgs with strict meeting-recording policies.
    • Surfe (Growster SAS) acts as an independent data controller for the data-enrichment feature, not merely a processor.
    • No HIPAA / BAA offering found; not suitable as a system of record for PHI without further vendor confirmation.
    • Live trust/security/compliance subdomains require login; certification verification relied on the public Trust Center summary, Pipedrive newsroom posts, and the public sub-processor page.

    // At a glance

    Pricing model

    Subscription SaaS, per-seat tiered plans (Essential/Advanced/Professional/Power/Enterprise) plus paid add-ons; 14-day free trial, no card required

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Pipedrive's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trustcenter.pipedrive.com

    > Browse all vendor trust reports