// Trust & Security Report

    Qualified.com, Inc. logo

    Qualified.com, Inc.

    Agentic marketing / conversational ABM platform built around Piper, an AI SDR agent; sub-products (Qualified AI Chatbots, AI Conversations, AI Meetings, AI Offers, AI Signals) are feature modules of the same core platform, not separately compliance-scoped products.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Compliance Reports: 'Qualified SOC 2 Type 2 Report 2025'; Compliance section lists 'SOC 2 Type II'. Newsroom: 'Today, Qualified announced it achieved SOC2 Type II Certification.'

    Verify on trust.qualified.com
    GDPR (compliance posture)
    HELD

    "Qualified is fully committed to compliance with the GDPR." Trust center also lists GDPR under Compliance, and the privacy policy states use of European Commission-approved Standard Contractual Clauses for EU/UK/Swiss transfers.

    Verify on qualified.com
    CCPA
    HELD

    Trust center Compliance section shows 'CCPA' tagged 'COMPLIANT'; privacy policy states Qualified acts as a Service Provider under the CCPA.

    Verify on trust.qualified.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    "AWS's data center operations have been accredited under: ISO 27001" - this is the cloud host's (AWS) accreditation, not Qualified's own. No page attributes an ISO 27001 certificate to Qualified itself.

    source: qualified.com
    PCI DSS
    NOT CONFIRMED

    PCI Level 1 is listed only as an AWS data-center accreditation. Qualified's own materials state: "Qualified does not store credit card information, Social Security Numbers, or any other highly sensitive PII," indicating PCI DSS is out of scope for Qualified directly.

    source: qualified.com
    HIPAA
    NOT CONFIRMED

    No public evidence. HIPAA is not mentioned on trust.qualified.com or qualified.com/trust. Note: the trust center's 'Data collected' list does include 'Personal health information' as a tracked category, but no HIPAA certification or BAA program is claimed anywhere.

    source: trust.qualified.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification; not referenced on the trust center or trust page.

    source: trust.qualified.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of a CSA STAR registry entry or attestation referenced on vendor materials.

    source: trust.qualified.com
    FedRAMP
    NOT CONFIRMED

    "FISMA Moderate" appears only as an AWS data-center accreditation, not a Qualified authorization. No FedRAMP marketplace listing or ATO found for Qualified.

    source: qualified.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US-East (AWS, Northern Virginia); trust page states "Qualified does not have any data storage options in the EU at this time." International transfers use EU Commission-approved Standard Contractual Clauses (SCCs).

    Privacy policy states: "Your information is not used to develop, improve, or train generalized AI and/or ML models and will not be stored by our AI service providers." Consistent with this, the subprocessors list shows several generative-AI providers (Azure OpenAI Service, OpenAI, Amazon Bedrock/Anthropic, Google Cloud AI, Tavus) used for runtime inference to power Piper, not for model training. No opt-out toggle is needed since training is stated not to occur; buyers relying on B2B contact/firmographic data should still review the DPA and subprocessor list for AI-vendor data flows.

    // Security controls

    Encryption in transit

    TLS, with regular updates to ciphersuites and configurations

    qualified.com

    Encryption at rest

    AES-256, block-level storage encryption

    qualified.com

    Penetration testing

    Independent third-party black-box penetration testing at least annually; trust center lists an 'AI SDR Penetration Test - October 2025' and a 'Web, API App Pentest - 2025' report

    trust.qualified.com

    SSO

    SAML/SSO supported via Google, Okta, JumpCloud, and OneLogin (setup guides listed in trust center)

    trust.qualified.com

    Cloud infrastructure

    Hosted on AWS (US-East, Northern Virginia); production application access restricted; unique account authentication enforced; firewall access restricted

    trust.qualified.com

    Subprocessors

    AWS, Twilio, Daily (voice/video), Sendgrid, Sentry, Salesforce, Clearbit, Demandbase, Datadog, ClickHouse, Azure OpenAI Service, OpenAI, Amazon Bedrock (Anthropic), Google Cloud AI, Tavus - all listed as US-based

    qualified.com

    // Products & data scope

    Qualified Platform (Piper AI SDR Agent, AI Chatbots, AI Conversations, AI Meetings, AI Offers, AI Signals)B2B agentic marketing / conversational sales platform

    data: Website visitor identification (IP, and where available name/business email), CRM and marketing-automation synced contact and firmographic data (Salesforce, HubSpot, Marketo, Eloqua, etc.), chat/voice/video conversation transcripts, buyer-intent signals

    One product family sold to mid-market/enterprise B2B marketing and sales teams; no free consumer tier. Company explicitly states it does not store credit card data or SSNs; a 'Personal health information' data category is listed generically in the trust center's data-collection controls but the product is not marketed or certified for handling regulated health data.

    // What to watch

    • ISO 27001 / PCI DSS / FISMA Moderate / SOX appear on Qualified's own trust page ONLY as AWS's data-center accreditations, not Qualified's own certifications. A generic web search summary incorrectly attributed these directly to Qualified before the vendor's own trust page was checked verbatim - a clear host-vs-vendor conflation risk. AIFOXX should never list ISO 27001/PCI/FedRAMP as Qualified's own certs.
    • Trust center lists 'Personal health information' as a data category under its Controls > Data collected section, yet Qualified holds no HIPAA certification or BAA program. Flag for any buyer considering routing PHI through the product.
    • No EU/UK data residency option despite an active GDPR compliance commitment; EU customers rely solely on SCCs for cross-border transfer, not local storage.
    • Do not confuse this vendor (qualified.com, the AI SDR/agentic marketing platform, maker of 'Piper') with the similarly named qualified.io (a technical hiring/assessment platform) - they are unrelated companies with separate privacy policies and compliance postures.
    • Detailed trust center resources (SOC 2 report itself, SIG Lite, pentest reports, policies) are gated behind a 'Request access' NDA portal; only the summary compliance badges and controls list are publicly verifiable.

    // At a glance

    Pricing model

    Enterprise B2B SaaS, sold via demo/quote (not self-serve tiered pricing)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Qualified.com, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.qualified.com

    > Browse all vendor trust reports