// Trust & Security Report
Qualified.com, Inc.
Agentic marketing / conversational ABM platform built around Piper, an AI SDR agent; sub-products (Qualified AI Chatbots, AI Conversations, AI Meetings, AI Offers, AI Signals) are feature modules of the same core platform, not separately compliance-scoped products.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.qualified.com“Compliance Reports: 'Qualified SOC 2 Type 2 Report 2025'; Compliance section lists 'SOC 2 Type II'. Newsroom: 'Today, Qualified announced it achieved SOC2 Type II Certification.'”
Verify on qualified.com“"Qualified is fully committed to compliance with the GDPR." Trust center also lists GDPR under Compliance, and the privacy policy states use of European Commission-approved Standard Contractual Clauses for EU/UK/Swiss transfers.”
Verify on trust.qualified.com“Trust center Compliance section shows 'CCPA' tagged 'COMPLIANT'; privacy policy states Qualified acts as a Service Provider under the CCPA.”
> Show 6 unconfirmed / not-held certifications
source: qualified.com"AWS's data center operations have been accredited under: ISO 27001" - this is the cloud host's (AWS) accreditation, not Qualified's own. No page attributes an ISO 27001 certificate to Qualified itself.
source: qualified.comPCI Level 1 is listed only as an AWS data-center accreditation. Qualified's own materials state: "Qualified does not store credit card information, Social Security Numbers, or any other highly sensitive PII," indicating PCI DSS is out of scope for Qualified directly.
source: trust.qualified.comNo public evidence. HIPAA is not mentioned on trust.qualified.com or qualified.com/trust. Note: the trust center's 'Data collected' list does include 'Personal health information' as a tracked category, but no HIPAA certification or BAA program is claimed anywhere.
source: trust.qualified.comNo public evidence of ISO/IEC 42001 certification; not referenced on the trust center or trust page.
source: trust.qualified.comNo public evidence of a CSA STAR registry entry or attestation referenced on vendor materials.
source: qualified.com"FISMA Moderate" appears only as an AWS data-center accreditation, not a Qualified authorization. No FedRAMP marketplace listing or ATO found for Qualified.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US-East (AWS, Northern Virginia); trust page states "Qualified does not have any data storage options in the EU at this time." International transfers use EU Commission-approved Standard Contractual Clauses (SCCs).
Privacy policy states: "Your information is not used to develop, improve, or train generalized AI and/or ML models and will not be stored by our AI service providers." Consistent with this, the subprocessors list shows several generative-AI providers (Azure OpenAI Service, OpenAI, Amazon Bedrock/Anthropic, Google Cloud AI, Tavus) used for runtime inference to power Piper, not for model training. No opt-out toggle is needed since training is stated not to occur; buyers relying on B2B contact/firmographic data should still review the DPA and subprocessor list for AI-vendor data flows.
// Security controls
Penetration testing
Independent third-party black-box penetration testing at least annually; trust center lists an 'AI SDR Penetration Test - October 2025' and a 'Web, API App Pentest - 2025' report
trust.qualified.comSSO
SAML/SSO supported via Google, Okta, JumpCloud, and OneLogin (setup guides listed in trust center)
trust.qualified.comCloud infrastructure
Hosted on AWS (US-East, Northern Virginia); production application access restricted; unique account authentication enforced; firewall access restricted
trust.qualified.comSubprocessors
AWS, Twilio, Daily (voice/video), Sendgrid, Sentry, Salesforce, Clearbit, Demandbase, Datadog, ClickHouse, Azure OpenAI Service, OpenAI, Amazon Bedrock (Anthropic), Google Cloud AI, Tavus - all listed as US-based
qualified.com// Products & data scope
data: Website visitor identification (IP, and where available name/business email), CRM and marketing-automation synced contact and firmographic data (Salesforce, HubSpot, Marketo, Eloqua, etc.), chat/voice/video conversation transcripts, buyer-intent signals
One product family sold to mid-market/enterprise B2B marketing and sales teams; no free consumer tier. Company explicitly states it does not store credit card data or SSNs; a 'Personal health information' data category is listed generically in the trust center's data-collection controls but the product is not marketed or certified for handling regulated health data.
// What to watch
- ISO 27001 / PCI DSS / FISMA Moderate / SOX appear on Qualified's own trust page ONLY as AWS's data-center accreditations, not Qualified's own certifications. A generic web search summary incorrectly attributed these directly to Qualified before the vendor's own trust page was checked verbatim - a clear host-vs-vendor conflation risk. AIFOXX should never list ISO 27001/PCI/FedRAMP as Qualified's own certs.
- Trust center lists 'Personal health information' as a data category under its Controls > Data collected section, yet Qualified holds no HIPAA certification or BAA program. Flag for any buyer considering routing PHI through the product.
- No EU/UK data residency option despite an active GDPR compliance commitment; EU customers rely solely on SCCs for cross-border transfer, not local storage.
- Do not confuse this vendor (qualified.com, the AI SDR/agentic marketing platform, maker of 'Piper') with the similarly named qualified.io (a technical hiring/assessment platform) - they are unrelated companies with separate privacy policies and compliance postures.
- Detailed trust center resources (SOC 2 report itself, SIG Lite, pentest reports, policies) are gated behind a 'Request access' NDA portal; only the summary compliance badges and controls list are publicly verifiable.
// At a glance
Pricing model
Enterprise B2B SaaS, sold via demo/quote (not self-serve tiered pricing)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Qualified.com, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.qualified.com