// Trust & Security Report

    Salesloft, Inc. (merged with Clari, Inc.; combined entity operating as "Clari/Salesloft" since the merger completed in December 2025) logo

    Salesloft, Inc. (merged with Clari, Inc.; combined entity operating as "Clari/Salesloft" since the merger completed in December 2025)

    AI-powered sales engagement and revenue orchestration platform (Cadence, Rhythm, Conversations, Deals, Analytics, Forecast) plus the Drift conversational marketing/chatbot product acquired earlier by Salesloft; now part of the combined Clari/Salesloft "Predictive Revenue System" following the December 2025 merger

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    The Salesloft and Drift platform services undergo SOC 2 Type 2 examinations, which test our security controls against the AICPA-defined standards

    Verify on salesloft.com
    ISO 27001
    HELD

    Our entire information security program is aligned with the ISO 27001 framework, which is audited and re-certified annually.

    Verify on salesloft.com
    ISO 27701
    HELD

    Salesloft is certified compliant with the ISO 27701 standard.

    Verify on salesloft.com
    GDPR (compliance posture)
    HELD

    Salesloft is committed to privacy and ensuring ongoing compliance with all applicable laws and regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA).

    Verify on salesloft.com
    CCPA/CPRA (compliance posture)
    HELD

    the California Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA) [badge shown: CCPA]

    Verify on trust.salesloft.com
    EU-U.S. / UK / Swiss-U.S. Data Privacy Framework
    HELD

    Salesloft has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles ... from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF ... Salesloft has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles

    Verify on salesloft.com
    > Show 5 unconfirmed / not-held certifications
    CSA STAR
    NOT CONFIRMED

    No verifiable public evidence: a "CSA" badge appears in the trust.salesloft.com badge set (CCPA, CSA, EU-US DPF, GDPR, ISO 27001, ISO 27701, SOC 2 Type II, UK-US DPF), but the trust center states no STAR level (Level 1 self-assessment vs Level 2 third-party attestation), provides no CSA STAR attestation document, and no Salesloft entry was found in the public CSA STAR registry. A bare self-declared badge is not a direct attestation of the certification, so this is graded not held pending a verifiable STAR listing.

    source: trust.salesloft.com
    HIPAA
    NOT CONFIRMED

    No public evidence: Salesloft's official Security & Compliance page enumerates SOC 2, ISO 27001, ISO 27701, GDPR/CCPA and its encryption controls, but does not mention HIPAA or a Business Associate Agreement anywhere on the page.

    source: salesloft.com
    PCI DSS
    NOT CONFIRMED

    No public evidence: PCI DSS is not listed on Salesloft's Security & Compliance page or among the trust.salesloft.com badge set.

    source: salesloft.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence: not among the trust center's badge list (CCPA, CSA, EU-US DPF, GDPR, ISO 27001, ISO 27701, SOC 2 Type II, UK-US DPF); the trust center's quick summary notes only "Has an AI policy", not an ISO 42001 certification.

    source: trust.salesloft.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of a FedRAMP authorization on any vendor-domain page reviewed.

    source: salesloft.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US and EU; vendor states the platform is hosted on Amazon (AWS) and Google (GCP) data centers in both regions

    Vendor states: "The Sub-processors Salesloft utilizes to provide its generative AI-powered services do not use customer data to train their AI models, except where a customer has given permission or instructions to do so, including for customer-specific models" (help.salesloft.com), and admins can disable generative AI features via self-service settings. Caveat: the separate Platform Privacy Notice states interaction data is also collected for general "research and development" purposes to improve services, with no explicit opt-out described for that broader use -- a narrower guarantee than a blanket 'never trains on your data' claim.

    // Security controls

    Encryption in transit

    All connections, including the UI and APIs, go through standard secure web protocols (HTTPS/TLS 1.2+)

    salesloft.com

    Encryption at rest

    Strong symmetric (AES-256-GCM) encryption for all data at rest at the storage layer, in addition to the IaaS providers' disk-level encryption

    salesloft.com

    Hosting / data centers

    Platform hosted at Amazon and Google data centers, running on AWS and GCP, in the US and EU

    salesloft.com

    Third-party penetration testing

    Trust center quick summary confirms annual third-party penetration testing

    trust.salesloft.com

    Disaster recovery

    Trust center quick summary confirms the vendor has a disaster recovery plan

    trust.salesloft.com

    Subprocessor transparency

    Public subprocessor list maintained and updated with dated change announcements (e.g., 1Mind added May 2026, Ada Chatbot added March 2026, Confluent Cloud Kafka added February 2026)

    trust.salesloft.com

    Vulnerability disclosure / bug bounty

    Trust center quick summary confirms a bug bounty or vulnerability disclosure program, plus a "Report a Vulnerability" quick link

    trust.salesloft.com

    Identity & access management

    Trust center quick summary confirms use of a centralized IAM solution (SSO) to manage employee access

    trust.salesloft.com

    Status transparency

    Public platform status page maintained

    trust.salesloft.com

    Cyber insurance

    Trust center quick summary confirms the vendor carries cyber insurance

    trust.salesloft.com

    2025 security incident (material disclosure)

    A threat actor accessed Salesloft's GitHub account (Mar-Jun 2025), then Drift's AWS environment, stealing OAuth tokens used to access data via Drift's third-party integrations (including Salesforce). Mandiant was engaged for investigation and remediation; Drift was taken offline Sept 5, 2025 and restored Sept 16, 2025 after credential rotation, MFA hardening, and infrastructure lockdown. Mandiant "has not identified ongoing compromise" and verified technical segmentation between Drift and the core Salesloft application.

    trust.salesloft.com

    // Products & data scope

    Salesloft platform (Cadence, Rhythm, Conversations, Deals, Analytics, Forecast)Sales engagement / revenue orchestration

    data: CRM records, email/call/meeting engagement data, sales activity and buyer-intent signals

    Core platform in scope for the SOC 2 Type II and ISO 27001/27701 program described on the trust center.

    DriftConversational marketing / website chatbot

    data: Website visitor chat transcripts, OAuth integration tokens connecting to CRM/marketing systems

    Suffered a major security incident (Aug-Sept 2025): threat actor stole OAuth tokens via Drift's AWS environment and used them to access data in downstream integrations (independent reporting cites roughly 700 affected organizations via the Salesforce integration path). Publicly disclosed and remediated per Mandiant-verified trust center updates; Drift now runs under the same shared trust center as core Salesloft.

    Clari (sibling brand, separate AIFOXX listing)Revenue intelligence / forecasting

    data: Not assessed under this slug

    Following the Dec 2025 merger, Clari and Salesloft share the same Conveyor-powered trust portal (branded "Clari/Salesloft Trust Center"), but Clari is a distinct product line and should be assessed/listed separately if AIFOXX carries it.

    // What to watch

    • Material 2025 security incident: Salesloft's Drift product suffered an OAuth-token theft breach (Mar-Sept 2025) that was used to access data in downstream integrations across a large number of customer organizations. Fully disclosed and remediated per the vendor's own trust center and a Mandiant-verified investigation, but it is recent enough (concluded Sept 2025) that any AIFOXX listing should surface it as a caveat, especially for the Drift sub-product.
    • Identity-conflation risk flagged and avoided: a third-party blog (paubox.com) references a 'SalesLoft' page claiming HIPAA, PCI, FDCPA/FCRA and SSAE16 compliance. SSAE16 was retired industry-wide around 2017 and none of this appears on salesloft.com's current live Security & Compliance page, suggesting either a stale/cached page or confusion with a differently-spelled, unrelated site (e.g. salesloft.net). This source was NOT used as evidence; HIPAA and PCI DSS are graded held=false based on the vendor's current official page showing no mention of either.
    • CSA STAR is graded not held: the trust.salesloft.com badge set includes a self-declared 'CSA' badge, but it specifies no STAR tier (Level 1 self-assessment vs Level 2 third-party attestation), links no STAR attestation document, and no Salesloft entry was found in the public CSA STAR registry. A bare Conveyor badge is not a verifiable attestation, so the certification cannot be substantiated on the vendor's domain.
    • Company underwent a corporate merger with Clari (announced Aug 2025, completed Dec 2025); the trust center is now jointly branded 'Clari/Salesloft' and the cert scope may shift further as the combined company harmonizes its security program -- re-verify at next review cycle.
    • The AI-training 'no training without permission' guarantee is scoped to generative-AI sub-processors specifically; a separate Platform Privacy Notice permits broader use of interaction data for general 'research and development' with no stated opt-out, which is a narrower promise than a blanket no-training claim.

    // At a glance

    Pricing model

    Enterprise B2B SaaS; custom/seat-based pricing via sales contact, no public self-serve pricing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Salesloft, Inc. (merged with Clari, Inc.; combined entity operating as "Clari/Salesloft" since the merger completed in December 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.salesloft.com

    > Browse all vendor trust reports