// Trust & Security Report
Salesloft, Inc. (merged with Clari, Inc.; combined entity operating as "Clari/Salesloft" since the merger completed in December 2025)
AI-powered sales engagement and revenue orchestration platform (Cadence, Rhythm, Conversations, Deals, Analytics, Forecast) plus the Drift conversational marketing/chatbot product acquired earlier by Salesloft; now part of the combined Clari/Salesloft "Predictive Revenue System" following the December 2025 merger
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on salesloft.com“The Salesloft and Drift platform services undergo SOC 2 Type 2 examinations, which test our security controls against the AICPA-defined standards”
Verify on salesloft.com“Our entire information security program is aligned with the ISO 27001 framework, which is audited and re-certified annually.”
Verify on salesloft.com“Salesloft is committed to privacy and ensuring ongoing compliance with all applicable laws and regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA).”
Verify on trust.salesloft.com“the California Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA) [badge shown: CCPA]”
Verify on salesloft.com“Salesloft has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles ... from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF ... Salesloft has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles”
> Show 5 unconfirmed / not-held certifications
source: trust.salesloft.comNo verifiable public evidence: a "CSA" badge appears in the trust.salesloft.com badge set (CCPA, CSA, EU-US DPF, GDPR, ISO 27001, ISO 27701, SOC 2 Type II, UK-US DPF), but the trust center states no STAR level (Level 1 self-assessment vs Level 2 third-party attestation), provides no CSA STAR attestation document, and no Salesloft entry was found in the public CSA STAR registry. A bare self-declared badge is not a direct attestation of the certification, so this is graded not held pending a verifiable STAR listing.
source: salesloft.comNo public evidence: Salesloft's official Security & Compliance page enumerates SOC 2, ISO 27001, ISO 27701, GDPR/CCPA and its encryption controls, but does not mention HIPAA or a Business Associate Agreement anywhere on the page.
source: salesloft.comNo public evidence: PCI DSS is not listed on Salesloft's Security & Compliance page or among the trust.salesloft.com badge set.
source: trust.salesloft.comNo public evidence: not among the trust center's badge list (CCPA, CSA, EU-US DPF, GDPR, ISO 27001, ISO 27701, SOC 2 Type II, UK-US DPF); the trust center's quick summary notes only "Has an AI policy", not an ISO 42001 certification.
source: salesloft.comNo public evidence of a FedRAMP authorization on any vendor-domain page reviewed.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US and EU; vendor states the platform is hosted on Amazon (AWS) and Google (GCP) data centers in both regions
Vendor states: "The Sub-processors Salesloft utilizes to provide its generative AI-powered services do not use customer data to train their AI models, except where a customer has given permission or instructions to do so, including for customer-specific models" (help.salesloft.com), and admins can disable generative AI features via self-service settings. Caveat: the separate Platform Privacy Notice states interaction data is also collected for general "research and development" purposes to improve services, with no explicit opt-out described for that broader use -- a narrower guarantee than a blanket 'never trains on your data' claim.
// Security controls
Encryption in transit
All connections, including the UI and APIs, go through standard secure web protocols (HTTPS/TLS 1.2+)
salesloft.comEncryption at rest
Strong symmetric (AES-256-GCM) encryption for all data at rest at the storage layer, in addition to the IaaS providers' disk-level encryption
salesloft.comHosting / data centers
Platform hosted at Amazon and Google data centers, running on AWS and GCP, in the US and EU
salesloft.comThird-party penetration testing
Trust center quick summary confirms annual third-party penetration testing
trust.salesloft.comDisaster recovery
Trust center quick summary confirms the vendor has a disaster recovery plan
trust.salesloft.comSubprocessor transparency
Public subprocessor list maintained and updated with dated change announcements (e.g., 1Mind added May 2026, Ada Chatbot added March 2026, Confluent Cloud Kafka added February 2026)
trust.salesloft.comVulnerability disclosure / bug bounty
Trust center quick summary confirms a bug bounty or vulnerability disclosure program, plus a "Report a Vulnerability" quick link
trust.salesloft.comIdentity & access management
Trust center quick summary confirms use of a centralized IAM solution (SSO) to manage employee access
trust.salesloft.comCyber insurance
Trust center quick summary confirms the vendor carries cyber insurance
trust.salesloft.com2025 security incident (material disclosure)
A threat actor accessed Salesloft's GitHub account (Mar-Jun 2025), then Drift's AWS environment, stealing OAuth tokens used to access data via Drift's third-party integrations (including Salesforce). Mandiant was engaged for investigation and remediation; Drift was taken offline Sept 5, 2025 and restored Sept 16, 2025 after credential rotation, MFA hardening, and infrastructure lockdown. Mandiant "has not identified ongoing compromise" and verified technical segmentation between Drift and the core Salesloft application.
trust.salesloft.com// Products & data scope
data: CRM records, email/call/meeting engagement data, sales activity and buyer-intent signals
Core platform in scope for the SOC 2 Type II and ISO 27001/27701 program described on the trust center.
data: Website visitor chat transcripts, OAuth integration tokens connecting to CRM/marketing systems
Suffered a major security incident (Aug-Sept 2025): threat actor stole OAuth tokens via Drift's AWS environment and used them to access data in downstream integrations (independent reporting cites roughly 700 affected organizations via the Salesforce integration path). Publicly disclosed and remediated per Mandiant-verified trust center updates; Drift now runs under the same shared trust center as core Salesloft.
data: Not assessed under this slug
Following the Dec 2025 merger, Clari and Salesloft share the same Conveyor-powered trust portal (branded "Clari/Salesloft Trust Center"), but Clari is a distinct product line and should be assessed/listed separately if AIFOXX carries it.
// What to watch
- Material 2025 security incident: Salesloft's Drift product suffered an OAuth-token theft breach (Mar-Sept 2025) that was used to access data in downstream integrations across a large number of customer organizations. Fully disclosed and remediated per the vendor's own trust center and a Mandiant-verified investigation, but it is recent enough (concluded Sept 2025) that any AIFOXX listing should surface it as a caveat, especially for the Drift sub-product.
- Identity-conflation risk flagged and avoided: a third-party blog (paubox.com) references a 'SalesLoft' page claiming HIPAA, PCI, FDCPA/FCRA and SSAE16 compliance. SSAE16 was retired industry-wide around 2017 and none of this appears on salesloft.com's current live Security & Compliance page, suggesting either a stale/cached page or confusion with a differently-spelled, unrelated site (e.g. salesloft.net). This source was NOT used as evidence; HIPAA and PCI DSS are graded held=false based on the vendor's current official page showing no mention of either.
- CSA STAR is graded not held: the trust.salesloft.com badge set includes a self-declared 'CSA' badge, but it specifies no STAR tier (Level 1 self-assessment vs Level 2 third-party attestation), links no STAR attestation document, and no Salesloft entry was found in the public CSA STAR registry. A bare Conveyor badge is not a verifiable attestation, so the certification cannot be substantiated on the vendor's domain.
- Company underwent a corporate merger with Clari (announced Aug 2025, completed Dec 2025); the trust center is now jointly branded 'Clari/Salesloft' and the cert scope may shift further as the combined company harmonizes its security program -- re-verify at next review cycle.
- The AI-training 'no training without permission' guarantee is scoped to generative-AI sub-processors specifically; a separate Platform Privacy Notice permits broader use of interaction data for general 'research and development' with no stated opt-out, which is a narrower promise than a blanket no-training claim.
// At a glance
Pricing model
Enterprise B2B SaaS; custom/seat-based pricing via sales contact, no public self-serve pricing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Salesloft, Inc. (merged with Clari, Inc.; combined entity operating as "Clari/Salesloft" since the merger completed in December 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.salesloft.com