// Trust & Security Report
Tipalti Inc.
Finance automation suite covering AP Automation, Mass Payments, Procurement, Expense Management, Treasury, Corporate Cards, and Tipalti AI (agents and assistant) for mid-market and enterprise payers
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.tipalti.com“Trust center lists 'SOC 2 Type 2' under Compliance and documents section shows 'Tipalti Solution Ltd._SOC2 Type II_2025_Final Report' and 'SOC2_Bridge_Letter_February_2026'”
Verify on trust.tipalti.com“Trust center lists 'SOC 1 Type 2' under Compliance and documents section shows 'Tipalti Solutions_SOC1 Type II_2025_Final Report' and 'SOC1_Bridge_Letter_February_2026'”
Verify on tipalti.com“Tipalti publishes a Data Processing Addendum: 'by entering into this DPA, Customer and Tipalti are deemed to have signed the EU SCCs, which form part of this DPA and will apply to any transfers from the European Economic Area (EEA) to countries outside the EEA'”
Verify on tipalti.com“Tipalti, Inc. and Tipalti Payments Inc. have self-certified their commitment to comply with the EU-U.S. DPF Principles”
Verify on tipalti.com“Tipalti, Inc. and Tipalti Payments Inc. have self-certified their commitment to comply with the EU-U.S. DPF Principles and rely on the European Commission's adequacy decision for the EU-U.S. DPF to receive personal data transfers from the European Union/European Economic Area, and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.”
Verify on tipalti.com“FAQ states: 'Tipalti receives and maintains a third-party audit certification for AICPA SSAE 16 SOC and ISAE 3402 Type II' — now superseded by the SOC 1 Type 2 report”
> Show 6 unconfirmed / not-held certifications
source: trust.tipalti.comNot listed in Tipalti's own trust center (trust.tipalti.com). The DPA references AWS's ISO 27001 for hosting infrastructure only — that is the host's cert, not Tipalti's. Third-party comparison sites claim ISO 27001 but no vendor-domain evidence found. Unknown / no public vendor-domain evidence.
source: tipalti.comNo vendor-domain claim of Tipalti holding PCI DSS certification found. The Cards Schedule imposes PCI-DSS obligations on customers: 'Customer represents and warrants...it and its service providers will comply with the PCI-DSS.' This is a customer requirement, not Tipalti's own cert. Unknown / no public vendor-domain evidence of Tipalti's own PCI DSS certification.
source: trust.tipalti.comUnknown / no public vendor-domain evidence. HIPAA is not referenced in the trust center, privacy policy, or legal agreements. A healthcare customer (Lenus) is listed in customer stories, but Tipalti does not claim HIPAA compliance on its own domain.
source: trust.tipalti.comUnknown / no public vendor-domain evidence. FedRAMP is not referenced on Tipalti's trust center, privacy policy, or legal pages.
source: trust.tipalti.comUnknown / no public vendor-domain evidence. Not listed in Tipalti's trust center compliance section.
source: trust.tipalti.comUnknown / no public vendor-domain evidence. No AI-specific governance certification found on Tipalti's domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary production on AWS in United States. Processing also occurs in Canada, Israel, UK, and EU as noted in privacy policy. Data center location listed as USA in trust center.
Tipalti explicitly states: 'We do not use your personal information to train generalized large language models.' The AI product page further states: 'Tipalti does not use customer data to train or fine-tune third-party AI models' and 'Tipalti does not use data from one customer's instance to train, fine-tune, or improve AI models or features for other customers.' Customers can disable all AI features. Note: OpenAI is listed as a subprocessor — third-party model providers may process customer data to generate outputs, but Tipalti states contractual controls are in place.
// Security controls
Authentication options
Username/Password, Multi-Factor Authentication (MFA), Single Sign-On (SSO)
trust.tipalti.comCloud infrastructure
Amazon Web Services (AWS) in the United States for production servers and databases
tipalti.comExternal security rating
B grade (791/950) per UpGuard. Known gaps: DNSSEC not enabled, DMARC set to non-enforcement (p=none), not on HSTS preload list.
upguard.comSubprocessors of note
Amazon AWS, OpenAI, Google, Stripe, Salesforce, Datadog, MongoDB Atlas, Rossum Ltd., Marqeta, LexisNexis, Intercom, Mixpanel, Zendesk (full list at trust center)
trust.tipalti.com// Products & data scope
data: Invoice data, supplier PII, financial records, ERP integration data
End-to-end payables automation with invoice ingestion, PO matching, approval workflows, and ERP sync. Core product for mid-market.
data: Payee PII (tax forms, bank details), payment transaction data, KYC/AML data
Global payouts to 200+ countries in 120 currencies via 50+ payment methods. Includes tax compliance (W-9, W-8, VAT). Licensed money transmitter.
data: Purchase orders, vendor contracts, supplier data
Procurement workflow automation with vendor onboarding and PO management.
data: Employee expense receipts, cardholder data, reimbursement records
Integrated with corporate cards; expense capture and approval workflows.
data: Financial data processed by AI agents; invoices, tax forms, ERP records; may route to OpenAI/Anthropic/Amazon/Meta/Google model providers
Agentic AI including Tax Form Scan Agent, ERP Sync Resolution Agent, Reporting Agent. Tipalti explicitly disavows training on customer data. Customers can disable all AI features.
data: Card transaction data, cardholder PII
UK and EU-specific issuer terms apply. Customers required to be PCI-DSS compliant for card data handling.
data: Bank account data, cash flow records
Optional add-on for managing cash positions and treasury operations.
// What to watch
- ISO 27001 UNCERTAINTY: Multiple third-party comparison sites claim Tipalti holds ISO 27001 but this cert is not listed in Tipalti's own trust center (which only shows SOC 1 and SOC 2 under Compliance). DPA references AWS ISO 27001 — that is the hosting provider's cert, not Tipalti's own. Grade held=false pending vendor confirmation.
- PCI DSS UNCERTAINTY: Tipalti is a licensed payment platform but no vendor-domain claim of holding PCI DSS certification was found. The Cards Schedule only imposes PCI compliance on customers. Third-party sites claim PCI DSS for Tipalti but without a vendor-domain source this cannot be confirmed.
- HIPAA UNCONFIRMED: Healthcare customers (Lenus) listed in customer stories, but no HIPAA compliance claim or BAA offering found on vendor domain.
- OPENAI AS SUBPROCESSOR: OpenAI is listed as a subprocessor in the trust center. Tipalti's AI features may route financial and personal data to OpenAI's models. Tipalti states contractual controls are in place and prohibit training on customer data.
- PENETRATION TEST STALENESS: Most recent penetration test date on trust center is 08/02/2024 — over 18 months ago. Frequency of testing is not disclosed.
- HOST VS VENDOR CERT (ISO 27001): DPA explicitly mentions 'Amazon Web Services (AWS)...employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001.' This is AWS's cert, not Tipalti's — must not be conflated.
- DNSSEC / DMARC GAPS: UpGuard notes DNSSEC not enabled and DMARC is in non-enforcement mode (p=none). For a financial platform handling sensitive payment data, these are notable email and domain security gaps.
// At a glance
Pricing model
Custom / enterprise pricing (demo required); subscription-based. Tipalti does not publish list pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Tipalti Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.tipalti.com