Pipedrive is Now SOC 2 Certified

Pipedrive SOC 2 Certification

We take the protection of our customers’ data very seriously. While this has traditionally meant putting great security systems in place and ensuring that we partner with industry-leading service providers, we realize that some of you need us to go beyond just giving you our word, so we went out and got some certification.

We already follow globally recognized best practices, which means you can rest assured that your intellectual property, customer lists, product information, deal information, in fact, all your sales information is in great hands.

Now we are proud to say that Pipedrive is also a SOC 2 Certified Service Provider. If that sounds like we just randomly threw some numbers and letters together, read on.

The technical stuff

The SOC 2® Type I report is performed by an independent auditing firm and is intended to provide you with proof that, when it comes to protecting your data, we’re not all talk. Thanks to a company-wide effort we managed to get certified in the following areas:

  • Security: All parts of the system are protected against unauthorized access.
  • Availability: Pipedrive is available for operation and use as committed or agreed.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in Pipedrive’s privacy policy.

The relationship we have with you is built on trust, and this certification is our way to bolster that trust and work towards earning rather than expecting it.

“At Pipedrive we believe your privacy and the security of your information is a fundamental right. Our culture ensures that every member of our team preserves and respects what has been entrusted to us by you, our customers,” – Pipedrive Information Security Manager Jesse Wojtkowiak.

What’s next?

Of course, safety is an ever-evolving concept in the digital world. We are currently making preparations to complete SOC 2 Type II while keeping pace with GDPR compliance and ISO 27001 certification, and once that is done we will look at improving even further. Behind the scenes, we will keep examining how we build and run Pipedrive to ensure that we always have an eye on protecting you and your data.

Happy closing!


Martin Henk

Co-Founder, Head of Product Management

  • Ann Missy Brooks Drummond

    This is great news. Do you have any plans of becoming HIPAA certified/compliant?

    • Joel Jesus

      Hey Ann!

      It’s not in our plans at the moment I’m afraid.

      • Spencer

        We would be very interested in this as well.

      • Lauren

        Are there any current interfaces with Pipedrive through third party vendors (Zapier) to HIPAA compliant documentation sites that you’re aware of?

  • Jed Keenan

    When is global GDPR compliance scheduled? I would like to use the service but am based in the EU with laws governing data collection and use that differ from US law and do note that we are transferring our Client Data and Personal Data to the United States for storage and processing. And that by providing any information, including Client Data and Personal Data, on or to the Service, we have consented to such transfer, storage, and processing.

    • Christopher

      Hi Jed,

      I want to assure you that we take data privacy very seriously and, having an office also in the EU, are well informed of the implications of the GDPR. We’re currently in the process of mapping and addressing any gaps we may have in GDPR compliance and we intend to get the bulk of the work done by May next year.

      With regard to data transfers, I wanted to clarify that EU customers will be contracting with our EU entity based in Estonia which has an agreement with our US hosting provider based on the EU Commission’s Standard Contractual Clauses to ensure adequate protection of personal data.

      • Vesa Kivistö

        GDPR is pushing everyone to make strategic and long term platform choices. Compliance with current regulation is important. Platform suitability towards upcoming & possible global privacy framework changes is even more important.

        Standard Contractual Clauses are already being challenged in courts. They could go the way of the earlier EU-US Safe Harbor agreement, which was deemed null and void by EU courts.

        Is Pipedrive planning to utilize BCR (Binding Corporate Rules) privacy mechanisms? Or better yet, actually hosting and administrating EU customer accounts physically within EU/ETA area?

        • Christopher

          Hi Vesa,

          We plan to host EU customer data inside of the EU.
          There will be an announcement on that in the near future.

          • Vesa Kivistö

            Awesome. Thanks Christopher 🙂

          • Andy Bargery

            Hi Christopher,

            Good to hear you are planning to hold EU data within the EU. Please could you confirm if this has been delivered now, or if not, a timeframe for when this will be completed please.

          • Christopher

            Hi Andy,

            This has now been delivered.
            European customers are being migrated to the European data centre 🙂

          • Krystal Jevons

            Hi, where can the fact that European customer data is being stored in Estonia be found? Has this been updated in a privacy policy or your terms and conditions which can be saved with our due diligence?

          • Christopher

            Hi Krystal,

            The data centre is located in Germany.
            The centre hosts new European customers and we are in the process of migrating existing users.

            Once this is completed, we will update our Terms of Service and Privacy Policy accordingly.

  • Jed Keenan

    Are you right to write certified?
    There’s no such thing as a “SOC2 Certification”.
    The SOC2 (or 1) is an audit/report on the effectiveness of operating controls in a given environment, as audited against selected SysTrust principles and the policies/procedures in place for the audited organization, by a third-party Auditor.
    The Report is just that – a report on the outcome of the audit, showing whether deviations were found for each control by the auditor.
    Neither the AICPA nor the SOC auditor issues a Certificate, because it is not a Certification exercise.

    • Christopher

      Hi Jed,

      Thanks for bringing this up.
      We used the word certified because we received a certification which states that the audit was passed.

  • Sean Mares

    Our company does a lot with Federal accounts. Is the data encrypted at rest? Also does the data reside in the US?