Trust center

Your data is stored in a secure and segmented environment with access controls and encryption mechanisms in place to protect confidentiality and integrity.

We implement a comprehensive set of security controls including access controls, encryption, monitoring, and regular security assessments to verify that the overall security program is effectively safeguarding your data.

Yes, we utilize encryption protocols to encrypt your data both when it's in transit over the network and when it's stored on our servers.

Access to your data is restricted to authorized personnel only, and access rights are based on the principle of least privilege, ensuring that only those who need access can obtain it.

We employ a multi-layered approach to security, including strong authentication mechanisms, access controls, intrusion detection systems, and regular security audits to prevent unauthorized access.

We conduct regular security audits and assessments throughout the year. There is an internal audit team that verifies we are following our own security and privacy policies. Annually, we engage with outside experts to evaluate, test and provide a professional opinion on our accordance with industry best practices.

Our platform adheres to the industry-recognized ISO 27001 standard and maintains a certification. Alongwith ISO, we follow SOC 2, and GDPR to ensure the highest levels of data security and compliance.

We maintain robust backup and disaster recovery procedures to ensure the availability and integrity of your data in the event of unforeseen incidents or disasters.

We have established incident response procedures that outline the steps to be taken in the event of a security incident or breach, including containment, investigation, remediation and communication with any impacted parties, including customers.

Yes, you can request the deletion of your data from our platform, and we have procedures in place to securely delete data in compliance with applicable data protection regulations.

We carefully vet and select third-party services or subcontractors based on their adherence to security best practices and compliance with relevant standards. We also require them to sign agreements that outline their security responsibilities and obligations.

Our employees undergo regular security training and awareness programs to ensure they are knowledgeable about security best practices, current threats, and how to safeguard sensitive data.

We conduct thorough security assessments and testing of integrations with other platforms or services to ensure they meet our security standards and do not introduce vulnerabilities into our system.

Yes, we support two-factor authentication (2FA) as an additional layer of security for accessing your account, which helps prevent unauthorized access even if login credentials are compromised.

Yes, the platform provides access to audit logs or reports that provide visibility into activity related to your account and data.

We implement strict access controls, monitoring systems, and employee awareness programs to detect and prevent insider threats, along with regular reviews of access privileges to minimize the risk of unauthorized actions.

Data encryption keys are managed using industry-standard cryptographic protocols and stored securely with restricted access, ensuring that only authorized users can access and decrypt sensitive data.

Yes, we conduct penetration testing and manage a public ‘bug bounty’ program to identify and address potential vulnerabilities in our system, ensuring that we maintain a robust security posture against evolving threats.

We have a proactive policy for deploying security patches and updates promptly to address known vulnerabilities and mitigate potential security risks to our platform and your data.

As a company born in Europe, Pipedrive is very much up to speed with the implications that the EU General Data Protection Regulation (GDPR) has for businesses. We appreciate the privacy needs of Pipedrive users, as well as their customers and, as such, have implemented and will continue to improve measures in line with the GDPR to safeguard the personal data processed by Pipedrive.

For more information on Pipedrive’s GDPR-related efforts, please see this article in our Knowledge Base: https://support.pipedrive.com/article/pipedrive-and-gdpr

As regards the data processed by our clients in the Pipedrive Service (such as leads, contacts, etc.), our clients act as data controllers (or a comparable role such as a “business” in certain jurisdictions) and Pipedrive functions as the data processor (or a comparable role such as a “service provider” in certain jurisdictions). In such case, the obligations of the parties are specified in Pipedrive’s Data Processing Addendum (DPA), which is available here.

Conversely, Pipedrive assumes the role of data controller for the personal data collected directly from users during signup, billing, or other interactions where users choose to provide their data to Pipedrive or where such data is collected automatically during the use of the Pipedrive Service. In such case, Pipedrive's Privacy Notice explains how personal data is processed. Pipedrive’s Privacy Notice can be found here.

For detailed insights into these roles and responsibilities, please refer to Section 2 of our Privacy Notice.

Pipedrive’s Privacy Notice can be found here.

Yes, Pipedrive's Data Protection Officer is Mr Juan Martin Sanchez. If you have any concerns or complaints about the processing of your personal data, you may contact him by email at [email protected].

We currently host our data in the following AWS regions:

EU (Stockholm)
EU (Frankfurt)
EU (Dublin)
UK (London)
US East
US West

For optimized performance and compliance, new sign-ups originating from specific regions will primarily be hosted in specific data centers:

EU: for EU clients
UK: for non-EU European and EMEA clients
USA: rest of the world.

Note: Due to external conditions (i.e. IP mappings) company accounts can be hosted in different data centers. In case you would like to know exactly where your company's data is hosted please reach out to our Support team.

It’s important to note that while Pipedrive maintains data centers in Europe, we cannot guarantee that data will remain exclusively within the EU due to the following reasons:

- Pipedrive uses U.S.-based sub-processors to provide the service. Please note we have in place the latest Standard Contactual Clauses (SCCs) with our U.S.-based sub-processors (including Pipedrive, Inc.). Please note that, in some cases, the use of sub-processors and resulting data transfers will depend on your use of Pipedrive features. You can find the full list of sub-processors, the services they offer, the transfer mechanism, and their location here.

- Additionally, Pipedrive has employees in different locations around the world (including in the U.S.). In an effort to provide 24/7 Support services, Pipedrive employs a distributed Support team that covers all time zones. Therefore, when you contact our Support, you may be placed in contact with a Support representative based in the U.S. To assist you and depending on the issue you have reported, they will access your data and this can be considered as data being transferred to the US.


Please note that the data will not be stored there.

Pipedrive is committed to protecting the personal data entrusted to it and has a broad corporate governance structure regarding information security in place. Pipedrive is audited by a recognized independent auditing firm on ISO27001 and SOC2&3 frameworks. The certificates can be found in our Trust Center under the "Resources" section. The description of the technical and organizational security measures implemented by Pipedrive to safeguard the data processed by our clients in Pipedrive Services can be found in Annex 3 of our Data Processing Addendum (DPA).

Yes. You can find a copy of Pipedrive’s Data Processing Addendum (DPA) here. The DPA has been pre-signed on behalf of the applicable Pipedrive entity.

Unfortunately, we are unable to sign individual Data Processing Addendums (DPAs) from clients. Given our extensive global client base of over 100,000, managing thousands of unique DPAs is not feasible. Instead, we invite you to review and sign our standard DPA, which is drafted in accordance with best market practices and GDPR requirements, including also juridsiction-specific requirements for the UK and Switzerland, ensuring comprehensive coverage of your data protection needs. You can access our DPA here.

Pipedrive does engage sub-processors to assist in delivering services ordered by a client. You can access our current list of sub-processors here. This resource offers essential details about the identity, location, and function of each sub-processor, as well as the data transfer mechanisms established with each. Please note that, in some cases, the use of sub-processors will depend on your use of Pipedrive features.

We adhere to applicable data privacy laws and regulations when transferring data between regions or countries, including implementing appropriate safeguards, such as data encryption and contractual agreements (DPAs, SCCs when applicable) to ensure compliance and protect our clients' data privacy.

Pipedrive participates and complies with the EU-U.S. Data Privacy Framework set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data of individuals in the European Union. For more information please see Section 7 in our Privacy Notice.

Pipedrive maintains robust data protection practices, including the implementation of Standard Contractual Clauses (SCCs) Module 3 with all our sub-processors based outside the EEA and other jurisdictions recognized as adequate by the European Commission.
We have conducted Transfer Impact Assessments (TIAs) for all our sub-processors who process personal data outside the EEA and other jurisdictions recognized as adequate by the European Commission. However, it is our policy not to publicly share our TIAs. We can provide information on the basis of which these assessments were conducted upon request. For further details, please contact us at [email protected].

You can learn more about the cookies used on our websites from our Cookie Notice here.

When using Pipedrive lead generation features, like Chatbot and Web Forms and our paid add-on Web Visitors, certain cookies are used to provide the best experience for you and your customers. You can learn more about those cookies here.

You can configure your marketing preferences and understand how Pipedrive uses your data for marketing purposes by navigating to Company Settings -> My Account -> Notifications. Under the "Notifications" tab, you can choose your marketing preferences. If you need assistance with this process, please contact our Support team for help.

Pipedrive is not designed for and should not be used to handle Sensitive Data, as outlined and defined in our Terms of Service. You can find the definition of what constitutes Sensitive Data in the "Definitions" Section and further details in Section 7.4 of the Terms of Service.

If you wish to have the data on your Pipedrive account completely deleted, you have several options available. For more detailed information, please check our Knowledge Base article on this topic here.

To delete a user in Pipedrive, the user must first be deactivated. If you wish to remove a user from your Pipedrive account, an individual with account settings permissions can do so by navigating to the "Deactivated Users" tab and selecting “Delete User” next to the desired user. For more detailed instructions, please refer to our Knowledge Base article here.

When a paid Pipedrive account is closed, the account and the data within that account are scheduled for permanent deletion within 180 days of the date of closure. In case of free trial accounts, it happens within 60 days of the date of closure. For more information please see Section 9 of our Privacy Notice.