Drift

ISO/IEC 27701:2019 Privacy Information Management System certification demonstrating compliance with privacy management requirements. Third-party audited by Schellman with Statement of Applicability published June 2025 covering personal data processing controls.

Annual SOC 2 Type 2 attestation report validating security, availability, and confidentiality controls through independent assessment. 2024 report published June 2025 with bridge letter extending coverage through July 2025 until new 2025 report availability.

Acceptable-Use Standard (STND-300) defining prohibited uses of platforms and services including illegal, harmful, or offensive activities. Policy protects platform integrity and user security with enforcement mechanisms for violations.

Formal Business-Continuity and Disaster-Recovery Policy (POL-400) with geographically diverse teams ensuring regional events don't disrupt critical functions. All personnel can work remotely, effectively testing BC capabilities continuously.

High-availability architecture utilizing multi-AZ configuration with near-real-time data replication across data centers. Recovery Point Objective (RPO) of 60 minutes or less with automated CI/CD deployment enabling transparent disaster recovery.

Dedicated incident response team with formal Incident Response Standard (STND-206) defining detection, analysis, containment, and recovery procedures. Includes security breach notification protocols and escalation processes updated June 2025.

Comprehensive Information Security Policy (POL-200) establishing governance framework for security objectives, risk management, and mandatory controls across organizational functions. Policy updated June 2025 incorporating defense-in-depth approach and ISO 27001 alignment.

Detailed privacy framework including Privacy Notice, Platform Privacy Notice, and Data Privacy Framework Privacy Notice covering GDPR, CCPA/CPRA compliance. Outlines data collection, processing, security measures, and data subject rights with DPF certification for EU-US transfers.

Formal Vulnerability Disclosure Program (VDP) allowing responsible disclosure of security vulnerabilities with clear submission process and response timelines. Policy establishes coordinated vulnerability management approach for security researchers.

Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CAIQ) v4.0.2 self-assessment completed February 2025. Published in Trust Portal demonstrating alignment with CSA security best practices for cloud service providers.

Active bug bounty program operated through HackerOne platform enabling independent security researchers to identify and responsibly disclose vulnerabilities. Program includes ongoing security testing with defined scope, submission guidelines, and response expectations.

Active cybersecurity insurance coverage with Certificate of Insurance (COI) published in Trust Portal. 2025-26 insurance certificate updated June 2025 providing financial protection against security incidents and data breach liability.

Storage-layer encryption using AES-256-GCM for all customer data at rest in addition to hardware-layer full-disk encryption from IaaS providers. Application-layer encryption applied for select sensitive data elements per Cryptographic Standard (STND-203).

Comprehensive Data Processing Addendum (DPA) establishing Salesloft's obligations as processor of personal data under GDPR, CCPA/CPRA, and applicable privacy regulations. Includes Standard Contractual Clauses for international transfers and data subject rights.

Designated Data Protection Officer (DPO) with formal policy (PRIV-004) establishing DPO responsibilities for GDPR compliance, privacy program oversight, and data subject request management. Updated June 2025 with privacy governance framework.

Salesloft platform offers US or EU hosting region choice with in-region data residency maintained. Drift currently offers US hosting only. Each region operates independently with geographic isolation: US (AWS us-east-1, GCP us-central1), EU (GCP europe-west3 Frankfurt).

Self-service data retention with customer-controlled deletion through UI, APIs, or CRM synchronization rules. Conversations recordings retention configurable by customers. 30-day post-termination retention period before automatic data deletion per Master Subscription Agreement.

Background checks performed for all employees prior to onboarding including employment/educational history verification and criminal checks as permitted by jurisdiction. Credit checks performed for senior financial positions with confidentiality agreements required.

Identity Provider/SSO solution enforcing multi-factor authentication (MFA), device trust, and re-authentication requirements. Support for Okta, SAML, Google OpenID Connect, Salesforce IDP, OneLogin, and Microsoft Azure (Entra) integrations.

Zero-trust model with least-privilege access provisioning and segregation of duties. Automated workflow from HRMS to IdP/SSO with role-based access provisioning and automatic revocation upon job changes or termination. Quarterly access reviews performed.

Mandatory security and privacy awareness training during onboarding and annually thereafter covering phishing, social engineering, confidentiality, and GDPR. Automated phishing-test campaigns conducted monthly with web-based training platform tracking completion.

SIEM solution with 24x7x365 monitoring by security vendor performing Tier 1 triage and analysis. Critical alerts escalated to Salesloft Security team with after-hours on-call rotation and automated escalations to additional personnel.

All connections use HTTPS/TLS encryption with support for TLS 1.2 and higher protocols. Qualys SSL Labs testing available for accounts.salesloft.com, app.salesloft.com, start.drift.com, and app.drift.com demonstrating strong cipher suite configurations.

Vulnerability Management Standard (STND-208) establishing risk-based prioritization and tracking through dispensation. Daily infrastructure scanning with cloud-native security tools, EDR/XDR, PAM solution, and automated alerting for identified vulnerabilities.

Web Application Firewall (WAF) protecting against application-layer vulnerabilities and attempted exploits. Integrated with DDoS protection and cloud-native security tools from GCP and AWS infrastructure providers.

Annual third-party penetration testing performed by CREST-certified vendor following OWASP methodology. 2024-2025 Letter of Assessment published June 2025 covering Drift platform web application, mobile app, and infrastructure security assessments.