Security & Compliance

We take security and compliance seriously at Salesloft. Managing Customer Data is more than a responsibility to be met; it is something our company is truly passionate about. We believe our customers’ trust must be earned every day. To achieve that, we do more than follow policies and check boxes: we instill awareness and best practices in our culture so that security and data privacy are built in when we design our applications, manage our hosting environments, and conduct daily business operations.

For information about platform administration privileges, setting role permissions, configuring integrations, and more, visit our Governance page. For additional information and documentation on Salesloft’s security program and controls, including certifications and attestation reports, visit the Salesloft Trust Portal. For additional information on platform features, visit the Salesloft Help Center.


How we store, process, and secure your data

Data Centers

The Salesloft platform is hosted in Amazon and Google data centers, running on Amazon Web Services (AWS) and Google Cloud Platform (GCP), in the US and the EU. The Drift platform is hosted on AWS in the US. These data centers provide 24x365 physical security, environmental controls, redundant utilities with uninterruptible power supplies and backup power generation, and redundant, diverse telecommunication connections, so that the services remain available and your data stays secure.

Data Encryption

The Salesloft+Drift platforms are web-based SaaS solutions. All connections, including the UI and the APIs, use standard secure web protocols (HTTPS with TLS 1.2 or later), so data is encrypted in transit. At rest, the platforms apply strong symmetric encryption (AES-256-GCM) at the storage layer, in addition to the IaaS providers’ disk-level encryption and any encryption applied at the application or database layers. Encryption keys are managed, and automatically rotated, by the IaaS providers’ key-management services.

System Security

We continuously update our systems to protect your data. Rather than patching long-lived hosts in place, we regularly replace our virtual systems with new ones built from images that already have patches and updates applied. We maintain system consistency using a combination of configuration management, up-to-date images, and an automated continuous-integration / continuous-delivery (CI/CD) process.

Security Team & Operations

Salesloft’s Information Security team, led by the SVP of Information Security, is composed of Security Engineering, Security Operations, and Governance, Risk, and Compliance (GRC) teams. Salesloft’s security stack for the platforms includes a web-application firewall (WAF), a software-composition and dependency scanner, a log-aggregation system, endpoint detection and response (EDR/XDR), a privileged-access management (PAM) platform, and a SIEM, with a security partner performing 24x365 monitoring, triage, and analysis. Critical alerts are escalated to the Security Operations team; after-hours alerts are handled by an on-call rotation with automated escalation to additional Security team members.

Restricted Access

Salesloft follows the principle of “least access required” (least privilege). Access to the production hosting environments is controlled by a privileged-access management (PAM) platform with pre-defined role-based permissions and approval groups, time-limited sessions, and multi-factor authentication (MFA).

Security Testing

The Salesloft+Drift platforms were designed to be secure, but we don’t just trust, we verify: automated tooling scans our source code and systems to identify potential vulnerabilities; independent security researchers test the platforms on an ongoing basis through our bug-bounty program; and security assessments are performed on a project basis, at least annually, by a reputable independent security-consulting firm. Reported vulnerabilities are assessed, prioritized based on risk, and tracked through to disposition.

Operational Monitoring

As a SaaS provider, Salesloft is responsible for all aspects of the platform’s operations, including development, testing, implementation, monitoring, maintenance, and troubleshooting. Salesloft’s technology and engineering teams monitor the operating environment using automated tooling and alerting to quickly identify, troubleshoot, and address operational issues. Salesloft publishes its current operating status and historical uptime statistics on the Salesloft Status Page.

Availability, Data Backups, & BC/DR

The Salesloft+Drift platforms employ a containerized microservices architecture and use high-availability services to replicate systems and data across geographically diverse data centers, so that if one system, or an entire data center, is interrupted, the rest of our services remain available. As an XaaS-only business, Salesloft’s service delivery does not depend on any Salesloft physical facilities. Even so, Salesloft performs data backups and maintains business-continuity and disaster-recovery (BC/DR) plans, which are reviewed periodically, to ensure the availability of the services.

Application Security

All Salesloft application-development personnel are required to complete secure-development training, during onboarding and periodically thereafter, and to comply with secure-development requirements. Salesloft’s automated CI/CD process incorporates automatic code scans and requires peer review and QA approval before code is deployed.

Corporate IT Security

We protect our own systems to protect your data. Salesloft is an XaaS-only business employing a zero-trust model, with access controlled by a corporate IdP/SSO solution that enforces multi-factor authentication. Our employee workstations and laptops are centrally managed and protected with full-disk encryption, endpoint detection and response (EDR), and a web-based proxy.

SOC 2 Type 2

The Salesloft and Drift platform services undergo annual SOC 2 Type 2 examinations, conducted by a third-party audit firm, which test the design and operating effectiveness of our security controls against the AICPA’s Trust Services Criteria, covering our platforms, hosting environments, and related operations. The SOC 2 reports are published in the Salesloft Trust Portal.

ISO 27001

ISO 27001 is a globally recognized standard for establishing and certifying an information security management system (ISMS). Our entire information security program is aligned with the ISO 27001 framework and is audited and re-certified annually. Salesloft’s ISO certificate is published in the Salesloft Trust Portal.

Privacy Compliance

Salesloft is committed to privacy and to ongoing compliance with all applicable laws and regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). Salesloft’s Master Subscription Agreement (MSA) incorporates our Data Processing Addendum (DPA), which includes the Standard Contractual Clauses (SCCs), and Salesloft is certified against the ISO 27701 privacy information management standard.

Personnel Security

Salesloft performs background checks on all employees and requires all personnel to sign confidentiality agreements prior to onboarding. All personnel are required to complete Security and Privacy Awareness training during onboarding and at least annually thereafter, and we continually publicize security alerts and updates through internal communications.

Third-Party Risk Management (TPRM)

For all partners involved in the delivery of the services, Salesloft performs due diligence that includes reviewing the vendor’s security, privacy, and compliance programs and controls prior to onboarding and during periodic surveillance reviews. Salesloft’s agreements with these vendors include requirements and obligations, as applicable to the data and services in scope, that are at least equivalent to those in Salesloft’s customer agreements.
