GDPR in Pipedrive: The Guide

The General Data Protection Regulation (GDPR) requires companies to process personal data securely and allows transfers outside the EU/EEA only with appropriate safeguards in place. Pipedrive places great importance on GDPR compliance, and this post explains how it works in detail.

Pipedrive as Data Processor and Data Controller

Within the GDPR context, Pipedrive acts as the data processor: it processes personal data only according to the customer's instructions. The customer, who decides which contacts are stored and for what purpose, is the data controller.

You can find the Data Processing Addendum (DPA) here.

All EU customers have a contractual relationship with Pipedrive’s EU entity based in Estonia. Data stored in Pipedrive is hosted in the EU (Frankfurt, Stockholm, Dublin) or processed in GDPR-compliant regions. A list of sub-processors is available here.

Pipedrive users themselves are responsible for ensuring GDPR-compliant usage.

Technical and Organizational Measures

High security standards are demonstrated by ISO/IEC 27001 certification and SOC 2 / SOC 3 attestation reports. A full description can be found in the article Privacy and Security at Pipedrive.

Data is encrypted both in transit (TLS) and at rest (AES-256).

Access is monitored, and Pipedrive regularly sends admin users monitoring overviews. Regular internal and external audits are conducted to ensure data protection standards are upheld.

User profiles can be assigned different access rights so that sensitive data is not visible or modifiable by everyone.

GDPR-Compliant Use of Pipedrive Features

Certain guidelines must be followed by users themselves, as they depend on how Pipedrive is used and which features are needed. Specifically, this concerns the optional use of web forms, email and web visitor tracking, and AI tools.

Consent Statements in Web Forms

Pipedrive’s web forms can include consent statements. Details on how to set this up can be found in the article How to Create a GDPR-Compliant Web Form in Pipedrive. Since all form submissions are logged in Pipedrive, consent can be proven at any time.

A custom person field in Pipedrive lets you add one or more consent checkboxes to your web forms. The checked state is stored with the contact when the form is submitted, so the record of consent stays attached to the person it concerns.

Email Tracking

Email tracking is optional and can be enabled for each individual email. Tracking generally requires the recipient's consent, which is typically obtained separately beforehand; only once consent has been given may tracking be switched on for that recipient.

You can find more details on how to handle email tracking in the article GDPR-Compliant Email Tracking.

Open tracking and click tracking can be manually activated for each email. This functionality can also be deactivated entirely.

Web Visitor Tracking

A less frequently used but still optional feature is web visitor tracking. Pipedrive offers the option to identify website visitors via an HTML snippet embedded on your website; the snippet must be integrated by the user before the feature can be used.

Web Visitors does not show you data about the individual visitor, such as demographics or an IP address, but rather the company the visitor is probably associated with. There is no way to see which specific person visited your website. To get to actual people, you would need Pipedrive's Prospector feature, which searches Pipedrive's company database for possible contact persons within that company. Both Web Visitors and Prospector are paid add-ons.

Note that loading the embedded snippet still sends the visitor's browser request, including the IP address, to Pipedrive's servers. The snippet should therefore be covered by your website's privacy notice and, where consent is required for such tracking, loaded only after the visitor has opted in.
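Consent-gating the snippet, as an added example that is not Pipedrive's own code: the cookie name `site_consent`, its `category:flag` value format and the tracker URL are assumptions for illustration; substitute your own consent mechanism and the snippet URL from your Pipedrive account.

```javascript
// Added example (not Pipedrive's code): load a third-party visitor-tracking script
// only after the visitor has opted in to the relevant consent category.
// TRACKER_SRC is a placeholder, not a real URL; use the snippet URL from your account.
const TRACKER_SRC = "https://example.invalid/tracker.js";
const CONSENT_COOKIE = "site_consent"; // assumed cookie name written by your consent banner

// Parse a document.cookie string such as "a=1; site_consent=analytics:1,marketing:0"
// into { analytics: true, marketing: false }. Malformed entries are ignored and a
// missing cookie yields an empty object, i.e. no consent given.
function parseConsent(cookieString, cookieName = CONSENT_COOKIE) {
  const consent = {};
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() !== cookieName) continue;
    let value;
    try {
      value = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      continue; // malformed percent-encoding: treat as no consent
    }
    for (const entry of value.split(",")) {
      const [category, flag] = entry.split(":");
      if (category && (flag === "1" || flag === "0")) {
        consent[category.trim()] = flag === "1";
      }
    }
  }
  return consent;
}

// Opt-in semantics: only an explicit "1" for the category allows loading.
function mayLoadTracker(consent, category = "analytics") {
  return consent[category] === true;
}

// Inject the script tag. `doc` is passed in so the logic can be exercised outside a
// browser; returns the created element, or null when consent is missing.
function loadTrackerIfConsented(doc, cookieString, category = "analytics") {
  if (!mayLoadTracker(parseConsent(cookieString), category)) return null;
  const script = doc.createElement("script");
  script.src = TRACKER_SRC;
  script.async = true;
  doc.head.appendChild(script);
  return script;
}

// In the browser: run after the consent banner has been answered.
if (typeof document !== "undefined") {
  loadTrackerIfConsented(document, document.cookie);
}
```

The important property is the default: an absent, malformed or foreign cookie never results in the script being loaded, so a visitor who has not answered the banner is never sent to the tracker.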

For more information on how to use this feature, see the article Web Visitors.

AI Tools

Since 2024, Pipedrive has integrated several AI tools, all of which are optional. Because the data protection regulations surrounding these tools are not yet fully clarified, it’s advisable to keep these features disabled for now.

AI features in Pipedrive can be deactivated for the entire company.

Rights of Data Subjects

A full description of data protection rights can be found in the article Privacy Notice. In summary:

  • Right of Access: Data subjects can request a copy of the personal data stored about them, which can be exported from Pipedrive.
  • Right to Rectification: Data subjects can have inaccurate or outdated data corrected.
  • Right to Erasure (“Right to Be Forgotten”): Data subjects can request the deletion of their personal data.
  • Data Portability: Personal data can be exported in a machine-readable format.
  • Right to Object: Data subjects can object to processing (for example for direct marketing), withdraw consent they have given, and request that processing be restricted.

Conclusion

By proactively implementing GDPR guidelines, Pipedrive offers users a secure platform for customer relationship management. Nonetheless, companies should continuously review and adjust their internal processes to ensure full compliance.

Further Reading

Pipedrive and GDPR

Official GDPR web resource