Introduction to Security & Privacy at Drift

Managing our customer data is more than just a responsibility to be met, it’s something our company is truly passionate about. We believe our customer’s trust is something that must be earned every day. To achieve that, we do more than just follow policies and check boxes, we instill awareness and best practices in our culture so that security and data privacy are top of mind when designing our application, managing our networks, and conducting daily business operations.


Drift performs a variety of audits and assessments to provide ourselves and our customers with independent, third-party assurance that we are adhering to our commitment to protect our systems and our customer’s data.

SOC II Type 2

Drift undergoes this industry recognized audit of our security program on an annual basis and makes our report available to all prospective customers.

Privacy Shield Certified

Drift adheres to the Privacy Shield principles of notice, choice, accountability, security, data integrity and purpose limitation, access and recourse, and are certified by the U.S. Department of Commerce.

Learn More ›
Cloud Security Alliance

Drift knows that our customers want to know about how we secure their data. As a Cloud Security Alliance STAR registrant, Drift’s security practices are conveniently and immediately available for review, no need to send us a survey.

Learn More ›

Top Security & Privacy Features

Physical Security

Drift is exclusively hosted on AWS who provides robust, physical data center security and environmental controls. Drift’s corporate offices all require badge access for entry, maintain video surveillance, and require all visitors to sign in and be accompanied when present.

Network Security

Drift controls access to our production networks through the use of strictly defined rules and requires multi-factor authentication and encrypted connections. We also utilize intrusion detection systems in our production network and advanced email filtering in our corporate network to identify potential security threats.

Application Security

Drift employs both internal and external testing of our product. We regularly scan source code and systems for vulnerabilities and perform necessary patching and updates based on those results. On an annual basis we utilize a nationally recognized firm to test our application and network to provide ourselves and our customers assurance that data is being robustly protected.

Training and Awareness

Drift requires all employees and contractors to sign a confidentiality agreement prior to commencement. During the onboarding process, security awareness training is delivered to all new hires and we continually publicize security alerts through our internal communication channels.

Backup and Disaster Recovery

Drift utilizes geographically separate environments to ensure data availability and uptime. In the unlikely event of simultaneous failure of both environments, Drift maintains daily backups, meaning that the RPO is no greater than 24 hours.

Data Protection

Drift encrypts data in transit and at rest on our servers utilizing recognized encryption protocols. At end-of-life, AWS destroys disks per NIST 800-88 standards.

Drift and the EU General Data Protection Regulation (GDPR)

Drift is committed to helping our users understand the rights and obligations under the General Data Protection Regulation (GDPR), which took effect on May 25, 2018.

To learn more about our GDPR compliance, please read our GDPR Policy.

Learn More

Frequently Asked Questions

How does Drift comply with global privacy laws, and in particular, the General Data Protection Regulation or GDPR?

At Drift, we have aligned our policies and practices with the General Data Protection Regulation (GDPR). Drift complies with GDPR and helps its customers comply with GDPR through the mechanisms below:

Appropriate Safeguards?

Per Article 32 of the GDPR, we have in place appropriate technical and organizational measures to keep your data secure. All data is securely stored in Amazon Web Services.

Collecting Consents?

You can configure Drift to collect consents via chat prior to collecting email address or additional personal data.

Drift is able to read the consent flag passed from your Consent Management Platform (CMP) and act accordingly.


We have in place the appropriate Data Processing Agreements (DPAs) with all vendors and sub-processors that process data on our behalf. Check out the Sub-processor section below for more information on how we vet and contract with our sub-processors.

Honoring Data Subject Rights?

We have processes in place to honor data subject requests. Drift will export, correct, or delete Contact Data upon request by the Customer. If we receive a request directly from a Data Subject, we will work with the Customer to honor the request.

Does Drift have a dedicated Security Team?

At Drift, we consider every single employee to be a member of the security team, and are dedicated to keeping all of our data and our customers’ data secure. That said, we do have a dedicated Security Team, including a Chief Security Officer who holds the following credentials: CISSP, CIA, CFE, CCEP, CIPP/US, ISO 27001 Lead Implementer and is a licensed attorney and investigator.

Do Drift systems undergo regular penetration testing?

Yes. Drift undergoes annual application and network penetration tests conducted by nationally recognized firms.

Does Drift use any third parties in the process of providing services to customers?

Drift has four sub-processors, available at All Customer Data is stored in AWS. The other sub-processors may or may not see a particular Customer’s data depending on which Drift products and services that customer is using.

How often does Drift conduct vulnerability scans?

Drift continuously scans and monitors our production environment to detect possible intrusion and performs static and dynamic code analysis on a regular basis.

How can I report a security issue?

You can contact us via chat or email us at You can also submit a bug through our bounty program here.

Who at Drift will have access to customer data?

Only employees who need to access data in order to help perform the services will access customer data.

Can Customer delete their data from Drift or get their data out of Drift?

Absolutely. Data can be deleted or we can deliver all data collected and stored on behalf of a customer to that customer.

When deleting data from the system, is it fully deleted or is it held such that it can be retrieved?

Data is completely wiped according to NIST 800-88 standards, such that data cannot be retreived in part or whole after deletion.

Where is customer data hosted?

Drift is a SaaS platform that is 100% cloud-based in Amazon Web Services. We do not operate our own physical servers, routers, load balancers, or DNS servers. All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network. Customer data is stored in either our Drift North American data center or our Drift EU data center, depending on the customer’s contract.

Can Drift help customers with requests from Data Subjects under the GDPR?

Yes! We have processes in place to honor data subject requests. Drift will export, correct, or delete Contact Data upon request by the Customer. If we receive a request directly from a Data Subject, we will work with the Customer to honor the request.

Is Customer Data encrypted?

Whether data is being transferred or stored, all customer data is secured with the latest encryption algorithms and technologies.

How is Customer Data encrypted at rest?

At rest, all data lives within our Amazon Web Services (AWS) infrastructure located in US-EAST datacenters. Resting data is encrypted using AWS provided technologies, which use a symmetric AES-GCM encryption algorithm with 256 bit encryption keys. Encryption keys are stored separately from encrypted data using AWS’ Key Management System (KMS).

How is Customer Data encrypted during transit?

During transit, either externally or internally between Drift services, data is encrypted using TLS 1.2 with AES 256 bit encryption to ensure data protection at all times. Drift SSL certificates are issued through AWS, and when Drift sends data to third-party systems data is encrypted by leveraging the SSL certificates owned by our partners. Drift is certified under the EU/Swiss-U.S. Privacy Shield Framework and all our agreements with sub-processors require that data only be transferred pursuant to Privacy Shield Certifications or mutually executed Standard Contractual Clauses.

Is Customer Data backed up? Does Drift have a disaster recovery plan?

Drift utilizes geographically separate environments to ensure data availability and uptime. In the unlikely event of simultaneous failure of both environments, Drift maintains daily backups, meaning that the RPO is no greater than 24 hours.

Who owns the data that Customers collect and store through Drift? Does Drift use Customer Data for purposes other than performing the services?

The Customer owns all the data they have collected and stored using Drift. Drift does not use Personal Data collected on behalf of a customer for any purpose other than to perform the services. Drift will perform some analytics on aggregate usage information which we use to improve our services and enable our customers to be successful with Drift.

What transfer mechanism does Drift use for cross-border transfers of data?

Drift participates in the EU-U.S. Privacy Shield framework (“Framework”) as set forth by the U.S. Department of Commerce, regarding the processing of personally identifiable information transferred from the EU and European Economic Area (“EEA”) to the U.S. Drift has certified that it adheres to the Privacy Shield Principles. To learn more about the Framework and to view our certification page, please visit

Drift will also enter into Standard Contractual clauses for cross-border data transfers.

What types of Personal Data do customers collect and store through Drift?

Check out our GDPR page for details on this.

Does Drift sell data collected or stored on behalf of its customers?

Absolutely not.

Does Drift have any security certifications?

Yes! Drift is SOC II Type 2 certified and Privacy Shield Certified.

Is Drift a Data Controller or Data Processor?

With respect to the data collected and stored by our Customers, the Customer is the Data Controller, and Drift is the Data Processor. We will enter into a Data Processing Agreement or DPA with any Customer that requests one.

Does Drift conduct due diligence around the data privacy and security practices of potential vendors, data processors and/or sub-processors?

Yes. Every new vendor must be vetted by the Legal and Security teams. This process includes completion of a detailed questionnaire, analysis of whether the vendor will have access to personal data, and submission of their penetration tests and security certifications.

Does Drift have a bug bounty program?

Yes. You can submit a bug here.

Join Businesses That Are Using Drift to Connect With Their Customers NOW

Get a Demo