Security & Compliance

At Pipedrive Cards, we understand that your sales pipeline contains sensitive business intelligence. We have designed our application with a security-first mindset, leveraging enterprise-grade infrastructure and strict data privacy protocols to ensure your information remains protected.

1. Infrastructure Security

We do not manage physical servers. Instead, our application runs on a fully managed, globally distributed serverless architecture provided by a leading cloud infrastructure vendor.

  • Certified Environment: Our backend infrastructure provider, Cloudflare, maintains ISO 27001 certification and SOC 2 Type II compliance, ensuring physical and environmental security standards are met.

  • Network Security: All application traffic is routed through a global edge network that provides built-in DDoS protection and web application firewall (WAF) capabilities.

  • Sandboxing: The application interface runs within the secure Miro Web SDK iframe, isolating our code from other scripts on your board to prevent cross-site scripting (XSS) attacks.

2. Data Protection & Encryption

We adhere to strict cryptographic standards to protect data as it moves between your CRM and Miro.

  • Encryption in Transit: All data transmitted between the user’s browser, our servers, and Pipedrive is encrypted using TLS 1.3 (Transport Layer Security).

  • Encryption at Rest: Sensitive authentication tokens are stored using industry-standard AES-256 encryption within our secure key-value storage systems.

  • Data Minimization: We employ a “transient processing” model. We fetch deal data (such as value, stage, and owner) in real-time for display and do not create permanent copies of your sales records in our own databases.

3. Authentication & Access Control

We use industry-standard protocols to manage access to your data without ever handling your login credentials.

  • OAuth 2.0: We utilize the OAuth 2.0 standard for authentication. This allows you to grant our app access to your Pipedrive account without sharing your password. You can revoke this access at any time via your Pipedrive settings.

  • Least Privilege: Our application requests only the specific API scopes required to function (e.g., reading deal metadata and updating card positions). We do not request access to unrelated data such as emails or global account settings.

4. Operational Security

  • Code Reviews: All code changes undergo strict peer review and automated static analysis testing before deployment.

  • Incident Response: We maintain a documented incident response plan to address potential availability or security events rapidly.

5. Compliance

  • GDPR: We act as a Data Processor and process data in accordance with GDPR requirements. We rely on standard contractual clauses (SCCs) and the adequacy decisions regarding our infrastructure providers.

  • Data Residency: Our infrastructure utilizes a global network to serve data from the location nearest to the user, ensuring low latency while maintaining security compliance.