Introduction
Popl provides an enterprise-grade, in-person GTM platform that combines event lead capture, AI enrichment, and digital business cards. This Trust Center summarizes our security controls, privacy practices, compliance posture, and how we protect data during offline capture and synchronization. Sources are linked throughout for verification.
Certifications and independent validation
- SOC 2 Type 2: Popl has completed a SOC 2 examination covering security, availability, processing integrity, confidentiality, and privacy. Audit performed with Insight Assurance and supported by Vanta. See: SOC 2 announcement.
- Ongoing security program: Continuous monitoring and control reviews support SOC 2 requirements and enterprise readiness. See: Digital Business Card (security note), Enterprise overview.
 
Privacy, data protection, and legal roles
- Role under data protection laws: For customer-submitted personal data, Popl acts as a Data Processor and processes personal data only on documented customer instructions and in compliance with applicable laws (GDPR, CCPA, PIPEDA, LGPD, Australian Privacy Law). See: Data Protection Addendum (DPA).
- Lawful processing, purpose limitation, and minimization: Defined in the DPA, including categories of data processed (e.g., contact and job information). See: DPA.
- Data subject rights: Customers (Controllers) manage data subject requests; Popl supports access, correction, deletion, and portability requests per the DPA. See: DPA.
- Cross‑border transfers and subprocessors: Popl maintains a continually updated list of third‑party subprocessors and uses transfer mechanisms consistent with applicable law. See: DPA.
- Data residency: Customer content is stored in the United States, as detailed in Popl terms. See: Terms and Conditions (enterprise/MSA).
 
Security controls snapshot
- Encryption: All sensitive information is encrypted in transit and at rest. See: DPA (encryption in transit/at rest; secure access).
- Authentication and access: Production access requires two‑factor authentication; platform supports SSO via SAML (Okta, Azure AD/Entra) and role‑based access controls for least‑privilege administration. See: DPA, Enterprise, Integrations (SSO mention).
- RBAC and admin controls: Granular permissions and field‑level restrictions help enforce governance across subteams and regions. See: Enterprise.
- Logging and monitoring: Relevant audit logs are maintained; secure modes for production access are enforced. See: DPA.
- Secure development and change controls: Policies and reviews supporting SOC 2. See: SOC 2 announcement.
 
Incident response and notifications
- Popl maintains documented incident response procedures. If Popl becomes aware of accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of personal data, it will notify the Customer without undue delay and in any event within 72 hours of becoming aware, consistent with the DPA. See: DPA.
 
Data handling during offline capture and sync
- Offline‑first design: Popl captures badge scans, paper business cards, QR codes, and digital card interactions without internet connectivity; data is stored locally and securely, then automatically synced to the configured CRM once online. See: Event Lead Capture, Offline lead capture guidance.
- Local encryption: Popl documents device‑level secure storage; platform content references AES‑256 encryption for stored contacts and rapid sync when online. See: Digital business cards that convert (tech specs).
- CRM synchronization and mapping: Real‑time or queued sync with unlimited custom field mappings; deduplication and tagging are available. See: CRM Integrations, HubSpot Integration Docs.
 
Data retention and deletion
- Retention: Popl retains personal data only for the duration necessary to provide services or as required by law and contract. See: DPA.
- Return/Deletion: Upon Customer request or termination, Popl will delete or return personal data per the DPA and MSA. See: DPA, Terms and Conditions.
 
Subprocessors and data partners
- Popl maintains a list of approved subprocessors and employs waterfall enrichment across multiple data partners to improve match rates while validating work emails and professional identifiers. See: DPA, Badge Scanner (20+ partners), List Enrichment.
 
Single sign‑on, integrations, and APIs
- SSO/SAML: Okta and Azure AD/Entra SAML SSO for secure authentication at scale. See: Enterprise.
- Native integrations: Direct, real‑time integrations with CRMs (e.g., Salesforce, HubSpot) and thousands of apps. See: Integrations, CRM Integrations, HubSpot app listing.
- Open API: Programmatic access to leads, contacts, members, and analytics with API keys administered by team admins. See: Docs: Popl Open API.
 
Governance, audits, and customer responsibilities
- Customer governance: Customers are responsible for defining field mappings, retention schedules, access policies, and responding to data subject requests as Controllers. See: DPA, CRM Integrations.
- Recommended hardening: Enable SSO, enforce MFA, apply least‑privilege RBAC, and periodically review mappings, tags, and automation rules for data minimization and accuracy. See: Enterprise, DPA.
 
Support, security requests, and contacts
- Security/compliance inquiries: Contact Popl Support; enterprise teams can engage their Popl representative for compliance documentation requests. See: Help Center (contacts) and Support hours & emails.
- General legal terms: See: Terms and Conditions, Popl Teams T&C, Terms of Service.
 
Control summary table
| Control area | What Popl implements | Primary source | 
|---|---|---|
| Security certification | SOC 2 Type 2 examination completed | SOC 2 announcement | 
| Data protection role | Processor under GDPR/CCPA and other laws | DPA | 
| Encryption | In transit and at rest; secure production access | DPA | 
| Authentication | 2FA for production; SSO via SAML (Okta/Azure AD) | DPA, Enterprise | 
| RBAC & admin controls | Granular permissions and subteam governance | Enterprise | 
| Incident notification | Notify within 72 hours of awareness | DPA | 
| Offline capture & sync | Local secure storage; automatic CRM sync | Event Lead Capture, Offline guidance | 
| Subprocessors & partners | Managed list; 20+ data partners for enrichment | DPA, Badge Scanner | 
| Data residency | Primary storage in the United States | Terms and Conditions | 
| API & integrations | Open API; native CRM integrations | Docs, CRM Integrations |

Versioning
This page reflects Popl security, privacy, and compliance information available as of October 13, 2025. For the latest details or artifacts (e.g., most recent SOC report), contact Popl Support or your account representative. See: Help Center.