PPipeValue
Documentation

Security & privacy

How PipeValue protects your credentials, isolates your workspace, and handles personal data.

Credential storage

Every credential — OAuth access and refresh tokens, API tokens — is encrypted at rest. The browser never receives a raw token; it only holds an opaque reference. Tokens are decrypted server-side, only at the moment they're needed to send a conversion.

Even a fully compromised browser session cannot read your CRM or ad-platform tokens — they're never sent to the client.

Token refresh

OAuth tokens are refreshed automatically: before use, PipeValue checks expiry and, if needed, rotates the token in the background — re-encrypting and storing the new one. Concurrency controls prevent two refreshes from racing.

Workspace isolation

Your data is strictly scoped to your organization and enforced at the data layer — a user can only read or write data for a workspace they belong to. One customer can never access another's data.

Personal data & hashing

Direct identifiers are never sent in the clear. Emails and phone numbers are normalized and hashed (SHA-256) before matching. Click IDs are stored as opaque strings. Transmissions are encrypted in transit (TLS).

Data residency

Application data is hosted in the European Union. Where a destination platform is located outside the EU, transfers are covered by appropriate safeguards (standard contractual clauses and/or the EU-US Data Privacy Framework).