We take security very seriously across all our cloud services, and aim to lead the market in certifications, policies, architecture and response.
dataloader.io is a 100% web-based application and is not available on-premises. It uses OAuth 2.0, so users can log into dataloader.io with their existing Salesforce credentials without compromising security.
The CSV file used to import, export or delete data in Salesforce is stored within our data centers, so users can re-run the same task without having to upload or download the file again. CSV data can be completely removed from our servers by deleting the task from the dataloader.io UI. Also, since the July '16 release, we allow users to save result files externally to cloud services like (S)FTP, Box and Dropbox, so that this information does not have to be stored in our data centers (more information here).
In addition, we are certified under HITRUST, a common security framework designed to simplify compliance with technical controls derived from HIPAA/HITECH. HITRUST is a very extensive security framework that many companies are pursuing because it incorporates other standards and provides clear, actionable guidelines.
With regard to HIPAA, MuleSoft is not subject to HIPAA regulations, as we do not directly handle personal health information. HIPAA is only applicable to covered entities.
We are also a Level 1 PCI service provider and are SSAE 16 certified. You can see more about our approach to security at our Trust Center.