Skip to content

Trust Center

Built for what’s next — secured for what matters.

Privion helps organizations modernize their Microsoft 365 environments and operates a small number of hosted services. This page explains how we protect client data across both.

SOC 2 readiness report (PDF)Management attestation letter (PDF)
View security policiesDownload Trust Center PDF

Where your data lives

Procurement and InfoSec teams need different answers for Microsoft 365 consulting than for hosted services. Privion separates these trust boundaries explicitly.

Trust boundary diagramClient Microsoft 365 data remains in the client tenant with partner access only.Privion Intranet and PAnalytics run on Privion-managed Azure in Azure West US 2.SOC 2 scope (roadmap): hosted services and privileged-access program.

Client tenant

Microsoft 365

SharePoint · Power Platform

Your data stays here

Consulting & tenant administration

No client content copied to Privion endpoints

Privion infrastructure

Azure West US 2 · Privion as data processor

Privion Intranet

  • Cloud AI processing; methodology proprietary
  • No persistent store after delivery

PAnalytics

  • Privion-hosted Matomo · West US 2
  • Nightly DB backups · West Central US DR

SOC 2 scope (roadmap): hosted services + privileged-access program

Client tenant

Where most of your data lives

  • Microsoft 365 / SharePoint / Power Platform consulting

    Data remains in your Microsoft 365 tenant. Privion does not store, copy, or relocate client content for this work.

Privion infrastructure

Hosted services Privion operates

  • Privion Intranet

    Privion-managed Azure (Azure West US 2). Privion Intranet processes documents into structured outputs via cloud AI services. Privion's processing methodology is proprietary and is not disclosed publicly to protect competitive advantage. Privion acts as data processor where processing occurs in the service. Data handling: encrypted transit, post-delivery deletion of documents and intermediate artifacts, no training re-use.

  • PAnalytics (Privion-hosted Matomo)

    PAnalytics is Privion-hosted Matomo on a shared Privion-managed Azure stack (Azure West US 2). Clients may instead deploy Matomo in their own environment. Privion acts as data processor for visitor analytics collected on clients' websites when the hosted service is in use.

  • For consulting work, client Microsoft 365 data stays in the client's tenant. Privion's risk surface is privileged access, not data custodianship.
  • For Privion Intranet and PAnalytics, Privion is the data processor. Controls for those environments are described on this Trust Center.
  • Privion's SOC 2 scope (when in scope) is intended to cover hosted services and the privileged-access program for client tenants — not the client tenants themselves.

Security controls

Controls tailored to partner-delegated Microsoft 365 access and Privion-hosted workloads.

Privileged Access Management

  • MFA required for all Privion personnel and administrative accounts
  • FIDO2 hardware keys for tenant-admin operations (admin roles)
  • Microsoft Entra Privileged Identity Management (PIM) for just-in-time admin elevation
  • Microsoft GDAP for partner-delegated client access (no standing Global Administrator)
  • Conditional Access policies on administrative accounts
  • Quarterly access reviews per client tenant
  • GDAP/PIM recovery: documented partner relationships, annual playbook review, re-establishment procedures after disruption; test evidence under NDA.

Data Protection

  • TLS 1.2+ in transit for hosted services
  • Encryption at rest for Privion Intranet and PAnalytics storage (Azure platform defaults)
  • Privion Intranet: proprietary methodology; encrypted transit; no persistent store after delivery; no training re-use; DPA/NDA for specifics.
  • PAnalytics is Privion-hosted Matomo on a shared Privion-managed Azure stack (Azure West US 2). Clients may instead deploy Matomo in their own environment.
  • Secure data disposal procedures at engagement end
  • No client data stored on Privion endpoints for consulting work performed directly in client tenants

Infrastructure Security

  • Microsoft Azure hosting for Privion Intranet and PAnalytics in West US 2 (inherits SOC 2 Type II / ISO 27001 platform controls)
  • Nightly MySQL dumps to Azure Blob Storage in Azure West Central US (30-day retention).
  • Privion Intranet: encrypted transit; no persistent client content after delivery

Endpoint & Personnel

  • MFA required for all Privion personnel and administrative accounts
  • Company-managed devices used for client tenant and infrastructure administration: full-disk encryption, current OS security updates, and host firewall enabled
  • Infrastructure and privileged access via SSH keys and MFA; password-only remote administrative access is not permitted
  • Conditional Access policies require managed devices for Microsoft 365 and client tenant administrative work
  • Microsoft Intune and Microsoft Defender for Endpoint — phased deployment through 2026 for centralized endpoint management and monitoring
  • Background checks (FCRA-compliant vendor) for all Privion personnel with client or infrastructure access, including criminal history, employment verification, and adverse media screening where permitted by law.
  • Annual security awareness training covering phishing, data classification, incident reporting, and GDPR/CCPA fundamentals. Completion is tracked; evidence available upon request.

Hosted services detail

Procurement teams often need more than a one-line data-residency answer. The following clarifies what Privion processes and how operational risk is managed.

Privion Intranet

Privion Intranet processes documents into structured outputs via cloud AI services. Privion's processing methodology is proprietary and is not disclosed publicly to protect competitive advantage.

Data handling guarantees

  • Documents are transmitted to processing infrastructure via encrypted channels.
  • Results are returned to the client and made available for download.
  • Documents and intermediate processing artifacts are not retained persistently on Privion infrastructure after delivery.
  • No training data re-use: client data is not used to improve Privion products or third-party model services.
  • For detailed data residency and processing specifics, see the Data Processing Agreement (available under NDA).

For third-party processing dependencies (for example, Azure OpenAI), see our Subprocessors page.

PAnalytics (Privion-hosted Matomo)

PAnalytics is Privion-hosted Matomo on a shared Privion-managed Azure stack (Azure West US 2). Clients may instead deploy Matomo in their own environment.

Privion acts as data processor for visitor analytics collected on clients' websites when the hosted service is in use.

Backup and disaster recovery

  • Automated nightly MySQL logical backups (mysqldump) from Azure Database for MySQL Flexible Server
  • Cross-region copy to Azure Blob Storage in Azure West Central US (30-day retention; lifecycle-managed)
  • Documented restore procedure (provision recovery-region MySQL Flexible Server in Azure West Central US and replay latest dump)
  • Quarterly recovery test per documented procedure
  • RTO/RPO targets available on request

PAnalytics security posture

PAnalytics is a Privion-managed offering built on Matomo. Platform risk and operational risk are addressed separately below.

  • Deployed on Privion-managed Azure infrastructure (Azure West US 2).
  • Built on Matomo, an open-source platform with published security assessments at matomo.org/security.
  • Privion manages network isolation, access controls, patch management, and compliance-oriented configuration for hosted deployments. Nightly MySQL dumps are replicated to Azure Blob Storage in a secondary region (30-day retention) with a documented restore path.
  • Clients may deploy Matomo in their own environment to eliminate Privion's processor role for visitor data.

Platform assessments: matomo.org/security

Compliance, DPA summary, and audit evidence

Compliance & certifications

Status reflects our public program today — not implied certification unless explicitly stated.

Learn more
  • SOC 2 Type 1Roadmap

    Target Q4 2026. Readiness program and control mapping in progress.

  • SOC 2 Type 2Roadmap

    Target Q3 2027. Readiness program and control mapping in progress.

  • NIST CSFAligned

    Self-assessment mapping of security program controls to NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover), maintained as part of Privion's SOC 2 readiness program. Detailed mapping available under NDA — not a third-party NIST certification.

  • GDPRAvailable

    PAnalytics can be configured for GDPR-aligned processing; Data Processing Agreement available on request

  • CCPAAvailable

    Data Processing Agreement available on request for applicable engagements

  • ISO 27001Roadmap

    Planned after SOC 2 program maturity

  • Microsoft AI Cloud Partner ProgramActive

    Microsoft AI Cloud Partner Program designation

  • Penetration testingRoadmap

    Organization-wide penetration testing planned for 2027. PAnalytics is built on Matomo; see Matomo published security assessments at matomo.org/security and Privion operational controls on the Trust Center.

Security policies

Summaries for procurement review. Full policies are available under NDA.

All policies

Information Security Policy

Purpose, authorized use, system-owner duties, governance, and links to subsidiary policies for Privion Intranet and PAnalytics, and consulting access.

Access Control Policy

MFA, role-based access, GDAP and PIM for client tenants, and joiner/mover/leaver procedures for Privion personnel.

Data Classification Policy

Handling of public, internal, client-confidential, and regulated data categories where engagements require it.

Incident Response Policy

Detection, triage, containment, eradication, recovery, post-incident review, and customer notification commitments.

Acceptable Use Policy

Expected use of Privion systems and acceptable behavior when accessing client Microsoft 365 environments.

Vendor Management Policy

Subprocessor onboarding, contractual security requirements, DPA expectations, and periodic vendor review.

Business Continuity & Disaster Recovery

Continuity and recovery objectives for Privion Intranet and PAnalytics, backup strategy, and restoration planning.

Subprocessors

Privion provides 30 days' notice via this page before adding or changing a subprocessor that processes client personal data.

Third parties that may process personal data on Privion's behalf are listed with purpose, region, and contractual posture.

View subprocessor list

Incident response

How Privion detects, responds to, and communicates about security incidents.

  1. 01

    Detection

    Monitoring of Privion infrastructure (Privion Intranet and PAnalytics) via Azure Monitor platform telemetry (Application Insights and Log Analytics). Client-tenant incidents may be detected through Microsoft 365 Defender alerts and partner notifications.

  2. 02

    Response

    15-minute acknowledgment target for critical incidents affecting hosted services. Emergency contact channels for clients with active engagements.

  3. 03

    Communication

    GDPR-aligned 72-hour breach notification commitment for personal data incidents where Privion acts as processor. Per-client communication channels established at engagement start.

Report a security concern: security@priviontech.com · Phone: +1 (888) 600-2236 · Full overview

Trust indicators

Targets and program metrics — not historical averages unless noted.

100%

MFA adoption (Privion personnel)

99.999%

Privion Intranet uptime (historical; not a contractual SLA)

15 min

Critical incident acknowledgment

72 h

Breach notification SLA (GDPR-aligned)

Questions about our security?

Procurement, InfoSec, and legal teams can reach our security contact for readiness materials, DPA requests, and policy documentation.

Privion SOC 2 Type 1 (target Q4 2026) and Type 2 (target Q3 2027) reports will be available under NDA upon request when issued. Until then, customers may download the SOC 2 readiness report and management attestation letter (management self-assessment against AICPA Trust Services Criteria — not an audited SOC 2 report), request NIST Cybersecurity Framework mapping, or contact security@priviontech.com for additional evidence.

SOC 2 readiness report (PDF)Management attestation letter (PDF)
Email security teamContact PrivionDownload Trust Center PDF

Looking for the PrivionGRC product trust center? See priviongrc.com/trust. Privion (the consultancy, this site) and PrivionGRC (a separate product) maintain distinct security programs and trust centers.