Trust Center
Compliance & certifications
Privion's SOC 2 scope is intended to cover (1) the Privion Intranet hosted service, (2) the PAnalytics hosted service, and (3) the privileged-access program by which Privion personnel access client Microsoft 365 tenants. It does not cover client tenants themselves, which remain the client's responsibility.
SOC 2 readiness (management self-assessment)
Privion publishes a management readiness self-assessment mapped to the AICPA Trust Services Criteria (Security, Availability, and Confidentiality), plus a management assertion letter. These documents are not SOC 2 Type I or Type II reports and are not attested by an independent CPA.
This document is a management readiness self-assessment mapped to the AICPA Trust Services Criteria. It is not a SOC 2 Type I or Type II report and has not been examined or attested to by an independent certified public accountant. Privion does not represent that controls are suitably designed or operating effectively for audit purposes until a completed engagement with a qualified service auditor.
Framework: AICPA Trust Services Criteria (2017). Reference: AICPA Trust Services Criteria.
Program status
- SOC 2 Type 1 — Roadmap. Target Q4 2026. Readiness program and control mapping in progress.
- SOC 2 Type 2 — Roadmap. Target Q3 2027. Readiness program and control mapping in progress.
- NIST CSF — Aligned. Self-assessment mapping of security program controls to NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover), maintained as part of Privion's SOC 2 readiness program. Detailed mapping available under NDA — not a third-party NIST certification.
- GDPR — Available. PAnalytics can be configured for GDPR-aligned processing; Data Processing Agreement available on request.
- CCPA — Available. Data Processing Agreement available on request for applicable engagements.
- ISO 27001 — Roadmap. Planned after SOC 2 program maturity.
- Microsoft AI Cloud Partner Program — Active. Microsoft AI Cloud Partner Program designation.
- Penetration testing — Roadmap. Organization-wide penetration testing planned for 2027. PAnalytics is built on Matomo; see Matomo published security assessments at matomo.org/security and Privion operational controls on the Trust Center.
Verifying our controls
Privion SOC 2 Type 1 (target Q4 2026) and Type 2 (target Q3 2027) reports will be available under NDA upon request when issued. Until then, customers may download the SOC 2 readiness report and management attestation letter (management self-assessment against AICPA Trust Services Criteria — not an audited SOC 2 report), request NIST Cybersecurity Framework mapping, or contact security@priviontech.com for additional evidence.
Data Processing Agreement (summary)
Privion provides Data Processing Agreements for hosted services and applicable consulting engagements. Executed terms govern; this summary helps procurement teams understand typical commitments.
- Roles — Defines controller/processor roles; client Microsoft 365 tenants remain under client control for consulting workloads.
- Data residency — Hosted services (Privion Intranet and PAnalytics) run in United States regions unless otherwise agreed; subprocessors listed on the Trust Center.
- Subprocessors — 30 days' notice before adding or changing subprocessors that process client personal data; list published at priviontech.com/trust/subprocessors.
- Security — Technical and organizational measures aligned with the Trust Center and SOC 2 readiness program.
- Breach notification — Processor notification commitments aligned with applicable law and contract (including GDPR-aligned timelines where required).
- Audit rights — Customers may request SOC 2 reports, readiness summaries, and security documentation under NDA as the audit program matures.
Request an executed DPA or customer-specific terms via security@priviontech.com.
Privion Intranet data handling
Privion Intranet processes documents into structured outputs via cloud AI services. Privion's processing methodology is proprietary and is not disclosed publicly to protect competitive advantage.
- Documents are transmitted to processing infrastructure via encrypted channels.
- Results are returned to the client and made available for download.
- Documents and intermediate processing artifacts are not retained persistently on Privion infrastructure after delivery.
- No training data re-use: client data is not used to improve Privion products or third-party model services.
- For detailed data residency and processing specifics, see the Data Processing Agreement (available under NDA).
Third-party dependencies: see the subprocessor list at priviontech.com/trust/subprocessors.
PAnalytics deployment and backups
PAnalytics is Privion-hosted Matomo on a shared Privion-managed Azure stack (Azure West US 2). Clients may instead deploy Matomo in their own environment.
Privion acts as data processor for visitor analytics collected on clients' websites when the hosted service is in use.
Backup and disaster recovery:
- Automated nightly MySQL logical backups (mysqldump) from Azure Database for MySQL Flexible Server
- Cross-region copy to Azure Blob Storage in Azure West Central US (30-day retention; lifecycle-managed)
- Documented restore procedure (provision recovery-region MySQL Flexible Server in Azure West Central US and replay latest dump)
- Quarterly recovery test per documented procedure
- RTO/RPO targets available on request
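The backup scheme above (nightly dumps, a 30-day lifecycle-managed copy in the recovery region, restore by replaying the latest dump) is only as good as its coverage, so a practitioner will want a routine check that the recovery-region container actually holds one dump per night, that nothing older than the retention window is lingering, and that the newest dump is fresh enough for a one-day RPO. The script below is an added example, not Privion's own tooling; it assumes a hypothetical blob naming scheme `panalytics-YYYY-MM-DD.sql.gz` and takes a blob listing as input (the listing here is constructed).

```python
"""Coverage check for nightly MySQL dump blobs in a recovery-region container.

Added example, not Privion's own tooling. Assumes the hypothetical blob naming
scheme 'panalytics-YYYY-MM-DD.sql.gz'; the listing below is constructed, and in
practice would come from a blob-listing call against the container.
"""
from datetime import date, timedelta

RETENTION_DAYS = 30          # lifecycle rule on the recovery-region container
RPO_DAYS = 1                 # nightly dump: newest copy must be <= 1 day old
PREFIX, SUFFIX = "panalytics-", ".sql.gz"


def parse_dump_date(blob_name: str) -> date:
    """Extract the dump date from the (assumed) blob name."""
    stem = blob_name.rsplit("/", 1)[-1]
    if not (stem.startswith(PREFIX) and stem.endswith(SUFFIX)):
        raise ValueError(f"unexpected blob name: {blob_name}")
    return date.fromisoformat(stem[len(PREFIX):-len(SUFFIX)])


def check_backups(blob_names, today: date) -> dict:
    """Report nights missing from the retention window, stale blobs the
    lifecycle rule should have removed, and whether the newest dump meets RPO."""
    by_date = {parse_dump_date(b): b for b in blob_names}
    oldest_expected = today - timedelta(days=RETENTION_DAYS)
    expected = [today - timedelta(days=k) for k in range(1, RETENTION_DAYS + 1)]
    missing = [d for d in expected if d not in by_date]
    stale = [b for d, b in sorted(by_date.items()) if d < oldest_expected]
    newest = max(by_date) if by_date else None
    rpo_ok = newest is not None and (today - newest).days <= RPO_DAYS
    return {"missing": missing, "stale": stale, "newest": newest, "rpo_ok": rpo_ok}


# Constructed listing: 30 nightly dumps with one night missing, plus one blob
# older than the 30-day retention window that lifecycle management missed.
TODAY = date(2026, 3, 31)
SAMPLE_BLOBS = [
    f"backups/{PREFIX}{(TODAY - timedelta(days=k)).isoformat()}{SUFFIX}"
    for k in range(1, RETENTION_DAYS + 1) if k != 7
] + [f"backups/{PREFIX}2026-02-20{SUFFIX}"]

if __name__ == "__main__":
    report = check_backups(SAMPLE_BLOBS, TODAY)
    print("missing nights:", [d.isoformat() for d in report["missing"]])
    print("stale blobs:   ", report["stale"])
    print("RPO met:       ", report["rpo_ok"])
```

Any non-empty `missing` or `stale` list, or `rpo_ok` false, is a finding to raise before the quarterly recovery test rather than during it.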
PAnalytics (Matomo) security posture
PAnalytics is a Privion-managed offering built on Matomo. Platform risk and operational risk are addressed separately below.
- Deployed on Privion-managed Azure infrastructure (Azure West US 2).
- Built on Matomo, an open-source platform with published security assessments at matomo.org/security.
- Privion manages network isolation, access controls, patch management, and compliance-oriented configuration for hosted deployments. Nightly MySQL dumps are replicated to Azure Blob Storage in a secondary region (30-day retention) with a documented restore path.
- Clients may deploy Matomo in their own environment to eliminate Privion's processor role for visitor data.
Matomo platform assessments: matomo.org/security
Hosted service infrastructure (PAnalytics)
PAnalytics is deployed in Azure West US 2 on Azure Linux App Service with private MySQL Flexible Server connectivity, Key Vault for secrets, and platform monitoring. This does not imply Privion holds independent ISO or SOC attestation for the application layer until our audit program completes.
- Linux App Service (containerized Matomo), HTTPS-only public endpoint
- Azure Database for MySQL — Flexible Server (private VNet integration)
- Azure Files (Standard LRS) for configuration and custom plugins
- Azure Key Vault for database credentials (user-assigned managed identity)
- Azure Monitor — Application Insights and Log Analytics (platform telemetry)
Nightly MySQL dumps to Azure Blob Storage in Azure West Central US (30-day retention).
Privileged-access program recovery
Privion maintains documented records of GDAP relationships, PIM role assignments, and partner access procedures to re-establish client tenant administration after disruption. Recovery playbooks cover partner center unavailability, compromised administrative accounts, and client offboarding. Procedures are reviewed at least annually; exercise and test evidence available under NDA.
What you can request today
Download the SOC 2 readiness report and management attestation letter above, or contact security@priviontech.com for NIST mapping, full policy text, gap analyses, and additional control evidence under NDA.
Standards references
Useful external frameworks: NIST Cybersecurity Framework, ISO/IEC 27001.
Looking for the PrivionGRC product trust center? See priviongrc.com/trust. Privion (the consultancy, this site) and PrivionGRC (a separate product) maintain distinct security programs and trust centers.