Compliance & security

Where Privian is in its security journey

An honest, dated view of implemented controls, in-progress work and planned compliance milestones — with no invented certifications and no invented timelines.

As of 2026-07-01. This page is refreshed when the underlying posture changes.

Definition

Privian is not SOC 2 or ISO 27001 certified today. The controls enterprise reviewers care about — masked prompts before egress, BYOK, AES-256-GCM at-rest encryption, no raw prompt retention, a signed DPA on request, and a published subprocessor list — are implemented now. Third-party penetration testing and SOC 2 readiness are in progress; no dates are promised until they complete.

Definition

What this roadmap is

Certifications describe the past; a roadmap describes the present and near future. Both matter in a security review. Everything on this page maps to a specific control described in the Blueprint, the Data Path or the Security pages.

A missing attestation is not the same as a missing control. Reviewers move faster when the two are separated.

Current state

What is implemented today

Framework

Implemented controls

  1. 01

    Data path

    Documented end-to-end at /data-path. Masked prompt is what reaches the model; raw prompt bodies are not persisted.

  2. 02

    Retention model

    Narrow persistence: account, encrypted BYOK credentials, hashed gateway keys, usage rollups, sanitized events. See /security/data-handling.

  3. 03

    Credential handling

    BYOK provider credentials encrypted at rest with AES-256-GCM; decrypted in-process per request. Gateway API keys stored as SHA-256 hashes.

  4. 04

    Subprocessor transparency

    Current list at /legal/subprocessors and /resources/subprocessors, with the BYOK provider you select noted for transparency.

  5. 05

    DPA

    Overview at /legal/dpa. Signed DPA available on request for business customers.

  6. 06

    Trust documentation

    Trust Center, Blueprint (PDF + HTML), Architecture and Security pages are published and grounded in the current implementation.

Timeline

Roadmap by phase

No committed dates for attestations until scoping completes. Direction, not deadlines.

  1. Now — implemented

    As of 2026-07-01

    • Prompt masking before egress with rehydration on response.
    • BYOK for OpenAI, Anthropic, Google (Gemini), DeepSeek.
    • AES-256-GCM at-rest encryption for provider credentials.
    • Row-level scoping to customer organization.
    • Sanitized observability events (no prompt or response bodies).
    • Public Trust Center, Blueprint, Data Path, Architecture, Security and Subprocessor references.
    • DPA overview published; signed DPA available on request.
  2. In progress

    As of 2026-07-01

    • Third-party penetration test — scoping.
    • Expanded security documentation for enterprise reviewers.
    • Formal vulnerability disclosure process.
    • Deeper access-log surfacing for account owners.
  3. Planned

    As of 2026-07-01

    • SOC 2 Type I readiness assessment — no committed date.
    • SOC 2 Type II — dependent on Type I completion.
    • ISO 27001 evaluation — under consideration; no committed date.
    • Regional residency options — under evaluation; not a contracted feature today.
  4. Available upon request

    As of 2026-07-01

    • Signed Data Processing Addendum (business customers).
    • Security review call with the Privian team.
    • Written responses to standard security questionnaires.
    • Architecture walkthrough for security & procurement.

Posture matrix

Status at a glance

One row per item a reviewer typically asks about. Nothing on this table is marked complete unless it is.

ItemStatus (as of 2026-07-01)
SOC 2 Type IPlanned — readiness scoping
SOC 2 Type IIPlanned — dependent on Type I
ISO 27001Under consideration
HIPAA BAANot offered today
PCI DSSNot in scope — Privian does not process cardholder data
GDPR — controller/processor DPAAvailable on request
Subprocessor listPublished (/legal/subprocessors)
Penetration testing (third-party)In progress — scoping
Vulnerability disclosure policyIn progress
Encryption in transitImplemented — TLS on all endpoints
Encryption at rest (BYOK credentials)Implemented — AES-256-GCM
Regional data residencyNot a contracted feature today
Self-hosted deploymentNot offered today

For the implemented controls behind each row, see Security, Data Path and the Blueprint.

Send one document

Blueprint

Related

Where to go next

  • Privian Blueprint

    Single document covering data path, retention, BYOK and scope.

  • Blueprint Guide

    HTML companion to the Blueprint — how founders, security and procurement use it.

  • Enterprise Trust Package

    One URL to forward to security and procurement teams.

  • Trust Center

    Posture, controls, retention boundaries, customer-owned credentials.

  • Data path

    What reaches the model, what is retained, what is discarded.

  • Security

    Detailed security model and data-handling posture.

  • Architecture

    How the gateway is built end-to-end.

  • Subprocessors

    Operational providers and the BYOK boundary.

  • DPA

    Data Processing Addendum overview.

FAQ

Frequently asked questions

Is Privian SOC 2 or ISO 27001 certified today?
No. Privian has not completed a SOC 2 Type I or Type II audit and is not ISO 27001 certified today. The Privian Blueprint, Data Path and Security pages describe the controls that are implemented and can be reviewed directly, and a signed DPA is available on request.
Is a DPA available?
Yes. A Data Processing Addendum is available for business customers on request. The overview lives at /legal/dpa and describes controller/processor roles, subprocessors, security measures, breach notification and international transfers.
Do you publish a subprocessor list?
Yes. The current subprocessor list is maintained at /legal/subprocessors and /resources/subprocessors. Material changes are notified in accordance with the executed DPA where applicable.
Do you conduct penetration tests?
Third-party penetration testing is planned. Until a completed report is available, security review can be conducted against the documented data path, retention model and BYOK boundary in the Blueprint and Trust Center.
How should we treat 'in progress' items in a security review?
Treat them as unattested. Rely on the implemented controls described in the Blueprint, Data Path, Security and Architecture pages, plus a signed DPA where required. Roadmap items describe direction, not current capability.
How often is this page updated?
This page is dated. Any change to the underlying posture — a new attestation, an added subprocessor, a change in scope — is reflected here and on the Trust Center. The 'As of' date at the top of the page reflects the last review.