Compliance & security
Where Privian is in its security journey
An honest, dated view of implemented controls, in-progress work and planned compliance milestones — with no invented certifications and no invented timelines.
As of 2026-07-01. This page is refreshed when the underlying posture changes.
Definition
Privian is not SOC 2 or ISO 27001 certified today. The controls enterprise reviewers care about — masked prompts before egress, BYOK, AES-256-GCM at-rest encryption, no raw prompt retention, a signed DPA on request, and a published subprocessor list — are implemented now. Third-party penetration testing and SOC 2 readiness are in progress; no dates are promised until they complete.
Definition
What this roadmap is
Certifications describe the past; a roadmap describes the present and near future. Both matter in a security review. Everything on this page maps to a specific control described in the Blueprint, the Data Path or the Security pages.
A missing attestation is not the same as a missing control. Reviewers move faster when the two are separated.
Current state
What is implemented today
Framework
Implemented controls
- 01
Data path
Documented end-to-end at /data-path. Masked prompt is what reaches the model; raw prompt bodies are not persisted.
- 02
Retention model
Narrow persistence: account, encrypted BYOK credentials, hashed gateway keys, usage rollups, sanitized events. See /security/data-handling.
- 03
Credential handling
BYOK provider credentials encrypted at rest with AES-256-GCM; decrypted in-process per request. Gateway API keys stored as SHA-256 hashes.
- 04
Subprocessor transparency
Current list at /legal/subprocessors and /resources/subprocessors, with the BYOK provider you select noted for transparency.
- 05
DPA
Overview at /legal/dpa. Signed DPA available on request for business customers.
- 06
Trust documentation
Trust Center, Blueprint (PDF + HTML), Architecture and Security pages are published and grounded in the current implementation.
Timeline
Roadmap by phase
No committed dates for attestations until scoping completes. Direction, not deadlines.
Now — implemented
As of 2026-07-01
- Prompt masking before egress with rehydration on response.
- BYOK for OpenAI, Anthropic, Google (Gemini), DeepSeek.
- AES-256-GCM at-rest encryption for provider credentials.
- Row-level scoping to customer organization.
- Sanitized observability events (no prompt or response bodies).
- Public Trust Center, Blueprint, Data Path, Architecture, Security and Subprocessor references.
- DPA overview published; signed DPA available on request.
In progress
As of 2026-07-01
- Third-party penetration test — scoping.
- Expanded security documentation for enterprise reviewers.
- Formal vulnerability disclosure process.
- Deeper access-log surfacing for account owners.
Planned
As of 2026-07-01
- SOC 2 Type I readiness assessment — no committed date.
- SOC 2 Type II — dependent on Type I completion.
- ISO 27001 evaluation — under consideration; no committed date.
- Regional residency options — under evaluation; not a contracted feature today.
Available upon request
As of 2026-07-01
- Signed Data Processing Addendum (business customers).
- Security review call with the Privian team.
- Written responses to standard security questionnaires.
- Architecture walkthrough for security & procurement.
Posture matrix
Status at a glance
One row per item a reviewer typically asks about. Nothing on this table is marked complete unless it is.
| Item | Status (as of 2026-07-01) |
|---|---|
| SOC 2 Type I | Planned — readiness scoping |
| SOC 2 Type II | Planned — dependent on Type I |
| ISO 27001 | Under consideration |
| HIPAA BAA | Not offered today |
| PCI DSS | Not in scope — Privian does not process cardholder data |
| GDPR — controller/processor DPA | Available on request |
| Subprocessor list | Published (/legal/subprocessors) |
| Penetration testing (third-party) | In progress — scoping |
| Vulnerability disclosure policy | In progress |
| Encryption in transit | Implemented — TLS on all endpoints |
| Encryption at rest (BYOK credentials) | Implemented — AES-256-GCM |
| Regional data residency | Not a contracted feature today |
| Self-hosted deployment | Not offered today |
For the implemented controls behind each row, see Security, Data Path and the Blueprint.
Send one document
Blueprint
Related
Where to go next
- Privian Blueprint
Single document covering data path, retention, BYOK and scope.
- Blueprint Guide
HTML companion to the Blueprint — how founders, security and procurement use it.
- Enterprise Trust Package
One URL to forward to security and procurement teams.
- Trust Center
Posture, controls, retention boundaries, customer-owned credentials.
- Data path
What reaches the model, what is retained, what is discarded.
- Security
Detailed security model and data-handling posture.
- Architecture
How the gateway is built end-to-end.
- Subprocessors
Operational providers and the BYOK boundary.
- DPA
Data Processing Addendum overview.
FAQ
Frequently asked questions
- Is Privian SOC 2 or ISO 27001 certified today?
- No. Privian has not completed a SOC 2 Type I or Type II audit and is not ISO 27001 certified today. The Privian Blueprint, Data Path and Security pages describe the controls that are implemented and can be reviewed directly, and a signed DPA is available on request.
- Is a DPA available?
- Yes. A Data Processing Addendum is available for business customers on request. The overview lives at /legal/dpa and describes controller/processor roles, subprocessors, security measures, breach notification and international transfers.
- Do you publish a subprocessor list?
- Yes. The current subprocessor list is maintained at /legal/subprocessors and /resources/subprocessors. Material changes are notified in accordance with the executed DPA where applicable.
- Do you conduct penetration tests?
- Third-party penetration testing is planned. Until a completed report is available, security review can be conducted against the documented data path, retention model and BYOK boundary in the Blueprint and Trust Center.
- How should we treat 'in progress' items in a security review?
- Treat them as unattested. Rely on the implemented controls described in the Blueprint, Data Path, Security and Architecture pages, plus a signed DPA where required. Roadmap items describe direction, not current capability.
- How often is this page updated?
- This page is dated. Any change to the underlying posture — a new attestation, an added subprocessor, a change in scope — is reflected here and on the Trust Center. The 'As of' date at the top of the page reflects the last review.
