Compliance programs
Privil maintains a security and privacy program designed to meet or exceed the requirements of widely adopted frameworks. Our current status:
- SOC 2 Type II. Annual audit; current report available under NDA.
- ISO/IEC 27001. Certified by an accredited registrar; surveillance audits conducted annually.
- HIPAA. BAA available for customers with applicable workloads.
- GDPR / UK GDPR. Standard Contractual Clauses available; data subject rights workflow documented in our DPA.
- NYDFS 23 NYCRR 500. Applicable controls implemented for customers in scope.
Encryption
Data in transit is protected with TLS 1.3 (or TLS 1.2 with modern cipher suites where required for interoperability). Data at rest is encrypted using AES-256. Key material is managed in customer-controlled or partitioned key-management services depending on the deployment model.
Access controls
Access to production systems is granted on a least-privilege basis, reviewed quarterly, and requires multi-factor authentication and short-lived credentials. All production access is logged to an immutable store and reviewable by customers for audit purposes upon request.
Architecture
Privil’s detection and policy engines are designed to run inside customer-controlled environments (customer VPC or on-premises) for the default deployment. Prompts are not transmitted to Privil-operated infrastructure under that model. Customers may opt into Privil-hosted detection for non-sensitive workloads.
Network security
Production networks are segmented and protected by host- and network-based intrusion detection. Public-facing services are protected by a web application firewall and DDoS mitigation. Egress is restricted and monitored.
Personnel security
Employees and contractors with access to production undergo background screening (where lawful), sign confidentiality agreements, and complete annual security and privacy training. Access is revoked promptly upon role change or departure.
Incident response
Privil maintains a documented incident response plan reviewed annually and exercised semi-annually. We commit to notifying affected customers without undue delay and, in any event, within the timeframes specified in the applicable contract or governing law.
Vulnerability management
We patch known vulnerabilities promptly, prioritized by severity and exposure. We engage independent third parties for annual penetration tests and continuously scan our infrastructure and code for vulnerabilities.
Reporting a vulnerability
Security researchers are invited to report suspected vulnerabilities to security@privil.ai. We acknowledge reports within two business days and aim to resolve confirmed vulnerabilities within timeframes appropriate to severity. We do not pursue legal action against researchers acting in good faith under our coordinated disclosure terms.
Customer responsibility
Privil’s security program is one half of a shared-responsibility model. Customers are responsible for the configuration of their deployment, the access controls they implement for their users, and the policies and rules they configure within the Services. We provide documentation and review services to help with each.
Last updated May 1, 2026. For the most current statement, contact your account representative or write to security@privil.ai.