Priivacy Security Architecture
Priivacy reads your data. It doesn't take it.
A data discovery platform should reduce your risk surface, not add to it. Priivacy installs inside your environment, processes data in memory, and stores only the metadata and findings your team needs. Original file content is never persisted. No external transmission during scanning. Fully air-gap capable.
Your data stays in your environment. Period.
Priivacy is not a SaaS data lake. We do not ingest, copy, or replicate your files, mailboxes, or database content to a USC Data cloud. The platform installs inside your network or your cloud tenant. Scanning, classification, indexing, and reporting all happen locally.
Original file content is never stored. Files are processed in memory and discarded after scanning. Only metadata (name, path, size, modification date) and detected PII findings (type, confidence, position, and a short content preview for verification) are persisted. The full file content is never written to the Priivacy database or filesystem.
If you select the USC Data dedicated cloud hosting option, your Priivacy instance runs on a single-tenant Linux host on Microsoft Azure. We manage the host but do not have access to your tenant data, your Microsoft 365 credentials, or your scan results.
Air-gap capable. No phone-home. No third-party AI.
Many "AI-powered" data tools quietly send your file content to external classification services. Priivacy doesn't. Every detection engine runs locally inside the Priivacy environment.
Detection runs locally
Pattern matching, Named Entity Recognition (spaCy NER), and document classification all execute inside the Priivacy host. No external API calls during scanning. Microsoft Presidio is the framework — open-source, audited, customizable.
AI triage runs locally
DSAR workflows include AI-assisted finding triage via a local Qwen2.5-3B language model that runs inside the priivacy-llm container. No data leaves the appliance. The same audit-grade no-egress promise as detection.
Air-gap deployment supported
Priivacy can operate completely offline. No external service is required to scan, classify, remediate, or report. The only outbound traffic in a typical M365 deployment is to Microsoft Graph — and that's optional if your data lives on file shares or SQL.
Encrypted in transit. Credentials encrypted at rest. Keys you control.
In transit
All communication between Priivacy and your data sources uses HTTPS. Browser-to-server traffic, server-to-Graph traffic, and the remote agent's WebSocket connection are all TLS-encrypted. SQL database connections require SSL/TLS by default.
Credentials at rest
Microsoft 365 OAuth tokens are stored encrypted in the Priivacy database. License keys are protected with Argon2id key derivation and AES-GCM encryption. Database credentials supplied for SQL scans are encrypted with the scan record.
At export
Reports exported as PDF can be password-protected. HTML reports are standalone files that travel by email and require no platform access. The exported file is what the recipient sees — nothing phones home from the report itself.
Three roles. Two-factor authentication. Least-privilege by design.
Every action logged. Defensible by design.
Priivacy was built for environments where data handling has to be defensible — to auditors, to boards, to regulators. Every action against the platform is logged with the user, the timestamp, and the before/after state.
- Comprehensive event logging — authentication, scan jobs, classification changes, remediation actions, workflow rule executions, permission audit results, export operations, configuration changes.
- Per-file remediation history — every redact, quarantine, delete, dismiss, and reapply action recorded against the file's record with the user, the workflow rule (if applicable), and the timestamp.
- SAR / DSAR audit log — every Subject Access Request generation is logged with the subject, the estate, the admin who generated it, file and finding counts, and the request reference. Audit row commits before the PDF renders, so failed generations still leave a trail. Useful for spotting someone fishing.
- System health diagnostics — a live System Health page shows worker counts, queue depth, alerts for memory or disk pressure, and currently active scans. Refreshes every 15 seconds.
- Right to audit — your team can audit Priivacy's installation, configuration, and logs at any time without notice. We don't get advance warning on customer-side audits.
Certified, mapped, and aligned to the frameworks you report against.
USC Data's data governance and privacy program is ISO 27001 certified. The Priivacy platform supports — not replaces — your compliance program. Findings and reports plug directly into the frameworks your team already reports against.
- ISO 27001: USC Data corporate certification.
- GDPR: full DSAR workflow with jurisdiction-aware export, lawful basis tracking, right-to-erasure remediation paths.
- UK Data Protection Act: DSAR workflow with UK-specific deadlines (1 month, extendable by 2) and ICO complaint routing.
- Australian Privacy Act 1988 / APP: DSAR workflow with APP 12 alignment, OAIC complaint routing, "reasonably identifiable" risk model built into the engine.
- CCPA / CPRA: consumer data inventory, deletion workflow.
- FERPA: student record discovery, access auditing, custom detector support for school-specific identifiers.
- HIPAA: PHI discovery, access logging, healthcare-specific detector library.
- EU AI Act: training data inventory, lineage, classification.
- PCI DSS: cardholder data discovery, scoping support.
Priivacy is a tool that helps you defend a program. It is not a substitute for one. We'll be honest about where it fits and where you still need other controls.
How Priivacy itself stays secure.
The list, kept short by design.
For on-premises and customer-cloud deployments, Priivacy has no subprocessors. The platform runs in your environment, talks to your data sources, and produces reports for your team. No third party is involved.
For the USC Data dedicated cloud hosting option, Microsoft Azure is the underlying infrastructure provider. That's the only subprocessor in the stack. No analytics platforms, no log aggregators, no marketing pixels touch your environment.
Subprocessor changes — should they ever happen — are notified to customers with at least 30 days' lead time and the right to terminate without penalty if the change is not acceptable.
Cryptographically signed. Pinned to your install.
Every Priivacy deployment runs under an Ed25519-signed license tied to a non-reversible hash of the deployment's public key (an "instance fingerprint"). Licenses cannot be moved between installations. A grace-period warning appears 14 days before expiry. Already-running scans complete on expiry — never corrupting in-flight data — but new scans, connections, and remediation actions block at the API until the license is renewed.
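The pinned-license check described above, as an added Go example that is not Priivacy's own code: a vendor key Ed25519-signs a payload carrying the instance fingerprint and expiry, and the appliance verifies the signature, the fingerprint pin and the remaining time before allowing new work. The License field names, the Issue and Check functions, and SHA-256 as the fingerprint hash are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// License is the signed payload (field names are assumptions for this example).
type License struct {
	Fingerprint string    `json:"fingerprint"` // non-reversible hash of the deployment's public key
	Expires     time.Time `json:"expires"`
}

// Fingerprint derives the instance fingerprint; SHA-256 of the public key is an assumption.
func Fingerprint(deployPub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(deployPub))
}

// Issue is the vendor-side step: sign a license pinned to one install's fingerprint.
func Issue(vendorPriv ed25519.PrivateKey, fingerprint string, expires time.Time) (payload, sig []byte) {
	payload, _ = json.Marshal(License{Fingerprint: fingerprint, Expires: expires}) // cannot fail for this struct
	return payload, ed25519.Sign(vendorPriv, payload)
}

// Check verifies the vendor signature and the fingerprint pin, then returns the time left
// before expiry: zero or negative blocks new work at the API, 14 days or less shows the warning.
func Check(vendorPub ed25519.PublicKey, payload, sig []byte, deployPub ed25519.PublicKey, now time.Time) (time.Duration, error) {
	if !ed25519.Verify(vendorPub, payload, sig) {
		return 0, fmt.Errorf("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return 0, err
	}
	if lic.Fingerprint != Fingerprint(deployPub) {
		return 0, fmt.Errorf("license is pinned to a different install") // a moved license fails here
	}
	return lic.Expires.Sub(now), nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // vendor signing key (constructed; nil = crypto/rand)
	deployPub, _, _ := ed25519.GenerateKey(nil)          // this install's key (constructed)
	now := time.Now()
	payload, sig := Issue(vendorPriv, Fingerprint(deployPub), now.Add(10*24*time.Hour))
	fmt.Println(Check(vendorPub, payload, sig, deployPub, now)) // 240h0m0s <nil>: valid, inside the 14-day window
}
```

The signature is checked before the payload is parsed, so an unsigned or tampered blob never reaches the fingerprint or expiry logic.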
Need to dig deeper?
Our security team will work directly with your CISO, IT director, or auditor to answer questions, complete vendor security questionnaires, and provide architecture documentation under NDA.
