// Trust & Security Report
Material Security, Inc.
Detection and response platform for the cloud workspace (Google Workspace and Microsoft 365), sold as a single B2B security platform with three modules: Email Security, File Security, and Account Security. No consumer tier; enterprise-only sales motion with SSO/API integrations and an MCP server for agentic access.
Certifications held
3
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.material.security“SOC 2 Type 2 listed as a compliance badge/document on the Material Security SafeBase trust center, under the Compliance section, verified via two independent fetches of the page.”
Verify on trust.material.security“GDPR listed as a compliance item on the Material Security trust center; privacy policy also references EEA/UK 'Supervisory Authority' complaint rights, consistent with GDPR posture, though the policy states data centers are US-only.”
Verify on trust.material.security“CCPA listed as a compliance badge on the Material Security trust center; privacy policy also includes a dedicated 'CalOPPA Compliance' section.”
> Show 6 unconfirmed / not-held certifications
source: trust.material.securityNo ISO 27001 badge, document, or claim appears on the vendor's trust center (trust.material.security), home page, or privacy policy. The only 'ISO' string match on the home page was an unrelated substring ('curbed') with no certification content nearby. No public evidence of ISO 27001 certification.
source: material.securityNo HIPAA badge or BAA-availability claim appears on the trust center or privacy policy. The vendor's own blog posts discuss HIPAA as an industry topic for customers/auditors (e.g. 'A guide for auditors, HITRUST assessors, and HIPAA compliance consultants') but Material does not claim its own HIPAA compliance or BAA offering anywhere in captured or fetched pages. No public evidence of HIPAA compliance for Material's own service.
source: trust.material.securityNot listed on the trust center; no public evidence. PCI DSS is not applicable to this product's function (cloud workspace security, not payment processing).
source: trust.material.securityNo ISO 42001 or CSA STAR AI badge appears on the trust center's Compliance section (only SOC 2 Type 2, GDPR, CCPA are listed). No public evidence of an AI-specific management-system certification.
source: trust.material.securityNot present in the trust center's Compliance section. No public evidence.
source: trust.material.securityNot present in the trust center's Compliance section; product and marketing content target commercial enterprise customers, not U.S. federal agencies. No public evidence.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
United States only. Privacy policy states: 'We locate our data centers in the United States and by utilizing our Services, you expressly instruct us to process Personal Data within the United States and consent to its processing in accordance with this Privacy Policy.' No EU/regional data residency option is documented.
No explicit public statement was found on whether Material trains its own detection models on customer cloud-workspace content (email/file metadata and content), nor any opt-out mechanism. The privacy policy describes Material as an 'exclusive data processor' acting under customer instructions and restricted by Google API Services User Data Policy 'Limited Use' requirements for Google-sourced data, which constrains but does not fully answer the training question. This should be clarified directly with the vendor before procurement for any customer with strict no-training requirements.
// Security controls
Third-party penetration testing
Pentest Report listed as an available document on the trust center.
trust.material.securityEncryption
Encryption Policy listed as an available document on the trust center; specific in-transit/at-rest algorithm details not disclosed in captured/public content.
trust.material.securityAccess control
Access Control Policy listed as an available trust-center document (title only; contents gated).
trust.material.securityBusiness continuity / disaster recovery
BC/DR Policy listed as an available trust-center document (title only; contents gated).
trust.material.securityVulnerability disclosure
Responsible Disclosure policy listed and published on the trust center.
trust.material.securitySubprocessors
Five named subprocessors, all US-based: Google LLC (cloud infrastructure), PostHog Inc. (product analytics), Sendgrid Inc. (email communications), Pylon Labs Inc. (support ticketing), Urlscan GmbH (link scanning).
material.securityExternal security ratings
SecurityScorecard grade A and Qualys SSL Labs grade A+ displayed on the trust center for the material.security domain.
trust.material.security// Products & data scope
data: Reads and acts on inbound/outbound email content and metadata within Google Workspace / Microsoft 365
Automatically detects and remediates malicious email that bypasses native controls; single product line, no separate compliance posture documented.
data: Reads file sharing permissions, metadata, and access settings across cloud drives
Cleans up over-permissive sharing and reduces data sprawl; part of the same platform and trust center, no separate certifications documented.
data: Monitors account activity and behavior signals within the cloud workspace
Hardens accounts and contains blast radius of compromise; same platform-wide compliance posture applies.
// What to watch
- No ISO 27001, HIPAA, or PCI DSS support; only SOC 2 Type II, GDPR, and CCPA are shown on the vendor's own trust center. Do not list ISO 27001 or HIPAA for this vendor.
- Vendor's own blog content discusses HIPAA extensively as an industry topic (auditor/HITRUST guidance) even though Material does not itself claim HIPAA compliance or BAA availability. Risk of a listing incorrectly implying HIPAA support if the blog content is mistaken for a compliance claim -- verified it is not a compliance claim.
- Data processing is US-only with no documented EU/regional residency option, which is a relevant caveat for EU customers relying on the GDPR badge.
- No standalone Data Processing Agreement (DPA) is publicly linked on the trust center; likely available under a signed customer/sales agreement per standard enterprise SaaS practice, but this could not be confirmed from public sources.
- Whether Material trains its own detection models on customer cloud-workspace content is not addressed in any public document; recommend the listing prompt buyers to confirm this directly with the vendor.
// At a glance
Pricing model
Enterprise B2B (demo/quote-based); no self-serve or published per-seat pricing found in captured content.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Material Security, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.material.security