// Trust & Security Report

    Matterport, LLC (subsidiary of CoStar Group, Inc.) logo

    Matterport, LLC (subsidiary of CoStar Group, Inc.)

    3D digital twin platform for real estate, facilities management, design, and construction with AI-powered features. SaaS offerings: Free, Starter, Professional, Business, and Enterprise plans with integrations to Procore, Autodesk, and AWS IoT Twinmaker.

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Undergo independent third-party, annual audits against SOC2's Trust Principles of Security, Availability and Confidentiality. Audited by Frank, Rimerman + Co. LLP (independent CPA firm). Announced November 22, 2021. SOC 3 report available without NDA.

    Verify on matterport.com
    GDPR DPA
    HELD

    Data Processing Addendum and Standard Contractual Clauses available for GDPR compliance. DPA references GDPR, CCPA, UK GDPR, and PIPEDA requirements.

    Verify on matterport.com
    CCPA DPA
    HELD

    Data Processing Addendum explicitly addresses California Consumer Privacy Act (CCPA) compliance with DPA available.

    Verify on matterport.com
    UK GDPR DPA
    HELD

    Data Processing Addendum explicitly covers UK Data Protection Act (2018) and UK GDPR requirements.

    Verify on matterport.com
    PIPEDA DPA
    HELD

    Data Processing Addendum includes Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) compliance.

    Verify on matterport.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on Matterport domain despite multiple searches of trust center and security documentation.

    source: matterport.com
    HIPAA / HIPAA BAA
    NOT CONFIRMED

    No Business Associate Agreement or HIPAA compliance language found in Matterport's legal documents, terms of use, or trust center. No HIPAA BAA mentioned in Enterprise Addendum.

    source: matterport.com
    PCI DSS
    NOT CONFIRMED

    No PCI DSS certification found for Matterport. Parent company CoStar Group complies with PCI DSS Level 2, but this is CoStar's certification, not Matterport's.

    source: trust.costargroup.com
    ISO 27017 / ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27017 (cloud-specific) or ISO 27018 (personal data in cloud) certifications found.

    source: matterport.com
    ISO 27701
    NOT CONFIRMED

    No public evidence of ISO 27701 (privacy management) certification found.

    source: matterport.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No evidence of ISO/IEC 42001 or other AI governance certifications found despite Matterport's use of AI features and customer data training.

    source: matterport.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Infrastructure hosted on AWS (multi-tenant). Sub-processors located in United States and Australia. Exact data residency options not specified in available documentation.

    Matterport trains AI models on aggregated and anonymized spatial and environmental data to improve services and develop new features. No explicit opt-out mechanism documented. Matterport grants itself 'unrestricted, irrevocable, perpetual, transferable, sublicensable, worldwide, royalty-free license' to use customer content submitted to platform. Customers are prohibited from training commercial AI/ML models on Matterport data.

    // Security controls

    Encryption in Transit

    All network traffic encrypted

    matterport.com

    Encryption at Rest

    256-bit AES encryption for customer data

    matterport.com

    Authentication

    Unique user IDs, password controls with expiration, SSO via SAML 2.0 with multiple identity providers

    matterport.com

    Access Control

    Role-based access control (RBAC), least-privilege access, prompt revocation on employment termination

    matterport.com

    Network Security

    Firewalls, VPN remote access, network segmentation, continuous monitoring for unauthorized activity

    matterport.com

    Audit Logging

    Audit logging for user access and system activity. Data breaches notified within 48 hours to data controllers (72 hours in Enterprise Addendum).

    matterport.com

    Penetration Testing

    Annual penetration testing by third-party firms. Reports available upon request.

    matterport.com

    Incident Response

    Documented incident response program with 72-hour notification window for suspected security incidents affecting customer data

    matterport.com

    Business Continuity

    Business continuity and disaster recovery procedures in place. Backup data retention: 7 days.

    matterport.com

    Vendor Management

    Sub-processor vendor management program with DPA requirements

    matterport.com

    Infrastructure Provider

    AWS multi-tenant environment (physical security, facility access, environmental monitoring delegated to AWS)

    matterport.com

    // Products & data scope

    Free PlanSaaS Platform

    data: 1 Active Space, 2 users, basic features, no advanced integrations

    Entry-level offering for individuals or small exploration of platform capabilities

    Starter PlanSaaS Platform

    data: 5-20 Active Spaces, 3 users, essential features, limited integrations

    Starting at €11/month (billed annually)

    Professional PlanSaaS Platform

    data: 20-150 Active Spaces, 10 users, advanced functionality, collaboration features

    Most popular tier. Starting at €53/month (billed annually)

    Business PlanSaaS Platform

    data: 100-300 Active Spaces, 50 users, advanced collaboration and integrations

    Starting at €277/month (billed annually)

    Enterprise PlanSaaS Platform

    data: Unlimited spaces and users, custom configuration

    Custom pricing. Enterprise-grade security, advanced admin features, enhanced enterprise services. Enterprise Addendum available covering DPA, incident notification, security reporting.

    Capture ServicesProfessional Services

    data: Expert technician-performed 3D scanning

    On-demand service: Matterport certified technicians scan spaces; customer uploads handled through platform

    AI FeaturesProduct Feature

    data: Generative AI for digital twin creation and enhancement

    Subject to Gen AI User Guidelines. Users cannot train ML models on outputs. Matterport trains on aggregated/anonymized data. Commercial use requires consent.

    // What to watch

    • CoStar Group acquisition (completed Feb 28, 2025): Matterport is now a CoStar subsidiary. Privacy policy redirects to CoStar. Compliance may be inherited from or coordinated with parent company. Recent acquisition may affect data handling practices; verify with sales for current posture.
    • No HIPAA BAA: Despite some search results mentioning 'HIPAA BAA for healthcare facilities' in Matterport's context, no actual HIPAA Business Associate Agreement or HIPAA compliance language found in legal documents. Customers in healthcare should verify HIPAA readiness directly.
    • No ISO 27001: Unlike ISO 27001-certified competitors, Matterport only holds SOC 2 Type II. For procurement requiring ISO 27001, this is a gap.
    • Broad Data Licensing: Terms of Use grant Matterport 'unrestricted, irrevocable, perpetual, transferable, sublicensable, worldwide, royalty-free license' to user-submitted content. Customer owns copyright but grants extremely broad rights to Matterport.
    • AI Training on Customer Data: Matterport trains AI models on aggregated/anonymized customer spatial data. No explicit opt-out documented. Customers cannot train commercial models on Matterport data (asymmetrical). Verify AI training opt-outs with sales.
    • No AI Governance Certification: Despite AI features and customer data training, no ISO/IEC 42001 or CSA STAR AI certification found. Consider for AI-risk-sensitive deployments.
    • Governance: Matterport is incorporated in Delaware/California, disputes resolved in Santa Clara County courts. GDPR customers should note this US-based governance despite DPA availability.

    // At a glance

    Pricing model

    Tiered SaaS: Free → Starter/Professional/Business (monthly/annual) → Enterprise (custom). Pricing based on Active Spaces and concurrent users.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Matterport, LLC (subsidiary of CoStar Group, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    matterport.com

    > Browse all vendor trust reports