// Trust & Security Report
Matterport, LLC (subsidiary of CoStar Group, Inc.)
3D digital twin platform for real estate, facilities management, design, and construction with AI-powered features. SaaS offerings: Free, Starter, Professional, Business, and Enterprise plans with integrations to Procore, Autodesk, and AWS IoT Twinmaker.
Certifications held
5
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on matterport.com“Undergo independent third-party, annual audits against SOC2's Trust Principles of Security, Availability and Confidentiality. Audited by Frank, Rimerman + Co. LLP (independent CPA firm). Announced November 22, 2021. SOC 3 report available without NDA.”
Verify on matterport.com“Data Processing Addendum and Standard Contractual Clauses available for GDPR compliance. DPA references GDPR, CCPA, UK GDPR, and PIPEDA requirements.”
Verify on matterport.com“Data Processing Addendum explicitly addresses California Consumer Privacy Act (CCPA) compliance with DPA available.”
Verify on matterport.com“Data Processing Addendum explicitly covers UK Data Protection Act (2018) and UK GDPR requirements.”
Verify on matterport.com“Data Processing Addendum includes Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) compliance.”
> Show 6 unconfirmed / not-held certifications
source: matterport.comNo public evidence of ISO 27001 certification found on Matterport domain despite multiple searches of trust center and security documentation.
source: matterport.comNo Business Associate Agreement or HIPAA compliance language found in Matterport's legal documents, terms of use, or trust center. No HIPAA BAA mentioned in Enterprise Addendum.
source: trust.costargroup.comNo PCI DSS certification found for Matterport. Parent company CoStar Group complies with PCI DSS Level 2, but this is CoStar's certification, not Matterport's.
source: matterport.comNo public evidence of ISO 27017 (cloud-specific) or ISO 27018 (personal data in cloud) certifications found.
source: matterport.comNo public evidence of ISO 27701 (privacy management) certification found.
source: matterport.comNo evidence of ISO/IEC 42001 or other AI governance certifications found despite Matterport's use of AI features and customer data training.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Infrastructure hosted on AWS (multi-tenant). Sub-processors located in United States and Australia. Exact data residency options not specified in available documentation.
Matterport trains AI models on aggregated and anonymized spatial and environmental data to improve services and develop new features. No explicit opt-out mechanism documented. Matterport grants itself 'unrestricted, irrevocable, perpetual, transferable, sublicensable, worldwide, royalty-free license' to use customer content submitted to platform. Customers are prohibited from training commercial AI/ML models on Matterport data.
// Security controls
Authentication
Unique user IDs, password controls with expiration, SSO via SAML 2.0 with multiple identity providers
matterport.comAccess Control
Role-based access control (RBAC), least-privilege access, prompt revocation on employment termination
matterport.comNetwork Security
Firewalls, VPN remote access, network segmentation, continuous monitoring for unauthorized activity
matterport.comAudit Logging
Audit logging for user access and system activity. Data breaches notified within 48 hours to data controllers (72 hours in Enterprise Addendum).
matterport.comPenetration Testing
Annual penetration testing by third-party firms. Reports available upon request.
matterport.comIncident Response
Documented incident response program with 72-hour notification window for suspected security incidents affecting customer data
matterport.comBusiness Continuity
Business continuity and disaster recovery procedures in place. Backup data retention: 7 days.
matterport.comInfrastructure Provider
AWS multi-tenant environment (physical security, facility access, environmental monitoring delegated to AWS)
matterport.com// Products & data scope
data: 1 Active Space, 2 users, basic features, no advanced integrations
Entry-level offering for individuals or small exploration of platform capabilities
data: 5-20 Active Spaces, 3 users, essential features, limited integrations
Starting at €11/month (billed annually)
data: 20-150 Active Spaces, 10 users, advanced functionality, collaboration features
Most popular tier. Starting at €53/month (billed annually)
data: 100-300 Active Spaces, 50 users, advanced collaboration and integrations
Starting at €277/month (billed annually)
data: Unlimited spaces and users, custom configuration
Custom pricing. Enterprise-grade security, advanced admin features, enhanced enterprise services. Enterprise Addendum available covering DPA, incident notification, security reporting.
data: Expert technician-performed 3D scanning
On-demand service: Matterport certified technicians scan spaces; customer uploads handled through platform
data: Generative AI for digital twin creation and enhancement
Subject to Gen AI User Guidelines. Users cannot train ML models on outputs. Matterport trains on aggregated/anonymized data. Commercial use requires consent.
// What to watch
- CoStar Group acquisition (completed Feb 28, 2025): Matterport is now a CoStar subsidiary. Privacy policy redirects to CoStar. Compliance may be inherited from or coordinated with parent company. Recent acquisition may affect data handling practices; verify with sales for current posture.
- No HIPAA BAA: Despite some search results mentioning 'HIPAA BAA for healthcare facilities' in Matterport's context, no actual HIPAA Business Associate Agreement or HIPAA compliance language found in legal documents. Customers in healthcare should verify HIPAA readiness directly.
- No ISO 27001: Unlike ISO 27001-certified competitors, Matterport only holds SOC 2 Type II. For procurement requiring ISO 27001, this is a gap.
- Broad Data Licensing: Terms of Use grant Matterport 'unrestricted, irrevocable, perpetual, transferable, sublicensable, worldwide, royalty-free license' to user-submitted content. Customer owns copyright but grants extremely broad rights to Matterport.
- AI Training on Customer Data: Matterport trains AI models on aggregated/anonymized customer spatial data. No explicit opt-out documented. Customers cannot train commercial models on Matterport data (asymmetrical). Verify AI training opt-outs with sales.
- No AI Governance Certification: Despite AI features and customer data training, no ISO/IEC 42001 or CSA STAR AI certification found. Consider for AI-risk-sensitive deployments.
- Governance: Matterport is incorporated in Delaware/California, disputes resolved in Santa Clara County courts. GDPR customers should note this US-based governance despite DPA availability.
// At a glance
Pricing model
Tiered SaaS: Free → Starter/Professional/Business (monthly/annual) → Enterprise (custom). Pricing based on Active Spaces and concurrent users.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Matterport, LLC (subsidiary of CoStar Group, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
matterport.com