// Trust & Security Report
Proofpoint, Inc.
Email and data security platform with AI-powered behavioral detection. Products include Tessian Guardian (accidental data loss prevention), Tessian Enforcer (insider threat and exfiltration prevention), Proofpoint Email Security, AI Security, and Data Security & Governance solutions.
Certifications held
11
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on proofpoint.com“Proofpoint maintains a robust security posture with a public Trust Center and verified SOC 2 Type II compliance. Available for Proofpoint Core Email Protection SEG/API, Proofpoint Prime, Proofpoint Combined SaaS Solutions (Legacy Tessian and Normalyze).”
Verify on proofpoint.com“ISO 27001 - Information security management system certification providing 'a comprehensive framework to establish, implement, and maintain controls' for data protection.”
Verify on proofpoint.com“ISO 42001 - 'Artificial Intelligence management system (AIMS)' certification for responsible AI development and monitoring.”
Verify on proofpoint.com“FedRAMP Authorization - Cloud products meet federal security standards; details available at the FedRAMP Marketplace.”
Verify on proofpoint.com“IRAP - Australian Government certification aligned with the Information Security Manual (ISM) requirements.”
Verify on proofpoint.com“National Security Framework (ENS) - Spain's framework certification for information systems supporting identified services.”
Verify on proofpoint.com“Data Privacy Framework Certification - Complies with EU-U.S., UK Extension, and Swiss-U.S. frameworks per dataprivacyframework.gov.”
Verify on proofpoint.com“FIPS Certification - 'Federal Information Protection Standard (FIPS) certification and validation' for cryptographic modules.”
Verify on proofpoint.com“STAR Registry - Listed on the Cloud Security Alliance's Security, Trust, Assurance, and Risk registry.”
Verify on proofpoint.com“Proofpoint's global operations adhere to GDPR with Global DPA available in a variety of languages. GDPR compliance is fundamental to their data processing model.”
> Show 4 unconfirmed / not-held certifications
source: proofpoint.comProofpoint offers HIPAA-compliant products and can enter Business Associate Agreements. However, no formal HIPAA certification (e.g., HITRUST) or public BAA template is documented. Proofpoint states 'Proofpoint applies the minimum necessary concept required by HIPAA' and commits to protecting Protected Health Information (PHI) for up to 18 months.
source: proofpoint.comNo public evidence found on Proofpoint's vendor domain or trust center pages.
source: proofpoint.comNo public evidence found on Proofpoint's vendor domain or trust center pages.
source: proofpoint.comNo public evidence found on Proofpoint's vendor domain or trust center pages.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region with data processing in North America (AWS, Google Cloud, co-location facilities) and Europe (EU co-location facilities). Specific residency options available upon request.
Proofpoint explicitly states: 'We do not use customer data to train any generative LLMs.' However, they do use definitively identified malicious messages to train classical machine learning models (not generative) for threat detection, and aggregated threat analytics without identifying customer content. No customer opt-out mechanism is documented for threat intelligence training.
// Security controls
Information Security Program
Documented information security program aligning with NIST 800-53 and ISO 27001 requirements, with continuous monthly/quarterly monitoring and annual SOC 2 Type II audit.
proofpoint.comSubprocessor Transparency
Published list of third-party service providers and subprocessors by location
proofpoint.comData Retention Policy
Product-specific data retention policies documented; HIPAA-scope data retained up to 18 months post-agreement then destroyed
proofpoint.com// Products & data scope
data: Outbound email content, recipient analysis, file attachments
AI-powered accidental data loss prevention using behavioral detection. Integrates with Microsoft 365 and Google Workspace. GDPR/CCPA compliant.
data: Email content analysis, user behavior patterns, file access logs
Advanced machine learning prevents malicious insider threats and sophisticated data exfiltration. No pre-defined rules required.
data: Email headers, message content, attachment metadata
Leader in Gartner Magic Quadrant for Email Security 2025. Blocks 95M BEC attacks annually.
data: LLM interactions, prompt history, data access logs
Controls how LLMs and AI agents access and share data. Prevents prompt-based attacks and data leaks. Does not train generative models on customer data.
data: Sensitive data discovery, access patterns, usage monitoring
Unified platform for data protection and compliance across storage, access, and usage. Supports GDPR, CCPA, and healthcare regulations.
// What to watch
- HIPAA: Proofpoint does not hold a formal HIPAA certification (e.g., HITRUST). They offer HIPAA-compliant products and can execute BAAs, but no public Business Associate Agreement template or HIPAA compliance certification is documented. Healthcare customers should verify BAA availability during procurement.
- Cloud Provider Certifications: Proofpoint's infrastructure leverages AWS, Google Cloud, and co-location providers that maintain their own SOC 2/ISO 27001 certifications. These are the cloud provider's certs, not Proofpoint's direct responsibility, though Proofpoint relies on them.
- AI Training Transparency: While Proofpoint does not train generative LLMs on customer data, they do use malicious message samples and aggregated threat analytics for classical ML model training. No customer opt-out mechanism is documented for this threat intelligence training, which may be a concern for some regulated sectors.
// At a glance
Pricing model
SaaS subscription, per-user or per-email basis. Enterprise licensing available.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Proofpoint, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
proofpoint.com