// Trust & Security Report

    Proofpoint, Inc. logo

    Proofpoint, Inc.

    Email and data security platform with AI-powered behavioral detection. Products include Tessian Guardian (accidental data loss prevention), Tessian Enforcer (insider threat and exfiltration prevention), Proofpoint Email Security, AI Security, and Data Security & Governance solutions.

    Certifications held

    11

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Proofpoint maintains a robust security posture with a public Trust Center and verified SOC 2 Type II compliance. Available for Proofpoint Core Email Protection SEG/API, Proofpoint Prime, Proofpoint Combined SaaS Solutions (Legacy Tessian and Normalyze).

    Verify on proofpoint.com
    ISO 27001
    HELD

    ISO 27001 - Information security management system certification providing 'a comprehensive framework to establish, implement, and maintain controls' for data protection.

    Verify on proofpoint.com
    ISO 42001 (AI Management System)
    HELD

    ISO 42001 - 'Artificial Intelligence management system (AIMS)' certification for responsible AI development and monitoring.

    Verify on proofpoint.com
    FedRAMP Authorization
    HELD

    FedRAMP Authorization - Cloud products meet federal security standards; details available at the FedRAMP Marketplace.

    Verify on proofpoint.com
    IRAP (Australian Government)
    HELD

    IRAP - Australian Government certification aligned with the Information Security Manual (ISM) requirements.

    Verify on proofpoint.com
    National Security Framework (ENS) - Spain
    HELD

    National Security Framework (ENS) - Spain's framework certification for information systems supporting identified services.

    Verify on proofpoint.com
    Data Privacy Framework Certification
    HELD

    Data Privacy Framework Certification - Complies with EU-U.S., UK Extension, and Swiss-U.S. frameworks per dataprivacyframework.gov.

    Verify on proofpoint.com
    PCI DSS
    HELD

    PCI Compliant - Proofpoint Archive meets PCI standards.

    Verify on proofpoint.com
    FIPS Certification
    HELD

    FIPS Certification - 'Federal Information Protection Standard (FIPS) certification and validation' for cryptographic modules.

    Verify on proofpoint.com
    CSA STAR Registry
    HELD

    STAR Registry - Listed on the Cloud Security Alliance's Security, Trust, Assurance, and Risk registry.

    Verify on proofpoint.com
    GDPR Compliance
    HELD

    Proofpoint's global operations adhere to GDPR with Global DPA available in a variety of languages. GDPR compliance is fundamental to their data processing model.

    Verify on proofpoint.com
    > Show 4 unconfirmed / not-held certifications
    HIPAA Compliance
    NOT CONFIRMED

    Proofpoint offers HIPAA-compliant products and can enter Business Associate Agreements. However, no formal HIPAA certification (e.g., HITRUST) or public BAA template is documented. Proofpoint states 'Proofpoint applies the minimum necessary concept required by HIPAA' and commits to protecting Protected Health Information (PHI) for up to 18 months.

    source: proofpoint.com
    ISO 27017 (Cloud Security Controls)
    NOT CONFIRMED

    No public evidence found on Proofpoint's vendor domain or trust center pages.

    source: proofpoint.com
    ISO 27018 (Cloud PII Protection)
    NOT CONFIRMED

    No public evidence found on Proofpoint's vendor domain or trust center pages.

    source: proofpoint.com
    ISO 27701 (Privacy Information Management)
    NOT CONFIRMED

    No public evidence found on Proofpoint's vendor domain or trust center pages.

    source: proofpoint.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region with data processing in North America (AWS, Google Cloud, co-location facilities) and Europe (EU co-location facilities). Specific residency options available upon request.

    Proofpoint explicitly states: 'We do not use customer data to train any generative LLMs.' However, they do use definitively identified malicious messages to train classical machine learning models (not generative) for threat detection, and aggregated threat analytics without identifying customer content. No customer opt-out mechanism is documented for threat intelligence training.

    // Security controls

    Encryption in Transit

    TLS 1.2+ for all data transmission

    proofpoint.com

    Encryption at Rest

    AES-256 encryption for stored data

    proofpoint.com

    Information Security Program

    Documented information security program aligning with NIST 800-53 and ISO 27001 requirements, with continuous monthly/quarterly monitoring and annual SOC 2 Type II audit.

    proofpoint.com

    Subprocessor Transparency

    Published list of third-party service providers and subprocessors by location

    proofpoint.com

    Data Retention Policy

    Product-specific data retention policies documented; HIPAA-scope data retained up to 18 months post-agreement then destroyed

    proofpoint.com

    // Products & data scope

    Tessian GuardianEmail Data Loss Prevention

    data: Outbound email content, recipient analysis, file attachments

    AI-powered accidental data loss prevention using behavioral detection. Integrates with Microsoft 365 and Google Workspace. GDPR/CCPA compliant.

    Tessian EnforcerInsider Threat & Exfiltration Prevention

    data: Email content analysis, user behavior patterns, file access logs

    Advanced machine learning prevents malicious insider threats and sophisticated data exfiltration. No pre-defined rules required.

    Proofpoint Email Security (Core)Email Security & Threat Protection

    data: Email headers, message content, attachment metadata

    Leader in Gartner Magic Quadrant for Email Security 2025. Blocks 95M BEC attacks annually.

    Proofpoint AI SecurityAI Governance & Control

    data: LLM interactions, prompt history, data access logs

    Controls how LLMs and AI agents access and share data. Prevents prompt-based attacks and data leaks. Does not train generative models on customer data.

    Proofpoint Data Security & GovernanceData Loss Prevention & Governance

    data: Sensitive data discovery, access patterns, usage monitoring

    Unified platform for data protection and compliance across storage, access, and usage. Supports GDPR, CCPA, and healthcare regulations.

    // What to watch

    • HIPAA: Proofpoint does not hold a formal HIPAA certification (e.g., HITRUST). They offer HIPAA-compliant products and can execute BAAs, but no public Business Associate Agreement template or HIPAA compliance certification is documented. Healthcare customers should verify BAA availability during procurement.
    • Cloud Provider Certifications: Proofpoint's infrastructure leverages AWS, Google Cloud, and co-location providers that maintain their own SOC 2/ISO 27001 certifications. These are the cloud provider's certs, not Proofpoint's direct responsibility, though Proofpoint relies on them.
    • AI Training Transparency: While Proofpoint does not train generative LLMs on customer data, they do use malicious message samples and aggregated threat analytics for classical ML model training. No customer opt-out mechanism is documented for this threat intelligence training, which may be a concern for some regulated sectors.

    // At a glance

    Pricing model

    SaaS subscription, per-user or per-email basis. Enterprise licensing available.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Proofpoint, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    proofpoint.com

    > Browse all vendor trust reports