Priivacy — Data Discovery & Remediation Software
Find sensitive data. Remediate it. Defend it.
Priivacy is the software platform USC Data uses to locate, classify, and remediate sensitive personal data across Microsoft 365, SharePoint, OneDrive, Exchange, file shares, and SQL databases — before it becomes a breach, a DSAR scramble, an AI exposure, or a regulator visit.
$12,000 for a 60-day license. Full platform. Done on your infrastructure.
ISO 27001 certified | Read-only by default | No external transmission | Air-gap capable | Single-tenant deployment
10+ years
Built by the Umlaut Solutions team. Operating since 2016. Our core team has worked together longer than that.
Royal Commission veterans
Major engagements during Australia's Hayne Royal Commission 2017–2019. For US readers: think of it as a full Senate inquiry into the entire financial services industry, with every advisor required to retrospectively prove best-interest duty across ten years of advice.
AU. US. UK. NZ.
Cross-jurisdictional delivery from day one. ISO 27001 certified data governance and privacy program.
No snakes and ladders. Here's the whole offer on one page.
One fixed price. Sixty days. Every tool in the platform — switched on. Works for any business with up to 1,000 active users. Industry-specific versions available if you want pre-built configuration for your sector.
Start
60-day license
$12,000
Full platform. Unlimited scanning. Every report. Every remediation tool.
Extend
Month-to-month
$5,000 / month
Keep the platform running while you work through remediation at your own pace.
Upgrade
Annual license
$18,000 upgrade
Roll your $12,000 starter into an annual license. Total annual: $30,000 if upgraded within 90 days.
Optional help
Professional services
$5,000 – $20,000
Sized to the job, not to our quarter. If a half-day session fixes the problem, we charge for half a day.
Pricing applies to organisations with up to 1,000 active users. Larger institutions and group structures scoped on the first call.
Looking for an industry-specific version? Schools & Colleges | Financial Services | Wealth Management | Healthcare | Legal & Professional
Three pressures converging in 2026.
If you're a CIO, CISO, CFO, or business owner, you're being asked harder questions about data than at any time in the last decade. Privacy regulators, cyber-insurance underwriters, audit committees, and AI safety reviews are all converging on the same root question: where is your sensitive data and who can access it?
Privacy regulation has caught up
The 2023–2026 wave of state privacy laws in the US (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA) joined GDPR, UK GDPR, the Australian Privacy Act, and the EU AI Act. DSAR clocks tick in 30 days. Notifiable Data Breach windows are measured in hours. Most organisations couldn't answer "where is this person's data" inside a week.
AI made the data problem urgent
Microsoft Copilot, RAG systems, and AI assistants are only as safe as the data they can read. If a Copilot license can see a folder with thirty unsecured KYC packs or a SharePoint site holding student records, you've expanded your exposure surface in ways the regulator won't excuse.
Breach economics shifted
The average cost of a data breach reached new highs in 2025, and cyber insurers are denying coverage or hiking premiums for organisations that can't demonstrate basic data hygiene. Defensible data discovery is no longer a "nice to have" for renewal conversations.
Built for the data problems regulators, AI, and breaches now create.
Eight capabilities. Every one designed to convert a vague risk into a specific action.
AI & Copilot Safety
Detects and remediates sensitive data in content that feeds Copilot, RAG systems, and AI training — preventing privacy leaks before they reach the model.
Intelligent Document Classification
Classifies documents by type — contracts, medical records, HR files, financial statements, KYC packs, trust deeds — so findings have context, not just content. Configurable to your industry's document landscape.
Affected Person Tracking
Identity resolution across files. See which individuals appear where, what PII types are associated with them, and the sensitivity of their exposure. Essential for breach response — know exactly who is affected.
Permission Auditing (SharePoint & OneDrive)
Discover who has access to files containing PII. Identify files with unique (non-inherited) sharing, flag stale links older than 12 months, see the intersection of sensitive data and excessive access.
DSAR & Privacy Response Automation
10-stage workflow for statutory data subject access requests. Identity verification, jurisdiction-locked responses (GDPR Article 15, UK GDPR, Australian APP 12), AI-assisted triage via a local LLM that never leaves your environment, and a sealed disclosure PDF.
Breach Investigation & Impact Reporting
When incidents occur, identify whose data was affected and what was exposed in hours, not months. Per-person exposure reports ready for notification.
Pre-Migration & Cloud Readiness
Clean and classify data before cloud migrations. Stop toxic data moving forward into modern platforms where it becomes a Copilot risk on day one.
Multi-Framework Compliance Reporting
Built-in mapping to Australian Privacy Act (APP 11), GDPR, UK GDPR, CCPA/CPRA + state privacy laws, HIPAA, PCI DSS 4.0, EU AI Act, FERPA, GLBA. Article-level reporting with evidence and recommended actions.
See the actual reports before you buy.
Priivacy ships four built-in HTML reports plus a Privacy Posture assessment and a per-owner exposure breakdown. Each one is designed for the audience that actually reads it. Click any sample to open the full report in a new tab — these are real outputs from anonymised customer scans.
PII Security Assessment
The primary client deliverable. Jurisdiction-aware narrative, risk score, framework overlay, prioritised actions.
Compliance Deep-Dive (CCPA / CPRA shown)
Maps every finding to every article of a chosen framework — CCPA/CPRA sample here, with APP, GDPR, and HIPAA also supported. Article-level evidence and recommended actions.
Executive One-Pager
A single page. Risk headline, KPIs, top PII types, top three actions. Designed to fit a board pack.
Owner Exposure
Ranks data custodians by PII volume. Per-owner severity, PII type chips, top files. Answers "who do I need to talk to?"
Cross-Owner Awareness
All-owners view across an estate. Shows the data-custodian footprint of your organisation in one place.
Privacy Posture (M365 tenant assessment)
24 read-only tests across the Microsoft 365 tenant — anonymous shares, mailbox forwarding, dormant guests, public sites, oversharing patterns. Posture grade and remediation guidance per finding. Sample shown for "Vantage" — a fictitious tenant.
Sample reports are anonymised outputs from real scans. The reports in your engagement are generated from your actual data and never leave your environment unless you choose to export them.
Your data stays in your environment. Period.
Priivacy is not a SaaS data lake. We don't ingest, copy, or replicate your files, mailboxes, or database content to a USC Data cloud. The platform installs inside your network or your cloud tenant. Scanning, classification, indexing, AI triage, and reporting all happen locally.
On-premises
Priivacy runs as a set of Docker containers on a Linux host inside your network. Fully air-gap capable. Nothing leaves unless you export it.
Your cloud tenant
Install Priivacy in your existing Azure, AWS, or Google Cloud environment. Same isolation as on-prem. No third-party cloud touches your data.
USC Data dedicated cloud
Single-tenant cloud server we provision and manage. You retain administrative control, authentication, and encryption keys. We don't see your data.
Local AI triage uses an on-prem language model — your DSAR review data never leaves the appliance. Original file content is never persisted. Only metadata and findings are stored, with HTTPS for all transit, OAuth 2.0 tokens encrypted at rest, and audit-grade logging of every action.
Three ways to buy. One platform underneath.
Buy Priivacy direct
Sign up, install, run. We'll help you stand it up and walk you through the first scan, but the platform is yours to operate. Best for in-house IT and security teams who want a tool they control.
Buy Priivacy with USC Data services
Our consultants configure the platform, tune detection for your environment, interpret the findings, and guide remediation. Best for organisations that want expert delivery without building in-house capability first.
Buy Priivacy through a partner
Many of our customers come to Priivacy through MSPs, GRC consultants, fractional CISOs, or industry advisors who know our platform and bundle it into their own engagements. Same platform, your existing trusted relationship.
Want to become a Priivacy partner? See the partner program
51 PII types across 7 categories.
Built-in detectors with mathematical checksum validation. Multi-jurisdiction by design: Australia, New Zealand, United Kingdom, European Union, United States, Singapore, France, Germany, Netherlands, Ireland.
National identifiers
TFN, Medicare, Passport, SSN, NHS, NINO, IRD, NHI, NRIC/FIN, INSEE, Personalausweis, BSN, PPS, driver's licences (AU, NZ, UK, US, EU)
Financial
Credit card, IBAN, SWIFT/BIC, AU/NZ bank accounts, ABN, ACN
Contact
Email, phone (AU, NZ, international), Person name, Address, Location, Organisation
Personal
Date of birth, Date of expiry, Gender, Nationality, Country of issue, Face image, Personal number (MRZ)
Sensitive (GDPR Article 9)
Racial/ethnic origin, Political opinions, Religious beliefs, Trade union membership, Health data, Sexual orientation, Biometric data
Health & medical
Medical record numbers, healthcare member IDs
Technical
IP address, MAC address
Don't see a pattern you need? Our Detector Builder synthesises a regex from a handful of example values you provide — "port the pattern from another system" takes minutes, not weeks.
Every system where your sensitive data actually lives.
Microsoft 365
SharePoint Online, OneDrive, Exchange Online (via Graph API)
File systems
On-premises and cloud file servers, via lightweight remote agents (Windows, macOS, Linux)
SQL databases
SQL Server, Azure SQL, PostgreSQL, MySQL, MariaDB (read-only)
Mounted server folders
SFTP / FTP drop locations
Legacy archives
Apache Tika fallback for 1,000+ additional file formats
The remote agent is a single ~10 MB binary. No installer. WebSocket connection, one-time pairing code, runs as a background service.
One platform. Every framework your team reports against.
Compliance Deep-Dive reports map findings to the framework that matters to you. Per-article risk, evidence, and recommended actions.
United States
CCPA / CPRA + state privacy laws (VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA) | HIPAA / HITECH | GLBA | NYDFS 23 NYCRR 500 | SEC Reg S-P | FINRA recordkeeping | PCI DSS 4.0 | SOX 404 / ITGC | FERPA | EU AI Act (for US firms with EU customers)
Australia & New Zealand
Australian Privacy Act (APP) | Notifiable Data Breaches Scheme | APRA CPS 234 | APRA CPS 230 | AUSTRAC AML/CTF | AFSL recordkeeping | Consumer Data Right (CDR) | NZ Privacy Act
United Kingdom & EU
UK GDPR + Data Protection Act 2018 | EU GDPR | DORA | FCA SYSC 9 | MiFID II recordkeeping | EU AI Act
Get clarity before a breach, an audit, or a Copilot deployment forces the issue.
A 45-minute demo against your real environment. We'll scope it, show you what we'd find, walk you through the four reports, and answer whatever's on your list. No slide deck. No sales pressure.
