ConvergentDS provides top security assessments for content owners and media vendors worldwide, with expert assessors and guidance across all production stages
CONTACT USTPN FAQsConvergentDS is the principal provider of security assessments for content owners and the media and entertainment vendor supply chain. Whether you have a site, hybrid site & cloud or web application, we offer the widest choice of security assessor, and our team offer the most experience and guidance for your environment. We work with pre-production, production, post-production and distribution vendors across the globe through our offices in the Americas, EMEA and APAC.
Please Contact Us to see a list of ConvergentDS assessors available to cover your region. We provide flexible capacity to meet your schedules based on a transparent fixed price model. The consultant or assessor undertaking tasks in a Readiness Pre-Assessment or in remediation will be a different assessor for your TPN Gold security assessment, in accordance with TPN protocol.

The Trusted Partner Network (TPN) is the film and TV industry's global content security standard, administered by the MPA. ConvergentDS is one of the world's leading TPN assessment providers
The Trusted Partner Network (TPN) is a global content security programme administered by the Motion Picture Association (MPA). It establishes a common framework of security standards that media and entertainment vendors must meet to demonstrate they can safely handle, store, and transmit premium content on behalf of studios and content owners.
TPN assessments evaluate physical and cloud-based production environments against MPA Content Security Best Practices v5.3.1, resulting in a verified security status that content owners and studios use to qualify vendors in their supply chain.
A TPN assessment is how media and entertainment vendors prove to studios and content owners that their systems are secure enough to handle premium or pre-release content — without one, vendors risk being disqualified from pitching for or retaining work.
Major content owners — including Hollywood studios and streaming platforms — require vendors to hold a current TPN assessment before entrusting them with sensitive material. Beyond compliance, the process helps vendors identify and remediate real security vulnerabilities before a breach occurs — protecting both their clients' intellectual property and their own reputation.
ConvergentDS provides the full range of TPN assessments: Site Security Assessments for physical production and post-production facilities; Cloud Security Assessments for cloud-native and hybrid workflows; and Cloud and Application Security Assessments for in-house developed web applications. We also offer Readiness Pre-Assessments and general consultancy to help organisations prepare before their formal evaluation.
We operate across the Americas, EMEA, and APAC, giving us the global reach to assess multi-site organisations consistently — as demonstrated by our work helping DNEG achieve TPN Gold across 17 sites globally.
The TPN Shield System is a four-tier framework that shows studios and content owners exactly where a vendor stands on content security — not just whether they have been assessed, but whether they have fixed what was found. It replaced the previous binary Gold/registered model and gives content owners granular visibility into vendor security posture and remediation progress.
The four tiers are:
The key distinction from the legacy model is the explicit recognition of remediation progress. Some studio contracts now specify minimum Shield tier requirements, meaning vendors need to understand which level is expected before bidding on work. ConvergentDS assessors can advise on what tier is achievable for your environment and what remediation work is required to progress.
A TPN assessment involves two separate costs: the annual TPN membership fee paid directly to TPN, and the assessment fee paid to your chosen assessor. ConvergentDS operates on a transparent fixed-price model — you will know the full cost upfront, with no unexpected charges.
TPN membership fees are set by TPN on a revenue-tiered basis. Fees start at $250 per year for self-employed members and scale with annual gross revenue — for example, organisations with annual M&E revenue of $5–10M pay approximately $5,000 per year. TPN publishes the full fee schedule at ttpn.org.
Assessment fees vary based on the type and scope of assessment (site, cloud, or application), the size and complexity of your environment, and your geographic location. ConvergentDS provides fixed-price quotes after an initial scoping conversation — contact us at tpn@convergentds.com for a no-obligation estimate tailored to your environment.
As a guide, factors that influence assessment cost include:
ConvergentDS's fixed-price model means you avoid the variable, open-ended billing that can come with individual independent assessors, who negotiate pricing case by case without TPN oversight on rates.
Timelines vary depending on the size and complexity of your environment. A straightforward single-site assessment can typically be completed within a few weeks from engagement. Multi-site or cloud-heavy engagements take longer, but ConvergentDS offers flexible capacity and scheduling to work around your production calendar.
A Readiness Pre-Assessment is recommended if you have not been assessed before, or if significant time has passed since your last review — this reduces the risk of surprises during the formal assessment.
No — and this is a deliberate TPN protocol requirement, not just our policy. The consultant
supporting your Readiness Pre-Assessment or remediation work must be a different individual from the assessor who conducts your formal TPN Gold security assessment. This separation ensures the independence and integrity of the assessment result.
ConvergentDS maintains the team depth to provide both services without requiring you to engage a second firm.
Yes — penetration testing is a requirement under the MPA Content Security Best Practices v5.3.1, not an optional extra. ConvergentDS can help you with pen testing through its highly qualified team pen testers. Whether it applies to your assessment depends on your specific environment, but most vendors with internet-facing systems, data centre infrastructure, or remote access workflows will have penetration testing controls in scope.
The key MPA controls that mandate penetration testing are:
For Studio direct assessments, individual studios may apply their own specific requirements — some mandate penetration testing as a prerequisite to engagement, regardless of TPN status. ConvergentDS can advise on what your specific studio client requires and whether your existing pen test evidence will satisfy their criteria.
If penetration testing is found to be required during your Readiness Pre-Assessment, ConvergentDS can provide it directly — there is no need to source a separate provider. Our offensive security team will scope and deliver the test, and the results can be used as evidence during your formal TPN assessment.
Important: A penetration test and a vulnerability scan are not the same thing. A pen test is an active, human-led attempt to exploit your systems. A vulnerability scan is an automated check for known weaknesses. The MPA Best Practices require both, and one cannot substitute for the other.
Yes — regular vulnerability scanning is a defined requirement under the MPA Content Security Best Practices v5.3.1, and the framework specifies different minimum frequencies depending on whether the systems are externally or internally facing.
The MPA Best Practices scanning requirements are:
During your TPN assessment, your assessor will ask for evidence of vulnerability scanning — typically scan reports and records showing the frequency and coverage of scans. Simply stating that scans take place is not sufficient; you will need documented results.
It is also important to understand that vulnerability scanning is not a substitute for penetration testing. Scanning identifies known weaknesses automatically; a penetration test requires a qualified human tester to attempt to exploit those weaknesses and others that automated tools miss. The MPA requires both as separate controls.
If your organisation does not currently have a vulnerability scanning programme in place, ConvergentDS's Vulnerability Management service can establish one ahead of your assessment.
Contact us at tpn@convergentds.com to discuss your requirements.
ConvergentDS is the principal TPN assessment provider globally, with more combined assessment experience than any other firm, a worldwide team of assessors, transparent fixed pricing, and integrated offensive security services that most assessment-only providers cannot offer. Six specific advantages set the company apart:
1. Scale and depth of experience. ConvergentDS has carried out more TPN assessments than any other provider. Many assessors previously worked for Studios or post-production vendors, giving them first-hand knowledge of the environments they evaluate. Individual TPN assessors may handle a handful of assessments per year and cannot offer the same depth.
2. True global reach. With representation across EMEA, Asia Pacific, and the Americas, ConvergentDS can assess multi-site organisations consistently — as demonstrated by supporting DNEG across 17 VFX sites on three continents.
3. Integrated offensive security. Most TPN firms are purely compliance-focused. ConvergentDS provides the full range of assessment, penetration testing, vulnerability management, advisory, and code review services — meaning pen testing required for your assessment can be delivered in-house.
4. Transparent fixed pricing. ConvergentDS operates on a fixed-price model. Individual assessors negotiate pricing case by case, with TPN having no control over their rates.
5. End-to-end support. ConvergentDS provides guidance before, during, and after the assessment — including readiness pre-assessment, remediation support, and ongoing strategic partnership.
6. Cross-sector compliance breadth. ConvergentDS serves clients across M&E, Financial Services, Healthcare, Leisure, Manufacturing, and Critical National Infrastructure, with advisory services covering ISO 27001, SOC 2, NIST, GDPR, Zero Trust, and the NCBA Committed to Security Programme.
Contact ConvergentDS directly at tpn@convergentds.com or via convergentds.com/contact-us. We will ask a few straightforward questions about your environment and timeline, recommend the right assessment type, match you with an experienced assessor, and provide transparent pricing — with no obligation at the initial stage.
Whether you are approaching your first assessment or preparing for a renewal, the process starts the same way. We will ask whether you operate a physical facility, a cloud-native or hybrid workflow, or both, and whether you have studio deadlines or contract requirements driving your timeline.
If you are not yet certain whether you need an assessment — for example, if a studio or content owner has flagged TPN as a requirement but you are unsure what it means for your operation — we can help you work through that too.
Preparing for a TPN assessment involves six key steps: completing a Readiness Pre-Assessment, documenting your security controls, involving the right internal stakeholders, addressing known gaps in advance, familiarising yourself with MPA Content Security Best Practices v5.3.1, and planning around your production schedule.
1. Complete a Readiness Pre-Assessment. A ConvergentDS consultant — a different individual from your formal assessor, as required by TPN protocol — will review your environment against the assessment criteria, identify gaps, and give you prioritised guidance. This is the single most effective way to avoid surprises.
2. Document your controls. Assessors need evidence, not just assertions. Gather documentation for your security policies, access control procedures, patch management, incident response plans, network diagrams, vulnerability scan reports, and penetration test results.
3. Involve the right people. A TPN assessment touches IT infrastructure, physical security, HR policies, and operational workflows. Ensure your IT lead, facilities manager, and operations team are available throughout — unavailable personnel are the most common cause of delays.
4. Address known gaps first. If you already know of vulnerabilities or control weaknesses, remediate them before the assessment where possible. Arriving with known unresolved issues will affect your Shield tier outcome.
5. Familiarise yourself with MPA Best Practices v5.3.1. The TPN+ platform and ttpn.org publish the questionnaire framework, so there are no hidden surprises in what will be covered. Pay particular attention to vulnerability scanning and penetration testing controls, which are commonly underprepared.
6. Plan around your production schedule. ConvergentDS offers flexible scheduling — avoid your busiest production periods where possible.
For support with any of these steps, contact us at tpn@convergentds.com to discuss your timeline and requirements.
Once your assessment is complete, results are submitted to TPN and your organisation receives a verified Shield status visible to content owners in the TPN registry. If remediation is required to achieve or maintain your target Shield tier, ConvergentDS can support you through Managed Remediation — a structured programme to address identified gaps with expert guidance.
ConvergentDS assessors remain available after the report is delivered to answer questions and support your remediation programme — the relationship does not end with the assessment.
Yes a penetration test of your network IP infrastructure or in-house developed web application is an MPA/TPN best practice guideline and should be completed before the date of your assessment. If you have not previously had a pen test conducted by an independent third party or if the last pen test was more than 12 months ago, this will not meet best practice and will show as an important remediation item. Convergent provides pen testing services to many of its customers at competitive prices.