SOC 2

Audit in progress — target H2 2026

Gateco is undergoing SOC 2 Type II certification. The audit covers the Security trust service criterion as the baseline, with Availability and Confidentiality criteria included given our role as a retrieval security layer.

Audit scope

Trust service criteria: Security (CC), Availability (A), Confidentiality (C)
Audit period: 12 months, H1–H2 2026
Target completion: H2 2026
Auditor: Independent third-party CPA firm (name disclosed to Enterprise customers under NDA)
System boundary: Gateco retrieval API, policy engine, connector credential store, IDP sync, billing, and audit log subsystems

Current controls evidence

Enterprise customers can request the following artifacts at enterprise@gateco.ai:

  • Security architecture overview and threat model
  • Encryption and key management documentation (KMS envelope encryption)
  • Access control and authentication documentation
  • Incident response and business continuity plans
  • Penetration test scope and recent findings summary
  • Vendor and subprocessor list with DPA status
  • CI test suite coverage for security-critical paths

Key controls already in place

Encryption at rest
AES-256 column-level encryption on all sensitive fields. Connector credentials use KMS envelope encryption with per-organization EncryptionContext.
Encryption in transit
TLS 1.3 enforced for all connections.
Fail-closed default
Policy evaluation errors produce denials, not allows. Every error-time denial is recorded with decision=error_deny in the audit log.
Credential log redaction
CI gate (test_credential_log_redaction.py) blocks merges if any credential pattern reaches stdout, stderr, log buffers, or HTTP responses.
Audit trail
25 event types covering every retrieval, denial, policy change, connector modification, and billing event.
Rate limiting
Per-org per-minute caps on all high-frequency endpoints (retrieval, answer synthesis, simulator).
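The fail-closed default described above, shown as an added illustration that is not Gateco's code: any exception raised while evaluating rules becomes a denial and is written to the audit log with decision=error_deny rather than silently allowing. The rule names, the principal shape and the AuditEvent fields are assumptions; only the error_deny decision value comes from the page.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed example of a fail-closed policy evaluator. Not Gateco's code;
# rule names and audit-record fields are assumptions for illustration.

@dataclass
class AuditEvent:
    org_id: str
    resource: str
    decision: str  # "allow", "deny", or "error_deny"
    reason: str

@dataclass
class PolicyEngine:
    rules: list[Callable[[dict, str], bool]]
    audit_log: list[AuditEvent] = field(default_factory=list)

    def _record(self, org_id: str, resource: str, decision: str, reason: str) -> None:
        self.audit_log.append(AuditEvent(org_id, resource, decision, reason))

    def evaluate(self, org_id: str, principal: dict, resource: str) -> bool:
        """Return True only if every rule explicitly allows; any exception denies."""
        try:
            for rule in self.rules:
                if rule(principal, resource) is not True:
                    self._record(org_id, resource, "deny", f"{rule.__name__} denied")
                    return False
            self._record(org_id, resource, "allow", "all rules allowed")
            return True
        except Exception as exc:
            # Fail closed: a broken rule or malformed input never produces an allow,
            # and the failure is recorded so auditors can see every error-time denial.
            self._record(org_id, resource, "error_deny", f"{type(exc).__name__}: {exc}")
            return False

def group_rule(principal: dict, resource: str) -> bool:
    # Raises KeyError if the (hypothetical) IDP sync has not populated 'groups'.
    return "eng" in principal["groups"]

def resource_rule(principal: dict, resource: str) -> bool:
    return resource.startswith("doc:")

def demo() -> list[str]:
    engine = PolicyEngine(rules=[group_rule, resource_rule])
    engine.evaluate("org-1", {"groups": ["eng"]}, "doc:42")    # allow
    engine.evaluate("org-1", {"groups": ["sales"]}, "doc:42")  # deny
    engine.evaluate("org-1", {}, "doc:42")                     # error_deny
    return [e.decision for e in engine.audit_log]

if __name__ == "__main__":
    print(demo())  # ['allow', 'deny', 'error_deny']
```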

Frequently asked questions

When will Gateco achieve SOC 2 Type II certification?
We are currently undergoing the SOC 2 Type II audit process, targeting H2 2026. Enterprise customers can request current security artifacts and evidence at enterprise@gateco.ai.
What trust service criteria does the Gateco SOC 2 audit cover?
The audit covers the Security trust service criterion as the baseline, with Availability and Confidentiality criteria included given Gateco's role as a retrieval security layer handling sensitive organizational data.
Can I get Gateco's current security controls documentation before SOC 2 is complete?
Yes. Enterprise customers can request the current security controls documentation, architecture overview, and evidence artifacts directly at enterprise@gateco.ai.

Request security artifacts

Enterprise customers can access current security documentation, evidence artifacts, and the audit timeline directly from our team.