Security you can verify

Gateco is built with security-first principles. Here is exactly what we do to protect your data and your AI systems.

Performance SLO

Policy overhead per retrieval: <25ms p95

End-to-end on cloud vector DBs: <50ms p95

Measured at p95 under standard load. Fail-closed by default — a slow evaluation denies, never silently allows.

Compliance & Certifications

SOC 2 Type II
Audit underway — target H2 2026. Enterprise customers can request current security artifacts. enterprise@gateco.ai
GDPR
Data residency supported. Data Processing Agreement (DPA) available on request. privacy@gateco.ai
HIPAA
HIPAA BAA is on our roadmap. Gateco's deny-by-default model, audit trails, and ABAC policies structurally support the minimum necessary standard. Contact us for details on current controls.

Data Security

Encryption at rest
AES-256 for all stored data. Column-level encryption applied to sensitive fields including credentials, tokens, and API keys.
Encryption in transit
TLS 1.3 enforced for all connections — API, dashboard, and SDK traffic.
Data residency
Hosted on a cloud infrastructure provider. EU-region deployment available on Enterprise for customers with data residency requirements.
Sensitive field handling
SCIM tokens, OAuth credentials, and API keys are bcrypt-hashed or column-level encrypted at rest. Plaintext values are never stored after the initial exchange.

Failure Mode & Reliability

Default: fail-closed
If the policy engine encounters an error, retrievals are denied. Every error-time denial is recorded in the audit log with decision=error_deny. No ambiguous access.
Fail-open (Enterprise)
Available on Enterprise via signed agreement. Every error-time allow is flagged in the audit log with decision=error_allow_open for full visibility.
Circuit breaker
Per-connector circuit breaker: 5 errors in 30 seconds trips the breaker; half-opens after 2 minutes to allow recovery.
Uptime SLA
99.9% uptime for Enterprise customers per signed agreement.
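As an added illustration (not Gateco's own code), here is how the per-connector breaker with the thresholds above and a fail-closed evaluation path can be modelled, including the decision values error_deny and error_allow_open; the audit field names follow the Event coverage list on this page, and the request dictionary shape and the policy_fn callable are assumptions.

```python
import time
from collections import deque


class ConnectorBreaker:
    """Per-connector circuit breaker: `threshold` errors inside `window_s`
    seconds trips it; after `half_open_after_s` a single probe is allowed."""

    def __init__(self, threshold=5, window_s=30.0, half_open_after_s=120.0):
        self.threshold, self.window_s = threshold, window_s
        self.half_open_after_s = half_open_after_s
        self.errors = deque()   # timestamps of recent errors
        self.opened_at = None   # None while the breaker is closed

    def state(self, now):
        if self.opened_at is None:
            return "closed"
        return "half_open" if now - self.opened_at >= self.half_open_after_s else "open"

    def record_error(self, now):
        self.errors.append(now)
        while now - self.errors[0] > self.window_s:   # drop errors outside the window
            self.errors.popleft()
        if self.opened_at is not None or len(self.errors) >= self.threshold:
            self.opened_at = now   # trip, or re-open after a failed half-open probe

    def record_success(self):
        self.errors.clear()
        self.opened_at = None   # a successful call (or probe) closes the breaker


def evaluate(breaker, policy_fn, request, fail_open=False, now=None):
    """Run one policy check behind the breaker. Returns (allowed, audit_record).
    Any engine error, or an open breaker, yields error_deny; error_allow_open
    is produced only when fail_open was explicitly enabled (constructed model)."""
    now = time.time() if now is None else now
    keys = ("principal_id", "resource_id", "policy_id", "search_mode")
    record = {k: request[k] for k in keys}
    record["timestamp"] = now
    if breaker.state(now) == "open":
        record["error"] = "circuit_open"
    else:
        try:
            allowed = bool(policy_fn(request))
            breaker.record_success()
            record["decision"] = "allow" if allowed else "deny"
            return allowed, record
        except Exception as exc:   # an engine error counts against the breaker
            breaker.record_error(now)
            record["error"] = type(exc).__name__
    record["decision"] = "error_allow_open" if fail_open else "error_deny"
    return fail_open, record
```

Every error-time outcome carries an explicit decision string, so a log query for decision=error_deny or decision=error_allow_open surfaces each one.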

How We Secure the Broker

  1. Isolated policy evaluation. The policy engine runs in a dedicated compute path. A retrieval error cannot bypass authorization — the two paths share no mutable state.
  2. Encrypted connector credentials. API keys and connection strings to your vector DBs are AES-256 encrypted at rest. They are never forwarded to end users or written to logs.
  3. Token zero-log policy. JWTs and session tokens are never written to audit logs or error messages. Token lifetimes are bounded and not renewable without re-authentication.
  4. Read-only outbound credentials. Connections to vector DBs use credentials scoped to search and read operations only. The write path is never opened during retrieval.

Full threat model documentation is in progress. Contact security@gateco.ai with specific questions.

Subprocessors

Gateco uses the following third-party subprocessors. Each is bound by a Data Processing Agreement.

Stripe
Payment processing — card data is handled entirely by Stripe and never touches Gateco servers.
Cloud infrastructure provider
Compute, storage, and networking. Contact legal@gateco.ai for current provider details and DPA documentation.

Audit & Retention

Audit log retention
90-day default on standard plans. Configurable retention period on Enterprise under signed agreement.
Event coverage
25 audit event types. Every retrieval is logged with principal ID, resource ID, policy ID, decision, search mode, and timestamp.
Export
Growth and Enterprise plans include audit log export in CSV and JSON formats with date-range and event-type filtering.
SIEM integration
Enterprise plans support real-time SIEM streaming for integration with existing security monitoring infrastructure.

Responsible Disclosure

Report a vulnerability
Contact security@gateco.ai. We acknowledge all reports within 24 business hours and coordinate disclosure timelines with researchers.
Pen test coordination
Enterprise customers can schedule authorized penetration tests. Contact security@gateco.ai to coordinate scope and timing.

Self-Hosted & VPC Deployment

A self-hosted runner and Private Data Plane for VPC or on-premises deployment are on the roadmap for Q3 2026. Enterprise customers can join the waitlist now to shape the deployment model.

Cancellation & Refunds

Cancellation
You can cancel at any time from the billing portal. Your subscription remains active through the end of the current billing period.
Refunds
Gateco does not offer refunds. Cancellation takes effect at the end of the billing period. No charges are made after cancellation.

Questions about our security posture?

Enterprise customers can request security artifacts, current compliance documentation, and DPA agreements directly from our team.