GDPR

Supported — DPA available

Gateco can be deployed in a GDPR-compliant configuration. A Data Processing Agreement is available on request, EU-region deployment is available on Enterprise, and the Gateco architecture is designed to minimize personal data processing at the retrieval layer.

Data processing summary

  • Role: Gateco acts as a data processor when processing personal data (principal identifiers, audit records) on behalf of your organization.
  • Personal data processed: Principal identifiers and attributes synced from your IDP (email, display name, groups, department). Audit records (principal ID, resource ID, policy ID, decision, timestamp). No retrieved document content is stored.
  • Data residency: EU-region deployment available on Enterprise. Contact enterprise@gateco.ai.
  • DPA: Available on request at privacy@gateco.ai.
  • Data retention: Audit records: 90-day default, configurable on Enterprise. Principal data: retained while IDP sync is active, deleted on connector removal.
  • Sub-processors: Listed in the DPA and on the /security page. Each is bound by a Data Processing Agreement.

GDPR Article alignment

  • Article 5 (data minimisation): Gateco stores principal identifiers and audit records only. Retrieved document content is not persisted.
  • Article 25 (privacy by design): The fail-closed default means policy errors produce denials, so access is never left ambiguous. The audit trail records every decision.
  • Article 28 (processor obligations): DPA available. Sub-processor list maintained and disclosed.
  • Article 32 (security of processing): AES-256 encryption at rest, TLS 1.3 in transit, KMS envelope encryption for connector credentials with per-tenant EncryptionContext.
  • Article 17 (right to erasure): Principal records can be deleted via the API. Audit records for deleted principals are anonymized (principal ID replaced with [deleted]) on request.

Frequently asked questions

Is a Data Processing Agreement (DPA) available for Gateco?
Yes. A DPA is available on request for customers who process personal data through Gateco. Contact privacy@gateco.ai to request the DPA.
Does Gateco support EU data residency?
EU-region deployment is available on Enterprise plans for customers with data residency requirements. Contact enterprise@gateco.ai to discuss your requirements.
Does Gateco store personal data from retrieved documents?
Gateco stores principal identifiers (user IDs, email addresses synced from your IDP) and audit records (which principal retrieved which resource). It does not store the content of retrieved documents. Audit log retention is 90 days by default, configurable on Enterprise.

Data processing questions

Contact privacy@gateco.ai for DPA requests, data processing questions, or EU-region deployment information.