Security you can verify

SOC 2 Type II

Audit underway, target H2 2026. Enterprise customers can request current security artifacts. enterprise@gateco.ai

GDPR

Data residency supported. Data Processing Agreement (DPA) available on request. privacy@gateco.ai

HIPAA

HIPAA BAA is on our roadmap. Gateco's deny-by-default model, audit trails, and ABAC policies structurally support the minimum necessary standard. Contact us for details on current controls.

Encryption at rest

AES-256 for all stored data. Column-level encryption applied to sensitive fields including credentials, tokens, and API keys.

Encryption in transit

TLS 1.3 enforced for all connections: API, dashboard, and SDK traffic.

Data residency

Hosted on a cloud infrastructure provider. EU-region deployment available on Enterprise for customers with data residency requirements.

Sensitive field handling

SCIM tokens, OAuth credentials, and API keys are bcrypt-hashed or column-level encrypted at rest. Plaintext values are never stored after the initial exchange.

Default: fail-closed

If the policy engine encounters an error, retrievals are denied. Every error-time denial is recorded in the audit log with decision=error_deny. No ambiguous access.

Fail-open (Enterprise)

Available on Enterprise via signed agreement. Every error-time allow is flagged in the audit log with decision=error_allow_open for full visibility.

Circuit breaker

Per-connector circuit breaker: 5 errors in 30 seconds trips the breaker; half-opens after 2 minutes to allow recovery.

Uptime SLA

99.9% uptime for Enterprise customers per signed agreement.

• 1Isolated policy evaluation. The policy engine runs in a dedicated compute path. A retrieval error cannot bypass authorization. The two paths share no mutable state.
• 2Encrypted connector credentials. API keys and connection strings to your vector DBs are AES-256 encrypted at rest. They are never forwarded to end users or written to logs.
• 3Token zero-log policy. JWTs and session tokens are never written to audit logs or error messages. Token lifetimes are bounded and not renewable without re-authentication.
• 4Read-only outbound credentials. Connections to vector DBs use credentials scoped to search and read operations only. The write path is never opened during retrieval.

Full threat model documentation is in progress. Contact security@gateco.ai with specific questions.

KMS per-tenant binding

Every connector credential DEK is now wrapped with an EncryptionContext keyed to the organization ID. AWS KMS rejects any decrypt request that supplies a different context. Cross-org credential access is impossible at the key-management layer.

Expanded credential redaction

All log writes and error responses now strip five additional credential patterns: OpenAI keys (sk-…), Anthropic keys (sk-ant-…), GitHub PATs (ghp_/ghs_/gho_), Google OAuth (GOCSPX-), and Slack tokens (xoxb-/xoxp-/xoxe-). A CI gate (test_credential_log_redaction.py) fails the build if any sentinel credential reaches stdout, stderr, log buffers, or HTTP responses.

Vendor error sanitization

All calls to embedding providers and LLM answer synthesis now pass through sanitize_vendor_error() before any logging or API response. Raw vendor exceptions, which may contain API keys in their message payloads, are replaced with safe, structured error codes.

Fail-closed as org default

All newly created organizations now default to failure_mode=closed. On any policy evaluation error, access is denied and a decision=error_deny event is written to the audit log. Fail-open remains available on Enterprise under a signed agreement.

Per-org LLM API key (BYOK)

Organizations can now configure their own OpenAI API key in Organization Settings. Keys are stored with the same envelope encryption as connector credentials: KMS-wrapped DEK, AES-256 at rest, never written to logs.

Resource-limit advisory lock

The team member and connector resource-limit checks now acquire a PostgreSQL advisory lock before the count-and-check query. This eliminates the TOCTOU race where concurrent invite requests could all pass the cap check simultaneously.

Startup price validation

When deployed with a live Stripe key (sk_live_), the backend now validates that all six Stripe price IDs are configured at boot. A missing price ID raises a RuntimeError immediately, so checkout failures from misconfiguration are caught before any customer traffic.

New CI gates

Three new mandatory CI tests block merges on security regressions: test_credential_log_redaction.py, test_credential_isolation.py (KMS cross-tenant isolation), and test_admin_routes_authenticated.py (every admin endpoint requires an auth token).

Gateco uses the following third-party subprocessors. Each is bound by a Data Processing Agreement.

Stripe

Payment processing. Card data is handled entirely by Stripe and never touches Gateco servers.

Cloud infrastructure provider

Compute, storage, and networking. Contact legal@gateco.ai for current provider details and DPA documentation.

Audit log retention

90-day default on standard plans. Configurable retention period on Enterprise under signed agreement.

Event coverage

50+ audit event types. Every retrieval is logged with principal ID, resource ID, policy ID, decision, search mode, and timestamp.

Export

Growth and Enterprise plans include audit log export in CSV and JSON formats with date-range and event-type filtering.

SIEM integration

Enterprise plans support real-time SIEM streaming for integration with existing security monitoring infrastructure.

Report a vulnerability

Contact security@gateco.ai. We acknowledge all reports within 24 business hours and coordinate disclosure timelines with researchers.

Pen test coordination

Enterprise customers can schedule authorized penetration tests. Contact security@gateco.ai to coordinate scope and timing.

A self-hosted runner and Private Data Plane for VPC or on-premises deployment are on the roadmap for Q3 2026. Enterprise customers can join the waitlist now to shape the deployment model.

Cancellation

You can cancel at any time from the billing portal. Your subscription remains active through the end of the current billing period.

Refunds

Gateco does not offer refunds. Cancellation takes effect at the end of the billing period. No charges are made after cancellation.