Trust & Compliance

Audit-grade, by default.

PHI handling is the foundation of our product, not an afterthought. Gabeo operates under a strict compliance framework, signs BAAs on day one, and ships every output with a defensible audit trail.

Certifications & attestations

Where we are today.

Operational

HIPAA

Full HIPAA Privacy and Security Rule compliance. PHI handled exclusively within audited environments. BAA available to all customers and trading partners on request.

BAA · executed at engagement start

In progress · Q3 2026

SOC 2 Type II

Type I attestation complete. Type II observation window underway, with a Big-Four auditor expected to issue the report in Q3 2026. Bridge letter available on request.

Auditor · disclosed under NDA

Operational

Google Cloud Healthcare Partner

Workloads run on Google Cloud's HIPAA-eligible services: Healthcare API, BigQuery, and Cloud Storage with CMEK. Multi-region disaster recovery.

Region · us-west · us-central

Roadmap · 2027

HITRUST CSF

HITRUST CSF certification is on the 2027 roadmap. Customers requiring HITRUST-aligned controls today can review our mapping under NDA.

Target · r2 validated assessment

Security posture

How we handle your data.

Data minimization

Gabeo only ingests the claim and contract fields needed to perform attribution. We do not request, store, or process PHI beyond what is strictly necessary. Member identifiers are pseudonymized at ingestion; de-identification is available on request.

Tenant isolation

Every customer is isolated in their own logical tenant with separate encryption keys, network policies, and access controls. There is no cross-tenant data flow at any layer of the stack.

Access controls

Role-based access at the contract, line-of-business, and rule-set level. SSO via SAML or OIDC required for production access. MFA enforced for all human operators. Service-account access is short-lived and scoped to specific jobs.

Auditability

Every action - rule edit, claim review, dispute, recoupment decision - is captured to an immutable audit log retained for seven years. Exportable in CSV or JSON, and available to your internal or external auditors on request.

Subprocessors

We maintain a current list of subprocessors and the data each one handles. Material changes are communicated to customers at least 30 days in advance.

Incident response

Documented 24/7 incident response with defined RPO/RTO. Notification within 24 hours of any confirmed security incident affecting customer data, in accordance with the BAA and applicable law.

Policies & documents

Available on request.

The following documents are available under NDA to current and prospective customers. Reach out to contact@gabeo.ai with your request.

Attestation
SOC 2 Type I report · Pre-Type II bridge letter included

Legal
Business Associate Agreement (BAA) · Standard template · custom terms negotiable

Policy
Information Security Policy · Includes acceptable use & access control

Policy
Privacy Policy & Data Processing Agreement · HIPAA-aligned · CCPA-aligned

Policy
Incident Response Plan · Including breach notification procedures

Policy
Business Continuity & Disaster Recovery Plan · RPO 1h · RTO 4h targets

Reference
Subprocessor list · Updated quarterly · change-log included

Reference
Third-party penetration test summary · Most recent · annual cadence

Have a security questionnaire?
Send it our way.

We respond to security and compliance reviews within 5 business days, including CAIQ, SIG, and customer-specific questionnaires.