Three Gates Security Overview
Last updated: May 20, 2026
Three Gates is committed to protecting the confidentiality, integrity, and availability of the data entrusted to us. The following controls describe the safeguards implemented today and the maturity steps planned in connection with first-customer engagement. The full security posture statement is available under NDA.
1. HIPAA Security Rule support
Three Gates is designed to support HIPAA Security Rule obligations for Covered Entities and Business Associates. Technical safeguards under §164.312 (access control, audit controls, integrity, transmission security) are implemented in the platform. Administrative safeguards under §164.308, including the formal System Security Plan, Incident Response plan, Disaster Recovery runbook, and risk register, are being formalized in connection with first-customer engagement. Physical safeguards under §164.310 are inherited from Microsoft Azure data center controls.
2. Infrastructure Security
The platform is hosted on Microsoft Azure within HIPAA-eligible services. Production workloads are isolated in virtual networks with network security groups enforcing least-privilege connectivity. Azure regions are limited to the United States to support data residency expectations.
3. Encryption Standards
All inbound and outbound traffic is encrypted using TLS 1.2 or higher with modern cipher suites. Data at rest, including databases, file storage, and backups, uses AES-256 encryption with keys managed by Azure Key Vault. Customer-managed key arrangements are available on request.
4. Access Controls
Administrative access to production systems requires single sign-on with multi-factor authentication. Access is granted based on job function. Service-to-service authentication uses short-lived credentials, and access events are logged for audit purposes.
5. Audit Logging
Three Gates captures detailed audit logs for authentication events, configuration changes, data access, AI requests, and policy decisions. Logs are written to immutable storage with a 7-year retention target. Alerting, on-call response, and SIEM forwarding are scoped to customer agreements.
6. Vulnerability and Patch Management
Automated dependency vulnerability scanning runs continuously against the codebase. Critical issues are tracked to remediation. Updates follow a change-management process with peer review and automated test gates. A software bill of materials (SBOM) is maintained for the production application.
7. Incident Response
An incident response plan defines triage, communication, and escalation. The formal IR runbook and tabletop schedule are being formalized as part of first-customer engagement. In the event of a confirmed security incident involving PHI, Three Gates will notify affected Covered Entities consistent with the executed Business Associate Agreement and applicable law.
8. Business Continuity and Disaster Recovery
Encrypted backups are stored in geographically diverse Azure regions. Recovery time and recovery point objectives are scoped to the executed customer agreement. A formal disaster recovery runbook is in development as part of first-customer engagement.
9. Personnel Security
Personnel with access to production systems sign confidentiality agreements prior to access. Formal background-check, training, and phishing-simulation programs will be implemented as the company scales beyond founder-led operations.
10. Third-Party Risk Management
Sub-processors that handle PHI execute Business Associate Agreements with Hearth and Alloy, Inc. Sub-processors are evaluated against their published security posture and compliance commitments. A current sub-processor list is available on request.
11. Penetration Testing and Assessments
Third-party penetration testing is planned and gated on customer engagement. Internal security review and dependency vulnerability scanning are operational today. Summaries of independent assessments will be made available under NDA once conducted.
12. Coordinated Vulnerability Disclosure
We welcome reports from the security community and follow coordinated disclosure. Report potential vulnerabilities privately to security@threegates.ai. Please do not open public issues or post details on social media before a fix is in place. Start your subject line with "[security]" so the message is routed correctly. PGP is available on request; reply to the same address and we will send a public key before you share details.

Please include, to the extent you have it: a description of the issue and its impact, steps to reproduce or a proof-of-concept, the affected component or version, and any logs or recordings that help us reproduce it.

Our commitments:
- Acknowledge your report within 3 business days.
- Provide an initial assessment (accept, decline, or need more info) within 10 business days.
- Keep you informed of remediation progress on a cadence we agree with you.
- Credit you in the release notes for the fix, unless you ask us not to.

Default disclosure window: 90 days from acknowledgement. Earlier when a fix is already shipped; longer when remediation is genuinely complex and we can show the delay is necessary.

In scope: the Three Gates production application and APIs at app.threegates.ai, the marketing site at threegates.ai, and the assessment funnel.

Out of scope: third-party dependencies (please report upstream), social engineering of Three Gates personnel or customers, physical attacks, volumetric denial-of-service, automated scanner output without evidence of exploitability, missing security headers on marketing pages with no sensitive surface, and best-practice advice without a concrete attack scenario.

Safe harbor: if you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you for security research conducted within scope, will work with you to resolve the issue, and will recognize your contribution if you wish. Good faith excludes accessing or exfiltrating data that is not your own, degrading service for other users, and persisting access beyond what is needed to demonstrate the issue.

Automated discovery: see /.well-known/security.txt (RFC 9116).
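The policy points automated tooling at /.well-known/security.txt. As an added example (not Three Gates' published file or code), the following checks a security.txt body against the RFC 9116 requirements a defender cares about: at least one Contact given as a mailto:/https:/tel: URI, and exactly one RFC 3339 Expires that is still in the future and no more than a year out. The sample file is constructed; only the contact address comes from the policy above.

```python
from datetime import datetime
from urllib.parse import urlparse

CONTACT_SCHEMES = {"mailto", "https", "tel"}  # URI schemes RFC 9116 allows for Contact

def parse_rfc3339(value):
    """Expires is an RFC 3339 date-time; Python needs the 'Z' suffix spelled as '+00:00'."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))

def parse_security_txt(text):
    """Return {lower-case field name: [values]}; '#' comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now_iso):
    """Return a list of problems judged against the clock now_iso; [] means all checks passed."""
    now = parse_rfc3339(now_iso)
    fields = parse_security_txt(text)
    problems = []
    if "contact" not in fields:
        problems.append("Contact is required (at least one)")
    for uri in fields.get("contact", []):
        if urlparse(uri).scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact must be a mailto:/https:/tel: URI, got {uri!r}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires is required and must appear exactly once")
    else:
        try:  # a naive (offset-less) stamp raises TypeError on comparison: not valid RFC 3339
            exp = parse_rfc3339(expires[0])
            if exp <= now:
                problems.append("file has expired; treat its contents as stale")
            elif (exp - now).days > 365:
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
        except (ValueError, TypeError):
            problems.append(f"Expires is not an RFC 3339 date-time with offset: {expires[0]!r}")
    return problems

SAMPLE = """# constructed sample; the contact address is the one from the policy above
Contact: mailto:security@threegates.ai
Expires: 2026-11-20T00:00:00Z
"""
```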
13. Compliance Roadmap
The platform is designed to support HIPAA Security Rule obligations today and is BAA-ready for healthcare customers. A SOC 2 Type II audit is planned and gated on customer engagement. HITRUST i1 certification is planned to follow the initial SOC 2 Type II report. Cyber liability and tech E&O insurance procurement is in progress. The full security posture statement is available under NDA.
Have a security question or finding?
For coordinated vulnerability disclosure, email security@threegates.ai with a subject line starting with [security]. The automated discovery contact is published at /.well-known/security.txt. For general security or compliance questions, the same address routes to a security review under NDA.