Three Gates Security Overview
Last updated: April 26, 2026
Three Gates is committed to protecting the confidentiality, integrity, and availability of the data entrusted to us. The following controls describe the safeguards implemented today and the maturity steps planned in connection with first-customer engagement. The full security posture statement is available under NDA.
1. HIPAA Security Rule Support
Three Gates is designed to support HIPAA Security Rule obligations for Covered Entities and Business Associates. Technical safeguards under §164.312 (access control, audit controls, integrity, transmission security) are implemented in the platform. Administrative safeguards under §164.308, including the formal System Security Plan, Incident Response plan, Disaster Recovery runbook, and risk register, are being formalized in connection with first-customer engagement. Physical safeguards under §164.310 are inherited from Microsoft Azure data center controls.
2. Infrastructure Security
The platform is hosted on Microsoft Azure within HIPAA-eligible services. Production workloads are isolated in virtual networks with network security groups enforcing least-privilege connectivity. Azure regions are limited to the United States to support data residency expectations.
3. Encryption Standards
All inbound and outbound traffic is encrypted using TLS 1.2 or higher with modern cipher suites. Data at rest, including databases, file storage, and backups, uses AES-256 encryption with keys managed by Azure Key Vault. Customer-managed key arrangements are available on request.
4. Access Controls
Administrative access to production systems requires single sign-on with multi-factor authentication. Access is granted based on job function. Service-to-service authentication uses short-lived credentials, and access events are logged for audit purposes.
5. Audit Logging
Three Gates captures detailed audit logs for authentication events, configuration changes, data access, AI requests, and policy decisions. Logs are written to immutable storage with a 7-year retention target. Alerting, on-call response, and SIEM forwarding are scoped to customer agreements.
6. Vulnerability and Patch Management
Automated dependency vulnerability scanning runs continuously against the codebase. Critical issues are tracked to remediation. Updates follow a change-management process with peer review and automated test gates. A software bill of materials (SBOM) is maintained for the production application.
7. Incident Response
An incident response plan defines triage, communication, and escalation. The formal IR runbook and tabletop schedule are being formalized as part of first-customer engagement. In the event of a confirmed security incident involving PHI, Three Gates will notify affected Covered Entities consistent with the executed Business Associate Agreement and applicable law.
8. Business Continuity and Disaster Recovery
Encrypted backups are stored in geographically diverse Azure regions. Recovery time and recovery point objectives are scoped to the executed customer agreement. A formal disaster recovery runbook is in development as part of first-customer engagement.
9. Personnel Security
Personnel with access to production systems sign confidentiality agreements prior to access. Formal background-check, training, and phishing-simulation programs will be implemented as the company scales beyond founder-led operations.
10. Third-Party Risk Management
Sub-processors that handle PHI execute Business Associate Agreements with Hearth and Alloy, Inc. Sub-processors are evaluated against their published security posture and compliance commitments. A current sub-processor list is available on request.
11. Penetration Testing and Assessments
Third-party penetration testing is planned and will be scheduled in connection with customer engagement. Internal security review and dependency vulnerability scanning are operational today. Summaries of independent assessments will be made available under NDA once they have been conducted.
12. Vulnerability Disclosure
We welcome reports from the security community. Please email potential vulnerabilities to security@threegates.ai with steps to reproduce, impact assessment, and any relevant logs. A formal published vulnerability disclosure policy is planned.
13. Compliance Roadmap
The platform is designed to support HIPAA Security Rule obligations today and is BAA-ready for healthcare customers. A SOC 2 Type II audit is planned and will be scheduled in connection with customer engagement. HITRUST i1 certification is planned to follow the initial SOC 2 Type II report. Procurement of cyber liability and technology E&O insurance is in progress. The full security posture statement is available under NDA.
Have a security question?
Contact us at security@threegates.ai to coordinate a security review under NDA.