Enterprise Security & Privacy, Built for Scale

At GammaLex, data protection is foundational, and we are continuously building and strengthening our multi-layered security framework. From day one, our focus has been on ensuring confidentiality, integrity, and availability, so that you can have full confidence in how your most critical information is safeguarded.

Our privacy philosophy: Data minimization and client control of data

The two core philosophies of data minimization and client control consistently inform how our team — from engineering to client success — builds our vertical AI for healthcare and handles client data. Unlike many other AI/ML companies, we aim to collect the minimum data required to provide our services (and nothing more). Additionally, we always provide our healthcare clients transparency around and control over their data. They choose which healthcare systems and data sources to provide via secure API access, and can turn off API access to any data source at any time. For more information on our privacy program, please see our Privacy Policy.

Our security philosophy:

  • Confidentiality
  • Integrity
  • Availability

Our security program is aligned with SOC 2 Type II and the ISO 27000 family of standards. While we are still working toward full certification, we maintain industry-leading administrative, physical, and technical safeguards to protect healthcare client data. We continuously monitor and strengthen our vertical AI application, systems, and processes to meet the demands of a constantly evolving security landscape, with transparency and trust at the core of our approach.

Core AI Principles

Building healthcare AI that earns trust through transparency and responsible design

Data minimization philosophy

Unlike many AI companies that collect everything, we believe in collecting only what's necessary. Our vertical AI approach means we focus on specific healthcare use cases, requiring minimal data to deliver maximum impact. We're building systems that respect data boundaries while delivering powerful insights.

Privacy by design

Privacy isn't an afterthought—it's built into every layer of our system. We're designing for HIPAA compliance, GDPR readiness, and healthcare-specific privacy requirements. Our approach ensures that patient data protection is foundational, not retrofitted.

Building trust through transparency

Trust in healthcare AI requires more than certifications—it requires transparency. We're committed to showing our work, explaining our decisions, and being open about our processes. This transparency builds the foundation for long-term trust with healthcare providers.

Security & Infrastructure

Enterprise-grade security and robust infrastructure for healthcare AI

Security foundation

We're building with enterprise-grade security principles from day one. While we're in beta, our architecture is designed for the security requirements of healthcare organizations. We're implementing robust encryption, secure API access, and comprehensive audit trails—laying the groundwork for future compliance certifications.

Cloud-native infrastructure

We're building on distributed cloud infrastructure, which enables speed and security through highly rated third-party vendors such as AWS, GCP, and Azure. We plan to use these cloud-native platforms based on client requirements and needs, helping customers stay secure, resilient, and scalable through sound engineering practices.

Robust data encryption

We encrypt your healthcare data with AES-256 encryption at rest and protect it in transit with TLS 1.3 using SHA-256. The keys for these systems are rotated frequently, in line with industry-standard key management (KMS) practices, and are protected by the KMS itself. We implement current encryption standards to balance strong security with efficiency.

Compliance & Standards

Building toward enterprise-grade compliance and regulatory standards

Compliance roadmap

We are on track for SOC 2 Type II certification and key healthcare compliance standards. During our beta phase, we're focused on building a strong, scalable foundation with a clear path to enterprise-grade compliance. We're committed to transparency—sharing where we are today and where we're headed as we work toward full certification.

GDPR and CCPA compliance

GammaLex is actively working toward compliance with GDPR, CCPA, and other applicable privacy regulations. Our healthcare AI products are being developed with a strong focus on data minimization, transparency, and client control. Privacy is a core design principle, and we are committed to building systems that respect and protect personal information. For more details, please see our Privacy Policy.

SOC 2 Type II in progress

At GammaLex, we are committed to earning your trust through transparency and strong data stewardship. While we are not yet SOC 2 Type II certified, we are actively aligning our systems and processes with the standards set by the AICPA. Our goal is to meet and exceed key controls around security, availability, and confidentiality as we continue building a platform that's both responsible and resilient.

Data Privacy Framework in progress

GammaLex is actively preparing for participation in the CAN–U.S. Data Privacy Frameworks. These frameworks, developed by the U.S. Department of Commerce in collaboration with international partners including the Government of Canada, are designed to enable secure, lawful transfers of personal data across borders. While we are not yet certified, we are building toward full alignment to ensure our cross-border data practices meet the highest standards of privacy, transparency, and trust.