// Trust & Security Report
Documate, Inc. d/b/a Gavel
Gavel (AI Contract Review and Document Automation for Legal Teams)
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on gavel.io“Gavel is SOC 2 Type I certified, independently verified by a third-party auditor. This certification confirms that Gavel's security controls meet the AICPA's Trust Services Criteria for security, availability, and confidentiality.”
Verify on gavel.io“Homepage states 'SOC 2 and HIPAA-compliant databases' but the privacy policy explicitly states Gavel does not knowingly collect protected health information (PHI). No BAA offering found, no HIPAA certification page. The 'HIPAA-compliant' claim appears to reference AWS infrastructure eligibility, not a Gavel-level HIPAA program.”
> Show 3 unconfirmed / not-held certifications
source: gavel.ioNo mention of SOC 2 Type II on Gavel's security page or elsewhere on their domain. Only Type I is claimed.
source: gavel.ioGavel's security page states AWS data centers are 'managed in accordance with SOC 1-3, PCI DSS Level 1 and ISO 9001/ISO 27001' but this is the AWS infrastructure certification, not a Gavel-held ISO 27001 certificate.
source: gavel.ioGavel only uses and integrates with payment vendors who are operating in accordance with PCI legislation. Gavel does not store any payment information. Gavel itself is not PCI-certified; it delegates payment processing to PCI-compliant vendors (Stripe).
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (AWS, default). Optional hosting in EU, Canada, Australia, or any AWS region on request.
Gavel has entered into Zero Data Retention Agreements with AI models it uses, including OpenAI. Gavel does not use customer data, prompts, or document content to train any AI models. All data stays segregated and private to the customer and is used only to generate results for that individual customer. AI features (Gavel Exec, AI-assisted workflows) are entirely optional.
// Security controls
Encryption at rest
AES-256 via AWS. Each customer has an isolated database and file storage. All data is protected by real-time 256-bit AES encryption.
gavel.ioEncryption in transit
TLS (Transport Layer Security). Only HTTPS via SSL encryption to web app and service endpoints is permitted.
gavel.ioPenetration testing
Annual third-party penetration testing by a leading cybersecurity firm. Includes static/dynamic source code analysis, OWASP checklist, CSRF, injection attacks, session management, and pre/post-authentication attack scenarios.
gavel.ioBug bounty program
None identified. No HackerOne or Bugcrowd listing found.
Authentication
Two-factor authentication (2FA) and SSO supported. Strong password enforcement, account lockout after failed attempts, and regular mandatory password resets.
gavel.ioCustomer data isolation
Each customer is set up on their own subdomain and isolated database.
gavel.ioEmployee security training
All employees receive security and compliance training upon onboarding and at least annually thereafter.
gavel.ioInternal security protocols
Two-factor authentication, background checks, regular employee security training, and secure access policies enforced across the organization.
gavel.ioZero Data Retention with AI providers
Contractual Zero Data Retention Agreements with OpenAI and other AI model providers. Data is processed only for each request and then deleted; not stored or used to train AI models.
gavel.ioAcquisition context
Gavel was acquired by Relativity (a legal data intelligence company with enterprise compliance posture) on June 12, 2026. Integration into RelativityOne is ongoing. Future compliance posture may strengthen under Relativity's umbrella.
relativity.com// Products & data scope
data: Processes contract documents and legal content via OpenAI under a Zero Data Retention Agreement. Gavel does not store documents. Customer data is not used to train AI models. Provides first-pass review, redlining, clause drafting, playbooks, and market benchmarking.
AI features are optional. 25 free queries per user on trial. $160/month per user for 1,000 completions. Available as a Word add-in and browser-based tool.
data: Processes client intake responses and generates legal documents (wills, NDAs, court forms, etc.). Can be used without enabling AI. Customer data stored in isolated, AES-256 encrypted AWS databases per tenant. Customers retain full control and can delete data immediately.
Used by 2,000+ law firms and legal teams. Supports estate planning, family law, real estate, corporate, probate, bankruptcy, and employment practice areas. Offers a client-facing portal with encryption. AI in Workflows is optional and subject to the same ZDR commitments.
// What to watch
- HIPAA marketing claim on homepage ('SOC 2 and HIPAA-compliant databases') is misleading: this refers to the underlying AWS infrastructure being HIPAA-eligible, not a Gavel-held HIPAA certification or BAA program. No Business Associate Agreement offering was found. Legal teams handling PHI should clarify before use.
- Only SOC 2 Type I (design-point snapshot), not Type II (operating effectiveness over time). For regulated industries, Type II is typically required.
- No public bug bounty program (HackerOne, Bugcrowd, or otherwise) identified.
- DPA is not automatic: customers collecting third-party data must complete a survey to determine DPA eligibility. Not a frictionless process for GDPR compliance.
- Acquired by Relativity in June 2026. Integration is in progress. Future data handling policies, compliance posture, and product roadmap may change. Buyers should monitor post-acquisition policy updates.
- Liability cap is very low: capped at $100 or amounts paid in the previous 12 months, whichever is greater. This is a significant exposure risk for law firms processing sensitive client data.
- Privacy policy collector captured HubSpot and Microsoft privacy pages instead of Gavel's own policy (evidence of third-party tracker footers). Gavel's own policy is confirmed at gavel.io/privacy.
// At a glance
Pricing model
Freemium with paid tiers. Free trial (no credit card required). Gavel Exec: $160/month per user for 1,000 completions. Gavel Workflows: pricing available on request; template library offers plans at under one billable hour per month.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Documate, Inc. d/b/a Gavel's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
gavel.io