// Trust & Security Report

    Documate, Inc. d/b/a Gavel logo

    Documate, Inc. d/b/a Gavel

    Gavel (AI Contract Review and Document Automation for Legal Teams)

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    Gavel is SOC 2 Type I certified, independently verified by a third-party auditor. This certification confirms that Gavel's security controls meet the AICPA's Trust Services Criteria for security, availability, and confidentiality.

    Verify on gavel.io
    HIPAA
    HELD

    Homepage states 'SOC 2 and HIPAA-compliant databases' but the privacy policy explicitly states Gavel does not knowingly collect protected health information (PHI). No BAA offering found, no HIPAA certification page. The 'HIPAA-compliant' claim appears to reference AWS infrastructure eligibility, not a Gavel-level HIPAA program.

    Verify on gavel.io
    > Show 3 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No mention of SOC 2 Type II on Gavel's security page or elsewhere on their domain. Only Type I is claimed.

    source: gavel.io
    ISO 27001
    NOT CONFIRMED

    Gavel's security page states AWS data centers are 'managed in accordance with SOC 1-3, PCI DSS Level 1 and ISO 9001/ISO 27001' but this is the AWS infrastructure certification, not a Gavel-held ISO 27001 certificate.

    source: gavel.io
    PCI DSS
    NOT CONFIRMED

    Gavel only uses and integrates with payment vendors who are operating in accordance with PCI legislation. Gavel does not store any payment information. Gavel itself is not PCI-certified; it delegates payment processing to PCI-compliant vendors (Stripe).

    source: gavel.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (AWS, default). Optional hosting in EU, Canada, Australia, or any AWS region on request.

    Gavel has entered into Zero Data Retention Agreements with AI models it uses, including OpenAI. Gavel does not use customer data, prompts, or document content to train any AI models. All data stays segregated and private to the customer and is used only to generate results for that individual customer. AI features (Gavel Exec, AI-assisted workflows) are entirely optional.

    // Security controls

    Encryption at rest

    AES-256 via AWS. Each customer has an isolated database and file storage. All data is protected by real-time 256-bit AES encryption.

    gavel.io

    Encryption in transit

    TLS (Transport Layer Security). Only HTTPS via SSL encryption to web app and service endpoints is permitted.

    gavel.io

    Penetration testing

    Annual third-party penetration testing by a leading cybersecurity firm. Includes static/dynamic source code analysis, OWASP checklist, CSRF, injection attacks, session management, and pre/post-authentication attack scenarios.

    gavel.io

    Bug bounty program

    None identified. No HackerOne or Bugcrowd listing found.

    Authentication

    Two-factor authentication (2FA) and SSO supported. Strong password enforcement, account lockout after failed attempts, and regular mandatory password resets.

    gavel.io

    Customer data isolation

    Each customer is set up on their own subdomain and isolated database.

    gavel.io

    Employee security training

    All employees receive security and compliance training upon onboarding and at least annually thereafter.

    gavel.io

    Internal security protocols

    Two-factor authentication, background checks, regular employee security training, and secure access policies enforced across the organization.

    gavel.io

    Zero Data Retention with AI providers

    Contractual Zero Data Retention Agreements with OpenAI and other AI model providers. Data is processed only for each request and then deleted; not stored or used to train AI models.

    gavel.io

    Acquisition context

    Gavel was acquired by Relativity (a legal data intelligence company with enterprise compliance posture) on June 12, 2026. Integration into RelativityOne is ongoing. Future compliance posture may strengthen under Relativity's umbrella.

    relativity.com

    // Products & data scope

    Gavel ExecAI Contract Review (Microsoft Word add-in and web)

    data: Processes contract documents and legal content via OpenAI under a Zero Data Retention Agreement. Gavel does not store documents. Customer data is not used to train AI models. Provides first-pass review, redlining, clause drafting, playbooks, and market benchmarking.

    AI features are optional. 25 free queries per user on trial. $160/month per user for 1,000 completions. Available as a Word add-in and browser-based tool.

    Gavel WorkflowsLegal Document Automation (no-AI mode available)

    data: Processes client intake responses and generates legal documents (wills, NDAs, court forms, etc.). Can be used without enabling AI. Customer data stored in isolated, AES-256 encrypted AWS databases per tenant. Customers retain full control and can delete data immediately.

    Used by 2,000+ law firms and legal teams. Supports estate planning, family law, real estate, corporate, probate, bankruptcy, and employment practice areas. Offers a client-facing portal with encryption. AI in Workflows is optional and subject to the same ZDR commitments.

    // What to watch

    • HIPAA marketing claim on homepage ('SOC 2 and HIPAA-compliant databases') is misleading: this refers to the underlying AWS infrastructure being HIPAA-eligible, not a Gavel-held HIPAA certification or BAA program. No Business Associate Agreement offering was found. Legal teams handling PHI should clarify before use.
    • Only SOC 2 Type I (design-point snapshot), not Type II (operating effectiveness over time). For regulated industries, Type II is typically required.
    • No public bug bounty program (HackerOne, Bugcrowd, or otherwise) identified.
    • DPA is not automatic: customers collecting third-party data must complete a survey to determine DPA eligibility. Not a frictionless process for GDPR compliance.
    • Acquired by Relativity in June 2026. Integration is in progress. Future data handling policies, compliance posture, and product roadmap may change. Buyers should monitor post-acquisition policy updates.
    • Liability cap is very low: capped at $100 or amounts paid in the previous 12 months, whichever is greater. This is a significant exposure risk for law firms processing sensitive client data.
    • Privacy policy collector captured HubSpot and Microsoft privacy pages instead of Gavel's own policy (evidence of third-party tracker footers). Gavel's own policy is confirmed at gavel.io/privacy.

    // At a glance

    Pricing model

    Freemium with paid tiers. Free trial (no credit card required). Gavel Exec: $160/month per user for 1,000 completions. Gavel Workflows: pricing available on request; template library offers plans at under one billable hour per month.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Documate, Inc. d/b/a Gavel's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    gavel.io

    > Browse all vendor trust reports