// Trust & Security Report
Nabla Technologies (Nabla Technologies SAS, France / Nabla Technologies Inc., Delaware, USA)
Ambient AI clinical documentation and dictation assistant for healthcare providers (Nabla Copilot core product), plus Nabla Connect (plug-and-play ambient AI module embedded directly in EHR workflows) and EHR/API integrations (e.g. athenahealth)
Certifications held
9
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.nabla.com“Compliance: SOC 2 Type 2 / Request. Resources: SOC 2 Type II Report, November 2024 to October 2025”
Verify on trust.nabla.com“Compliance: ISO 27001 / Request. Resources: ISO/IEC 27001, September 2025”
Verify on trust.nabla.com“Nabla follows HIPAA, GDPR, SOC2, ISO27001 and NIST Cybersecurity standards for security and privacy. ... you will be required to agree to the Business Associate Agreement made available to you in appendix I.”
Verify on trust.nabla.com“Compliance: GDPR / Request. DPA: 'Where this is not the case, NABLA ensures that the transfer is conducted in accordance with the Standard Contractual Clauses (SCCs).'”
Verify on trust.nabla.com“Does Nabla follow the EU AI Act? Yes. While Nabla is not considered high risk under the EU AI Act, we still follow requirements including published transparency standards on our model.”
Verify on trust.nabla.com“Texas RAMP / Request. TX-RAMP Certificate, Level 2, January 2026”
> Show 5 unconfirmed / not-held certifications
source: trust.nabla.comNo public evidence. Trust center lists an 'AI Model Card (CHAI version 2)' and an 'AI Governance Whitepaper' as self-published AI governance artifacts, but ISO/IEC 42001 is not named anywhere on the trust center or compliance list.
source: trust.nabla.comNo public evidence found on trust center, privacy policy, or DPA.
source: trust.nabla.comNo public evidence. Only a Texas state-level 'TX-RAMP Level 2' certificate is listed; this is a state government authorization program and must not be conflated with federal FedRAMP.
source: trust.nabla.comNo public evidence and not applicable; Nabla is a clinical documentation SaaS with no consumer payment processing surfaced on vendor pages.
source: trust.nabla.comNo public evidence found; only ISO/IEC 27001 (core information security management) is listed on the trust center.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US clients: data hosted in Google Cloud (GCP) US region. Non-US clients: Google Cloud (GCP) Belgium/EU region. Speech-to-text processing via Microsoft Azure (trust center states 'U.S. Regions'; the signed DPA appendix instead names 'Microsoft Ireland Operations Ltd' as the subprocessor for EU contracts) -- minor naming inconsistency between the public trust center subprocessor list and the DPA appendix, likely reflecting region-specific subprocessor entities rather than a contradiction.
Nabla states audio is not stored by default and is not used for training. The Data Protection Agreement (Section 13) permits Nabla to anonymize client data for 'continuous improvement of the Solution' only 'subject to the prior express authorization of the DATA CONTROLLER,' and 'only the DATA CONTROLLER shall determine which reports it wishes to transmit to NABLA for anonymization' -- i.e. an opt-in carve-out, not a default. Directory copy should reflect 'no training by default, opt-in only' rather than an unqualified 'never trains on data' claim, to avoid overstating the marketing framing found on the blog/FAQ.
// Security controls
Continuous monitoring
Trust center continuously monitored via Secureframe (third-party GRC platform)
trust.nabla.comPenetration testing
Third-party penetration test performed; executive summary available on request, dated April 2026
trust.nabla.comData retention
Audio is not stored by default. Clinical notes/transcripts retained 14 days by default, configurable by client per geographic region requirements
trust.nabla.comSecurity governance
Dedicated Information Security and Privacy team; 25 documented information security policies, reviewed at minimum annually; formal vendor risk management program with annual audits of critical/high vendors
trust.nabla.comSubprocessors
Google Cloud (infrastructure hosting: Central Region USA; Belgium for non-USA); Microsoft Azure (speech-to-text operations, US regions per trust center / Microsoft Ireland Operations Ltd per signed DPA); Front (support ticketing, explicitly no PHI)
trust.nabla.com// Products & data scope
data: Real-time transcription of patient encounters; audio not stored by default; generated clinical notes retained 14 days by default (configurable)
Deployed in 190+ health organizations per vendor homepage; core product used by individual clinicians and health systems
data: Same underlying processing and retention policies as core product, embedded directly inside the customer's existing EHR workflow
Plug-and-play module positioned for any EHR, reducing separate-app friction for clinicians
data: Same contractual DPA/BAA terms extend to API-based usage per Nabla's terms and BAA documents
Used by EHR vendors and partners to embed Nabla's ambient AI capability directly into third-party clinical platforms
// What to watch
- TX-RAMP Level 2 is a Texas state-government risk/authorization certification, not a national FedRAMP equivalent; list separately and do not display as 'FedRAMP' or imply federal authorization.
- HIPAA and GDPR are contractual compliance postures (backed by a signed BAA and a DPA with SCCs) rather than third-party audited certifications like SOC 2 / ISO 27001; the directory should badge them distinctly from audited certs (e.g. 'HIPAA: BAA available' / 'GDPR: DPA available').
- AI training claim nuance: marketing/FAQ framing ('audio never stored or used for training') should be paired with the DPA's opt-in carve-out (anonymized data may be used for product improvement only with the customer's prior express authorization) to avoid an over-claim of an unconditional no-training policy.
- No third-party AI-governance certification (ISO/IEC 42001, CSA STAR AI) found; Nabla's AI governance program is evidenced only by a self-published AI Model Card (CHAI v2) and an AI Governance Whitepaper, which are not equivalent to an audited AI-management-system certification.
- 'CIS Level 2' is listed on the trust center compliance panel with no linked report or further detail found; likely an internal benchmark self-attestation rather than an externally audited certification -- flagged for lower confidence than the audited SOC 2 / ISO 27001 items.
// At a glance
Pricing model
Not publicly published; enterprise/subscription pricing via sales contact ('Talk to our team'), no self-serve pricing page found
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Nabla Technologies (Nabla Technologies SAS, France / Nabla Technologies Inc., Delaware, USA)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.nabla.com