Skip to main content
gavAI’s ISO 27001 program is scoped to follow the SOC 2 attestation. The control set overlaps significantly (around 80%), and our gap analysis tracks the deltas (Annex A controls not already covered by SOC 2 TSC).

Current status

ItemStatus
Statement of Applicability (Annex A)Draft (sequenced after SOC 2 Type I)
ISMS scope definitionIn progress
Risk assessment + treatment planDrafted
Internal auditNot yet scheduled
External certification bodyNot yet engaged

Adjacencies

  • The SOC 2 page covers Trust Services Criteria evidence collection. Most of those artifacts feed both certifications.
  • HIPAA / GDPR / state-privacy compliance (data minimisation, breach notification, data-subject rights) is handled in the contract layer; see the DPA at /legal/dpa (control-plane domain).

Contact

compliance@gavai.io for vendor-risk questionnaires or audit-evidence requests.