> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gavai.io/llms.txt
> Use this file to discover all available pages before exploring further.

# ISO 27001

> gavAI's ISO 27001 program status

gavAI's ISO 27001 program is scoped to follow the SOC 2 attestation. The control set overlaps significantly (around 80%), and our gap analysis tracks the deltas (Annex A controls not already covered by SOC 2 TSC).

## Current status

| Item                                 | Status                               |
| ------------------------------------ | ------------------------------------ |
| Statement of Applicability (Annex A) | Draft (sequenced after SOC 2 Type I) |
| ISMS scope definition                | In progress                          |
| Risk assessment + treatment plan     | Drafted                              |
| Internal audit                       | Not yet scheduled                    |
| External certification body          | Not yet engaged                      |

## Adjacencies

* The SOC 2 [page](/compliance/soc2) covers Trust Services Criteria evidence collection. Most of those artifacts feed both certifications.
* HIPAA / GDPR / state-privacy compliance (data minimisation, breach notification, data-subject rights) is handled in the contract layer; see the DPA at `/legal/dpa` (control-plane domain).

## Contact

`compliance@gavai.io` for vendor-risk questionnaires or audit-evidence requests.
