Nabla Trust Center
Security and compliance are the backbone of healthcare. At Nabla, we place security and privacy at the top of our agenda because they are fundamentally tied to our customers' experience of our products. Within the Nabla Trust Center, you can request key documentation and explore detailed security control adherence.
Request Reports
Compliance

SOC 2 Type 2

ISO 27001

HIPAA

CCPA

GDPR

EU AI Act
PIPEDA

CIS Level 2
Resources
SOC 2 Type II Report
October 2023 to September 2024
ISO/IEC 27001
Refresh October 2024
Pentest Executive Summary
April 2025
AI Model Card
CHAI version 1
AI Governance Whitepaper
Vulnerability Disclosure Policy
FAQs
Where is my data stored?
Nabla is a global organization and has clients across the world. U.S.-based clients have their data stored in U.S. regions; data for all other clients is stored in EU data centers.
What data does Nabla retain?
Nabla does not store audio. We retain clinical notes for a short period of time, which is configurable by client based on geographic region requirements.
How does Nabla conform to AI regulations?
Nabla tracks current AI regulations in relation to our product at a state and federal level. We have a dedicated AI Governance team and a documented policy, which includes a published model card.
Does Nabla follow the EU AI Act?
Yes. While Nabla is not considered high risk under the EU AI Act, we still follow requirements including published transparency standards on our model.
Does Nabla have documented Security policies?
Yes, Nabla has a collection of 25 Information Security policies that make up our cybersecurity and compliance program. All policies are updated at least annually.
Are new compliance reports published when available?
Nabla will update all documents automatically in the Trust Portal once available. Further document requests can be sent to [email protected].
Monitoring
Continuously monitored by Secureframe
Subprocessors
Nabla has worldwide operations. Separate data hosting environments are used for our U.S. clients.

Google Cloud
Infrastructure Hosting: Central Region (USA); Belgium (All Non-USA)

Azure
API Management, Speech to Text Operations (No PHI)

Front
Support Ticketing (No PHI)