Security
Last updated June 1, 2026
Compliance professionals trust our platform with sensitive company documents. This page describes the specific technical and operational controls we use to protect your data.
Architecture Overview
The platform is built on a strict multi-tenant architecture. Every customer account is completely isolated from every other. This isolation is enforced at the database layer — not just the application layer — making it structurally impossible for one account to access another's data.
The platform is built on Next.js (App Router) deployed on a global edge network, with a cloud database and file storage layer. All components are cloud-native and operate under the security controls of their respective providers; our hosting and database providers each hold SOC 2 Type II certification as infrastructure subprocessors. The platform itself has not yet undergone an independent certification audit.
Data Residency
Your account data, uploaded documents, and audit history are stored and encrypted at rest within the European Union — specifically the AWS Europe (Ireland) region (eu-west-1). Because the UK and EU maintain mutual data-adequacy decisions, EU-hosted data remains within the UK/EU adequacy zone recognised under UK GDPR. The application is served from a global edge network, but company data at rest — profiles, documents, audits, findings — resides in the EU.
Database & file storage: AWS Europe (Ireland) · eu-west-1
Data at rest: European Union (UK/EU adequacy zone)
Storage vs. processing: your data is stored in the EU. The one exception is AI analysis — a minimised text extract is processed by our AI sub-processor, which may occur outside the EU.
To perform a gap analysis, a truncated extract of a document’s text (never the raw file, capped at 12,000 characters) is sent to Anthropic’s Claude API over TLS. That inference is performed by Anthropic as a sub-processor under its commercial API terms and may occur outside the EU. Anthropic does not use API-submitted content to train its models, and your documents are never used to train AI models. See the AI and Document Processing section below for exactly what is and is not transmitted.
Data Isolation (Multi-Tenant)
Row-Level Security (RLS). Every table in the database has RLS policies enabled. These policies ensure that every SQL query — regardless of where it originates — is automatically scoped to the authenticated user's account ID. Even if a software bug caused an incorrect query to be issued, the database would refuse to return another user's rows.
Unique immutable profile IDs. Every user is assigned a UUID at registration by our authentication provider. This ID is immutable, unique across the system, and is the foreign key that all data — documents, audits, findings, profile data — is associated with.
Storage isolation. Uploaded documents are stored in secure cloud storage with per-user path namespacing and RLS policies that prevent any user from accessing another's files, even if they construct a direct URL.
No shared state. There is no application-level cache or session state that could leak data between accounts. Every request is independently authenticated and independently authorised.
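How database-layer tenant scoping of this kind can be expressed, as an added example that is not the platform's own schema: it assumes a PostgreSQL database, and the table names, the `owner_id` column and the `app.user_id` session setting are hypothetical. It also assumes the statements run as an ordinary role that owns the tables.

```sql
-- Added example: table, column and setting names are assumptions.
CREATE TABLE documents (
    id       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    owner_id uuid NOT NULL,  -- immutable user UUID issued at registration
    title    text NOT NULL
);
CREATE TABLE audits (
    id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    owner_id    uuid NOT NULL,
    document_id uuid NOT NULL REFERENCES documents (id) ON DELETE CASCADE,
    summary     text NOT NULL
);

-- ENABLE switches policies on; FORCE also applies them to the table owner.
-- Superusers and roles with BYPASSRLS are still exempt from policies.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;
ALTER TABLE audits ENABLE ROW LEVEL SECURITY;
ALTER TABLE audits FORCE ROW LEVEL SECURITY;

-- USING filters rows on read, update and delete; WITH CHECK rejects writes
-- that would create a row for another owner. An unset or empty setting
-- becomes NULL, which matches no rows, so the policy fails closed.
CREATE POLICY documents_owner ON documents
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);
CREATE POLICY audits_owner ON audits
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- Constructed session for user A: the server sets the authenticated user's
-- UUID for this transaction only, then writes a row owned by that user.
BEGIN;
SET LOCAL app.user_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (owner_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'AML policy');
COMMIT;

-- Constructed session for user B: neither statement filters on owner_id,
-- yet the policy hides user A's row from both the SELECT and the DELETE.
BEGIN;
SET LOCAL app.user_id = '22222222-2222-2222-2222-222222222222';
SELECT id, title FROM documents;
DELETE FROM documents WHERE title = 'AML policy';
COMMIT;
```

The point to check in any real deployment is which database role the application connects as, since a superuser or BYPASSRLS role is never subject to these policies.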
Encryption
In transit: TLS 1.3 enforced on all connections
At rest: AES-256-GCM
Document storage: Encrypted at rest, per-user access policies
Session tokens: httpOnly, Secure, SameSite=Lax cookies
All communication between your browser, the application, infrastructure providers, and Anthropic occurs over TLS 1.3. TLS 1.0 and 1.1 are explicitly disabled. HSTS is enforced with a minimum one-year max-age.
Authentication
Authentication methods. The platform supports email and password sign-in and Google OAuth. Optional TOTP multi-factor authentication (MFA) can be enrolled in account settings; once a verified factor exists, an AAL2 challenge is required before dashboard access. Passwords are never stored by the application — they are hashed and managed entirely by the authentication service.
Session management. Sessions are managed server-side via cookies. Session tokens cannot be accessed by browser JavaScript, which eliminates XSS-based session hijacking as an attack vector.
Route protection. All authenticated routes are protected at two independent layers: the Next.js middleware (which runs at the edge before any page renders) and the application layout (which performs a server-side auth check). An invalid or expired session at either layer redirects immediately to the login page.
AI and Document Processing
Given that compliance documents may contain sensitive company information, we are explicit about how document data is handled when performing AI analysis.
- ✓ Document text is extracted server-side using a local PDF parser (pdf-parse). The raw file is never sent to Anthropic.
- ✓ Extracted text is truncated to 12,000 characters before being sent to the Anthropic API. This minimises the amount of company data transmitted per request.
- ✓ Per Anthropic's API data usage terms, content submitted via the API is not used to train models. See Anthropic's published commercial terms for current detail on API data handling.
- ✓ All API calls to Anthropic are made over TLS from our server environment. The Anthropic API key is stored as a server-side environment variable and is never exposed to the browser.
- ✓ When drafting remediation policy language, only the relevant finding's details are sent to the API — never the full source document.
- ✓ Analysis results and any AI-drafted policy language (the findings, not the original document text) are stored in your account's audit history under the same row-level security guarantees as all other data.
Users should not upload highly sensitive personal, legal, financial, medical, or confidential client information unless proper agreements and controls are in place. AI outputs are informational and should be reviewed by qualified professionals.
Data Retention & Deletion
You control retention. Regis does not impose a fixed retention window on your active account — your uploaded documents and the audits and findings derived from them remain available until you choose to remove them. This reflects the UK GDPR storage-limitation principle: your firm carries the record-keeping obligation (e.g. FCA SYSC), and we hold your data only as long as you need it.
- ✓ Uploaded documents: retained only while your account is active. You can delete any document at any time from within the app — deletion permanently removes both the stored PDF from encrypted file storage and the document record from the database.
- ✓ Analysis outputs and findings: retained with your account history until you delete them or close your account. Save or copy anything you may need for your own audit trail before deleting.
- ✓ Cascade on delete: deleting a document permanently removes everything derived from it — its audits and their findings — in the same operation, enforced at the database layer (ON DELETE CASCADE).
- ✓ Account closure: on request, all associated records — profile, documents, audits, findings — are permanently deleted within 30 days. Encrypted backups age out on the infrastructure provider's standard rotation thereafter.
- ✓ Server logs and metadata: retained for 30 days for security monitoring, then purged.
- ✓ Deletions are immediate and irreversible; there is no soft-delete or recycle bin.
Your documents are never used to train AI models. To request deletion of your account and all associated data, contact us at hello@regisai.dev.
Role-Based Access (Roadmap)
The current platform supports single-user access per account. Multi-user support (Professional and Enterprise plans) is in active development. When released, it will include:
- ✓ Admin role: full account access, can invite and remove users, manage billing.
- ✓ Editor role: can upload documents, run analyses, and manage findings. Cannot change billing or user seats.
- ✓ Viewer role: read-only access to audit history and monitoring feed. Cannot upload documents or run analyses.
- ✓ All roles enforce the same data isolation guarantees: users within an organisation account can only access that organisation's data.
Vulnerability Disclosure
We follow a responsible disclosure model. If you discover a security vulnerability in the platform, please report it to us before public disclosure so we can investigate and remediate.
Report a vulnerability
Email: security@regisai.dev
We acknowledge all reports within 48 hours and aim to release a fix within 14 days for critical issues. We do not pursue legal action against researchers who act in good faith.
Incident Response
In the event of a security incident that affects your data:
- ✓ We will notify affected customers by email within 72 hours of confirming a breach.
- ✓ Notifications will describe the nature of the incident, the data potentially affected, and the steps we have taken.
- ✓ We maintain an incident response runbook and conduct an annual review of our response procedures.
For security questions or concerns that are not vulnerability disclosures, contact us at security@regisai.dev.