Trust Center

Security & Compliance

ReguShield AI is built on a foundation of security, data protection and regulatory accountability. This page documents our current security posture, data practices, compliance roadmap and AI governance framework honestly — without overclaiming certifications we have not yet obtained.

Questions? Contact us at hello@regushield.ai

Status key:
Active — implemented and operational
In Progress — work underway
Planned — on roadmap with target date

Security Overview

Status: Active

Data in Transit

TLS 1.3 enforced across all API and web endpoints

Data at Rest

AES-256 encryption at rest via the Supabase managed database

Authentication

Supabase Auth — email/password with session token management and invite-only pilot access

Access Control

Role-based pilot access with email-scoped session keys; admin approval workflow for new users

Audit Logging

All case analysis, ingestion batches and decisions are logged with timestamps and case reference codes

Secrets Management

API keys and database credentials are managed via Vercel environment variables and are never exposed in the client bundle

Data Processing & Storage

Status: Active

Database

PostgreSQL via Supabase — EU region (Dublin / Amsterdam)

Data Residency

All case data, analysis logs and audit records stored within the European Union

PII Handling

No PII is stored in AI analysis outputs. Case records reference anonymised transaction fields only

Data Retention

Pilot workspace data: 90-day default. Enterprise: configurable per Data Processing Agreement

Third-Party Sharing

No case data is shared with third-party analytics, advertising or data broker services

Data Minimisation

Only the fields required for compliance analysis are ingested (transaction, KYC, risk signals)

GDPR Readiness

Status: In Progress

Lawful Basis

Contract performance (pilot agreement) and Legitimate Interest (compliance analytics)

Data Subject Rights

Right to access, rectification and erasure: contact hello@regushield.ai. Target response: 72 hours

Data Processing Agreement

DPA template available for enterprise customers on request

Privacy Policy

Full privacy notice in preparation — target: Q3 2026

DPIA

Data Protection Impact Assessment scoped for high-risk processing — in progress

Representative Appointment

EU GDPR representative identified — formal appointment Q3 2026

ISO 27001 Roadmap

Status: In Progress

ReguShield AI is not yet ISO 27001 certified. The roadmap below reflects our planned path toward certification.

Phase 1 — Gap Assessment (Q2 2026)

Internal gap assessment against ISO 27001:2022 Annex A controls completed

Phase 2 — Controls Implementation (Q3 2026)

Security controls, policies and procedures being documented and implemented

Phase 3 — Internal Audit (Q4 2026)

Internal audit of ISMS against ISO 27001:2022 requirements

Phase 4 — External Certification Audit (Q1 2027)

Stage 1 and Stage 2 certification audit with accredited certification body

SOC 2 Roadmap

Status: Planned

ReguShield AI does not hold a SOC 2 report at this time. The roadmap below reflects our planned path.

Scoping & Readiness (Q3 2026)

Define Trust Services Criteria in scope (Security, Availability, Confidentiality)

Controls Design & Implementation (Q3–Q4 2026)

Gap remediation and control evidence collection for Type I period

SOC 2 Type I Report (Q4 2026)

Point-in-time assessment of control design by independent auditor

SOC 2 Type II Audit Period (2027)

12-month operational effectiveness observation period

AI Governance

Status: Active

Decision Engine

Fully deterministic rule engine (no black-box LLM decisions). All rule hits grounded in the Sprint B obligation catalog with article-level citations

Explainability

Every AI output includes: regulation reference, article, triggered rule, affected obligations, confidence level and reasoning narrative (EU AI Act Art. 13)

Human Oversight

High-risk and critical cases require human compliance officer review before any regulatory filing or enforcement action (EU AI Act Art. 14)

Confidence Scoring

Rule hits are assigned deterministic confidence levels (high: direct field match; medium: second-order inference). No confidence is asserted without a grounded obligation citation

Bias & Fairness Review

Rule engine audit for demographic and jurisdictional bias — planned Q3 2026

EU AI Act Compliance

System classified as high-risk AI (Annex III — AML, credit, fraud detection). Conformity assessment and FRIA in preparation for Q4 2026

Penetration Testing Status

Status: In Progress

No external penetration test has been completed. An internal security review and external test are planned.

OWASP Top 10 Review (Q2 2026)

Internal review against OWASP Top 10 (injection, broken auth, XSS, CSRF, misconfiguration) completed

Dependency Vulnerability Scanning

npm audit runs on every dependency update; critical/high CVEs are patched before deployment

External Penetration Test (Q3 2026)

Full-scope web application penetration test with accredited third-party provider

API Security Assessment (Q3 2026)

Dedicated REST API security assessment covering authentication, rate limiting and injection vectors

Infrastructure Overview

Status: Active

Application Hosting

Vercel — global edge network with EU-accessible PoPs; DDoS protection and automatic TLS

Database

Supabase managed PostgreSQL — EU region; automated backups with point-in-time recovery

Authentication Service

Supabase Auth — email/password, magic-link and row-level security

CDN & Edge

Vercel Edge Network — static assets served from nearest PoP; server-side rendering on demand

Monitoring & Uptime

Vercel deployment logs and error tracking; uptime monitoring planned Q3 2026

Disaster Recovery

Supabase automated daily backups retained for 7 days. Formal DR runbook in preparation

This Trust Center reflects the current state of ReguShield AI security and compliance posture as of June 2026. Information is updated regularly as our programme matures. ReguShield AI provides decision-support technology, not legal or regulatory advice. Certifications and assessments listed as Planned or In Progress have not been completed.

© 2026 ReguShield AI · hello@regushield.ai