Security & Compliance
ReguShield AI is built on a foundation of security, data protection and regulatory accountability. This page documents our current security posture, data practices, compliance roadmap and AI governance framework honestly — without overclaiming certifications we have not yet obtained.
Questions? Contact us at hello@regushield.ai
Security Overview
TLS 1.3 enforced across all API and web endpoints
AES-256 encryption at rest via the Supabase managed database
Supabase Auth — email/password with session token management and invite-only pilot access
Role-based pilot access with email-scoped session keys; admin approval workflow for new users
All case analysis, ingestion batches and decisions are logged with timestamps and case reference codes
API keys and DB credentials managed via Vercel environment variables; never exposed in client bundle
Data Processing & Storage
PostgreSQL via Supabase — EU region (Dublin / Amsterdam)
All case data, analysis logs and audit records stored within the European Union
No PII is stored in AI analysis outputs. Case records reference anonymised transaction fields only
Pilot workspace data retention: 90 days by default. Enterprise: configurable per Data Processing Agreement
No case data is shared with third-party analytics, advertising or data broker services
Only the fields required for compliance analysis are ingested (transaction, KYC, risk signals)
GDPR Readiness
Lawful bases: contract performance (pilot agreement) and legitimate interest (compliance analytics)
Rights of access, rectification and erasure: contact hello@regushield.ai. Target response time: 72 hours
DPA template available for enterprise customers on request
Full privacy notice in preparation — target: Q3 2026
Data Protection Impact Assessment scoped for high-risk processing — in progress
EU GDPR representative identified — formal appointment Q3 2026
ISO 27001 Roadmap
ReguShield AI is not yet ISO 27001 certified. The roadmap below reflects our planned path toward certification.
Internal gap assessment against ISO 27001:2022 Annex A controls completed
Security controls, policies and procedures being documented and implemented
Internal audit of ISMS against ISO 27001:2022 requirements
Stage 1 and Stage 2 certification audit with accredited certification body
SOC 2 Roadmap
ReguShield AI does not hold a SOC 2 report at this time. The roadmap below reflects our planned path.
Define Trust Services Criteria in scope (Security, Availability, Confidentiality)
Gap remediation and control evidence collection for Type I period
Point-in-time assessment of control design by independent auditor
12-month operational effectiveness observation period
AI Governance
Fully deterministic rule engine (no black-box LLM decisions). All rule hits grounded in the Sprint B obligation catalog with article-level citations
Every AI output includes: regulation reference, article, triggered rule, affected obligations, confidence level and reasoning narrative (EU AI Act Art. 13)
High-risk and critical cases require human compliance officer review before any regulatory filing or enforcement action (EU AI Act Art. 14)
Rule hits are assigned deterministic confidence levels (high: direct field match; medium: second-order inference). No confidence is asserted without a grounded obligation citation
Rule engine audit for demographic and jurisdictional bias — planned Q3 2026
System classified as high-risk AI (Annex III — AML, credit, fraud detection). Conformity assessment and FRIA in preparation for Q4 2026
Penetration Testing Status
No external penetration test has been completed. An internal security review and external test are planned.
Internal review against OWASP Top 10 (injection, broken auth, XSS, CSRF, misconfiguration) completed
npm audit runs on every dependency update; critical/high CVEs are patched before deployment
Full-scope web application penetration test with accredited third-party provider
Dedicated REST API security assessment covering authentication, rate limiting and injection vectors
Infrastructure Overview
Vercel — global edge network with EU-accessible PoPs; DDoS protection and automatic TLS
Supabase managed PostgreSQL — EU region; automated backups with point-in-time recovery
Supabase Auth — email/password, magic-link and row-level security
Vercel Edge Network — static assets served from nearest PoP; server-side rendering on demand
Vercel deployment logs and error tracking; uptime monitoring planned Q3 2026
Supabase automated daily backups retained for 7 days. Formal DR runbook in preparation
This Trust Center reflects the current state of ReguShield AI security and compliance posture as of June 2026. Information is updated regularly as our programme matures. ReguShield AI provides decision-support technology, not legal or regulatory advice. Certifications and assessments listed as Planned or In Progress have not been completed.
© 2026 ReguShield AI · hello@regushield.ai