
Assurance & ISMS

Assurance Center

Our information-security management posture and assurance programme. ReguShield UAB is not yet ISO/IEC 27001 or SOC 2 certified — the programmes below track control coverage toward future assurance, transparently.

  • ISMS coverage: 69%
  • Control families: 4/7
  • Pentests completed: 0
  • Open risks: 3

ISMS

ISMS Dashboard

The ReguShield AI platform, its EU cloud infrastructure and supporting processes.

  • Policies: 10
  • Control themes: 4
  • Avg coverage: 69%
  • Status: In progress

Program

ISO/IEC 27001 Program

ReguShield UAB is NOT yet ISO/IEC 27001 certified. The programme below tracks Annex A control coverage toward a future certification.

A.5 · Organisational controls

Status: Planned · Coverage: 62%

Policies, roles, supplier and incident management being formalised.

A.6 · People controls

Status: Planned · Coverage: 55%

Screening, awareness and responsibilities.

A.7 · Physical controls

Status: Implemented · Coverage: 80%

Managed cloud — physical security inherited from EU providers.

A.8 · Technological controls

Status: Implemented · Coverage: 78%

Encryption, access control, RLS isolation, logging, secrets management.

Roadmap

SOC 2 Roadmap

No SOC 2 report exists yet — Type I is a roadmap item.

Trust services criteria in scope: Security · Availability · Confidentiality

1. Scoping & readiness assessment · Roadmap
2. Control implementation & evidence · Roadmap
3. Type I observation · Roadmap
4. Type II observation window · Roadmap

Library

Control Library

Access Control

Implemented
  • Role-based access control
  • Least privilege
  • Tenant isolation (RLS)
  • Session management

Cryptography

Implemented
  • TLS 1.3 in transit
  • AES-256 at rest
  • Server-side secrets

Logging & Monitoring

Implemented
  • Append-only audit trails
  • Acceptance audit (immutable)
  • Admin action log

Operations Security

Planned
  • Managed backups
  • Change management
  • Vulnerability disclosure

Supplier Security

Planned
  • Sub-processor register
  • DPA flow-down
  • Periodic review

Incident Management

Implemented
  • Detection & triage
  • Customer notification
  • Coordinated disclosure

Business Continuity

Planned
  • Managed backups
  • Formal BCP/DR (RTO/RPO)

Testing

Penetration-Test Registry

Scope | Provider | Window | Status | Result
External application & API penetration test | Independent (to be appointed) | Q3 2026 | Planned | (none yet)
Continuous dependency & SCA scanning | Automated | Ongoing | Implemented | Monitored

Vendors

Supplier Reviews

Supplier | Purpose | Location | Review | Status
Supabase | Managed PostgreSQL database & authentication | EU | Annual due-diligence review | Planned
Vercel | Application hosting & edge delivery | EU / Global edge | Annual due-diligence review | Planned
Resend | Transactional email delivery | EU / US | Annual due-diligence review | Planned
OpenAI | AI reasoning for compliance decision-support | US | Annual due-diligence review | Planned

Risk

Risk Register

No third-party security certification yet (ISO 27001 / SOC 2)

Open

Impact Medium (procurement gating) · Transparent disclosure; ISMS programme + external pentest planned; DPA + technical measures available now.

AI sub-processor processes data in the US (OpenAI)

Mitigated

Impact Medium · EU Standard Contractual Clauses + supplementary measures; no model training on customer data; EU-inference option under evaluation.

Sub-processor concentration (managed cloud)

Monitored

Impact Medium · Named register, due-diligence review, exit-readiness documentation (DORA-aligned, planned).

Formal BCP/DR not yet documented with tested RTO/RPO

Open

Impact Medium · Managed backups in place today; formal BCP/DR planned.

Legal documents pending qualified-counsel sign-off

Open

Impact Low/Medium · Framework content published transparently; counsel review before external binding.

Calendar

Audit Calendar

Activity | Type | Status | Window
External penetration test | Security assessment | Planned | Q3 2026
ISMS gap assessment (ISO 27001) | Assurance | Roadmap | TBC
Sub-processor due-diligence review | Vendor risk | Planned | Annual
Policy & DPA review | Legal/governance | Planned | Annual / on change
Access & RLS control review | Security | Planned | Periodic

Forward

Security Roadmap

EU data residency & tenant isolation (RLS) · Live · Implemented
GDPR DPA, sub-processor register, data-subject rights · Live · Implemented
Immutable acceptance audit & policy versioning · Live · Implemented
External penetration test · Q3 2026 · Planned
DORA ICT risk mapping · 2026 · Planned
EU AI Act classification / FRIA scaffolding · 2026 · Planned
ISO/IEC 27001 (ISMS) certification · Not yet certified · Roadmap
ISO/IEC 27701 (privacy) certification · Not yet certified · Roadmap
SOC 2 (Type I → II) · Not yet certified · Roadmap
Qualified e-signature (eIDAS 2) on agreements · Future · Roadmap

ReguShield UAB · Republic of Lithuania. Not ISO 27001 / 27701 / SOC 2 certified — programmes in progress, disclosed transparently. See also: Procurement Center · Identity & Access.