Assurance & ISMS
Assurance Center
Our information-security management posture and assurance programme. ReguShield UAB is not yet ISO/IEC 27001 or SOC 2 certified — the programmes below track control coverage toward future assurance, transparently.
- 69% · ISMS coverage
- 4/7 · Control families
- 0 · Pentests completed
- 3 · Open risks
ISMS
ISMS Dashboard
The ReguShield AI platform, its EU cloud infrastructure and supporting processes.
- 10 · Policies
- 4 · Control themes
- 69% · Avg coverage
- In progress · Status
Program
ISO/IEC 27001 Program
ReguShield UAB is NOT yet ISO/IEC 27001 certified. The programme below tracks Annex A control coverage toward a future certification.
A.5 · Organisational controls
Planned · Policies, roles, supplier and incident management being formalised.
A.6 · People controls
Planned · Screening, awareness and responsibilities.
A.7 · Physical controls
Implemented · Managed cloud; physical security inherited from EU providers.
A.8 · Technological controls
Implemented · Encryption, access control, RLS isolation, logging, secrets management.
Roadmap
SOC 2 Roadmap
No SOC 2 report exists yet — Type I is a roadmap item.
Trust services criteria in scope: Security · Availability · Confidentiality
Library
Control Library
Access Control · Implemented
- Role-based access control
- Least privilege
- Tenant isolation (RLS)
- Session management
Cryptography · Implemented
- TLS 1.3 in transit
- AES-256 at rest
- Server-side secrets
Logging & Monitoring · Implemented
- Append-only audit trails
- Acceptance audit (immutable)
- Admin action log
Operations Security · Planned
- Managed backups
- Change management
- Vulnerability disclosure
Supplier Security · Planned
- Sub-processor register
- DPA flow-down
- Periodic review
Incident Management · Implemented
- Detection & triage
- Customer notification
- Coordinated disclosure
Business Continuity · Planned
- Managed backups
- Formal BCP/DR (RTO/RPO)
Testing
Penetration-Test Registry
| Scope | Provider | Window | Status | Result |
|---|---|---|---|---|
| External application & API penetration test | Independent (to be appointed) | Q3 2026 | Planned | — |
| Continuous dependency & SCA scanning | Automated | Ongoing | Implemented | Monitored |
Vendors
Supplier Reviews
| Supplier | Purpose | Location | Review | Status |
|---|---|---|---|---|
| Supabase | Managed PostgreSQL database & authentication | EU | Annual due-diligence review | Planned |
| Vercel | Application hosting & edge delivery | EU / Global edge | Annual due-diligence review | Planned |
| Resend | Transactional email delivery | EU / US | Annual due-diligence review | Planned |
| OpenAI | AI reasoning for compliance decision-support | US | Annual due-diligence review | Planned |
Risk
Risk Register
No third-party security certification yet (ISO 27001 / SOC 2)
Open · Impact Medium (procurement gating) · Transparent disclosure; ISMS programme + external pentest planned; DPA + technical measures available now.
AI sub-processor processes data in the US (OpenAI)
Mitigated · Impact Medium · EU Standard Contractual Clauses + supplementary measures; no model training on customer data; EU-inference option under evaluation.
Sub-processor concentration (managed cloud)
Monitored · Impact Medium · Named register, due-diligence review, exit-readiness documentation (DORA-aligned, planned).
Formal BCP/DR not yet documented with tested RTO/RPO
Open · Impact Medium · Managed backups in place today; formal BCP/DR planned.
Legal documents pending qualified-counsel sign-off
Open · Impact Low/Medium · Framework content published transparently; counsel review before external binding.
Calendar
Audit Calendar
| Activity | Type | Status | Window |
|---|---|---|---|
| External penetration test | Security assessment | Planned | Q3 2026 |
| ISMS gap assessment (ISO 27001) | Assurance | Roadmap | TBC |
| Sub-processor due-diligence review | Vendor risk | Planned | Annual |
| Policy & DPA review | Legal/governance | Planned | Annual / on change |
| Access & RLS control review | Security | Planned | Periodic |
Forward
Security Roadmap
ReguShield UAB · Republic of Lithuania. Not ISO 27001 / 27701 / SOC 2 certified — programmes in progress, disclosed transparently. See also: Procurement Center · Identity & Access.