Procurement & Vendor Trust Package
Procurement Center
Everything a European enterprise security, legal and procurement review needs — security and architecture overviews, sub-processors, retention, shared responsibility, a pre-answered security questionnaire, incident response, BCP, AI governance, roadmap, audit calendar and a vendor risk register — plus a one-click Trust Package.
Legal Entity
ReguShield UAB — Private limited liability company (uždaroji akcinė bendrovė)
Jurisdiction · Data Residency
Republic of Lithuania (EU member state) · European Union
Contacts
hello@regushield.ai · security@regushield.ai · privacy@regushield.ai
Website
https://www.regushield.ai
Download Center
Board-grade PDF packages, or the consolidated Markdown pack.
Index
Procurement Document Index
Every artifact in this package, with links to the published legal documents.
Full Trust Package ⤓
Consolidated security, legal and procurement pack.
Security Overview
Technical & organisational measures.
Architecture Overview
Hosting, data, auth, AI, email layers.
Sub-processor Registry
Named sub-processors + purpose + location.
Retention Matrix
Data categories, retention, basis.
Shared Responsibility Matrix
ReguShield vs Customer responsibilities.
Security Questionnaire (SIG/CAIQ-style)
Pre-answered diligence questionnaire.
Incident Response Summary
Detection, notification, disclosure.
BCP / Resilience Summary
Backups & recovery posture.
AI Governance Statement ↗
EU AI Act-aligned posture.
Data Processing Agreement (v1) ↗
GDPR Article 28 DPA.
Enterprise Agreement (v1) ↗
Master enterprise subscription terms.
Pilot Agreement (v1) ↗
Time-boxed evaluation terms.
Privacy Policy ↗
GDPR privacy notice.
Terms of Service ↗
Platform master terms.
Acceptable Use Policy ↗
Permitted/prohibited use.
Trust Roadmap
Implemented / Planned / Roadmap.
Audit Calendar
Upcoming assurance milestones.
Vendor Risk Register
Risks + mitigations.
Security
Security Overview
Technical and organisational measures. Maturity labelled Implemented / Planned / Roadmap.
Encryption in transit
Implemented · TLS 1.3 for all client and API traffic.
Encryption at rest
Implemented · AES-256 at rest on managed EU infrastructure.
Tenant isolation
Implemented · PostgreSQL row-level security keyed to the verified workspace-owner email; one email = one isolated workspace.
Authentication
Implemented · Supabase Auth (email/password); session-scoped access.
Role-based access control
Implemented · Per-workspace roles (Owner, Compliance Officer, Risk, Auditor, Viewer) with a permission matrix.
Immutable audit trails
Implemented · Append-only compliance and agreement-acceptance audit; the acceptance audit is permanent and tamper-evident (hashed).
Secrets management
Implemented · Server-side secrets only; never shipped to the client bundle.
Coordinated vulnerability disclosure
Implemented · Report to security@regushield.ai; acknowledgement target 72 hours.
External penetration test
Planned · Independent assessment targeted for Q3 2026.
Information Security Management System (ISO 27001)
Roadmap · Formal ISMS programme; not yet certified.
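The two controls a reviewer most often asks to see in concrete form are the tenant-isolation and the tamper-evident audit items above. The SQL below is an added illustration written for this page of how such controls are typically built on PostgreSQL; it is not ReguShield's schema, policy text or trigger code. It assumes a Supabase-style database in which `auth.jwt()` returns the calling user's JWT claims as `jsonb`, the `authenticated` role exists, and the `pgcrypto` extension provides `digest()`; every table, function and policy name (`workspaces`, `acceptance_audit`, `current_owner_email`, `audit_row_digest`, and so on) is invented for the example.

```sql
-- Illustrative schema for (1) RLS keyed to the verified owner email and
-- (2) an append-only, hash-chained acceptance audit. Not vendor code.
-- Assumes Supabase-style auth.jwt(), an "authenticated" role, and pgcrypto.
create extension if not exists pgcrypto;

create table workspaces (
  id          uuid primary key default gen_random_uuid(),
  -- lower-cased so 'Alice@x.eu' and 'alice@x.eu' cannot become two tenants
  owner_email text not null unique check (owner_email = lower(owner_email)),
  created_at  timestamptz not null default now()
);

create table workspace_documents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null references workspaces(id),
  body         jsonb not null
);

-- The caller's email as asserted by the verified JWT. The isolation key is
-- only as strong as this claim: a session must never be issued before the
-- address has been confirmed, or the tenant key is attacker-chosen.
create function current_owner_email() returns text
language sql stable as $$
  select lower(coalesce(auth.jwt() ->> 'email', ''))
$$;

alter table workspaces          enable row level security;
alter table workspace_documents enable row level security;

-- USING filters reads, updates and deletes; WITH CHECK stops a write from
-- landing in another tenant's workspace. Both are needed; USING alone is a
-- common gap that lets a user insert rows they can never read back.
create policy workspace_owner_only on workspaces
  for all to authenticated
  using      (owner_email = current_owner_email())
  with check (owner_email = current_owner_email());

create policy documents_owner_only on workspace_documents
  for all to authenticated
  using      (workspace_id in (select id from workspaces
                               where owner_email = current_owner_email()))
  with check (workspace_id in (select id from workspaces
                               where owner_email = current_owner_email()));

-- Append-only, hash-chained acceptance audit. Each row commits to the
-- previous row's hash, so editing or deleting any row invalidates every
-- later row; the verifier query at the end finds the first broken link.
create table acceptance_audit (
  seq          bigserial primary key,
  workspace_id uuid not null references workspaces(id),
  event        jsonb not null,          -- what was accepted, by whom, version
  occurred_at  timestamptz not null default now(),
  prev_hash    text not null,
  row_hash     text not null
);

-- Canonical serialisation: jsonb::text is key-sorted, and the timestamp is
-- rendered in UTC so the digest does not depend on session settings.
create function audit_row_digest(prev text, ws uuid, ts timestamptz, ev jsonb)
returns text language sql stable as $$
  select encode(digest(prev || '|' || ws::text || '|'
                || to_char(ts at time zone 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US"Z"')
                || '|' || ev::text, 'sha256'), 'hex')
$$;

create function acceptance_audit_chain() returns trigger
language plpgsql as $$
begin
  -- Serialise writers so two concurrent inserts cannot both chain onto
  -- the same predecessor and fork the chain.
  perform pg_advisory_xact_lock(hashtext('acceptance_audit'));
  new.prev_hash := coalesce((select row_hash from acceptance_audit
                             order by seq desc limit 1), repeat('0', 64));
  new.row_hash  := audit_row_digest(new.prev_hash, new.workspace_id,
                                    new.occurred_at, new.event);
  return new;
end $$;

create trigger acceptance_audit_chain_trg
  before insert on acceptance_audit
  for each row execute function acceptance_audit_chain();

-- Append-only: no application role holds UPDATE/DELETE/TRUNCATE, and a
-- trigger rejects them anyway in case a grant is added later by mistake.
revoke update, delete, truncate on acceptance_audit from public, authenticated;
create function acceptance_audit_reject() returns trigger
language plpgsql as $$
begin
  raise exception 'acceptance_audit is append-only (attempted %)', tg_op;
end $$;
create trigger acceptance_audit_immutable
  before update or delete or truncate on acceptance_audit
  for each statement execute function acceptance_audit_reject();

-- Tamper check for a periodic control review: returns the first row whose
-- link or digest no longer matches; an empty result means the chain is intact.
select a.seq
from acceptance_audit a
left join lateral (select row_hash from acceptance_audit p
                   where p.seq < a.seq order by p.seq desc limit 1) prev on true
where a.prev_hash <> coalesce(prev.row_hash, repeat('0', 64))
   or a.row_hash  <> audit_row_digest(a.prev_hash, a.workspace_id,
                                      a.occurred_at, a.event)
order by a.seq
limit 1;
```

Two questions worth putting to any vendor that keys isolation on an email claim, as this example does: whether a session token can ever be issued before the address is verified (if so, the tenant key is chosen by whoever signs up), and what happens when a user changes their email address, since the workspace row and the JWT claim then disagree until both are updated atomically. Keying the policy on the immutable user id (`auth.uid()` in Supabase) avoids the second problem. For the audit table, the hash chain makes edits and deletions detectable but not impossible for a superuser; a periodic run of the verifier query, with the latest `row_hash` also recorded somewhere outside the database, is what turns "hashed" into a checkable control.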
Architecture
Architecture Overview
| Layer | Detail |
|---|---|
| Application | Next.js (App Router) / React, server-rendered; hosted on Vercel (EU / edge). |
| Database | Managed PostgreSQL via Supabase, EU region; row-level security enforces tenant isolation. |
| Authentication | Supabase Auth; JWT session; access scoped by verified email. |
| AI reasoning | OpenAI API for AI-assisted reasoning under contractual terms + Standard Contractual Clauses (US transfer); customer data is not used to train provider foundation models. |
| Transactional email | Resend for activation and lifecycle email (EU/US). |
| Data flow | Customer uploads operational/compliance data → processed in the EU workspace → AI/deterministic analysis → audit-ready reporting. No third-party data sharing beyond the named sub-processors. |
Vendors
Sub-processor Registry
GDPR Article 28(2) named sub-processors.
| Sub-processor | Purpose | Location | Category |
|---|---|---|---|
| Supabase | Managed PostgreSQL database & authentication | EU | Infrastructure |
| Vercel | Application hosting & edge delivery | EU / Global edge | Infrastructure |
| Resend | Transactional email delivery | EU / US | Communications |
| OpenAI | AI reasoning for compliance decision-support | US | AI processing |
Data
Retention Matrix
| Data Category | Retention | Basis |
|---|---|---|
| Customer workspace data | 365 days (default, configurable per tenant) | Contract / legitimate interest |
| Security & compliance audit logs | ~7 years | Legal obligation / accountability |
| Governance acceptance audit | Permanent (legal record — never auto-deleted) | Evidence of agreement acceptance |
| Pilot evaluation data | 90 days | Pilot agreement |
| Account & identity data | Duration of the contract + statutory minimums | Contract / legal obligation |
| Backups | Per managed-infrastructure backup policy | Resilience |
Diligence
Security Questionnaire
Pre-answered SIG / CAIQ-style questionnaire — honest, including what is not yet certified.
Data Protection
Where is customer data stored?
In the European Union (managed PostgreSQL via Supabase, EU region).
Data Protection
Is data encrypted in transit and at rest?
Yes — TLS 1.3 in transit, AES-256 at rest.
Data Protection
Is there a Data Processing Agreement?
Yes — a GDPR Article 28 DPA is available (see Legal Agreements).
Access Control
How is tenant data isolated?
PostgreSQL row-level security keyed to the verified workspace-owner email; one email = one isolated workspace.
Access Control
Is role-based access control supported?
Yes — five workspace roles with a documented permission matrix.
Access Control
How are administrative secrets handled?
Server-side only; never exposed to the client bundle.
Infrastructure
Who are your sub-processors?
Supabase, Vercel, Resend, OpenAI — see the Sub-processor Registry.
Infrastructure
Do you transfer data outside the EEA?
Workspace data is hosted in the EU. Where a sub-processor (e.g. OpenAI) processes data in the US, transfers are made under EU Standard Contractual Clauses with supplementary measures.
Incident Response
Do you have an incident response process?
Yes — detection, triage, customer notification without undue delay, and coordinated disclosure (see Incident Response Summary).
Incident Response
How are vulnerabilities reported?
Coordinated disclosure to security@regushield.ai; acknowledgement target 72 hours.
Resilience
Are backups performed?
Yes — managed database backups via the infrastructure provider. A formal BCP/DR with tested RTO/RPO is Planned.
AI Governance
Is the AI making autonomous regulated decisions?
No. The platform is decision-support; a qualified person makes the final decision, with mandated human oversight (EU AI Act Art. 14).
AI Governance
Is customer data used to train your AI models?
No. Customer data is processed to generate the customer's own analysis; it is not used to train provider foundation models.
Certifications
Are you ISO 27001 / ISO 27701 / SOC 2 certified?
No — these are Roadmap items and are not yet certified. We disclose this transparently; an ISMS programme and an independent penetration test are in progress/planned.
Certifications
Which regulations does the platform support?
AMLA 2027, AMLR, MiCA, DORA, EU AI Act, Travel Rule and GDPR (as decision-support; not a regulatory determination).
Resilience
Incident Response Summary
- Detection: Monitoring of platform and infrastructure signals; reports via the security contact.
- Triage: Severity assessment and scoping by the security contact on a coordinated-disclosure basis.
- Customer notification: Affected customers are notified without undue delay after we become aware of a personal-data breach affecting their data (GDPR Art. 33(2)), with the information reasonably available to support their own notification duties.
- Authority context: As processor, ReguShield assists the Customer (controller), who owns the 72-hour supervisory-authority notification obligation under GDPR Art. 33(1).
- Disclosure: Coordinated disclosure via security@regushield.ai; acknowledgement target 72 hours.
Resilience
Business Continuity / Resilience
Backups
Implemented · Managed database backups via the infrastructure provider (Supabase).
Recovery
Planned · A formal business-continuity and disaster-recovery plan with tested recovery objectives (RTO/RPO) is being documented.
Redundancy
Implemented · Managed cloud infrastructure with provider-level redundancy.
Responsible AI
AI Governance Statement
Decision-support, not autonomous regulated decisioning. EU AI Act-aligned.
- Nature: Decision-support — informs but does not replace qualified compliance judgement.
- Human oversight: Mandated human oversight; outputs are reviewed before any regulated action (EU AI Act Art. 14).
- Explainability: Deterministic rule logic with regulatory citations and confidence indicators.
- Classification: Formal EU AI Act classification and, where applicable, a Fundamental Rights Impact Assessment are being prepared (Planned).
- Data use: Customer data is not used to train provider foundation models.
Assurance
Trust Roadmap
What is live today and what is planned — including certifications NOT yet held.
Assurance
Audit Calendar
| Activity | Type | Status | Window |
|---|---|---|---|
| External penetration test | Security assessment | Planned | Q3 2026 |
| ISMS gap assessment (ISO 27001) | Assurance | Roadmap | TBC |
| Sub-processor due-diligence review | Vendor risk | Planned | Annual |
| Policy & DPA review | Legal/governance | Planned | Annual / on change |
| Access & RLS control review | Security | Planned | Periodic |
Vendor Risk
Vendor Risk Register
Procurement-relevant risks with mitigations — transparently disclosed.
| Risk | Impact | Mitigation | Status |
|---|---|---|---|
| No third-party security certification yet (ISO 27001 / SOC 2) | Medium (procurement gating) | Transparent disclosure; ISMS programme + external pentest planned; DPA + technical measures available now. | Open |
| AI sub-processor processes data in the US (OpenAI) | Medium | EU Standard Contractual Clauses + supplementary measures; no model training on customer data; EU-inference option under evaluation. | Mitigated |
| Sub-processor concentration (managed cloud) | Medium | Named register, due-diligence review, exit-readiness documentation (DORA-aligned, planned). | Monitored |
| Formal BCP/DR not yet documented with tested RTO/RPO | Medium | Managed backups in place today; formal BCP/DR planned. | Open |
| Legal documents pending qualified-counsel sign-off | Low/Medium | Framework content published transparently; counsel review before external binding. | Open |
ReguShield UAB · Republic of Lithuania (EU member state). ReguShield AI provides compliance decision-support intelligence — not legal advice or a regulatory determination. Maturity labels: Implemented (live) · Planned (in progress) · Roadmap (intended, not yet in place).