Procurement & Vendor Trust Package

Procurement Center

Everything a European enterprise security, legal and procurement review needs — security and architecture overviews, sub-processors, retention, shared responsibility, a pre-answered security questionnaire, incident response, BCP, AI governance, roadmap, audit calendar and a vendor risk register — plus a one-click Trust Package.

Legal Entity

ReguShield UAB · Private limited liability company (uždaroji akcinė bendrovė)

Jurisdiction · Data Residency

Republic of Lithuania (EU member state) · European Union

Contacts

hello@regushield.ai · security@regushield.ai · privacy@regushield.ai

Website

https://www.regushield.ai

Download Center

Board-grade PDF packages, or the consolidated Markdown pack.

Index

Procurement Document Index

Every artifact in this package, with links to the published legal documents.

Security

Security Overview

Technical and organisational measures. Maturity labelled Implemented / Planned / Roadmap.

Encryption in transit

Implemented

TLS 1.3 for all client and API traffic.

Encryption at rest

Implemented

AES-256 at rest on managed EU infrastructure.

Tenant isolation

Implemented

PostgreSQL row-level security keyed to the verified workspace-owner email; one email = one isolated workspace.

Authentication

Implemented

Supabase Auth (email/password); session-scoped access.

Role-based access control

Implemented

Per-workspace roles (Owner, Compliance Officer, Risk, Auditor, Viewer) with a permission matrix.

Immutable audit trails

Implemented

Append-only compliance and agreement-acceptance audit; acceptance audit is permanent and tamper-evident (hashed).

Secrets management

Implemented

Server-side secrets only; never shipped to the client bundle.

Coordinated vulnerability disclosure

Implemented

Report to security@regushield.ai; acknowledgement target 72 hours.

External penetration test

Planned

Independent assessment targeted for Q3 2026.

Information Security Management System (ISO 27001)

Roadmap

Formal ISMS programme — not yet certified.
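To make concrete what "append-only" and "tamper-evident (hashed)" mean for the acceptance audit described above, here is an added PostgreSQL example with a hash-chained table, triggers that reject changes, and the verification query a reviewer would run. It is not ReguShield's schema; the table, column and function names are assumptions.

```sql
-- Added illustration, not ReguShield's schema; all names here are assumptions.
create table public.acceptance_audit (
  seq         bigint generated always as identity primary key,
  actor_email text        not null,
  document_id text        not null,  -- e.g. 'dpa-v2' (constructed value)
  accepted_at timestamptz not null default now(),
  prev_hash   text        not null,  -- row_hash of the preceding row; '' for the first
  row_hash    text        not null   -- sha256 over prev_hash and this row's fields
);
-- Before insert: serialise appends, link the row to the current chain head, hash it.
-- Epoch seconds are hashed rather than a formatted timestamp, so later verification
-- does not depend on the session TimeZone setting.
create or replace function public.acceptance_audit_chain()
returns trigger language plpgsql as $$
begin
  perform pg_advisory_xact_lock(hashtext('acceptance_audit'));  -- one writer at a time
  select row_hash into new.prev_hash
    from public.acceptance_audit order by seq desc limit 1;
  new.prev_hash := coalesce(new.prev_hash, '');
  new.row_hash := encode(sha256(convert_to(
    new.prev_hash || '|' || new.actor_email || '|' || new.document_id || '|'
    || extract(epoch from new.accepted_at)::text, 'UTF8')), 'hex');
  return new;
end $$;
create trigger acceptance_audit_chain
  before insert on public.acceptance_audit
  for each row execute function public.acceptance_audit_chain();
-- Append-only: UPDATE, DELETE and TRUNCATE are rejected inside the database. The
-- application role must not own the table, since an owner or superuser could drop the triggers.
create or replace function public.acceptance_audit_immutable()
returns trigger language plpgsql as $$
begin
  raise exception 'acceptance_audit is append-only: % rejected', tg_op;
end $$;
create trigger acceptance_audit_no_change
  before update or delete on public.acceptance_audit
  for each row execute function public.acceptance_audit_immutable();
create trigger acceptance_audit_no_truncate
  before truncate on public.acceptance_audit
  for each statement execute function public.acceptance_audit_immutable();
-- Tamper check: recompute every hash from its predecessor. An edited row shows
-- hash_ok = false; a removed or reordered row breaks link_ok on its successor.
select seq,
  row_hash = encode(sha256(convert_to(coalesce(lag(row_hash) over w, '') || '|'
    || actor_email || '|' || document_id || '|'
    || extract(epoch from accepted_at)::text, 'UTF8')), 'hex') as hash_ok,
  prev_hash = coalesce(lag(row_hash) over w, '') as link_ok
from public.acceptance_audit
window w as (order by seq)
order by seq;
```

Hash chaining in the database makes in-place edits detectable but does not by itself stop someone with owner rights from rewriting the whole chain; periodically anchoring the latest row_hash outside the database closes that gap.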

Architecture

Architecture Overview

Layer | Detail
Application | Next.js (App Router) / React, server-rendered; hosted on Vercel (EU / edge).
Database | Managed PostgreSQL via Supabase, EU region; row-level security enforces tenant isolation.
Authentication | Supabase Auth; JWT session; access scoped by verified email.
AI reasoning | OpenAI API for AI-assisted reasoning under contractual terms + Standard Contractual Clauses (US transfer); customer data is not used to train provider foundation models.
Transactional email | Resend for activation and lifecycle email (EU/US).
Data flow | Customer uploads operational/compliance data → processed in the EU workspace → AI/deterministic analysis → audit-ready reporting. No third-party data sharing beyond the named sub-processors.
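The tenant-isolation claim above (row-level security keyed to the verified owner email, with access scoped by the JWT) is easiest to evaluate against a concrete policy. The following is an added Supabase/PostgreSQL example, not ReguShield's schema; the table, column and policy names are assumptions, while auth.jwt(), pg_class and pg_policies are real PostgreSQL/Supabase objects.

```sql
-- Added illustration (not ReguShield's schema): one workspace per owner email.
create table public.workspace_records (
  id          bigint generated always as identity primary key,
  owner_email text        not null,   -- the workspace key: one email = one workspace
  payload     jsonb       not null,
  created_at  timestamptz not null default now()
);

-- ENABLE turns RLS on; FORCE also subjects the table owner to the policies,
-- so a misconfigured owner role cannot silently bypass isolation.
alter table public.workspace_records enable row level security;
alter table public.workspace_records force row level security;

-- auth.jwt() is Supabase's helper exposing the caller's JWT claims. The 'email'
-- claim is set by Supabase Auth for the signed-in user; this example assumes the
-- project requires email confirmation before sign-in, so the claim is a verified one.
-- USING filters reads; WITH CHECK stops a caller writing rows under another email.
create policy workspace_owner_isolation
  on public.workspace_records
  for all
  to authenticated
  using      (owner_email = (auth.jwt() ->> 'email'))
  with check (owner_email = (auth.jwt() ->> 'email'));

-- No policy is granted to the anon role. RLS default-denies when no policy
-- matches, so unauthenticated callers see zero rows.

-- Reviewer check 1: both flags must be true for the table.
select relrowsecurity, relforcerowsecurity
from pg_class
where oid = 'public.workspace_records'::regclass;

-- Reviewer check 2: list the policies actually attached, with their expressions.
select policyname, roles, cmd, qual, with_check
from pg_policies
where schemaname = 'public' and tablename = 'workspace_records';
```

The two reviewer queries are what a diligence reviewer can ask for as evidence: a table with RLS enabled but no FORCE, or a policy that has USING without WITH CHECK, is the usual way isolation quietly fails.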

Vendors

Sub-processor Registry

GDPR Article 28(2) named sub-processors.

Sub-processor | Purpose | Location | Category
Supabase | Managed PostgreSQL database & authentication | EU | Infrastructure
Vercel | Application hosting & edge delivery | EU / Global edge | Infrastructure
Resend | Transactional email delivery | EU / US | Communications
OpenAI | AI reasoning for compliance decision-support | US | AI processing

Data

Retention Matrix

Data Category | Retention | Basis
Customer workspace data | 365 days (default, configurable per tenant) | Contract / legitimate interest
Security & compliance audit logs | ~7 years | Legal obligation / accountability
Governance acceptance audit | Permanent (legal record — never auto-deleted) | Evidence of agreement acceptance
Pilot evaluation data | 90 days | Pilot agreement
Account & identity data | Duration of the contract + statutory minimums | Contract / legal obligation
Backups | Per managed-infrastructure backup policy | Resilience

Model

Shared Responsibility Matrix

Area | ReguShield | Customer
Platform security (infra, encryption, isolation) | Owns |
Availability of the managed service | Owns |
Backups & infrastructure resilience | Owns | Verify exports for critical records
Lawful basis for uploaded personal data | Processor (acts on instructions) | Controller — owns lawful basis
Accuracy of uploaded data | | Owns
User & role administration within the workspace | Provides controls | Owns day-to-day administration
Human oversight of AI-assisted outputs | Builds oversight controls | Owns the final regulated decision
Regulatory filings (STR, CDD, supervisory submissions) | | Owns
Incident notification to data subjects / authorities | Notifies Customer without undue delay | Owns controller notification duties

Diligence

Security Questionnaire

Pre-answered SIG / CAIQ-style questionnaire — honest, including what is not yet certified.

Data Protection

Where is customer data stored?

In the European Union (managed PostgreSQL via Supabase, EU region).

Is data encrypted in transit and at rest?

Yes — TLS 1.3 in transit, AES-256 at rest.

Is there a Data Processing Agreement?

Yes — a GDPR Article 28 DPA is available (see Legal Agreements).

Access Control

How is tenant data isolated?

PostgreSQL row-level security keyed to the verified workspace-owner email; one email = one isolated workspace.

Is role-based access control supported?

Yes — five workspace roles with a documented permission matrix.

How are administrative secrets handled?

Server-side only; never exposed to the client bundle.

Infrastructure

Who are your sub-processors?

Supabase, Vercel, Resend, OpenAI — see the Sub-processor Registry.

Do you transfer data outside the EEA?

Workspace data is hosted in the EU. Where a sub-processor (e.g. OpenAI) processes data in the US, transfers are made under EU Standard Contractual Clauses with supplementary measures.

Incident Response

Do you have an incident response process?

Yes — detection, triage, customer notification without undue delay, and coordinated disclosure (see Incident Response Summary).

How are vulnerabilities reported?

Coordinated disclosure to security@regushield.ai; acknowledgement target 72 hours.

Resilience

Are backups performed?

Yes — managed database backups via the infrastructure provider. A formal BCP/DR with tested RTO/RPO is Planned.

AI Governance

Is the AI making autonomous regulated decisions?

No. The platform is decision-support; a qualified person makes the final decision, with mandated human oversight (EU AI Act Art. 14).

Is customer data used to train your AI models?

No. Customer data is processed to generate the customer's own analysis; it is not used to train provider foundation models.

Certifications

Are you ISO 27001 / ISO 27701 / SOC 2 certified?

No — these are Roadmap items and are not yet certified. We disclose this transparently; an ISMS programme and an independent penetration test are in progress/planned.

Which regulations does the platform support?

AMLA 2027, AMLR, MiCA, DORA, EU AI Act, Travel Rule and GDPR (as decision-support; not a regulatory determination).

Resilience

Incident Response Summary

  • Detection: Monitoring of platform and infrastructure signals; reports via the security contact.
  • Triage: Severity assessment and scoping by the security contact on a coordinated-disclosure basis.
  • Customer notification: Affected customers are notified without undue delay after we become aware of a personal-data breach affecting their data, with the information reasonably available to support their own notification duties.
  • Authority context: As processor, ReguShield assists the Customer (controller), who owns the GDPR 72-hour authority-notification obligation.
  • Disclosure: Coordinated disclosure via security@regushield.ai; acknowledgement target 72 hours.

Resilience

Business Continuity / Resilience

Backups

Implemented

Managed database backups via the infrastructure provider (Supabase).

Recovery

Planned

A formal business-continuity and disaster-recovery plan with tested recovery objectives (RTO/RPO) is being documented.

Redundancy

Implemented

Managed cloud infrastructure with provider-level redundancy.

Responsible AI

AI Governance Statement

Decision-support, not autonomous regulated decisioning. EU AI Act-aligned.

  • Nature: Decision-support — informs but does not replace qualified compliance judgement.
  • Human oversight: Mandated human oversight; outputs are reviewed before any regulated action (EU AI Act Art. 14).
  • Explainability: Deterministic rule logic with regulatory citations and confidence indicators.
  • Classification: Formal EU AI Act classification and, where applicable, a Fundamental Rights Impact Assessment are being prepared (Planned).
  • Data use: Customer data is not used to train provider foundation models.

Full AI Governance Policy →

Assurance

Trust Roadmap

What is live today and what is planned — including certifications NOT yet held.

EU data residency & tenant isolation (RLS) · Live · Implemented
GDPR DPA, sub-processor register, data-subject rights · Live · Implemented
Immutable acceptance audit & policy versioning · Live · Implemented
External penetration test · Q3 2026 · Planned
DORA ICT risk mapping · 2026 · Planned
EU AI Act classification / FRIA scaffolding · 2026 · Planned
ISO/IEC 27001 (ISMS) certification · Not yet certified · Roadmap
ISO/IEC 27701 (privacy) certification · Not yet certified · Roadmap
SOC 2 (Type I → II) · Not yet certified · Roadmap
Qualified e-signature (eIDAS 2) on agreements · Future · Roadmap

Assurance

Audit Calendar

Activity | Type | Status | Window
External penetration test | Security assessment | Planned | Q3 2026
ISMS gap assessment (ISO 27001) | Assurance | Roadmap | TBC
Sub-processor due-diligence review | Vendor risk | Planned | Annual
Policy & DPA review | Legal/governance | Planned | Annual / on change
Access & RLS control review | Security | Planned | Periodic

Vendor Risk

Vendor Risk Register

Procurement-relevant risks with mitigations — transparently disclosed.

Risk | Impact | Mitigation | Status
No third-party security certification yet (ISO 27001 / SOC 2) | Medium (procurement gating) | Transparent disclosure; ISMS programme + external pentest planned; DPA + technical measures available now. | Open
AI sub-processor processes data in the US (OpenAI) | Medium | EU Standard Contractual Clauses + supplementary measures; no model training on customer data; EU-inference option under evaluation. | Mitigated
Sub-processor concentration (managed cloud) | Medium | Named register, due-diligence review, exit-readiness documentation (DORA-aligned, planned). | Monitored
Formal BCP/DR not yet documented with tested RTO/RPO | Medium | Managed backups in place today; formal BCP/DR planned. | Open
Legal documents pending qualified-counsel sign-off | Low/Medium | Framework content published transparently; counsel review before external binding. | Open

ReguShield UAB · Republic of Lithuania (EU member state). ReguShield AI provides compliance decision-support intelligence — not legal advice or a regulatory determination. Maturity labels: Implemented (live) · Planned (in progress) · Roadmap (intended, not yet in place).