Security and Trust
Last reviewed 11 July 2026
RegisAI applies practical controls for an MVP that handles compliance-workflow data. This page distinguishes controls that exist today from assurance work that has not yet been completed.
Current architecture
Application delivery
Identity and data
AI processing
Payments and email
Account and data isolation
- ✓Authenticated dashboard routes perform server-side session checks.
- ✓Database row-level security scopes customer records to the authenticated user.
- ✓Document storage uses per-user paths and access policies.
- ✓Server-only credentials are kept out of browser bundles and public responses.
- ✓Deleting a document removes the stored file and database record; associated audit data is removed through database relationships.
The current MVP is designed around individual accounts. It does not yet claim a completed organisation-wide role and permission model.
Encryption and transport
Public and authenticated traffic is served over HTTPS using provider-managed transport security. Supabase and other infrastructure providers manage encryption for stored database and file data. Authentication sessions use secure, server-managed cookies.
Cryptographic protocols and ciphers can change as hosting providers update their managed platforms. RegisAI therefore does not promise a fixed protocol or algorithm beyond encrypted transport and provider-managed encryption at rest.
AI and sensitive content
- ✓AI requests originate on the server, not directly from the browser.
- ✓Remediation drafting uses the relevant finding context rather than the entire source document.
- ✓Anthropic's commercial API terms state that API inputs and outputs are not used to train its models by default.
- ✓Users should remove unnecessary personal, privileged, medical, financial, or client-confidential information before submission.
- ✓AI outputs may be wrong or incomplete and require qualified human review.
Operational safeguards
- ✓Input size limits, file-type checks, and server-side validation reduce misuse and unintended data exposure.
- ✓Security headers are applied by the application and hosting platform.
- ✓Usage limits and rate controls protect selected AI and application routes.
- ✓Operational logs and provider dashboards support fault and security investigation.
- ✓Dependencies and hosting services are updated as part of ongoing MVP maintenance.
Assurance boundaries
No online system can guarantee absolute security. Organisations remain responsible for deciding whether the MVP is suitable for their data, applying their own retention and access policies, and obtaining any required approvals before use.
Incident and vulnerability reporting
If we confirm an incident affecting personal data, we will investigate, contain it, meet applicable notification duties, and tell affected users when required. Timing depends on the facts and legal obligations; we do not publish an unsupported fixed remediation SLA.
Please report a suspected vulnerability privately and include enough detail for us to reproduce it. Do not access data that is not yours, disrupt the service, or publicly disclose an unresolved issue.
Security contact
Email: security@regisai.dev