MVP security posture

Security and Trust

Last reviewed 11 July 2026

RegisAI applies practical controls for an MVP that handles compliance-workflow data. This page distinguishes controls that exist today from assurance work that has not yet been completed.

Current architecture

Application delivery

Vercel hosts and delivers the application. Cloudflare is the authoritative DNS provider and is currently configured as DNS-only, so RegisAI application requests go directly to Vercel.

Identity and data

Supabase provides authentication, a PostgreSQL database, and document storage. Primary project data is hosted in AWS Europe (Ireland).

AI processing

Anthropic processes bounded text and finding context only when an analysis or drafting action is requested. Provider credentials remain server-side.

Payments and email

Stripe handles payment-card processing. Resend delivers transactional email. Neither provider receives uploaded compliance documents as part of its normal role.

Account and data isolation

  • Authenticated dashboard routes perform server-side session checks.
  • Database row-level security scopes customer records to the authenticated user.
  • Document storage uses per-user paths and access policies.
  • Server-only credentials are kept out of browser bundles and public responses.
  • Deleting a document removes the stored file and database record; associated audit data is removed through database relationships.

The current MVP is designed around individual accounts. It does not yet claim a completed organisation-wide role and permission model.

Encryption and transport

Public and authenticated traffic is served over HTTPS using provider-managed transport security. Supabase and other infrastructure providers manage encryption for stored database and file data. Authentication sessions use secure, server-managed cookies.

Cryptographic protocols and ciphers can change as hosting providers update their managed platforms. RegisAI therefore does not promise a fixed protocol or algorithm beyond encrypted transport and provider-managed encryption at rest.

AI and sensitive content

i
For PDF analysis, the raw file remains in RegisAI storage. The server extracts text and sends no more than 12,000 characters to the configured AI provider for the requested analysis.
  • AI requests originate on the server, not directly from the browser.
  • Remediation drafting uses the relevant finding context rather than the entire source document.
  • Anthropic's commercial API terms state that API inputs and outputs are not used to train its models by default.
  • Users should remove unnecessary personal, privileged, medical, financial, or client-confidential information before submission.
  • AI outputs may be wrong or incomplete and require qualified human review.

Operational safeguards

  • Input size limits, file-type checks, and server-side validation reduce misuse and unintended data exposure.
  • Security headers are applied by the application and hosting platform.
  • Usage limits and rate controls protect selected AI and application routes.
  • Operational logs and provider dashboards support fault and security investigation.
  • Dependencies and hosting services are updated as part of ongoing MVP maintenance.

Assurance boundaries

!
RegisAI has not represented the MVP as SOC 2, ISO 27001, Cyber Essentials, or penetration-test certified. Provider certifications do not automatically certify RegisAI itself.

No online system can guarantee absolute security. Organisations remain responsible for deciding whether the MVP is suitable for their data, applying their own retention and access policies, and obtaining any required approvals before use.

Incident and vulnerability reporting

If we confirm an incident affecting personal data, we will investigate, contain it, meet applicable notification duties, and tell affected users when required. Timing depends on the facts and legal obligations; we do not publish an unsupported fixed remediation SLA.

Please report a suspected vulnerability privately and include enough detail for us to reproduce it. Do not access data that is not yours, disrupt the service, or publicly disclose an unresolved issue.

Security contact

Email: security@regisai.dev