RegsApplied

Security & data protection

How we keep your regulatory work safe.

A readable summary of our security posture. Most of this is already table stakes for EU B2B — we write it down so you can paste it into a DPA review without having to ask us twice.

Data residency

All customer data — company profiles, product profiles, classification briefs, audit trails, and uploaded regulation text — lives in Supabase's EU-Frankfurt region. Postgres is encrypted at rest (AES-256) and in transit (TLS 1.3). We do not replicate data outside the EU.

Authentication

Supabase Auth with email+password, Google OAuth, and TOTP MFA. Sessions are short-lived JWTs verified server-side via JWKS. Session state is not persisted on our API servers — a removed team member loses access immediately, not at natural token expiry.

Membership enforcement

Multi-tenancy is enforced server-side via a central Express middleware that validates company membership against the company_members table on every request. We deliberately do not rely on Supabase RLS alone because Drizzle's server-side queries bypass RLS — belt-and-suspenders by design.
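An added sketch of that middleware, not RegsApplied's own implementation: a valid JWT only establishes who the caller is; the middleware then looks up (company, user) in the membership table on every request and fails closed on any error. The in-memory `companyMembers` set is a constructed stand-in for the company_members table (a Drizzle query in production), and the request and response doubles exist only so the middleware can be exercised without Express.

```javascript
// Added example (not RegsApplied's code): an Express-style middleware that re-checks
// company membership on every request. The lookup below is a constructed in-memory
// stand-in for a query against the company_members table.
const companyMembers = new Set(['acme:user-1', 'acme:user-2', 'globex:user-3']);

async function isMemberInMemory(companyId, userId) {
  return companyMembers.has(`${companyId}:${userId}`);
}

// lookup(companyId, userId) -> Promise<boolean>; in production a Drizzle query.
function requireCompanyMember(lookup) {
  return async function membership(req, res, next) {
    const userId = req.auth && req.auth.sub;             // set by the JWT-verifying middleware upstream
    const companyId = req.params && req.params.companyId;
    if (!userId) return res.status(401).json({ error: 'unauthenticated' });
    if (!companyId) return res.status(400).json({ error: 'company id required' });
    let member;
    try {
      member = await lookup(companyId, userId);
    } catch (err) {
      // Fail closed: a database error must never turn into access.
      return res.status(500).json({ error: 'membership check unavailable' });
    }
    if (!member) return res.status(403).json({ error: 'not a member of this company' });
    req.companyId = companyId;                           // downstream handlers scope every query by this
    return next();
  };
}

// Minimal request/response doubles so the middleware can be exercised without Express.
async function dispatch(req, lookup = isMemberInMemory) {
  const res = {
    statusCode: null,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let reachedHandler = false;
  await requireCompanyMember(lookup)(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler, companyId: req.companyId };
}
```

Because the check runs per request rather than once at login, deleting a row from the membership table revokes access on the very next call, which is what makes the "removed team member loses access immediately" claim hold even though the JWT itself is still within its lifetime.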

AI disclosure (EU AI Act Article 50)

Every classification brief is labelled AI-DRAFTED — REVIEW REQUIRED in the UI, and the full Article 50 disclosure sentence is burned into every PDF footer plus XMP metadata. The Reginald Q&A assistant announces its AI nature at first use and at the system-chrome level on every subsequent interaction.

Payments

Card data never touches our servers. All payments route through Stripe Checkout and the Stripe Customer Portal. Webhook events are verified via HMAC-SHA256, deduplicated by event ID, and idempotent on retry.

Observability

Server and client errors flow to Sentry with strict PII redaction — auth headers, cookies, password fields, and user emails are scrubbed before events leave the process. We do not enable Sentry Performance (no traces).
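An added example of the redaction step, not RegsApplied's actual Sentry configuration: a `beforeSend`-shaped hook that removes auth headers and cookies, blanks password-like keys at any nesting depth, masks email-shaped strings and drops the user email while keeping the stable user id. The event shape follows Sentry's `request` / `user` / `extra` envelope; the sample event in the test is constructed.

```javascript
// Added example (not RegsApplied's code): a Sentry beforeSend-style hook that strips
// auth headers, cookies, password-like fields and user emails before an event leaves
// the process. The event shape follows Sentry's request/user envelope; the sample event
// used to exercise it is constructed.
const REDACTED = '[Filtered]';
const SENSITIVE_HEADERS = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'set-cookie', 'x-api-key',
]);
const SENSITIVE_KEY = /^(password|passwd|password_confirmation|secret|token|access_token|refresh_token|authorization)$/i;
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Recursively redact sensitive keys and email-shaped strings; returns a new value.
function scrubValue(value, depth = 0) {
  if (depth > 20) return REDACTED; // guard against pathological nesting
  if (typeof value === 'string') return value.replace(EMAIL, REDACTED);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEY.test(k) ? REDACTED : scrubValue(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Header names are matched case-insensitively; everything else passes through.
function scrubHeaders(headers) {
  const out = {};
  for (const [name, v] of Object.entries(headers || {})) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? REDACTED : v;
  }
  return out;
}

// The hook itself: returns a scrubbed copy; the caller's event object is left untouched.
function beforeSend(event) {
  const e = JSON.parse(JSON.stringify(event)); // deep copy; Sentry events are plain JSON
  if (e.request) {
    e.request.headers = scrubHeaders(e.request.headers);
    delete e.request.cookies;
    if (e.request.data !== undefined) e.request.data = scrubValue(e.request.data);
    if (typeof e.request.url === 'string') e.request.url = e.request.url.replace(EMAIL, REDACTED);
  }
  if (e.user) {
    delete e.user.email; // keep the stable id, drop the direct identifier
  }
  if (e.extra !== undefined) e.extra = scrubValue(e.extra);
  return e;
}
```

The hook is key-based for headers and fields (an allow-through default with a deny list) and pattern-based for emails, which is the usual compromise: a deny list misses a field named, say, `pwd`, so the sensitive-key pattern deserves review whenever a new form or API field is introduced.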

Data portability (EU Data Act Articles 23-31)

You can export every brief, every override, every citation as JSON and PDF at any time — no fees, no delay, no "sales team" gatekeeping. Cancellation triggers an immediate export + 30-day grace window + full deletion afterwards (GDPR Article 17 compliant).

Subprocessors

We use Supabase (database + auth, Frankfurt), Railway (API hosting, EU region), Vercel (frontend + marketing site, global CDN), Stripe (payments), Resend (transactional email, EU region), Anthropic (LLM inference, EU endpoints where available), and Sentry (error tracking). We hold current DPAs with all of the above.

Incident response

Material security incidents are disclosed to affected customers within 72 hours, consistent with GDPR Article 33. Contact security@regsapplied.com for responsible disclosure. We do not currently run a paid bug bounty; fixes are in scope of our standard engineering roadmap.

Compliance roadmap

SOC 2 Type 1 audit is planned for Year 2. Business-tier SSO, DPA, dedicated CSM, and formal SLA unlock on Type 1 completion. ISO 27001 is on the longer roadmap.

Questions?

Security due-diligence reviews welcome — send a DPA, SIG-Lite, or custom questionnaire and we usually turn it around inside 3 business days.

security@regsapplied.com

Last updated: 17 April 2026. See also: /pricing.