Security & Trust

Built to the standard your auditors expect.

REGARA handles regulatory submissions, IP, and PHI. We've designed the platform — and the company — around the assumption that an inspector will eventually want to see how it works.

Audited & certified
ISO 27001 · Certified
SOC 2 · Type II
HIPAA · BAA-ready
Data protection

Your submissions are yours. Always.

We don't train shared models on customer data. We don't sell aggregated insights. We don't ship a product whose business model depends on either.

  • 01
    No training on customer data.

    Customer submissions, claims, and correspondence are isolated per tenant and never used to train shared foundation models. Customer-specific fine-tuning is opt-in and scoped to that customer's models only.

  • 02
    Encryption everywhere.

    TLS 1.3 in transit. AES-256 at rest. Customer-managed encryption keys (CMEK) available on enterprise plans — bring your own KMS root in AWS, Azure, or GCP.

  • 03
    Single-tenant deployment.

    For sensitive programs, REGARA deploys as a fully isolated single-tenant stack in the region of your choice. Available on enterprise plans.

  • 04
    PHI-safe by default.

    HIPAA-compliant infrastructure with a BAA available on all paid plans. Automatic PHI detection and redaction at ingest, with detection results available in the audit log.

Compliance program

A program, not a one-time audit.

ISO 27001 · ISO 27701
Information security & privacy

ISO 27001 (ISMS) and ISO 27701 (PIMS) certified. Statement of Applicability available under NDA.

Request SoA
SOC 2 Type II
Continuous monitoring

Type II report covering Security, Availability, and Confidentiality. Refreshed annually with continuous control monitoring between audits.

Request report
HIPAA · BAA
PHI-handling commitments

Business Associate Agreement available on Pro and Enterprise plans. Architecture review with your privacy team on request.

Request BAA
Penetration testing
Annual third-party tests

Annual penetration test by a CREST-certified vendor. Executive summary shareable under NDA; remediation closes within published SLAs.

Request summary
Model governance

An AI you can defend in front of an auditor.

REGARA's outputs are designed to be inspectable. Every generation is reproducible from its inputs and the model state at the time it was produced.

  • Versioned model state.

    Every model — base, fine-tuned, and retrieval index — is pinned to a version. Re-running a generation from six months ago produces an output identical to the original.

  • Citation provenance.

    Every cited document is hash-anchored. If a guidance document is updated, prior citations resolve to the version that was current at generation time.

  • Hallucination controls.

    Retrieval-grounded generation with claim-level verification. Outputs that can't be anchored to a source are flagged, not surfaced.

  • Human-in-the-loop required.

    REGARA does not submit to agencies. Every output passes through a reviewer with approval logged in the audit trail.

Trust center

Documents you can share with your security team.

Audit
SOC 2 Type II report (2026)

Annual independent attestation. Available under NDA.

PDF · NDA required
Policy
Information Security Policy

High-level summary of REGARA's information security program.

PDF · Public
Policy
Subprocessors list

Current list of subprocessors, with location and purpose.

Web · Public
Architecture
Security & architecture whitepaper

Detailed architecture, data flows, and control mappings.

PDF · NDA required
Status
Status page

Live availability, incidents, and maintenance windows.

Web · Public
Security questionnaire?

Send it. We answer within 48 hours.

CAIQ, SIG, custom — our security team handles the response. Walkthrough with your team on request.