24 frameworks · 16 platform capabilities · honest status on each

What you get, what it solves, what the ROI is.

Every capability below carries an honest status badge — live means wired end-to-end in production; the others tell you exactly where they sit. No catalogue gymnastics, no “coming Q4” surprises after you sign.

Live · 11

Wired end-to-end, in production, observable.

Beta · 1

Wired and deployed. Limited observability or scale.

Coming soon · 2

Built, not yet deployed to production.

Request access · 2

Catalogued and scoped. Production code not started.

Compliance engine

1 capability · 1 live

Backed by: packages/frameworks · /v1/frameworks

Framework rule packs

Live
What you get
24 framework rule packs ship populated — SOC 2, ISO 27001, PCI DSS, GDPR, HIPAA, EU AI Act, FedRAMP and more — no empty schemas to fill in.
Problem solved
Buying a compliance tool and finding the rule library empty. Six weeks lost to copy-pasting control text from PDFs before the platform produces anything useful.
ROI
6 weeks saved on first-control-to-evidence onboarding.
Assumes: compared to building one control library per framework in-house.
Use it

Evidence

3 capabilities · 3 live

Backed by: packages/engines/evidence-ranker · /v1/evidence/rank

Evidence ranker

Live
What you get
Ranks every artefact you upload against the control it best satisfies — across 24 frameworks at once.
Problem solved
GRC manager spends 8h/week mapping evidence to controls by hand. Most artefacts satisfy 4–7 controls; manual mapping captures one.
ROI (interactive)
8h/wk of compliance-manager time reclaimed
Assumes: team of 50, 3 frameworks in scope, monthly evidence refresh.
Use it
Backed by: packages/engines/pack-sealer · /v1/evidence/pack

Sealed evidence packs

Live
What you get
Content-addressed (SHA-256) evidence bundle the auditor pulls via URL. The pack ID is the hash of the bundle's contents, so the auditor can recompute it on what they downloaded, and every pack is replayable byte-for-byte from any timestamp.
Problem solved
Auditor email chain: 'send me the December evidence again, this time with the policy header'. Three round-trips per request.
ROI (interactive)
$120k audit-prep cost avoided
Assumes: 3 framework audit, $250/h loaded GRC rate, baseline ~480h of prep.
Use it
Backed by: services/api/audit-trail · D1 audit_events table

WORM hash-chained audit trail

Live
What you get
Every action against your tenant is logged to write-once storage with a per-row hash chain: each row commits to the hash of the row before it, so editing or deleting one row breaks verification of every later row.
Problem solved
Regulator asks 'who approved that change on March 4?' and the answer is a Slack search and a memory.
ROI
Zero regulator findings on access-control evidence.
Assumes: banking-grade auditor sample (typically 25 events) verified against hash chain.
Use it
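Both the sealed-pack and audit-trail cards above rest on the same two SHA-256 techniques: content addressing (the pack ID is the hash of a manifest of artefact hashes) and a per-row hash chain (each audit row commits to its predecessor). The block below is an added illustration of both, written for this page; it is not ReguNav's code, and the field names, the genesis constant and the sample artefacts and events are constructed for the example.

```python
"""Added example: content-addressed evidence pack + hash-chained audit trail,
with tamper detection. Illustrative only; not the product's implementation."""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first row (assumed convention)


def canonical(obj) -> bytes:
    """Deterministic JSON, so an identical record always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_pack(artefacts: dict) -> tuple:
    """Content-address a bundle: hash every artefact, then hash the manifest.
    Changing any byte of any artefact, or any filename, changes the pack ID."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in artefacts.items()}
    return hashlib.sha256(canonical(manifest)).hexdigest(), manifest


def verify_pack(pack_id: str, artefacts: dict) -> bool:
    """What an auditor does after pulling the bundle: recompute and compare."""
    return seal_pack(artefacts)[0] == pack_id


def row_hash(prev_hash: str, event: dict) -> str:
    """A row commits to its predecessor's hash and its own canonical payload."""
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical(event)).hexdigest()


def append_event(chain: list, event: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    row = {"seq": len(chain), "prev_hash": prev, "event": event, "hash": row_hash(prev, event)}
    chain.append(row)
    return row


def verify_chain(chain: list) -> Optional[int]:
    """Return None if the whole chain verifies, else the seq of the first bad row."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["seq"] != i or row["prev_hash"] != prev or row_hash(prev, row["event"]) != row["hash"]:
            return i
        prev = row["hash"]
    return None


# Constructed sample data; not real tenant records.
SAMPLE_ARTEFACTS = {
    "policy.md": b"# Access control policy v3\nMFA required for all admin roles.\n",
    "iam-report.json": b'{"users":42,"mfa_enforced":true}',
}
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:12:00Z", "actor": "alice", "action": "approve", "target": "change-1187"},
    {"ts": "2025-03-04T09:15:30Z", "actor": "bob", "action": "merge", "target": "change-1187"},
    {"ts": "2025-03-05T11:02:10Z", "actor": "alice", "action": "upload", "target": "policy.md"},
]


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, dict(ev))  # copy, so tampering below cannot touch the sample
    return chain


def tamper_demo() -> tuple:
    """Two attacks on row 1: edit its payload; edit it and recompute that row's
    own hash. The first fails at row 1; the second fails at row 2, whose
    prev_hash still points at the original row-1 hash."""
    chain = build_sample_chain()
    chain[1]["event"]["actor"] = "mallory"
    edited = verify_chain(chain)
    chain[1]["hash"] = row_hash(chain[1]["prev_hash"], chain[1]["event"])
    rehashed = verify_chain(chain)
    return edited, rehashed


if __name__ == "__main__":
    pack_id, _ = seal_pack(SAMPLE_ARTEFACTS)
    print("pack", pack_id[:16], "verifies:", verify_pack(pack_id, SAMPLE_ARTEFACTS))
    print("tamper demo (first bad seq after edit, after edit+rehash):", tamper_demo())
```

Two caveats the code makes visible. Editing, re-hashing or deleting a row in the middle is caught, but a chain alone cannot detect truncation (dropping the newest rows) or a wholesale rewrite by whoever controls the store; that is why the card pairs the chain with WORM storage, and why an auditor's sample is checked against a chain head they already trust. And the pack ID only proves the bundle is what was sealed; who sealed it, and when, still needs a signature or the audit trail.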

Reporting

1 capability · 1 live

Backed by: services/api/reporting · /v1/reporting/generate

Regulator + auditor report packs

Live
What you get
Seven stakeholder-shaped report packs (board, regulator, auditor, customer DPA, internal audit, …) generated from your live D1 records.
Problem solved
Four days re-formatting the same data for the board pack, the regulator submission, and the customer security questionnaire.
ROI (interactive)
$96k of GRC time saved annually on report assembly
Assumes: 48 stakeholder-days/yr of report formatting at $250/h.
Use it

Code governance

3 capabilities · 3 live

Backed by: services/github-app · github-app.regunav.com

Code Constitution™ GitHub App

Live
What you get
Compliance checks run inline on every PR (≤90s). Findings appear as line+column annotations in the review UI.
Problem solved
Compliance review happens quarterly. By the time the auditor flags a missing model card, it has been in production for 60 days.
ROI (interactive)
$110k of audit-prep + remediation time saved annually
Assumes: ~20 engineers × 220 working days × 5% PR finding rate × 2h post-hoc cost at $250/h.
Use it
Backed by: services/github-app/lib/verification · check-run API

Inline PR verdicts

Live
What you get
Pass / fail verdict posted as a GitHub check-run with structured findings the developer can click through to.
Problem solved
Developer ships, ops team scans the PR three weeks later, files a ticket nobody reads, audit cycle repeats.
ROI
Every finding the rule packs detect is surfaced before merge, not after.
Assumes: check-run configured as a required status check; branch protection enforced on the default branch so a failing check blocks merge.
Use it
Backed by: services/github-app/handlers/constitution

Bring-your-own constitution.yaml

Live
What you get
Layer your house rules on top of the framework floor — naming conventions, banned dependencies, ABAC policy gates.
Problem solved
Compliance team writes a 40-page coding standards doc. Nobody reads it. Drift is invisible until audit.
ROI
Day 1 of new joiner — same enforcement as a senior engineer.
Assumes: constitution.yaml committed to repo root; CC runs as required check.
Use it

EU AI Act

2 capabilities · 1 live

Backed by: packages/frameworks/EU_AI_ACT · /v1/frameworks/EU_AI_ACT

EU AI Act conformity engine

Live
What you get
EU AI Act Annex IV technical documentation generated from your model registry + evidence. Article 13 transparency, Article 9 risk management, Article 27 FRIA — all crosswalked.
Problem solved
August 2026 deadline. Legal counsel says you need an Annex IV file per high-risk system. Nobody knows what one looks like.
ROI (interactive)
$3.5M of EU AI Act fine exposure addressed
Assumes: 7% of $50M annual revenue, the top Art. 99 tier. Note that the 7% / €35M tier (Art. 99(3)) applies to prohibited practices; obligations on high-risk systems sit in the 3% / €15M tier (Art. 99(4)), and the percentage replaces the fixed amount only for SMEs and start-ups (Art. 99(6)). Substitute your own tier and turnover.
Use it
Backed by: services/github-app/handlers/hf-models (deployed, no SLO yet)

HuggingFace model-card evaluator

Beta
What you get
Every HuggingFace README push runs through the EU AI Act Art. 13 transparency checklist + NIST AI RMF.
Problem solved
Model card says 'TBD' on intended use, training data sources, and known limitations. Auditor finds it three months later.
ROI
Pre-merge vs 3 months post-deployment surfacing.
Assumes: HuggingFace integration enabled on the org; CC required-check on README path.
Join beta

Integrations

5 capabilities · 1 live

Backed by: services/github-app · cc_installations table

GitHub integration

Live
What you get
Install the Code Constitution GitHub App on your org. Inline PR checks, installation-token JIT minting, no long-lived secrets.
Problem solved
Existing tools want a personal access token with org-wide admin. Security says no.
ROI
Zero long-lived secrets stored on our side; the App private key stays in your vault (BYOC pattern).
Assumes: GitHub App installation tokens minted JIT from a short-lived App JWT; each token expires after 1h and is cached ≤50min, in memory only, never persisted.
Use it
Backed by: packages/engines/integration catalogue · OAuth flow not deployed

Slack integration

Coming soon
What you get
Compliance alerts, audit events, and report-generated notifications routed to a configurable Slack channel.
Problem solved
Audit findings sit in a dashboard nobody opens. Critical drift goes unnoticed.
ROI
<5min mean time to alert vs ad-hoc email digest.
Assumes: Slack workspace configured; alert routing enabled on the obligations workflow.
Notify me
Backed by: packages/engines/integration catalogue · OAuth flow not deployed

Jira integration

Coming soon
What you get
Open obligations and remediation tasks sync as Jira issues. Status reflects back to your compliance dashboard.
Problem solved
Compliance tracker lives in one tool, engineering work in another. Nobody knows the real backlog.
ROI
1 list of open work, vs two diverging trackers.
Assumes: Jira project key configured; bidirectional sync on ticket transitions.
Notify me
Backed by: packages/engines/integration catalogue · catalogued, not built

AWS cloud-evidence sync

Request access
What you get
AWS Config + CloudTrail + Security Hub findings pulled into the evidence pack daily. No agent.
Problem solved
Auditor asks 'show me your S3 bucket policies as of Jan 1'. Three hours in CloudTrail later, partial answer.
ROI
Daily snapshot vs ad-hoc CloudTrail queries.
Assumes: cross-account AssumeRole into your account with an external ID on the trust policy; read-only permissions for Config, CloudTrail and Security Hub.
Request access
Backed by: packages/engines/integration catalogue · catalogued, not built

Microsoft Azure evidence sync

Request access
What you get
Azure Policy + activity-log evidence pulled into your compliance pack daily.
Problem solved
Each cloud has its own evidence model. Auditor expects them normalised.
ROI
1 schema across clouds, vs N per-cloud workflows.
Assumes: Service principal with Reader role; activity-log retention ≥ audit window.
Request access

Partner network

1 capability · 1 live

Backed by: services/api/engagement/directory · /v1/engagement/directory

Specialist + auditor directory

Live
What you get
Search the approved specialist, trainer, and external-auditor directory. Filter by framework + jurisdiction.
Problem solved
Need a SOC 2 Type II auditor in São Paulo who's done a fintech before. Five LinkedIn searches and a referral chain.
ROI
Same day shortlist vs 2-3 week referral chain.
Assumes: directory includes ≥1 vetted specialist per (framework, jurisdiction) you query.
Use it

How to decide if ReguNav fits.

  1. Pick your driver. EU AI Act deadline · SOC 2 Type II · ISO 27001 cert · FedRAMP ATO · GDPR Art. 30 register.
  2. Check the “Live” column. Filter the capabilities you need by status. Anything not marked Live is a roadmap item: we'll quote a date for “Coming soon” and gauge demand for “Request access”.
  3. Run the ROI math. Every card shows the assumption behind the number; substitute your team size and audit cost. If the value doesn't close, the deal shouldn't either.
  4. Ask for a walkthrough. We'll demo against a synthetic tenant with your framework selection. Same engine that runs your production tenancy, no PowerPoint.