Data Processing Agreement (Art. 28 GDPR)

Version 1.0 · Effective: 2026-05-19 · Last updated: 2026-05-19 · Document id: regunav-dpa-v1

This Data Processing Agreement ("DPA") is entered into between Regunav Inc. ("Processor") and the customer identified in the executed Order Form ("Controller"). It governs Regunav's processing of Personal Data on behalf of the Controller in connection with the ReguNav™ Service and forms an integral part of the master agreement (the "Agreement") between the parties.

This DPA is designed to comply with EU GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and substantively similar privacy laws including the California Consumer Privacy Act (CCPA / CPRA), Brazil's LGPD, India's DPDP Act, and the Saudi PDPL.

1. Definitions

Capitalised terms not defined here have the meaning given in the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", and "Personal Data Breach" have the meanings in Art. 4 GDPR.

2. Scope and roles (Art. 28(3))

The Controller appoints Regunav as a Processor to Process Personal Data solely to provide the Service. Where the parties are jointly accountable for any Processing, the parties shall act as independent Controllers and not as Joint Controllers.

2.1 Subject-matter, nature and duration

  • Subject-matter: Provision of the ReguNav™ compliance-management Service.
  • Nature: Storage, organisation, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure or destruction (Art. 4(2) GDPR).
  • Purpose: Operate the Service the Controller has subscribed to; provide support; deliver evidence packs and audit-trail outputs.
  • Duration: For the duration of the Agreement plus the period required for return or deletion of Personal Data under Section 11.
  • Categories of Data Subjects: Controller's employees, contractors, customers, end-users, vendors, auditors, and counterparties whose Personal Data the Controller submits to the Service.
  • Categories of Personal Data: Identifiers (name, business email, employee id), professional information, activity logs, IP addresses, audit-trail events, evidence-pack attachments (which may incidentally contain Personal Data the Controller controls). Regunav does NOT process special-category data under Art. 9 unless the Controller voluntarily uploads it; see Section 4.4.

3. Processing instructions (Art. 28(3)(a))

Regunav shall Process Personal Data only on the Controller's documented instructions, including with regard to transfers to a third country or international organisation. The Agreement, this DPA, the Controller's in-product configuration, and validly issued written instructions constitute the complete instruction set.

Regunav shall promptly inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data-protection provisions, without obligation to actively monitor the Controller's instructions for compliance.

4. Confidentiality (Art. 28(3)(b))

Regunav ensures that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited on a need-to-know basis.

4.1 No use for own purposes

Regunav shall not sell, share for cross-context behavioural advertising, or use Personal Data for its own marketing, profiling, or model-training purposes. Aggregate, non-identifiable telemetry may be used for product improvement.

4.2 No training of foundation models

Customer Personal Data is NEVER used to train Regunav's engines, LLMs referenced by Regunav, or any external third-party model. Regunav's deterministic engines do not require training data.

4.3 Authorised personnel

Regunav maintains a current list of authorised personnel with access to Production Personal Data, including role, scope, and access duration. Access is reviewed quarterly.

4.4 Special-category data

Where the Controller chooses to upload special-category data (Art. 9) or criminal-conviction data (Art. 10), the Controller warrants it has the lawful basis to do so. Regunav applies the same technical and organisational measures regardless of category.

5. Security of Processing (Art. 28(3)(c) + Art. 32)

Regunav implements the technical and organisational measures described in Annex II to ensure a level of security appropriate to the risk. Measures include:

  • Encryption in transit (TLS 1.2+ minimum, TLS 1.3 preferred)
  • Encryption at rest (AES-256-GCM)
  • WORM (write-once-read-many) audit trail with SHA-256 hash-chain — tamper-evident at row level
  • Pseudonymisation where compatible with the Service
  • Least-privilege access controls (RBAC + ABAC) with quarterly access reviews
  • Multi-factor authentication for production access
  • Continuous vulnerability scanning + monthly third-party penetration test on the production surface
  • Documented incident-response procedures with maximum 24-hour breach-notification target (below the 72-hour Art. 33 ceiling)
  • Annual disaster-recovery exercise; nightly D1 backups to a content-addressed object store; per-evidence-pack dual-write replication
  • BYOC vault pattern for Enterprise customers — customer cloud secrets remain in the customer's vault, never at rest in Regunav

6. Sub-processors (Art. 28(2) + Art. 28(4))

The Controller authorises Regunav to engage the Sub-processors listed at trust.regunav.com/sub-processors (incorporated by reference). Regunav imposes on each Sub-processor data-protection obligations no less protective than this DPA.

6.1 Notice of changes

Regunav will notify the Controller of any intended addition or replacement of Sub-processors at least 30 days in advance via the Sub-processor mailing list. The Controller may object on reasonable data-protection grounds within 30 days; if no resolution, the Controller may terminate the affected Service component with pro-rata refund.

7. Data Subject rights (Art. 28(3)(e))

Taking into account the nature of the Processing, Regunav assists the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to requests for the exercise of Data Subject rights laid down in Chapter III of the GDPR (Art. 15-22). Tooling: in-product DSAR workflow + /v1/dsar API.

8. Assistance with Articles 32-36 (Art. 28(3)(f))

Regunav assists the Controller in ensuring compliance with Art. 32 (security), Art. 33-34 (breach notification), Art. 35 (DPIA), and Art. 36 (prior consultation), taking into account the nature of Processing and information available to Regunav.

8.1 Personal Data Breach (Art. 33-34)

Regunav notifies the Controller without undue delay and in any event within 24 hours after becoming aware of a Personal Data Breach. Notification includes the nature of the breach, categories and approximate number of Data Subjects + records affected, likely consequences, and measures taken or proposed to mitigate the breach.

9. International transfers (Art. 28(3)(a) + Chapter V)

Where Personal Data is transferred outside the EEA, UK, or Switzerland, the transfer is governed by the relevant transfer mechanism in Annex III:

  • EU Standard Contractual Clauses (Decision (EU) 2021/914) — Module 2 (Controller → Processor) and Module 3 (Processor → Sub-processor) where applicable
  • UK International Data Transfer Addendum (IDTA) to the EU SCCs
  • Swiss FDPIC SCC supplement where Swiss law applies
  • EU-US Data Privacy Framework certified for US Sub-processors that maintain certification
  • Transfer Impact Assessment (TIA) per Schrems II and EDPB Recommendations 01/2020 — completed and available on request

The Controller agrees that the SCCs are entered into between Regunav and Controller upon DPA execution. Where the Controller is also a Processor for an upstream Controller, the parties enter into the SCCs back-to-back.

10. Audit rights (Art. 28(3)(h))

Regunav makes available to the Controller all information necessary to demonstrate compliance with Art. 28 obligations and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

10.1 Evidence pack as audit substitute

Regunav's own audit-trail and evidence-pack outputs (SOC 2 Type II report, ISO 27001 certificate, ISO 42001 certificate, pen-test summary letter) may satisfy ordinary audit obligations. Regunav makes these available under NDA on request via legal@regunav.com.

10.2 On-site audit

For audits beyond the evidence pack, the Controller may request an on-site audit upon at least 60 days' written notice, no more frequently than annually, except where required by a Supervisory Authority or following a confirmed Personal Data Breach. Reasonable costs of the audit are borne by the Controller.

11. Return or deletion (Art. 28(3)(g))

Upon termination of the Service, Regunav, at the choice of the Controller, deletes or returns all Personal Data to the Controller and deletes existing copies, unless EU/Member State law requires storage. The Controller may export Personal Data via the in-product export feature for 90 days post-termination; thereafter Regunav deletes Personal Data within 30 days of an erasure instruction or 365 days of contract termination, whichever is earlier.

WORM audit-trail rows are retained for the period required by the Controller's applicable retention obligations (e.g., 7 years for SOX, 10 years for EU AI Act Art. 18(1)). Retention is configurable per tenant.

12. Limitation of liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the Agreement. The parties agree that each party's liability under this DPA shall be considered in calculating that party's total aggregate liability under the Agreement.

13. Order of precedence

In case of conflict between this DPA and the Agreement, this DPA prevails with respect to the Processing of Personal Data. The SCCs in Annex III prevail over this DPA where the SCCs apply.

14. Severability

If any provision of this DPA is held invalid or unenforceable, the remainder remains in force.

15. Governing law and jurisdiction

For EU/EEA Data Subjects, this DPA is governed by the law of the Member State of the Controller's lead Supervisory Authority. For UK Data Subjects, by the law of England and Wales. For other jurisdictions, by Delaware, USA. Disputes follow the Agreement's dispute-resolution clause.


Annex I — Roles, contact details, processing description

Controller: the entity identified in the Order Form. Contact: as recorded in the Order Form.

Processor: Regunav Inc., Delaware, USA. Contact: legal@regunav.com. Data Protection Officer (DPO): dpo@regunav.com. EU Representative (Art. 27): nominated; address available on request.

Processing description: see Section 2 above.

Annex II — Technical and Organisational Measures (Art. 32)

Full TOM document at trust.regunav.com/security, incorporated by reference. Headline measures listed in Section 5 above.

Annex III — International transfer mechanism

The parties agree to incorporate the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Standard Contractual Clauses) Module 2 (Controller-to-Processor) by reference, with the following elections and completions:

  • Clause 7 (Docking clause): not applied
  • Clause 9(a): Option 2 — General authorisation, with the 30-day notice procedure in Section 6.1 of this DPA
  • Clause 11(a): Independent dispute resolution NOT included
  • Clause 17 (Governing law): the law of the EU Member State of the Controller
  • Clause 18 (Choice of forum): courts of the EU Member State of the Controller
  • Annex I.A (List of parties): as per the Order Form
  • Annex I.B (Description of transfer): as per Annex I above
  • Annex I.C (Competent supervisory authority): the lead Supervisory Authority of the Controller
  • Annex II (TOMs): as per Annex II above
  • Annex III (Sub-processors): as listed at trust.regunav.com/sub-processors

Signature

This DPA enters into force on the Effective Date stated at the top of this document and is deemed executed by the parties upon the Controller's acceptance of the Agreement (click-through or signed Order Form). Either party may request a counter-signed PDF copy by emailing legal@regunav.com.

For redlines or negotiated terms, contact legal@regunav.com. A Word/PDF copy of this DPA is available on request.