Security as a primitive, not a marketing page.
ReguNav™ is built on the same primitives we ask our customers to demonstrate. Live posture, not a snapshot — every signal you read here is also exposed at trust.regunav.com for your vendor-due-diligence team.
Architecture
- Edge-native runtime — no long-running servers to compromise, no SSH keys to rotate, sub-50ms p99 globally. (Sub-processor details disclosed in /legal/sub-processors.)
- Primary database with row-level security pinned to `tenant_id` on every customer-data table.
- Analytics warehouse in Frankfurt (eu-central-1) for OLAP + immutable audit-trail.
- Attribute-based access control (ABAC) policy engine at the edge — sub-millisecond authorization decisions on every request, every rail.
- Identity with SSO/SAML/OIDC + optional SCIM provisioning.
Encryption
- In transit: TLS 1.3, HSTS preload, ECDHE-only ciphers, public-key pinning on the API.
- At rest: AES-256-GCM across primary DB, object storage, and analytics warehouse.
- BYOK on Enterprise — customer-managed keys, HSM-backed, rotation on demand.
- BYOC on Enterprise — sovereign deployment in your VPC for tier-1 banks + regulated public sector.
Compliance posture
| Standard | Status |
|---|---|
| SOC 2 Type II | Type I report Q3 2026 · Type II observation in progress |
| ISO/IEC 27001:2022 | Stage 1 audit Q4 2026 |
| ISO/IEC 42001:2023 (AIMS) | Internal AIMS active · external audit Q1 2027 |
| GDPR | Art 32 implemented · DPO designated · DPIA template published |
| EU AI Act | Self-classified as not-high-risk · Art 50 transparency live · Art 4 AI-literacy training mandated |
| HIPAA | BAA available on Enterprise · technical safeguards in place |
| DORA | Internal ICT-risk framework deployed · third-party register live |
Incident response
24×7 paging via PagerDuty · SOC ticket triage SLA <15 min for P1 · public status page at status.regunav.com · GDPR-compliant breach notification within 72 hours · DORA major-incident reporting within the regulatory window.
Vulnerability disclosure
Responsible-disclosure email: security@regunav.com (PGP key at /.well-known/security.txt). Bug bounty on HackerOne for Enterprise customers. Safe-harbour for good-faith researchers.