Security & Compliance
We protect your regulatory data with the same rigor we help you apply to compliance. Every control, every header, every line of code — auditable and transparent.
Every request that touches your data passes through five security layers. Here's what happens end-to-end.
Every request hits our middleware layer first. Unauthenticated users are redirected to login — no exceptions. Authenticated sessions use signed JWTs with role, organization, and tier embedded. Security headers (HSTS, CSP, X-Frame-Options) are applied to every response at the edge before it reaches your browser. Rate limiting blocks brute-force attempts on login and API endpoints.
After authentication, every database query is scoped to your organization ID. There is no global query in the system — it is architecturally impossible for one tenant to access another tenant's regulations, controls, findings, or reports. Role-based access control (Admin, Compliance Officer, Auditor, Executive) determines what actions each user can perform within their organization.
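One way the org scoping and role checks described above can be enforced in a data-access layer, as an added example that is not RegTwin's code. The role-to-action mapping, the `scopedRepo` helper and the sample rows are assumptions made for illustration; only the four role names come from this page.

```javascript
// Added example, not RegTwin's code. Role-to-action mapping and all names are assumptions.
const ROLE_ACTIONS = new Map([
  ["admin", new Set(["read", "create", "delete"])],
  ["compliance_officer", new Set(["read", "create"])],
  ["auditor", new Set(["read"])],
  ["executive", new Set(["read"])],
]);

// Constructed sample table holding rows for two tenants.
const controls = [
  { id: 1, orgId: "org-a", title: "Quarterly access review" },
  { id: 2, orgId: "org-b", title: "Vendor due diligence" },
];

// Returns a repository bound to the verified session's organization.
// No method accepts an orgId, so request input cannot widen the scope.
function scopedRepo(session, table) {
  const orgId = session && session.orgId;
  if (typeof orgId !== "string" || orgId === "") {
    throw new Error("session carries no organization claim");
  }
  const allowed = ROLE_ACTIONS.get(session.role);
  if (!allowed) throw new Error("unknown role");
  const need = (action) => {
    if (!allowed.has(action)) throw new Error(`${session.role} may not ${action}`);
  };
  const mine = (row) => row.orgId === orgId;
  return {
    list() { need("read"); return table.filter(mine); },
    // A row owned by another tenant is indistinguishable from a missing one.
    get(id) { need("read"); return table.find((r) => mine(r) && r.id === id) ?? null; },
    create(fields) {
      need("create");
      // id and orgId are set after the spread, so caller-supplied values are overwritten.
      const id = Math.max(0, ...table.map((r) => r.id)) + 1;
      const row = { ...fields, id, orgId };
      table.push(row);
      return row;
    },
    remove(id) {
      need("delete");
      const i = table.findIndex((r) => mine(r) && r.id === id);
      if (i >= 0) table.splice(i, 1);
      return i >= 0;
    },
  };
}
```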
When an AI agent runs — analyzing a regulation, finding gaps, drafting an exam response — your data is sent to Anthropic's Claude API over an encrypted connection. Claude processes the request and returns the result. Your data is never stored on Anthropic's servers beyond the processing window. It is never used to train or fine-tune any AI model. The data processing agreement with Anthropic guarantees this contractually.
AI agents in RegTwin don't act autonomously on critical decisions. When the Control Sentinel suggests new controls, they go into an approval queue — you review the title, description, evidence requirements, and mapping before anything is added. When the Audit Defender drafts a response letter, it passes through a multi-reviewer chain (preparer, reviewer, legal, CCO). The AI recommends. Humans decide.
Every AI agent decision is logged with the complete chain-of-thought reasoning — what data it retrieved, what it considered, what it concluded, and why. Every user action (approve, reject, edit, comment) is timestamped and attributed. The entire audit trail is exportable as CSV and JSON — a complete evidence package ready for regulators. When an examiner asks why a control was created or a response was drafted, the answer is already documented.
The result: Your regulatory data is encrypted at rest and in transit, isolated per organization, processed by AI with zero retention, gated by human approval, and documented with a complete chain-of-thought audit trail. Every layer is designed for the scrutiny of a regulatory examination — because that's exactly what our customers face.
AI agents recommend. Humans decide. Every agent action that modifies your compliance data is queued for human review and approval before execution.
Approval Queue
New regulations and remediation plans created by AI agents are placed in a pending approval queue. Compliance officers review the recommendation, then approve or reject with one click.
Multi-Reviewer Chain
Exam defense response letters pass through a sequential approval chain: preparer, reviewer, legal counsel, and CCO. Each reviewer approves independently before the response advances.
Full Audit Trail
Every approval decision is logged — who approved, when, and why. Rejections include the reason. The complete chain is exportable for regulatory examination.
TLS 1.3 in transit, AES-256 at rest. All database connections require SSL. Passwords hashed with bcrypt (cost 12).
Role-based access (Admin, Compliance Officer, Auditor, Executive). Google and Microsoft SSO. JWT session management.
Every AI agent decision logged with full chain-of-thought reasoning. Immutable audit trail exportable as CSV/JSON.
Multi-tenant architecture with org-scoped queries on every database operation. No cross-tenant data access possible.
HSTS, CSP, X-Frame-Options (DENY), X-Content-Type-Options, Referrer-Policy, Permissions-Policy on all responses.
Zod schema validation on all API endpoints. Parameterized queries via Drizzle ORM prevent SQL injection.
IP-based rate limiting on authentication, TTS, and public endpoints. Cron endpoints protected by secret tokens.
No internal details, stack traces, or schema information exposed in API error responses.
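A check a reviewer could run against captured response headers to confirm the header list stated above, as an added example that is not RegTwin's code. `X-Frame-Options: DENY` is taken from this page; the HSTS minimum, the CSP rule and both sample header sets are assumptions constructed for illustration.

```javascript
// Added example, not RegTwin's code. The HSTS threshold and the CSP rule are assumptions.
const MIN_HSTS_MAX_AGE = 15552000; // assumed floor: 180 days, in seconds

// Source list that governs scripts: script-src, else default-src, else null.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    // Per CSP, the first occurrence of a directive wins.
    if (name && !directives.has(name)) directives.set(name, values);
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// Each check returns null when the value is acceptable, else a short problem string.
const CHECKS = {
  "strict-transport-security": (v) => {
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(v);
    return m && Number(m[1]) >= MIN_HSTS_MAX_AGE ? null : "max-age missing or too short";
  },
  "content-security-policy": (v) => {
    const src = scriptSources(v);
    if (!src) return "no script-src or default-src";
    // Flagged for manual review even if a nonce or hash is also present.
    const weak = src.filter((s) => ["'unsafe-inline'", "'unsafe-eval'", "*"].includes(s));
    return weak.length ? `script sources allow ${weak.join(" ")}` : null;
  },
  "x-frame-options": (v) => (v.trim().toUpperCase() === "DENY" ? null : "expected DENY"),
  "x-content-type-options": (v) => (v.trim().toLowerCase() === "nosniff" ? null : "expected nosniff"),
  "referrer-policy": (v) => (v.trim() ? null : "empty value"),
  "permissions-policy": (v) => (v.trim() ? null : "empty value"),
};

// Header names are case-insensitive, so normalise before comparing.
function auditHeaders(headers) {
  const seen = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    const problem = seen.has(name) ? check(seen.get(name)) : "missing";
    if (problem) findings.push({ header: name, problem });
  }
  return findings;
}

// Constructed sample responses.
const GOOD = { "Strict-Transport-Security": "max-age=63072000; includeSubDomains", "Content-Security-Policy": "default-src 'self'; script-src 'self'", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "camera=(), microphone=()" };
const WEAK = { "Strict-Transport-Security": "max-age=300", "Content-Security-Policy": "default-src 'self' 'unsafe-inline'", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff" };
```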
Hosting: Vercel (SOC 2 Type II certified) — automatic scaling, DDoS protection, global edge network.
Database: Neon PostgreSQL — isolated instances, automated backups, point-in-time recovery, SSL-only connections.
AI Processing: Anthropic Claude API — data processing agreement in place. Your data is never used to train AI models. No persistent storage beyond the processing window.
Email: Resend — transactional email with DKIM and SPF verification on regtwinai.com domain.
If you discover a security vulnerability, please report it responsibly to richard@regtwinai.com.
We commit to:
Please do not publicly disclose vulnerabilities before we've had an opportunity to address them.
RegTwin AI's security architecture is designed to align with the frameworks that matter most to regulated financial institutions.
Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, Privacy
Govern, Identify, Protect, Detect, Respond, Recover — mapped to our security controls
Information Security, Audit, Business Continuity — built for examiner scrutiny
Information security management system controls — Annex A controls mapped
Documented procedures that govern how we operate, respond to incidents, retain data, and manage vendor relationships.
Classification
P1 Critical: Data breach, unauthorized access, service-wide outage. Response: immediate. Escalation: CEO + all customers within 1 hour.
P2 High: Partial service degradation, suspected vulnerability, failed authentication anomaly. Response: within 1 hour. Escalation: engineering lead.
P3 Medium: Non-critical bug, performance degradation, single-user issue. Response: within 24 hours.
Response Procedure
| Data Type | Retention | Deletion |
|---|---|---|
| User account data | Duration of account | Self-service delete in Settings, or upon written request |
| Regulations & controls | Duration of organization | Deleted with organization |
| AI agent reasoning logs | 7 years (regulatory requirement) | Automated purge after retention period |
| Audit trail | 7 years (regulatory requirement) | Automated purge after retention period |
| Uploaded evidence files | Duration of associated finding | Deleted when finding is removed or account deleted |
| Analytics events | 90 days | Automated rolling deletion |
| Session tokens | 24 hours | Automatic expiry |
| Database backups | 30 days (Neon) | Automatic rotation by infrastructure |
Right to deletion: Users can delete their account at any time from Settings. Account deletion removes all personal data, nullifies audit trail attribution, and deletes the organization if no other members remain. Deletion requests via email are processed within 5 business days.
Application layer (Vercel): Multi-region deployment with automatic failover. Zero-downtime deployments with instant rollback. Global edge network ensures availability even during regional outages. 99.99% historical uptime.
Database (Neon PostgreSQL): Automated daily backups with point-in-time recovery up to 30 days. Database branching enables instant recovery to any point in time. Storage-level replication across availability zones.
Recovery objectives: RPO (Recovery Point Objective): < 1 hour. RTO (Recovery Time Objective): < 15 minutes for application, < 1 hour for full database restore.
Secrets management: All credentials stored in Vercel encrypted environment variables. No secrets in source code or version control. Rotation procedures documented for each credential type.
| Vendor | Purpose | Data Processed | Certifications |
|---|---|---|---|
| Vercel | Application hosting & CDN | Application code, request logs | SOC 2 Type II, ISO 27001 |
| Neon | PostgreSQL database | All application data | SOC 2 Type II |
| Anthropic | AI processing (Claude) | Regulation text, control data (transient) | SOC 2 Type II, no training on customer data |
| Resend | Transactional email | Email addresses, notification content | SOC 2 Type II |
| ElevenLabs | Text-to-speech (marketing) | Marketing narration text only | No customer data processed |
| Vercel Blob | Evidence file storage | Uploaded documents | SOC 2 Type II (Vercel) |
All vendors are evaluated annually for security posture, compliance certifications, and data handling practices. Data processing agreements are in place with all sub-processors that handle customer data.
Transparent progress toward SOC 2 Type II certification across all five Trust Services Criteria.
96%
26 of 27 controls
Industry-standard policy templates for financial institutions. Use these as a starting point for your own compliance program.
Framework for protecting information assets, defining roles, and establishing security controls.
Step-by-step procedures for detecting, responding to, and recovering from security incidents.
Defines how long data is retained, when it is deleted, and procedures for data subject requests.
Framework for assessing, monitoring, and managing risks from third-party service providers.
Rules governing who can access what, how access is granted, and when it is revoked.
Procedures for requesting, reviewing, approving, and implementing changes to systems.
We're happy to discuss our security posture, complete vendor questionnaires, or schedule a security review.