Inbox intake policy

Status: pilot v1 — published 2026-06-17.

The cultural reality

Trust company businesses run on email. A new finding from auditors lands as a PDF attached to a Friday-afternoon email. A JFSC notice lands as an email from the relationship manager. A Board challenge lands as an email from the Chair. If RegAlign cannot ingest from email on day one, users will keep the old habit — file the email, "I'll do RegAlign later" — and the system of record decays.

What we ship for the pilot

The pilot does not ship an automated email-forwarding ingestion path. We deliberately chose against it for v1 for three reasons:

  1. Provenance. A forwarded email loses signatures, sender headers, and often attachment integrity (Outlook re-encodes). Anything we ingested would have a weaker chain than anything captured in-product. The hash chain is the headline trust signal — we will not dilute it.
  2. DP surface. A public inbox that accepts attachments from anyone is a data-protection blast radius we are not equipped to staff for a single pilot.
  3. Spam / spoofing. An unguarded intake@ becomes a credential-phish target the moment it is published.

The documented workaround

Every pilot tenant gets a one-page intake convention published with their onboarding pack:

  • Findings — drag-and-drop the PDF into /findings → New. The drop zone computes SHA-256 client-side, the signer is the signed-in user, and the evidence row is created in the same transaction. Time-to-capture is ~15 seconds.
  • Regulatory correspondence — forward the email as a .eml or .msg attachment to the dedicated /correspondence upload. Headers are preserved, and a derivation entry is written so the chain is intact end-to-end.
  • Board challenge — paste the email body into /challenge-notes → New, attach the original message, and link it to the decision or risk it challenges.
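
The correspondence path above, sketched as an added example (not RegAlign's own code): the untouched .eml bytes are hashed, the sender headers are recorded, and each attachment gets a derivation entry chained to its parent. The field names, the all-zero genesis value and the chaining scheme are assumptions made for illustration.

```python
import hashlib, json
from email import policy
from email.parser import BytesParser

GENESIS = "0" * 64  # assumed chain start value

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def link(prev_hash: str, body: dict) -> dict:
    """Chain entry whose hash covers the previous hash plus canonical JSON of the body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {**body, "prev": prev_hash, "hash": sha256_hex(prev_hash.encode() + payload)}

def capture_eml(raw: bytes, signer: str, prev_hash: str = GENESIS) -> list[dict]:
    """Evidence entry for the raw .eml bytes, then one derivation entry per attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    parent = link(prev_hash, {
        "kind": "evidence", "signer": signer, "sha256": sha256_hex(raw),
        "headers": {h: str(msg[h]) for h in ("From", "Date", "Message-ID") if msg[h]},
        "dkim_signature_present": msg["DKIM-Signature"] is not None,
    })
    chain = [parent]
    for part in msg.iter_attachments():
        chain.append(link(chain[-1]["hash"], {
            "kind": "derivation", "derived_from": parent["sha256"],
            "filename": part.get_filename(),
            "sha256": sha256_hex(part.get_payload(decode=True)),
        }))
    return chain

def verify(chain: list[dict], prev_hash: str = GENESIS) -> bool:
    for entry in chain:
        body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev_hash or link(prev_hash, body)["hash"] != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return True

# Constructed sample message (not real correspondence).
SAMPLE_EML = (
    b"From: rm@regulator.example\r\nTo: mlro@firm.example\r\n"
    b"Date: Fri, 05 Jun 2026 16:42:00 +0000\r\nMessage-ID: <constructed-1@regulator.example>\r\n"
    b"Subject: Notice\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n"
    b'--b1\r\nContent-Type: application/pdf\r\nContent-Disposition: attachment; filename="notice.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nJVBERi0xLjQKJSVFT0YK\r\n--b1--\r\n"
)
```

Because the evidence hash is taken over the raw bytes, any re-encoding of the message in transit produces a different digest, which is the provenance concern the policy gives for not accepting plain forwards.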

When this changes

Once a pilot tenant asks for it in writing and we have a named deliverability partner, we will publish a signed-sender allowlist inbox per tenant (DKIM/SPF/DMARC enforced, attachments scanned, headers preserved, derivation entry written). Until then, the in-product capture is the only supported path.

See also: Known Limitations, Trust Centre, Legal.

© 2026 RegAlign Limited · Registered in Jersey No. 165263 · 9 Bond Street, St. Helier, JE2 3NP
RegAlign® is a registered UK trade mark used under licence by RegAlign Limited.
Built in Jersey · pilot stage
RegAlign® is an independent product. It is not affiliated with, endorsed by, certified by or otherwise connected to the Jersey Financial Services Commission (JFSC), and references to the JFSC, its Codes of Practice, AML/CFT/CPF Handbook, Money Laundering Order or published guidance describe the regulatory framework RegAlign helps firms evidence — they do not imply any JFSC review of, or position on, RegAlign.