How buyers verify RegAlign®
Everything procurement, infosec and legal teams typically ask for in the first 24 hours of diligence — gathered in one place so you can verify us without an email round-trip.
Public registers
Hash-chain verifier
Every audit-trail entry, evidence record and finding can be verified without an account. Hashes are exposed as JSON; chain integrity is auditor-verifiable end-to-end.
GET /api/public/audit-trail.verify
GET /api/public/evidence.verify
GET /api/public/controls.verify
GET /api/public/findings.verify
GET /api/public/issues.verify
GET /api/public/decisions.verify
Live operational snapshot at /api/public/status: schema version, obligation coverage by jurisdiction, evidence-hash coverage and monitoring coverage.
For your auditor: Chain Verifier Auditor Runbook (PDF) — step-by-step independent integrity check, with working-papers template.
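The page describes the mechanism (a SHA-256 chain over audit-trail entries, with hashes exposed as JSON) but not the response schema. The script below is an added example of the independent check an auditor would run over such a feed; it is not RegAlign's code and not the procedure in the auditor runbook. The field names (seq, prev_hash, payload, hash), the genesis sentinel and the hashing rule hash = SHA-256(prev_hash_bytes || canonical JSON of payload) are assumptions for illustration, and the sample entries are constructed. It also shows the caveat that matters in practice: a chain check alone cannot detect silent truncation of the tail, so the head hash must be compared against a value obtained out of band (the page does not say whether /api/public/status exposes one).

```python
import copy
import hashlib
import json

# Assumed sentinel for the first entry's prev_hash (not from the page).
GENESIS = "0" * 64


def canonical(payload):
    # Deterministic serialisation: key order and whitespace must not change the hash.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash, payload):
    # Assumed rule: hash_i = SHA-256(prev_hash_bytes || canonical(payload_i)).
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical(payload))
    return h.hexdigest()


def build_chain(payloads):
    # Producer side, used here only to construct sample data.
    entries, prev = [], GENESIS
    for seq, payload in enumerate(payloads, start=1):
        digest = entry_hash(prev, payload)
        entries.append({"seq": seq, "prev_hash": prev, "payload": payload, "hash": digest})
        prev = digest
    return entries


def verify_chain(entries, expected_head=None):
    """Independent verifier. Returns (ok, problems) where problems is a list of (seq, reason).

    Checks: contiguous sequence numbers, each prev_hash links to the previous entry's
    stored hash, and each stored hash recomputes from its own prev_hash and payload.
    If expected_head is given, the final hash must match it (detects truncation/forks).
    """
    problems = []
    prev = GENESIS
    for i, e in enumerate(entries, start=1):
        seq = e.get("seq")
        if seq != i:
            problems.append((seq, f"sequence gap: expected seq {i}"))
        if e.get("prev_hash") != prev:
            problems.append((seq, "prev_hash does not match previous entry's hash"))
        try:
            recomputed = entry_hash(e["prev_hash"], e["payload"])
        except (KeyError, ValueError, TypeError):
            problems.append((seq, "malformed entry: cannot recompute hash"))
            recomputed = None
        if recomputed != e.get("hash"):
            problems.append((seq, "stored hash does not match recomputed hash"))
        prev = e.get("hash")
    if expected_head is not None and prev != expected_head:
        problems.append((None, "head hash differs from out-of-band anchor (truncation or fork)"))
    return (not problems, problems)


# Constructed sample feed (not real RegAlign data).
SAMPLE = build_chain([
    {"actor": "auditor@example.org", "action": "evidence.upload", "object": "ev-001"},
    {"actor": "alice@example.org", "action": "control.update", "object": "ctl-17"},
    {"actor": "bob@example.org", "action": "finding.close", "object": "fnd-42"},
])


def tampered_sample():
    # History rewritten in place without re-hashing: entry 2's payload changed.
    bad = copy.deepcopy(SAMPLE)
    bad[1]["payload"]["action"] = "control.delete"
    return bad


def deleted_middle_sample():
    # Entry 2 removed: seq gap and broken prev_hash link at the old entry 3.
    return SAMPLE[:1] + SAMPLE[2:]


def truncated_sample():
    # Tail dropped: every remaining link is still valid, so only an anchor catches it.
    return SAMPLE[:2]


if __name__ == "__main__":
    print("intact:", verify_chain(SAMPLE))
    print("tampered:", verify_chain(tampered_sample()))
    print("deleted:", verify_chain(deleted_middle_sample()))
    print("truncated, no anchor:", verify_chain(truncated_sample()))
    print("truncated, anchored:", verify_chain(truncated_sample(), expected_head=SAMPLE[-1]["hash"]))
```

Usage against a live feed would replace SAMPLE with the parsed JSON from the verify endpoint and adapt entry_hash to the hashing rule the auditor runbook specifies; the structure of the checks is the same. Record the head hash you verified against in the working papers, since that anchor is what turns a self-consistent chain into evidence of completeness.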
Diligence pack (PDF)
See full versioned index →
Certification roadmap
- JFSC entity registration (Live)
RegAlign Limited, Jersey No. 165263.
- UK IPO registered trade mark (Live)
RegAlign®, UK00004283882.
- JOIC data protection registration (Live)
Jersey Office of the Information Commissioner, registration No. 103914.
- Hash-chained audit trail, tamper-evident (Live)
SHA-256 chain over audit_trail_entries; every evidence record carries an integrity hash.
- Public verification endpoints (Live)
Auditors verify hashes without an account at /api/public/audit-trail.verify, /evidence.verify, /controls.verify, /findings.verify, /issues.verify and /decisions.verify.
- DPIA template + BCP outline + pen-test SoW (Live)
Pilot pack PDFs available for download below.
- Continuous security scanning, Aikido (Live)
Aikido runs SAST, secrets, IaC and dependency (SCA) scans across the codebase at workspace level. Findings surface in the build pipeline and are triaged before release. No customer data is shared with the scanner; code only.
- Cloud security posture management, CSPM (Planned)
Trigger-tied: CSPM (e.g. Wiz) evaluated and selected within 90 days of first paying customer onboarding, or first enterprise procurement requirement. Platform-level posture today is inherited from Cloudflare Workers and managed Postgres controls.
- Independent pen test (Planned)
Trigger-tied: vendor selected on first paid pilot or first enterprise procurement requirement. Scope of work already published. Report shared under NDA on request.
- SOC 2 Type I (Planned)
Trigger-tied: observation window opened within 6 months of Series A close, or before second enterprise customer onboarding. Control set already designed to map onto the Trust Services Criteria.
- SOC 2 Type II (Planned)
Trigger-tied: 12 months after the Type I report is issued.
- ISO 27001 (Planned)
Trigger-tied: ISMS initiated once headcount supports a dedicated security function (≥1 FTE). ISMS scaffolding already lives in the platform.
Data residency & recovery
Primary database and file storage in EU (Ireland). Edge routing global; no payload retained at edge. AI gateway egress from EU. See the sub-processor list.
RTO 24h / RPO 1h for the typical sub-processor outage scenario. Full scenario matrix and honest limitations in the BCP outline.
Security policies
Machine-readable security contact: /.well-known/security.txt.
Need something else?
For deeper diligence (architecture diagrams, data flow maps, vendor security questionnaires, draft pen-test report), write to hello@regalign.app. Full corporate and IP licence chain on the legal page.