Security & Procurement

Last updated: July 2026

Regris is built for water utilities subject to America's Water Infrastructure Act (AWIA) Section 1433. We treat utility-submitted assessment data — including any information that may constitute sensitive operational data under AWIA §1433(a)(5) — with the same seriousness the statute does. This page describes our current security posture, our sub-processors, and what we have and have not yet been certified to.

Your RRA and ERP documents are not submitted to EPA through Regris. They remain your utility's records unless you choose to share them. EPA receives your certification statement through EPA's certification process, not the full underlying RRA or ERP document.

We aim to be transparent rather than promotional. If your procurement process requires something we don't cover here, email customerservice@getregris.com and we'll respond directly.

Data Classification

Regris recognizes three classes of customer data:

  • Account & profile data — name, email, job title, utility name, system size, state.
  • Compliance assessment data — your structured responses to the RRA and ERP question sets, gap descriptions, and remediation inputs. We treat this as sensitive operational data consistent with AWIA §1433(a)(5).
  • Generated documentation — RRA reports, ERP documents, gap analyses, remediation roadmaps, and certification-support documents produced from your inputs.

Compliance assessment data and generated documentation are not publicly listed or shared with other customers. Regris does not use customer data to train its own models. When an AI-assisted feature is used, relevant data may be processed by the configured API provider as described below.

What EPA Receives

Under AWIA, utilities certify that their RRA and ERP work has been completed, reviewed, or revised. Regris does not submit the underlying RRA or ERP to EPA. Those records are maintained by your utility and should be handled as sensitive operational documentation.

Encryption

  • In transit: TLS 1.2 or higher for all client-server traffic, including assessment submissions, report generation, and authentication flows.
  • At rest: Database storage is encrypted at rest by our database provider (Supabase, on AWS) using AES-256.
  • Passwords: Hashed with bcrypt at a cost factor of 12. Plaintext passwords are never stored, logged, or transmitted to any third-party service.

Authentication & Access Control

  • Account access requires email + password. Sessions are server-issued and signed.
  • All assessment data is scoped to the authenticated user's utility — users can only access data belonging to their own organization.
  • Server-side authorization and utility/user scoping run before customer-facing reads or writes of assessment, report, service-engagement, or payment-status data.
  • The browser does not connect directly to the database. Server-side application routes use database credentials held in the hosting platform's secrets store and apply utility/user scoping before reads or writes.

Payment Data

Regris does not store, process, or transmit card numbers or CVVs on our servers. Payment collection is handled by Stripe. Regris retains provider transaction references, purchased offer, amount, payment/subscription state, service-fulfillment state, and timestamps needed for receipts, access, refunds, and customer support.

Hosting & Region

The Regris application is hosted by Vercel. Application data is stored in Supabase-managed PostgreSQL hosted on Amazon Web Services in the us-east-2 region. Backups and infrastructure controls are managed according to the applicable provider configuration and policies.

Sub-processors

Regris uses the following sub-processors. Each operates under their own published security and compliance program; links go to their security or trust pages where available.

ProviderPurposeSecurity reference
Amazon Web ServicesUnderlying cloud infrastructurePublished program — see provider link
VercelApplication hosting and edge deliveryPublished program — see provider link
SupabaseManaged PostgreSQL databasePublished program — see provider link
StripePayment processingPublished program — see provider link
OpenRouter, Anthropic, or OpenAIConfigured API route for AI-assisted draftingProvider-specific terms and controls apply
ResendTransactional email (welcome, payment, password reset)See provider documentation

The configured provider route can change without changing the customer workflow. Regris minimizes the data sent for a requested feature and does not use customer data to train its own models. Customers should review the linked provider terms or contact Regris with procurement requirements before submitting sensitive operational details.

AI Data Handling

Regris supports server-configured OpenRouter, Anthropic, and OpenAI API routes for AI-assisted drafting. When a customer requests an AI-assisted output, the relevant subset of assessment data is transmitted to the configured provider. Regris stores the resulting customer document when needed to provide the service. Regris does not represent that provider terms are identical; procurement questions should be raised before sensitive operational details are submitted.

Compliance & Certifications

We are direct and transparent about our certification status:

  • SOC 2 Type II: Not obtained. Regris does not represent a completion date.
  • ISO 27001: Not pursued at this time.
  • FedRAMP: Not pursued. Our underlying providers (AWS) hold FedRAMP authorizations applicable to their layer of the stack.
  • HIPAA: Regris does not process Protected Health Information. We do not sign Business Associate Agreements.
  • NIST CSF / NIST 800-171: No formal third-party assessment. Our application architecture is informed by the NIST CSF subcategories that map to AWIA §1433 cybersecurity expectations.

Customers whose procurement policies require a current SOC 2 attestation or equivalent certification should contact us before purchase to discuss timing. Customers whose policies allow vendor self-attestation typically use this page plus our Data Processing Agreement (DPA) as their record.

Procurement Materials

  • Data Processing Agreement (DPA) — available for direct download from our DPA endpoint.
  • This page is the current self-attested security and sub-processor summary.

For a vendor questionnaire or architecture-information request, email customerservice@getregris.com. Regris will confirm what current material is available; this page does not promise a third-party attestation or a particular questionnaire format.

Vulnerability Disclosure

If you believe you have found a security vulnerability in Regris, please report it to customerservice@getregris.com with subject line beginning SECURITY:. Provide a description, reproduction steps, and your contact information.

We review responsible vulnerability reports and will communicate through the reporter's supplied contact information. We ask that you do not publicly disclose an issue until Regris has had a reasonable opportunity to assess and remediate it. Regris does not currently operate a paid bug bounty program.

Incident Response & Breach Notification

In the event of a security incident affecting customer data, Regris will notify affected customers as required by applicable law and any controlling customer agreement, using the contact information associated with the account or another legally permitted notice method.

Contact

Security questions, vendor reviews, and document requests: customerservice@getregris.com.