Security & Procurement

Last updated: April 2026

Regris is built for water utilities subject to America's Water Infrastructure Act (AWIA) Section 1433. We treat utility-submitted assessment data — including any information that may constitute sensitive operational data under AWIA §1433(a)(5) — with the same seriousness the statute does. This page describes our current security posture, our sub-processors, and what we have and have not yet been certified to.

Your RRA and ERP documents are not submitted to EPA through Regris. They remain your utility's records unless you choose to share them. EPA receives your certification statement through EPA's certification process, not the full underlying RRA or ERP document.

We aim to be transparent rather than promotional. If your procurement process requires something we don't cover here, email customerservice@getregris.com and we'll respond directly.

Data Classification

Regris recognizes three classes of customer data:

  • Account & profile data — name, email, job title, utility name, system size, state.
  • Compliance assessment data — your structured responses to the RRA and ERP question sets, gap descriptions, and remediation inputs. We treat this as sensitive operational data consistent with AWIA §1433(a)(5).
  • Generated documentation — RRA reports, ERP documents, gap analyses, remediation roadmaps, and certification-support documents produced from your inputs.

Compliance assessment data and generated documentation are never publicly listed, never shared with other customers, and never used to train AI models.

What EPA Receives

Under AWIA, utilities certify that their RRA and ERP work has been completed, reviewed, or revised. Regris does not submit the underlying RRA or ERP to EPA. Those records are maintained by your utility and should be handled as sensitive operational documentation.

Encryption

  • In transit: TLS 1.2 or higher for all client-server traffic, including assessment submissions, report generation, and authentication flows.
  • At rest: Database storage is encrypted at rest by our database provider (Supabase, on AWS) using AES-256.
  • Passwords: Hashed with bcrypt at a cost factor of 12. Plaintext passwords are never stored, logged, or transmitted to any third-party service.

Authentication & Access Control

  • Account access requires email + password. Sessions are server-issued and signed.
  • All assessment data is scoped to the authenticated user's utility — users can only access data belonging to their own organization.
  • Server-side authorization checks run on every request that touches assessment, report, or payment data.
  • Database access is restricted to the application service via Supabase row-level controls and connection-string credentials held in our hosting platform's secrets store.

Payment Data

Regris does not store, process, or transmit credit card numbers, CVVs, or other payment instrument data on our servers. All payment processing is handled by Stripe (PCI DSS Level 1). We retain only the transaction reference, plan type, amount, and timestamp for receipt and access-management purposes.

Hosting & Region

The Regris application runs on Vercel's edge infrastructure (US regions). Application data is stored in Supabase-managed PostgreSQL hosted on Amazon Web Services in the us-east-1 region. Backups are managed by Supabase per their documented retention policies.

Sub-processors

Regris uses the following sub-processors. Each operates under its own published security and compliance program; links go to their security or trust pages where available.

Provider             | Purpose                                                | Compliance
---------------------|--------------------------------------------------------|--------------------------------
Amazon Web Services  | Underlying cloud infrastructure                        | SOC 1/2/3, ISO 27001, FedRAMP
Vercel               | Application hosting, edge delivery, analytics          | SOC 2 Type II, ISO 27001
Supabase             | PostgreSQL database, authentication primitives         | SOC 2 Type II, HIPAA-eligible
Stripe               | Payment processing                                     | PCI DSS Level 1, SOC 1/2
Anthropic            | AI-assisted report generation (Claude API)             | SOC 2 Type II
Resend               | Transactional email (welcome, payment, password reset) | See provider documentation

Anthropic does not use API inputs to train its models. AWIA §1433(a)(5) sensitive operational data passes to Anthropic only to generate your report, not to train any model.

AI Data Handling

Regris uses the Anthropic Claude API to generate compliance documentation. When you generate a report, the relevant subset of your assessment data is transmitted to Anthropic via authenticated API. Per Anthropic's API terms, this data is not used to train Anthropic's models. Regris does not retain a separate copy of the prompt-response pair beyond what is needed to render and persist your report.

Compliance & Certifications

We are direct and transparent about our certification status:

  • SOC 2 Type II: Not yet obtained. Planned. We will publish the report's availability here when the audit completes.
  • ISO 27001: Not pursued at this time.
  • FedRAMP: Not pursued. Our underlying providers (AWS) hold FedRAMP authorizations applicable to their layer of the stack.
  • HIPAA: Regris does not process Protected Health Information. We do not sign Business Associate Agreements.
  • NIST CSF / NIST 800-171: No formal third-party assessment. Our application architecture is informed by the NIST CSF subcategories that map to AWIA §1433 cybersecurity expectations.

Customers whose procurement policies require a current SOC 2 attestation or equivalent certification should contact us before purchase to discuss timing. Customers whose policies allow vendor self-attestation typically use this page plus our Data Processing Agreement (DPA) as their record.

Documents Available on Request

  • Data Processing Agreement (DPA) — also available for direct download from our Privacy Policy.
  • Vendor security questionnaire responses (CAIQ-style, SIG-Lite, custom utility forms).
  • Sub-processor list with current SOC 2 / ISO 27001 attestations from each provider.
  • Architecture overview suitable for IT review.

Email customerservice@getregris.com with the document(s) you need and we'll respond within two business days.

Vulnerability Disclosure

If you believe you have found a security vulnerability in Regris, please report it to customerservice@getregris.com with a subject line beginning with SECURITY:. Provide a description, reproduction steps, and your contact information.

We will acknowledge receipt within two business days and aim to provide an initial assessment within seven days. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to remediate. We do not currently operate a paid bug bounty program.

Incident Response & Breach Notification

In the event of a security incident affecting customer data, Regris will notify affected customers in accordance with applicable state and federal breach notification laws. Where required by law, we will provide notice within the timeframe mandated by the applicable jurisdiction — and in no event later than sixty (60) days following discovery — by email to the address associated with your account or by prominent notice on getregris.com.

Contact

Security questions, vendor reviews, and document requests: customerservice@getregris.com.