Last updated: July 2026
Regris is built for water utilities subject to America's Water Infrastructure Act (AWIA) Section 1433. We treat utility-submitted assessment data — including any information that may constitute sensitive operational data under AWIA §1433(a)(5) — with the same seriousness the statute does. This page describes our current security posture, our sub-processors, and what we have and have not yet been certified to.
Your RRA and ERP documents are not submitted to EPA through Regris. They remain your utility's records unless you choose to share them. EPA receives your certification statement through EPA's certification process, not the full underlying RRA or ERP document.
We aim to be transparent rather than promotional. If your procurement process requires something we don't cover here, email customerservice@getregris.com and we'll respond directly.
Regris recognizes three classes of customer data:
Compliance assessment data and generated documentation are not publicly listed or shared with other customers. Regris does not use customer data to train its own models. When an AI-assisted feature is used, relevant data may be processed by the configured API provider as described below.
Under AWIA, utilities certify that their RRA and ERP work has been completed, reviewed, or revised. Regris does not submit the underlying RRA or ERP to EPA. Those records are maintained by your utility and should be handled as sensitive operational documentation.
Regris does not store, process, or transmit card numbers or CVVs on our servers. Payment collection is handled by Stripe. Regris retains provider transaction references, purchased offer, amount, payment/subscription state, service-fulfillment state, and timestamps needed for receipts, access, refunds, and customer support.
The Regris application is hosted by Vercel. Application data is stored in Supabase-managed PostgreSQL hosted on Amazon Web Services in the us-east-2 region. Backups and infrastructure controls are managed according to the applicable provider configuration and policies.
Regris uses the following sub-processors. Each operates under their own published security and compliance program; links go to their security or trust pages where available.
| Provider | Purpose | Security reference |
|---|---|---|
| Amazon Web Services | Underlying cloud infrastructure | Published program — see provider link |
| Vercel | Application hosting and edge delivery | Published program — see provider link |
| Supabase | Managed PostgreSQL database | Published program — see provider link |
| Stripe | Payment processing | Published program — see provider link |
| OpenRouter, Anthropic, or OpenAI | Configured API route for AI-assisted drafting | Provider-specific terms and controls apply |
| Resend | Transactional email (welcome, payment, password reset) | See provider documentation |
The configured provider route can change without changing the customer workflow. Regris minimizes the data sent for a requested feature and does not use customer data to train its own models. Customers should review the linked provider terms or contact Regris with procurement requirements before submitting sensitive operational details.
Regris supports server-configured OpenRouter, Anthropic, and OpenAI API routes for AI-assisted drafting. When a customer requests an AI-assisted output, the relevant subset of assessment data is transmitted to the configured provider. Regris stores the resulting customer document when needed to provide the service. Regris does not represent that provider terms are identical; procurement questions should be raised before sensitive operational details are submitted.
We are direct and transparent about our certification status:
Customers whose procurement policies require a current SOC 2 attestation or equivalent certification should contact us before purchase to discuss timing. Customers whose policies allow vendor self-attestation typically use this page plus our Data Processing Agreement (DPA) as their record.
For a vendor questionnaire or architecture-information request, email customerservice@getregris.com. Regris will confirm what current material is available; this page does not promise a third-party attestation or a particular questionnaire format.
If you believe you have found a security vulnerability in Regris, please report it to customerservice@getregris.com with subject line beginning SECURITY:. Provide a description, reproduction steps, and your contact information.
We review responsible vulnerability reports and will communicate through the reporter's supplied contact information. We ask that you do not publicly disclose an issue until Regris has had a reasonable opportunity to assess and remediate it. Regris does not currently operate a paid bug bounty program.
In the event of a security incident affecting customer data, Regris will notify affected customers as required by applicable law and any controlling customer agreement, using the contact information associated with the account or another legally permitted notice method.
Security questions, vendor reviews, and document requests: customerservice@getregris.com.