Security & Trust
1. Our Commitment
RegulaCore Inc. ("RegulaCore Inc") is built for enterprise teams that manage sensitive EHS, quality, and compliance data. Security is foundational to everything we build — not an afterthought. This page provides transparency into our security architecture, certifications, and data protection practices.
2. Certifications and Compliance
- SOC 2 Type II: Annual audit covering security, availability, and confidentiality trust service criteria.
- ISO 27001 Aligned: Information security management system aligned to ISO/IEC 27001:2022 controls.
- GDPR: Full compliance with EU and UK General Data Protection Regulations. DPA available on request.
- HIPAA: Business Associate Agreement (BAA) available for customers handling protected health information.
3. Infrastructure Security
3.1 Cloud Architecture
RegulaCore Inc runs entirely on Cloudflare's global edge network — there is no traditional origin server. This architecture provides:
- 300+ edge locations worldwide for low-latency access.
- Cloudflare Workers for serverless compute with V8 isolate-level sandboxing.
- Cloudflare R2 for object storage with zero egress fees.
- Cloudflare D1 for edge-native SQLite databases with per-tenant isolation.
- Cloudflare KV for configuration and session data with global replication.
3.2 Network Security
- All traffic encrypted with TLS 1.3 (HTTPS enforced everywhere).
- Cloudflare WAF (Web Application Firewall) protects against OWASP Top 10 vulnerabilities.
- DDoS protection via Cloudflare's 280+ Tbps network capacity.
- HTTP Strict Transport Security (HSTS) headers on all responses.
- Content Security Policy (CSP) headers to prevent XSS attacks.
4. Data Security
4.1 Encryption
| Layer | Standard |
|---|---|
| Data in transit | TLS 1.3 with forward secrecy |
| Data at rest | AES-256 encryption |
| Database connections | Encrypted connections with per-tenant isolation |
| Backups | AES-256 encrypted, stored in geographically distributed locations |
4.2 Tenant Isolation
RegulaCore Inc uses a zero-trust, multi-tenant architecture where:
- Each tenant has a dedicated database with no shared tables across tenants.
- Every API request is authenticated and authorized against the tenant context.
- File storage is namespaced per tenant with no cross-tenant access possible.
- Audit logs are tenant-scoped and tamper-evident.
4.3 Access Controls
- Role-Based Access Control (RBAC): Granular permissions at the module, feature, and data level.
- Single Sign-On (SSO): Support for Google Workspace, Microsoft Entra ID, Okta, and SAML 2.0 providers.
- Multi-Factor Authentication (MFA): Available for all accounts. Enforced by Tenant Admins.
- Session Management: Configurable session timeout, forced logout, and device management.
5. Application Security
5.1 Secure Development
- Security-focused code reviews for all changes.
- Automated static analysis (SAST) and dependency vulnerability scanning in CI/CD.
- OWASP Top 10 coverage in all application components.
- Input validation and parameterized queries to prevent injection attacks.
- Content Security Policy (CSP) and Subresource Integrity (SRI) for frontend assets.
5.2 Penetration Testing
We conduct regular penetration testing through qualified third-party firms. Findings are remediated on a risk-prioritized basis. Executive summaries are available to enterprise customers under NDA.
5.3 Vulnerability Management
We monitor the Common Vulnerabilities and Exposures (CVE) database and security advisories for all dependencies. Critical vulnerabilities are patched within 24 hours; high-severity issues within 72 hours.
6. Audit Logging
RegulaCore Inc maintains comprehensive audit logs for every tenant, including:
- User authentication events (login, logout, MFA, failed attempts).
- Data access and modification events with before/after snapshots.
- Administrative actions (user management, role changes, settings modifications).
- API access logs with request metadata.
Audit logs are immutable, timestamped, and retained for a minimum of 7 years to support regulatory compliance requirements for EHS and ISO programs.
7. Business Continuity and Disaster Recovery
- Availability Target: 99.9% monthly uptime.
- Redundancy: Cloudflare's edge architecture provides automatic failover across 300+ locations.
- Backups: Automated daily backups with 30-day retention. Point-in-time recovery available.
- Recovery Time Objective (RTO): Less than 4 hours.
- Recovery Point Objective (RPO): Less than 1 hour.
8. Incident Response
RegulaCore Inc maintains a documented incident response plan that includes:
- Detection: Automated monitoring and alerting for anomalous activity.
- Triage: Classification by severity level with defined escalation paths.
- Notification: Customer notification within 72 hours for data breaches (GDPR requirement).
- Remediation: Root cause analysis and corrective actions for every incident.
- Post-Incident Review: Lessons learned documented and shared with affected customers.
9. Responsible Disclosure
We value the security research community. If you discover a security vulnerability, please report it responsibly:
- Email: security@regulacore.com
- Include a detailed description, reproduction steps, and your contact information.
- We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours.
- We do not pursue legal action against researchers who follow responsible disclosure principles.
10. Sub-processors
A current list of sub-processors is maintained in our Data Processing Addendum. We notify customers 30 days before engaging new sub-processors.
11. Contact
For security inquiries, audit requests, or to report a vulnerability:
RegulaCore Inc.
500 Navarro St, 2nd Floor, PMB 7096
San Antonio, TX 78205
United States
Security team: security@regulacore.com
Privacy team: privacy@regulacore.com