RegRadar

Trust & Security

RegRadar is a compliance tool, so security and data minimization are foundational — not an afterthought.

The one-way mirror

RegRadar only pulls public regulatory data down to you. It never accepts your customers' nonpublic personal information (NPI) or protected health information (PHI). There are no free-text client-notes fields anywhere, and inputs actively reject SSN and policy-number patterns. This design is what keeps RegRadar outside GLBA and HIPAA scope.

Data residency

All data is stored in the United States. The database and authentication run on Supabase (US region) with row-level security enforced on every table, so one tenant can never read another's data. Evidence snapshots of each detected change are archived to Cloudflare R2.

Security practices

Encryption in transit (TLS everywhere) and at rest. Least-privilege access, with multi-factor authentication available. Every privileged action is written to an immutable audit log. Secrets live only in environment variables — never in code or version control.

Subprocessors

We rely on a small, vetted set of subprocessors to run the service. See the full list.

Contact

Security questions or vulnerability disclosures are welcome at security@naicmonitor.com. We also publish a machine-readable security.txt.