Three steps to decide if ReguNav fits Brazil.
For CFOs, COOs, Heads of Risk supervised under Brazil authority. Skip the architecture diagrams — see the regulator, the deliverable, and the ROI you'll quote to the board.
Sovereign AI ready for Brazil.
ReguNav supports AI vendors operating in Brazil under LGPD enforcement by the ANPD, ANS for supplementary healthcare, and BCB cybersecurity + open-banking standards. Portuguese-language consent flows + ANPD-formatted breach notice templates included.
Brazil regulator landscape
Every Brazil control on the platform is anchored to a named regulator artefact. When the regulator updates their guidance, the framework registry takes the bump and every dependent control inherits it.
Frameworks anchored in Brazil
Brazil LGPD
13.709/201818 clauses · 12 controlsBrazil's General Data Protection Law (LGPD). Applies to any processing of personal data carried out by a natural person or a legal entity, public or private, regardless of the means or country in which the data subject is located, provided that (i) processing is carried out in the national territory; (ii) the processing activity has the objective of offering or supplying goods or services to or processing data of individuals located in the national territory; or (iii) the personal data subject of the processing was collected in the national territory. Establishes 10 principles, 10 legal bases, the rights of the data subject, the obligations of controllers and processors, ANPD oversight, and administrative sanctions up to 2% of revenues (capped at BRL 50m per infraction).
Connected components for Brazil.
Derived from @regunav/taxonomy at request time — add a new regulator / agent / framework to its source registry and it surfaces here automatically, no copy edits required.
What you get in Brazil.
Honest status on every capability — live means wired end-to-end in production. Pick the ones your driver requires; we'll quote a date for anything not yet live.
Framework rule packs
- What you get
- 24 framework rule packs ship populated — SOC 2, ISO 27001, PCI DSS, GDPR, HIPAA, EU AI Act, FedRAMP and more — no empty schemas to fill in.
- Problem solved
- Buying a compliance tool and finding the rule library empty. Six weeks lost to copy-pasting control text from PDFs before the platform produces anything useful.
- ROI
- 6 weeks saved on first-control-to-evidence onboarding.Assumes: compared to building one control library per framework in-house.
Evidence ranker
- What you get
- Ranks every artefact you upload against the control it best satisfies — across 24 frameworks at once.
- Problem solved
- GRC manager spends 8h/week mapping evidence to controls by hand. Most artefacts satisfy 4–7 controls; manual mapping captures one.
- ROIinteractive
- 8h/wk of compliance-manager time reclaimedAssumes: team of 50, 3 frameworks in scope, monthly evidence refresh.
Sealed evidence packs
- What you get
- Content-addressed (sha256) evidence bundle the auditor pulls via URL. Replayable byte-for-byte from any timestamp.
- Problem solved
- Auditor email chain: 'send me the December evidence again, this time with the policy header'. Three round-trips per request.
- ROIinteractive
- $120k audit-prep cost avoidedAssumes: 3 framework audit, $250/h loaded GRC rate, baseline ~480h of prep.
WORM hash-chained audit trail
- What you get
- Every action against your tenant logged immutably with a per-row hash chain. Tampering with one row breaks verification of every later row.
- Problem solved
- Regulator asks 'who approved that change on March 4?' and the answer is a Slack search and a memory.
- ROI
- Zero regulator findings on access-control evidence.Assumes: banking-grade auditor sample (typically 25 events) verified against hash chain.
Regulator + auditor report packs
- What you get
- Seven stakeholder-shaped report packs (board, regulator, auditor, customer DPA, internal audit, …) generated from your live D1 records.
- Problem solved
- Four days re-formatting the same data for the board pack, the regulator submission, and the customer security questionnaire.
- ROIinteractive
- $96k of GRC time saved annually on report assemblyAssumes: 48 stakeholder-days/yr of report formatting at $250/h.
Code Constitution™ GitHub App
- What you get
- Compliance checks run inline on every PR (≤90s). Findings appear as line+column annotations in the review UI.
- Problem solved
- Compliance review happens quarterly. By the time the auditor flags a missing model card, it has been in production for 60 days.
- ROIinteractive
- $110k of audit-prep + remediation time saved annuallyAssumes: ~20 engineers × 220 working days × 5% PR finding rate × 2h post-hoc cost at $250/h.
How to decide for Brazil.
- 1. Identify your supervisor. Autoridade Nacional de Proteção de Dados (+ 2 more on this page).
- 2. Pick the framework that closes your audit. Brazil LGPD.
- 3. Run the ROI math. Each card above shows the assumption behind the number. Plug in your team size and audit cost — if it doesn't close, neither should the deal.
- 4. Book a 30-min walk-through. We demo against a synthetic Brazil tenant — same engine that runs your production tenancy. No slide deck.
Brazil SaaS, fintech, healthcare-AI, or essential-service?
We work with organisations supervised by every regulator listed above. The jurisdiction-aware engine routes incident reports, DSARs, and FRIA submissions to the correct authority + timeline automatically.
Talk to Brazil team →Jurisdiction codes + regulator data are sourced from @regunav/jurisdictions (Apache-2.0, open-source). Adding a new market is a single registry entry — no copy-paste regulator content. See /uk for the bespoke deep-dive template.