Sandbox tier is free forever — every framework, every agent, every audit-trail event. Paid tiers add seats, BYOC sovereignty, and a signed SLA.

Which frameworks does ReguNav cover?

24 frameworks including EU AI Act, ISO/IEC 42001:2023, ISO/IEC 27001:2022, ISO/IEC 27701:2019, GDPR, HIPAA Security & Privacy, SOC 2 Type II, SOC 1 Type II, PCI DSS 4.0.1, NIST AI Risk Management Framework, NIST CSF 2.0, DORA, CCPA / CPRA, NIS2 Directive, EU Cyber Resilience Act, India DPDP Act, Brazil LGPD, China PIPL, Japan APPI, Australia Privacy Act, UK GDPR + DPA 2018, HuggingFace Model Card, HAARF — Healthcare AI Agents Regulatory Framework, FedRAMP.

Does ReguNav use LLMs to grade compliance?

No. Verdicts are 100% deterministic — same inputs + framework version produces the same output, replayable by fingerprint. LLMs may help draft remediation but never gate compliance decisions.

Legal — Acceptable Use Policy

Acceptable Use Policy (AUP)

Version 1.0 · Effective: 2026-05-19 · Last updated: 2026-05-19 · Document id: regunav-aup-v1

This Acceptable Use Policy ("AUP") governs Customer's use of the ReguNav™ Service and all related interfaces, APIs, and integrations operated by Regunav Inc.("Regunav"). It applies to Customer, its Authorized Users, and any third party Customer permits to access the Service. This AUP forms part of the master agreement between the parties; violation is a material breach.

1. Scope

This AUP applies to all use of the Service, including its web surfaces (regunav.com and authenticated subdomains), public and private APIs, webhooks, customer-facing audit interfaces, and any data processed by or through the Service.

2. Prohibited content

Customer must not upload, store, transmit, or process via the Service any content that:

is unlawful, defamatory, obscene, harassing, or invades privacy under applicable law;
infringes any third-party intellectual-property right (copyright, trademark, trade secret, patent);
contains malware, ransomware, worms, viruses, or any code designed to disrupt, damage, or surveil any system;
contains material exploiting or endangering minors (CSAM) — Regunav reports such content to NCMEC and law enforcement without notice;
contains payment-card data (PAN) or full magnetic-stripe / chip data unless Customer's PCI-DSS scope and contract specifically allow it;
contains protected health information (PHI) unless a BAA is executed under HIPAA;
contains export-controlled technical data, ITAR-controlled defense articles, or items on the US/EU/UK sanctions or denied-party lists.

3. Prohibited activities

Customer must not, and must not permit any Authorized User or third party to:

circumvent, disable, or interfere with security or authentication features of the Service;
attempt to access another tenant's data, accounts, or compute resources;
reverse-engineer, decompile, or extract source code or model weights from the Service, except where this restriction is prohibited by mandatory law (e.g. EU Software Directive Art. 6 interoperability);
resell, sublicense, or white-label the Service without a written reseller agreement;
use the Service to build a competing product, train a competing AI model, or benchmark for publication without prior written consent;
conduct load-testing, fuzzing, or penetration-testing without prior written authorization scoped under the program in /legal/vdp;
scrape, crawl, or harvest the Service except through documented APIs and within published rate limits;
send unsolicited bulk email, spam, or any communication that violates CAN-SPAM, CASL, GDPR e-Privacy, or equivalent local law.

4. Security & integrity rules

Customer must protect credentials (API keys, OIDC tokens, SSO seeds) with controls at least equal to those required by SOC 2 CC6.1 or ISO/IEC 27001 A.9.
Customer must report any suspected compromise to security@regunav.com within 24 hours of discovery.
Customer must keep its OS, runtime, and dependency stack patched for any agent/SDK installed in its own environment to interact with the Service.
Customer must not deliberately overwhelm the Service or its sub-processors (DoS, amplification, flood).

5. AI-system use restrictions

ReguNav™ provides compliance tooling for AI systems including EU AI Act conformity-assessment workflows. Customer represents that its use of the Service will not:

be used to provide a service that itself is a Prohibited AI Practice under EU AI Act Art. 5 (social scoring, real-time biometric ID in public space outside permitted derogations, manipulative or exploitative systems);
misrepresent the conformity status, risk tier, or fundamental-rights impact of a Customer-deployed AI system to a regulator or auditor;
use Service outputs as the sole basis for a legal, employment, credit, insurance, healthcare, or educational decision affecting a Data Subject without human review, in violation of GDPR Art. 22.

Regunav does not train foundation models on Customer Data. Service-generated AI inferences are per-tenant and isolated; see DPA §4 (no-training clause).

6. Fair use & rate limits

Programmatic interfaces enforce published rate limits. Sustained abuse, or use exceeding the published per-plan ceilings on repository count, event volume, or webhook fan-out, may be throttled or suspended after best-effort notice. Limits are listed in the Service's /pricing page and documentation.

7. Third-party services & integrations

When Customer connects third-party services (GitHub, Slack, Microsoft Entra, AWS/Azure/GCP for BYOC vault, Stripe, etc.), Customer is responsible for that third party's terms and for obtaining all consents needed before sharing Personal Data with Regunav.

8. Enforcement

Where Regunav reasonably believes Customer has violated this AUP, Regunav may, in order of preference:

contact Customer to seek voluntary remediation;
throttle, suspend, or disable the offending feature, repository, or API key;
suspend the affected tenant pending investigation;
terminate the Agreement for material breach.

Regunav will use the least intrusive measure consistent with the severity of the violation, the risk to other customers, and any legal or regulatory obligation. Where mandatory law requires immediate action (e.g. court order, sanctions hit, CSAM discovery), Regunav may act without prior notice. Every enforcement action is logged in the WORM audit trail and delivered to Customer's Trust Center.

9. Reporting abuse

To report abuse of the Service by a third party, write to abuse@regunav.com. Security vulnerabilities should be reported under the Vulnerability Disclosure Program — not via this address.

10. Changes to this AUP

Regunav may update this AUP from time to time. Material changes will be notified at least 30 days in advance via the authenticated console banner and the Customer's designated contact. Continued use after the effective date constitutes acceptance.

11. Contact

Questions about this AUP: legal@regunav.com · Abuse reports: abuse@regunav.com · Security: security@regunav.com.

Regunav Inc. · 2026.