Security — Vulnerability Disclosure Program
Vulnerability Disclosure Program (VDP)
Version 1.0 · Effective: 2026-05-19 · Last updated: 2026-05-19 · Document id: regunav-vdp-v1
Regunav Inc. ("Regunav") welcomes coordinated security disclosures from independent researchers. This Vulnerability Disclosure Program ("VDP") sets the scope, the legal safe-harbor, the reporting channel, and the rules of engagement. It complements the machine-readable disclosure metadata published at /.well-known/security.txt (RFC 9116).
1. In-scope assets
- regunav.com and any subdomain owned by Regunav (e.g. app.regunav.com, trust.regunav.com, status.regunav.com);
- codeconstitution.com and the Code Constitution™ GitHub App;
- compliancetoarchitecture.com and the public Apache-2.0 framework repositories;
- Documented public APIs of the Service.
2. Out of scope
- Findings that require physical access to a Regunav employee's device;
- Social engineering of Regunav personnel, customers, or sub-processors;
- Denial-of-service (volumetric, application-layer flood, resource exhaustion);
- Findings on third-party services we use (report directly to that vendor);
- Self-XSS, missing best-practice headers without an exploit path, clickjacking on pages without state-changing actions;
- Theoretical vulnerabilities without a working proof-of-concept;
- Findings whose only impact is reachable by a malicious GitHub App installation owner against repositories they already control (this is the documented threat model);
- Reports from automated scanners without manual validation.
3. Safe-harbor
Regunav will not initiate, support, or refer for prosecution any civil or criminal action against a researcher who, in good faith:
- tests only in-scope assets;
- respects the rules of engagement in §4;
- reports promptly under §5; and
- does not exfiltrate, retain, or share customer data beyond the minimum necessary to demonstrate the issue.
This safe-harbor authorizes the research under, and is intended to satisfy the "authorized access" element of, the US Computer Fraud and Abuse Act (CFAA, 18 U.S.C. §1030), the UK Computer Misuse Act 1990, and the EU Cyber Resilience Act / CSIRT-network frameworks where applicable. Mandatory law (sanctions, export control, mandatory breach reporting) continues to apply and is unaffected by this safe-harbor.
4. Rules of engagement
- Do not access, modify, or delete data belonging to anyone other than yourself or a test account you control;
- Do not run automated scanners that generate sustained traffic — limit to ≤ 10 req/s per origin without prior coordination;
- Stop and report the moment you confirm a vulnerability — do not pivot, escalate, persist, or move laterally beyond what is needed to demonstrate the finding;
- Do not publicly disclose the finding until Regunav has confirmed remediation or 90 days have elapsed since the report (§6 timeline);
- Do not extort, threaten, or condition disclosure on payment, employment, or other consideration.
5. How to report
Send reports to security@regunav.com. PGP-encrypted reports are encouraged — fingerprint and current key are published at /.well-known/security.txt.
A good report includes:
- Affected asset (URL, host, package, repo) and reproducible steps;
- Impact and a CVSS v3.1 estimate (or your reasoning);
- Proof-of-concept (request/response, screenshot, video) limited to demonstration;
- Your preferred contact, attribution name (or anonymous), and whether you want CVE credit.
6. Our response SLA
- Acknowledgement: within 2 business days.
- Triage + severity assignment: within 5 business days.
- Status updates: at least every 14 days until closure.
- Target time-to-fix from triage: Critical ≤ 7 days · High ≤ 30 days · Medium ≤ 60 days · Low ≤ 90 days.
- Public coordinated disclosure: the earlier of fix-confirmation + 14 days, or 90 days from report (extension by mutual agreement).
7. Recognition
We maintain a public security-acknowledgements page for valid reports. Reporters may choose anonymous credit, a handle, or their real name with a link. Regunav does not currently operate a paid bug-bounty; we do issue swag and a written reference letter for accepted findings of High severity or above.
8. Coordinated disclosure for downstream
Where a vulnerability affects a customer's configuration or a connected third party of theirs (e.g. an EU AI Act assessment chain), Regunav will coordinate disclosure to the affected customer (DPA §8 breach-notification clock, 24h) and, where applicable, to the appropriate CSIRT or supervisory authority.
9. Contact
Security reports: security@regunav.com · PGP key + canonical disclosure metadata: /.well-known/security.txt · Acceptable use questions: /legal/aup.
Regunav Inc. · 2026.