How your data is actually handled
Healthcare practices ask about data handling first. Here’s the plain-English answer - infrastructure, AI training, access controls, encryption, and retention. No surprises.
The six commitments
What we commit to, in plain English
Zero patient data
RegenCompliance analyzes marketing content only - website copy, social posts, ads, scripts. We never receive, process, or store PHI. Zero HIPAA implications because we never touch patient records in the first place.
Your content is not used for AI training
Our AI providers operate under contractual no-training terms for all customer content. Your content is analyzed for the scan, results are returned, and nothing feeds any model's training set. The same contractual posture applies to any future AI provider we add.
Encryption at rest and in transit
All data is encrypted at rest and in transit using current industry-standard encryption protocols. Tenant data is isolated through enforced access controls so customer data is never co-mingled.
No access by RegenCompliance staff without explicit authorization
Our staff cannot access your scan content during normal operation. Support-initiated access requires documented authorization and is logged. Your marketing content is your data, visible only to you and your team seats.
Permanent audit trail of your own usage
Every scan, every decision, every export is logged in your account. You always have visibility into what happened in your own account. This is the compliance-evidence trail, not a surveillance mechanism.
Infrastructure on enterprise-grade providers
Our infrastructure is built on SOC 2 Type II audited cloud providers with PCI DSS Level 1 payment processing. Every subprocessor we rely on operates an independently audited security program.
The full detail
Specific policies and practices
Data handling
Content you submit to RegenCompliance is stored in your account for your audit trail. It's visible only to you and your team seats. It's not shared with other customers, advertising networks, or third-party data brokers. We don't sell, rent, or distribute your content.
AI processing
Scans run through enterprise AI providers under contractual no-training terms. Scan content is processed to produce a result, the result is returned to us, and we store it in your audit trail. AI providers retain content only for their own standard operational logging, which is contractually walled off from any training pipeline.
Authentication
Account access uses email + password with industry-standard salted hashing, plus OAuth where enabled. Password resets require email verification. Sessions use secure cookies with appropriate expiration and rotation.
Access controls
Your account data is accessible only to authenticated users with valid sessions for accounts they belong to. Tenant isolation is enforced below the application layer so an application bug alone cannot return data from one account to another.
Payment processing
Payments are processed on PCI DSS Level 1 platforms. We never see, store, or process raw card data. Our payment integration uses restricted, minimum-privilege API credentials scoped to the operations required for billing and subscription management only.
Incident response
Breach or incident detection triggers our documented response process: investigation, notification to affected customers within 72 hours per GDPR-adjacent best practice, and remediation. We maintain logs sufficient to reconstruct incidents.
Data retention and deletion
Data is retained during your active subscription. After cancellation, scan history remains accessible for 90 days (you can export all records as PDF or CSV). After 90 days, data is permanently deleted. On-demand account deletion is available at any time.
Third-party subprocessors
We use a small set of subprocessors covering hosting, database and authentication, AI processing, payment processing, and error monitoring. Each subprocessor maintains a SOC 2 Type II or equivalent attestation. A current subprocessor list is available to customers on request.
Our security posture
- 256-bit encryption at rest, encrypted in transit. All customer data is encrypted using current industry-standard protocols.
- SOC 2 Type II audited cloud infrastructure. Hosting, database, authentication, and storage all run on independently audited platforms.
- Restricted-key payment processing on PCI DSS Level 1 platforms. Card data is never seen, stored, or processed by us.
- Continuous monitoring with PII scrubbing. Application telemetry is sanitized of personally identifiable information before it leaves the request lifecycle.
- Documented incident response and breach notification. We commit to investigating and notifying affected customers within 72 hours of a confirmed incident.
FAQ
Security questions
Questions we haven't answered?
Enterprise security questionnaires welcome. Vulnerability reports welcome. Reach out through our contact form and we'll route your message to the right team.