Trust & Transparency

Acts on its own.
Never out of your control.

Regor is built to change your storefront autonomously, which means it has to earn trust by default. Every change is governed, logged, and reversible. Your data is encrypted, minimized, and never sold. This page documents exactly how.

Last updated: June 2026

Security

Encryption in transit and at rest, least-privilege access, and signed webhooks across every endpoint.

Privacy & data

We collect the minimum needed to run discovery. No card data, no shopper PII, no training on your data.

Governance & reversibility

Every autonomous change is proposed, logged, and reversible with one click. You set the autonomy level.

Compliance

GDPR and CCPA/CPRA aligned today, with SOC 2 Type II in progress.

Controls

The safeguards behind every change

Encryption

  • TLS 1.2+ enforced on all API, webhook, and dashboard traffic, with HSTS
  • AES-256 encryption at rest for sensitive configuration and credentials
  • Merchant API keys encrypted before storage. Raw keys are never persisted
  • Outbound webhooks signed with per-merchant secrets

Authentication & access

  • Role-based access control with distinct Admin, Merchant, and API roles
  • Short-lived session tokens and securely hashed passwords
  • Principle of least privilege on every role
  • Key-based SSH only. Password login disabled

Infrastructure

  • Production behind HTTPS with TLS termination on every service
  • Managed DDoS protection and a WAF on all public endpoints
  • Firewall restricts inbound access to HTTPS and key-based SSH
  • Separate development and production environments and secrets

Application security

  • Input validation and sanitization on all API endpoints
  • Parameterized queries to prevent SQL injection
  • Output encoding and Content-Security-Policy to prevent XSS
  • Security headers: CSP, X-Frame-Options, X-Content-Type-Options, HSTS

Autonomous agent safety

  • Propose-then-approve model. Changes wait for your approval unless you enable low-risk auto-approval
  • Full audit trail. Every action records a forward and revert diff
  • Instant one-click rollback on any executed change
  • Daily cost caps per merchant and a health-check halt for autonomous runs

Data handling

  • We collect search events, catalog data, and account details only
  • No card data and no shopper PII; raw IP addresses are hashed before storage
  • Your data is never sold and never used to train shared models
  • Export your data in JSON or CSV, and delete it on request

Compliance

Where we stand today

We show our real status, not badges we have not earned. SOC 2 Type II is in active preparation rather than complete.

GDPR: Active. DPA available. Data minimization, purpose limitation, and deletion rights implemented.
CCPA / CPRA: Active. Access, deletion, and opt-out supported for consumers.
SOC 2 Type II: In progress. Controls in place. Formal attestation expected 2026.
ISO 27001: Planned. Targeted for 2027.
PCI DSS: Not applicable. No card data processed. Payments handled by Stripe.

Incident response

We detect incidents, triage and contain them promptly, and notify affected customers within 72 hours of a confirmed incident, in line with GDPR. Every incident closes with a documented post-mortem covering root cause and preventive measures. Report a concern or a vulnerability to security@regor.ai.

Documentation

Security documentation on request

Our detailed security overview and a completed assessment questionnaire are available to customers and prospects under NDA. For a signed DPA or a custom security review, reach out and we will turn it around quickly.