Security & compliance built for regulated firms

Regulated financial services firms have the highest security requirements. RegOak is built to meet them.

Data residency

All customer data is stored in UK-based infrastructure. We do not transfer personal or compliance data outside the UK/EEA under any circumstances.

Encryption at rest

All data is encrypted at rest using AES-256. Database encryption is enforced at the storage layer — not just at the application level.

Encryption in transit

All data in transit is encrypted using TLS 1.3. We enforce HTTPS across all endpoints and reject older protocol versions.

SOC 2 Type II readiness

RegOak is built to SOC 2 Type II standards across Security, Availability, and Confidentiality trust service criteria. Formal certification in progress.

GDPR compliance

RegOak acts as a data processor under GDPR. We maintain a full data processing agreement (DPA) available on request. Data subject rights are supported.

Role-based access control

Granular RBAC with five distinct roles. Every action is attributed to a named user. Principle of least privilege enforced throughout.

Immutable audit logs

Every compliance action — review, approval, rejection, rule change — is written to an immutable audit log. Tamper-evident and exportable for regulatory inspection.

Multi-tenant isolation

Strict tenant isolation enforced at the database level using Row Level Security. No cross-tenant data access is architecturally possible.
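As an added illustration (not RegOak's own schema or code), the PostgreSQL snippet below shows how database-level Row Level Security of the kind described above confines each connection to a single tenant's rows, and how the same grants keep an audit table append-only as the audit-log section requires; the table audit_events, the role app_user and the session setting app.tenant_id are assumed names.

```sql
-- Constructed example, not RegOak's schema. Names below are assumptions.
-- Application role: cannot bypass RLS, and gets no UPDATE/DELETE so the log is append-only.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;

CREATE TABLE audit_events (
    id         bigserial   PRIMARY KEY,
    tenant_id  uuid        NOT NULL,
    actor      text        NOT NULL,   -- named user the action is attributed to
    action     text        NOT NULL,   -- review / approval / rejection / rule change
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Enforce isolation in the database itself; FORCE applies it to the table owner as well.
ALTER TABLE audit_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_events FORCE ROW LEVEL SECURITY;

-- Every statement is confined to the tenant bound to the current transaction.
-- current_setting(..., true) yields NULL when unset, so an unbound session sees
-- nothing and cannot insert (fails closed).
CREATE POLICY tenant_isolation ON audit_events
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

GRANT SELECT, INSERT ON audit_events TO app_user;
GRANT USAGE ON SEQUENCE audit_events_id_seq TO app_user;

-- How the application uses it: bind the tenant for one transaction only.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';  -- constructed id
INSERT INTO audit_events (tenant_id, actor, action)
    VALUES (current_setting('app.tenant_id')::uuid, 'reviewer@example.org', 'approval');
SELECT count(*) FROM audit_events;   -- returns this tenant's rows only
COMMIT;

-- Caveats: superusers and roles with BYPASSRLS ignore policies, so the application must
-- never connect as one; an INSERT naming another tenant_id is rejected by WITH CHECK.
```

The policy only isolates tenants if the application always connects as a role subject to RLS and always binds app.tenant_id from its own authenticated session, never from user-supplied input.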

Certifications & compliance status

GDPR: Compliant. Full GDPR compliance with DPA available.

UK GDPR: Compliant. Post-Brexit UK GDPR requirements met.

SOC 2: In progress. Type II audit scheduled Q3 2026.

ISO 27001: Roadmap. Planned for 2027.

Request our Data Processing Agreement

Enterprise customers and firms conducting due diligence can request our full DPA, security questionnaire responses, and penetration test summaries.