Healthcare practices ask about data handling first. Here’s the plain-English answer - infrastructure, AI training, access controls, encryption, and retention. No surprises.
The six commitments
RegenCompliance analyzes marketing content only - website copy, social posts, ads, scripts. We never receive, process, or store PHI, so HIPAA stays out of scope: there are no patient records for us to protect. That holds as long as what you submit is marketing content; do not paste patient records or identifiable patient details into a scan.
Our AI providers operate under contractual no-training terms for all customer content. Your content is analyzed for the scan, results are returned, and nothing feeds any model's training set. The same contractual posture applies to any future AI provider we add.
All data is encrypted at rest and in transit using current industry-standard protocols. Tenant data is isolated through enforced access controls so customer data is never commingled.
Our staff cannot access your scan content during normal operation. Support-initiated access requires documented authorization and is logged. Your marketing content is your data, visible only to you and your team seats.
Every scan, every decision, every export is logged in your account. You always have visibility into what happened in your own account. This is the compliance-evidence trail, not a surveillance mechanism.
Our infrastructure is built on SOC 2 Type II audited cloud providers with PCI DSS Level 1 payment processing. Every subprocessor we rely on operates an independently audited security program.
The full detail
Content you submit to RegenCompliance is stored in your account for your audit trail. It's visible only to you and your team seats. It's not shared with other customers, advertising networks, or third-party data brokers. We don't sell, rent, or distribute your content.
Scans run through enterprise AI providers under contractual no-training terms. Scan content is processed to produce a result, the result is returned to us, and we store it in your audit trail. AI providers retain content only for their own standard operational logging, which is contractually walled off from any training pipeline.
Account access uses email and password, with passwords stored only as salted hashes, plus OAuth where enabled. Password resets require email verification. Sessions are carried in secure cookies that expire and are rotated.
Your account data is accessible only to authenticated users with valid sessions for accounts they belong to. Tenant isolation is enforced below the application layer so an application bug alone cannot return data from one account to another.
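One common way to put tenant isolation below the application layer is PostgreSQL row-level security, where the database itself refuses to return another account's rows even if application code forgets its WHERE clause. The example below is added here to illustrate that pattern; it is not RegenCompliance's schema or code, and the table, column, role and setting names (scans, account_id, app_user, app.account_id) are assumptions.

```sql
-- Added example, not RegenCompliance's own schema. Names are assumptions.
CREATE TABLE scans (
    id          bigserial PRIMARY KEY,
    account_id  uuid NOT NULL,
    content     text NOT NULL,
    result      jsonb,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- Weak form: isolation lives only in the application's query.
-- Any code path that omits the account filter leaks other tenants' rows:
--   SELECT * FROM scans WHERE id = $1;   -- no account_id check

-- Hardened form: the database enforces the tenant filter on every statement.
ALTER TABLE scans ENABLE ROW LEVEL SECURITY;
ALTER TABLE scans FORCE ROW LEVEL SECURITY;   -- applies to the table owner too

-- The policy compares each row to a per-request setting the app fills in
-- from the verified session. If the setting is missing, current_setting()
-- returns NULL, the comparison is NULL, and no rows are visible at all.
CREATE POLICY tenant_isolation ON scans
    USING      (account_id = current_setting('app.account_id', true)::uuid)
    WITH CHECK (account_id = current_setting('app.account_id', true)::uuid);

-- Queries run as a role that is neither a superuser nor BYPASSRLS,
-- otherwise the policy would not apply.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON scans TO app_user;

-- Per-request use. SET LOCAL scopes both settings to this transaction, so a
-- pooled connection cannot carry one tenant's identity into the next request.
-- (The connecting user must be a member of app_user for SET ROLE to succeed.)
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.account_id = '11111111-1111-1111-1111-111111111111';
SELECT id, created_at FROM scans WHERE id = 42;   -- empty if scan 42 belongs to another account
INSERT INTO scans (account_id, content)
    VALUES ('22222222-2222-2222-2222-222222222222', 'x');   -- rejected by WITH CHECK
COMMIT;
```

The property worth checking in a deployment like this is the failure mode: with the policy in place, an application bug that drops the account filter returns nothing rather than everything, and a request that never sets the tenant setting sees no rows. The remaining bypass is a superuser or BYPASSRLS connection, which is why the application role must be neither.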
Payments are processed on PCI DSS Level 1 platforms. We never see, store, or process raw card data. Our payment integration uses restricted, minimum-privilege API credentials scoped to the operations required for billing and subscription management only.
Breach or incident detection triggers our documented response process: investigation, notification to affected customers within 72 hours (the window GDPR sets for notifying regulators, which we apply to customer notification as well), and remediation. We maintain logs sufficient to reconstruct incidents.
Data is retained during your active subscription. After cancellation, scan history remains accessible for 30 days (you can export all records as PDF or CSV). After 30 days, data is permanently deleted. On-demand account deletion is available at any time.
We use a small set of subprocessors covering hosting, database and authentication, AI processing, payment processing, and error monitoring. Each subprocessor maintains a SOC 2 Type II or equivalent attestation. A current subprocessor list is available to customers on request.
FAQ
Enterprise security questionnaires welcome. Vulnerability reports welcome. Reach out through our contact form and we'll route your message to the right team.