Security at Regent
Your emails contain your most sensitive professional communications. We built Regent with security as a foundational requirement, not an afterthought.
Last updated: March 15, 2026
- Encryption: AES-256-GCM
- Transit: TLS 1.3
- Isolation: RLS per tenant
- Deletion: 72 hours
Encryption
AES-256-GCM and TLS 1.3 protect your data at rest and in transit.
- AES-256-GCM encryption for stored credentials (IMAP passwords, OAuth tokens)
- Per-tenant encryption keys derived via HKDF from a master key
- Master encryption key stored in environment variables, never in the database
- TLS 1.3 for all data in transit
- HSTS with preload for all web connections
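The key hierarchy in the list above, as an added Go example that is not Regent's own code: a per-tenant AES-256-GCM key is derived from a master key with HKDF-SHA256 (RFC 5869, written out with the standard library's HMAC), so a credential sealed for one tenant cannot be opened under another tenant's key. The function names, the `credential-encryption:` info label, the all-zero salt and the nonce-prefixed blob layout are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// tenantAEAD derives a 32-byte per-tenant key with HKDF-SHA256 and wraps it in AES-GCM.
func tenantAEAD(master []byte, tenantID string) (cipher.AEAD, error) {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // HKDF-Extract, all-zero salt
	ext.Write(master)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // HKDF-Expand: T(1) = HMAC(PRK, info || 0x01)
	exp.Write(append([]byte("credential-encryption:"+tenantID), 1)) // info label is assumed
	block, _ := aes.NewCipher(exp.Sum(nil)) // cannot fail: the key is always 32 bytes
	return cipher.NewGCM(block)
}

// Seal encrypts a credential and returns nonce || ciphertext || tag.
func Seal(master []byte, tenantID string, secret []byte) ([]byte, error) {
	aead, err := tenantAEAD(master, tenantID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, secret, nil), nil
}

// Open fails when the blob was sealed under another tenant's key or was modified.
func Open(master []byte, tenantID string, blob []byte) ([]byte, error) {
	aead, err := tenantAEAD(master, tenantID)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("key setup failed or ciphertext too short")
	}
	n := aead.NonceSize()
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	blob, _ := Seal(make([]byte, 32), "tenant-a", []byte("imap-password")) // constructed zero key
	_, err := Open(make([]byte, 32), "tenant-b", blob)
	fmt.Println("cross-tenant open rejected:", err != nil)
}
```

In a deployment matching the list above, the master key would be read from the environment rather than constructed in code.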
Multi-Tenant Isolation
Database-level isolation ensures your data can never be accessed by other users.
- PostgreSQL Row-Level Security (RLS) on every data table
- Compile-time TenantContext enforcement in backend code
- Every query scoped to your tenant at the database level
- Automated cross-tenant isolation tests in CI/CD
- Zero cross-tenant data leakage by architecture, not just convention
Authentication
Enterprise-grade authentication with multiple security layers.
- Supabase Auth with Google and Microsoft OAuth support
- PKCE flow for secure authorization code exchange
- JWT/JWKS validation with 1-hour key cache rotation
- 15-minute access tokens with 7-day single-use refresh tokens
- Rate limiting: 5 login attempts/min/IP, lockout after 10 failures
- Secure cookies: HttpOnly, Secure, SameSite=Strict
AI Security
Your email data is processed on private infrastructure, never shared with third-party AI.
- Ollama Cloud on private infrastructure (not OpenAI, not third-party)
- Email content never leaves controlled infrastructure
- AI models do not train on your data
- Content truncation: categorization uses the first 500 characters, summarization uses 2,000
- Google Gemini Flash used only as a rare fallback with minimal data
Infrastructure
Hardened infrastructure with multiple layers of protection.
- Docker containers with distroless base images (minimal attack surface)
- CGO_ENABLED=0 for pure Go binaries with no C dependencies
- Cloudflare CDN for DDoS protection and edge security
- CSP headers and security headers on all responses
- Supabase-managed PostgreSQL with automatic patching
- Sub-20MB backend Docker images
Access Control
Fine-grained access controls and session management.
- CSRF protection on all state-changing endpoints
- CORS configured per environment (no wildcard origins)
- Rate limiting on all public API endpoints
- Feature gating based on subscription tier
- PII redacted from all application logs
Audit and Compliance
Complete audit trail and compliance with major regulatory frameworks.
- SOC 2 Type I preparation in progress
- GDPR compliant with full data export and 72-hour deletion
- CCPA compliant
- AI audit log records every AI decision with model, tokens, confidence
- Authentication and admin event audit logging
- Dependency vulnerability scanning (Snyk/Dependabot)
Data Sovereignty
Full control over your data with export and deletion capabilities.
- Complete data export in JSON format at any time
- Account deletion within 72 hours of request
- ON DELETE CASCADE for complete data removal
- Backup data purged within 30 days of deletion
- No data lock-in: your data is always portable
Self-Host Option
For organizations with strict data residency requirements, Regent can be self-hosted on your own infrastructure. The Go backend compiles to a single binary under 20MB, deployable via Docker on any Linux server.
Contact us at enterprise@regent.ai for self-hosted deployment options.
Vulnerability Reporting
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
- Email: security@regent.ai
- Response time: We acknowledge reports within 24 hours and provide an initial assessment within 72 hours.
- Scope: All Regent services, APIs, and infrastructure are in scope.
- Policy: We will not take legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.