Regingada UG (haftungsbeschränkt) i.G.

Regingada Trust Center

We hold no SOC 2 and no ISO certificate. This page shows what we actually do — and what we deliberately don't.

Last updated: 2026-06-12

DRAFT: Statements on this page are self-assessed and, where not yet ratified, marked for review by RA Theo Funk (zur Prüfung RA Funk). The page is updated in place; see the Updates feed.
T2 · Posture

Posture at a glance

Data residency: EU production residency is the target (Frankfurt) — a goal, not yet live. The core tool runs in your browser either way.
Hosting: To be named at go-live (TBD). It will be listed here and in the subprocessor table before launch.
AI processing: Opt-in only. Requests go through a Cloudflare Worker proxy to Anthropic (Claude). No AI request leaves the browser without your explicit action.
Accounts required: None. The suite has no login.
Tracking / ads: None. No analytics vendor, no ad network, no CRM pixel — on the product and on this site.
Core data model: Local-first: profile and settings live in your browser (LocalStorage). The core tool has no server-side persistence.

Data we touch — and data we don't

  • Funnel inputs — transient, purpose-bound, only when you submit them
  • Functional browser storage only (LocalStorage: language, theme, profile)
  • Payment data — never collected
  • Health data — never collected
  • Tracking cookies — none
  • Profiling / behavioral scoring — none

What exactly sits in your browser

Language: Your UI language (EN/DE). Never leaves the browser.
Theme: Light/dark preference. Never leaves the browser.
Profile: Your self-assessment profile. Leaves the browser only as part of a submission you actively trigger.
Deleting: One click in the suite's settings — or your browser's site-data controls. No request to us needed; we could not delete it for you even if asked, because we never hold it.

By default the Regingada Compliance Suite frontend loads zero external resources — open your own DevTools network tab and verify it. The only network paths are the opt-in AI request and your deliberate funnel submission.

How data flows — the whole picture

Your browser — the default boundary

The Regingada Compliance Suite runs entirely here. LocalStorage holds language, theme and profile. Zero external loads at boot.

↓ data crosses this line only on your action ↓

Path A · opt-in AI question

Browser → Cloudflare Worker → Anthropic (Claude)

Only what you type, only after consent. Not stored by us.

Path B · deliberate funnel submission

Browser → artifact service → DRAFT artifact

Transient processing; the artifact expires automatically — deleted after 14 days at the latest (current default).

T3 · Two products, one boundary

The software ↔ mandate boundary, explained

Software output is a DRAFT and is not legal advice. FINAL exists only after you engage Kanzlei Theo Funk under a separate mandate and a lawyer has reviewed the matter. This is not small print — it is the architecture.

Product 1 · public

Regingada Compliance Suite — Regingada UG (haftungsbeschränkt) i.G.

  • Regime: GDPR + RDG (structured self-assessment, decision support)
  • No mandate, no legal advice, no professional-secrecy claim
  • Output: DRAFT artifacts, visibly labeled

Mandate · on engagement

Kanzlei Theo Funk

  • Regime: § 203 StGB + BORA/BRAO professional secrecy
  • Protected by professional secrecy once you become a client
  • Output: FINAL artifacts after lawyer review

Why the boundary protects you

  • No pseudo-advice: the software never pretends to be your lawyer.
  • A clear liability address in every phase — software company or law firm, never a blur.
  • The mandate handoff is a deliberate, documented act — no silent server coupling between product and firm.

T4 · Controls

Controls — self-assessed, verifiable in code

We run no continuous-monitoring product, so you will find no green “Passing” theater here. Each control is stated as a fact, labeled honestly, and reviewed manually. Frontend controls you can verify yourself in DevTools; for server-side controls we share the relevant code excerpts on request by email.

Last reviewed: 2026-06-12 · status label for every control: self-assessed · verifiable in code

Data minimization

  • The suite requires no account; no user database exists for the public product.
  • No third-party trackers, analytics or advertising scripts are embedded.
  • Funnel inputs are processed for the stated purpose only and are not reused.

Transport & access

  • API authentication fails closed: an empty or missing server token yields HTTP 503 — never an open endpoint.
  • The lawyer-only endpoint (DRAFT→FINAL flip) is bearer-token-protected and rejects empty credentials.
  • CORS origins are an explicit allowlist set via environment configuration; credentials are not shared cross-origin.
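As an added illustration of the two access controls above (not the project's own code): a bearer-token check that fails closed with 503 when the server-side token is unset or empty, and a CORS allowlist parsed from an environment variable. The variable name CORS_ORIGINS and the 401/200 codes are assumptions; the page only states the 503 behaviour.

```python
import hmac
from typing import Dict, Optional, Set

# Constructed illustration, not the project's own code: the env variable name
# CORS_ORIGINS and the status codes other than 503 are assumptions.

def check_bearer(auth_header: Optional[str], configured_token: Optional[str]) -> int:
    """HTTP status for a request to the token-protected endpoint.

    503 when no token is configured (fail closed: a misdeployment must never
    turn into an open endpoint), 401 on a missing or wrong token, 200 on match.
    """
    if not configured_token:  # unset or empty string both fail closed
        return 503
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401
    presented = auth_header[len("Bearer "):]
    # constant-time comparison; compare bytes so non-ASCII input cannot raise
    if not presented or not hmac.compare_digest(presented.encode(), configured_token.encode()):
        return 401
    return 200

def cors_allowlist(env: Dict[str, str]) -> Set[str]:
    """Parse CORS_ORIGINS into an explicit allowlist of exact origins.

    A wildcard is rejected outright: with credentials in play, "*" would be
    exactly the cross-origin sharing the control rules out.
    """
    origins = {o.strip() for o in env.get("CORS_ORIGINS", "").split(",") if o.strip()}
    if "*" in origins:
        raise ValueError("wildcard origin not permitted")
    return origins

def cors_headers(origin: Optional[str], allowlist: Set[str]) -> Dict[str, str]:
    """Echo the Origin only when it is allowlisted; otherwise send no CORS headers."""
    if origin is None or origin not in allowlist:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```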

Artifact security

  • Download identifiers carry 128 bits of randomness; enumeration is computationally infeasible.
  • Malformed identifiers are rejected before any file access (404 before filesystem).
  • Identifier format checks and deletion allowlists are kept in lockstep, so expired artifacts are always swept.

Retention

  • Generated artifacts expire automatically — after 14 days at the latest (current default) — and an automated sweep deletes expired files.
  • AI conversations are not stored by us; profile data stays in your browser until you delete it.
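The artifact-security and retention controls above, as an added example that is not the project's own code: 128-bit identifiers from the OS CSPRNG, a format check that runs before any filesystem access, and a deletion sweep that reuses the same pattern so the allowlist cannot drift from the route check. The ".pdf" suffix, the directory argument and the 14-day default as a constant are assumptions.

```python
import os
import re
import secrets
import time
from typing import List, Optional

# Constructed illustration, not the project's own code: the ".pdf" suffix and
# the 14-day default as a constant are assumptions taken from the controls text.
RETENTION_SECONDS = 14 * 24 * 3600

# Single source of truth for the identifier format: the download route and the
# deletion sweep both use it, so the two cannot drift apart.
ARTIFACT_ID = re.compile(r"[0-9a-f]{32}")

def new_artifact_id() -> str:
    """16 bytes from the OS CSPRNG = 128 bits of entropy, rendered as 32 hex chars."""
    return secrets.token_hex(16)

def artifact_path(artifact_id: str, root: str) -> Optional[str]:
    """Map an identifier to a path, or None if the format is wrong (checked
    before any filesystem call, so "../etc/passwd" never reaches the disk)."""
    if not ARTIFACT_ID.fullmatch(artifact_id):
        return None
    return os.path.join(root, artifact_id + ".pdf")

def download_status(artifact_id: str, root: str, now: Optional[float] = None) -> int:
    """HTTP status for a download: 404 for bad format, missing or expired files."""
    path = artifact_path(artifact_id, root)
    if path is None or not os.path.isfile(path):
        return 404
    now = time.time() if now is None else now
    if now - os.path.getmtime(path) > RETENTION_SECONDS:
        return 404  # expired but not yet swept: already treated as gone
    return 200

def sweep_expired(root: str, now: Optional[float] = None) -> List[str]:
    """Delete artifacts past retention and return the ids removed. Only names
    matching ARTIFACT_ID are eligible, keeping the sweep in lockstep with the route."""
    now = time.time() if now is None else now
    deleted = []
    for name in os.listdir(root):
        stem, ext = os.path.splitext(name)
        if ext != ".pdf" or not ARTIFACT_ID.fullmatch(stem):
            continue
        path = os.path.join(root, name)
        if now - os.path.getmtime(path) > RETENTION_SECONDS:
            os.remove(path)
            deleted.append(stem)
    return deleted
```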

Frontend isolation

  • The Regingada Compliance Suite frontend performs zero external loads at boot and is offline-capable; network traffic occurs only for opt-in AI requests and deliberate funnel submissions.
  • Fonts, icons and data ship inside the application — no CDN dependency.

T5 · Subprocessors & AI chain

The entire list

| Vendor | Purpose · what flows | Region |
| --- | --- | --- |
| Hosting provider (TBD) | Serving this site and the static product files. Named here before go-live. | EU targeted |
| Cloudflare | Worker proxy for AI requests — carries opt-in AI prompts only, no funnel documents. | Global edge (USA-based vendor) |
| Anthropic PBC | Claude — answers for the opt-in AI assistant only. Nothing flows without your explicit consent and action. | USA |

That is the entire list. No analytics vendor, no ad network, no CRM pixel.

DRAFT status note (zur Prüfung RA Funk): contractual safeguards with the AI provider (data-processing agreement, zero-data-retention) are being finalized. Until then, AI features remain strictly opt-in and clearly labeled.

T6 · Documents

View, or request by email

No portal, no NDA modal, no access tiers. Public documents open directly; sensitive ones are a short email away — answered by the lawyer, not a ticket queue.

| Document | Status | As of | Access |
| --- | --- | --- | --- |
| Privacy policy (Datenschutzerklärung) | Draft | May 2026 | View |
| Terms of use (AGB) | Draft | May 2026 | View |
| Impressum (provider identification) | Draft | June 2026 | View |
| Data-processing agreement (AVV/DPA) template | In preparation | | Request by email |
| Detailed technical & organizational measures (TOMs) | On request | | Request by email |

T7 · FAQ

The questions procurement actually asks

Is the Regingada Compliance Suite legal advice?
No. The Regingada Compliance Suite is structured self-assessment and decision support under the German Legal Services Act (RDG) — not legal advice. Legal advice is provided exclusively by Kanzlei Theo Funk under a separate engagement. See the boundary section above.
What happens to my funnel inputs?
They stay in your browser until you actively submit them. After submission they are processed for the stated purpose only; generated artifacts expire automatically — after 14 days at the latest (current default) — and are swept by an automated deletion job.
What does the AI see, and when?
Only what you type into the opt-in AI assistant, only after you consent, and only for that request. The request travels through a Cloudflare Worker proxy to Anthropic (Claude). The map, cockpits and search work entirely without AI.
Where is data stored?
Profile and settings: in your browser (LocalStorage). The core tool has no server-side persistence. Server-side features (artifact generation) hold data transiently with automatic expiry. EU production residency is the stated target for go-live.
How long is anything retained?
Browser data: until you delete it (one click in settings). Generated artifacts: 14 days at the latest (current default), enforced by a deletion sweep. AI conversations: not stored by us. If the default retention ever changes, it will be posted in the Updates feed.
Who is the controller?
For tool-usage data: Regingada UG (haftungsbeschränkt) i.G. Once you engage the firm, mandate data is handled by Kanzlei Theo Funk under professional-secrecy rules (§ 203 StGB, BORA/BRAO). The two roles never blur.
How does the mandate handoff work?
You decide to engage the firm — a deliberate, documented act. There is no silent server coupling between the public product and the firm's systems. Identity data carries over; everything mandate-relevant is collected fresh under the mandate's own rules.
Why no SOC 2?
Honest answer: we are a single-product company, and a SOC 2 audit currently buys less risk reduction than the architecture itself — no accounts, no tracking, local-first data, fail-closed auth. Certification stays under evaluation; if that changes, it will appear in the Updates feed first.
What happens if there is a security incident?
We contain and assess the incident first. Where the GDPR requires it, we notify the supervisory authority without undue delay — where feasible within 72 hours (Art. 33 GDPR) — and affected persons without undue delay (Art. 34 GDPR). Every security-relevant incident also becomes a dated entry in the Updates feed on this page. The architecture keeps the blast radius small: no accounts, no central user database, artifacts expire automatically.
How do I report a vulnerability?
Email the lawyer directly — see Contact & Responsible Disclosure below. Good-faith research is welcome; we commit to acknowledging reports and will not pursue good-faith reporters.

T8 · Updates

Security changelog — real entries, real dates

Cadence over volume: few entries, each one true. Completed roadmap items from “What we don't have (yet)” land here with a date.

Transparency · Trust Center published

First publication of this page. Posture, controls and subprocessor list self-assessed as of this date; DRAFT items marked for lawyer review.

Security · Download identifiers hardened to 128-bit entropy

Artifact download IDs moved from 32 to 128 bits of randomness; malformed identifiers are now rejected before any file access; the retention deletion allowlist was updated in lockstep.

Security · API auth fail-closed; CORS allowlist via environment

A deployment path that could leave the lawyer endpoint with an empty token was closed: empty token now returns 503 (fail-closed). CORS origins moved to an explicit environment allowlist.

Want update notices? One email, no newsletter tool, no new data flow: request updates by email.

T9 · The honest gap list

What we don't have (yet)

Absence stated openly, with a dated status — not a hidden gap. Every finished item moves to the Updates feed with a date.

Certifications (SOC 2 / ISO 27001) · Not yet (status as of 2026-06-12)

Under evaluation — a sober cost/benefit question for a single-product firm whose architecture minimizes data in the first place.

EU production residency · Not yet (status as of 2026-06-12)

Target: Frankfurt region for all server-side features. Tracked as a go-live milestone; completion lands in the Updates feed.

AI provider DPA & zero-data-retention · Not yet (status as of 2026-06-12)

Contractual safeguards with Anthropic are being finalized. Until signed, AI stays opt-in only and this entry stays here.

External penetration test · Not yet (status as of 2026-06-12)

Planned. The executive summary will be published on this page — findings status included.

T10 · Contact & Responsible Disclosure

Talk to a person, not a portal

Responsible: Theo Funk, Rechtsanwalt (Rechtsanwaltskammer Bamberg)
Security contact: office@theofunklaw.com
What to report: Vulnerabilities in the Regingada Compliance Suite, this website, the public API or the embed widget — with steps to reproduce if possible.
What we commit to: Acknowledgment of your report, a serious look at every good-faith submission, and no legal action against good-faith security research.
Machine-readable contact: security.txt (RFC 9116) at /.well-known/security.txt — the same contact, machine-readable.