Does RegLeg train on customer data?

No. RegLeg uses tenant scoped AI architecture. Customer data is processed, not retained. Tenant scoped models are guardrailed at the foundation model boundary so customer content is never absorbed into base model training.

Where is customer data hosted?

In production, customer data is hosted by the deploying partner inside the partner's infrastructure boundary. RegLeg hosts only betas, demos, and proofs of concept.

What encryption posture does RegLeg use?

TLS 1.3 in transit and AES-256 at rest for all retained operational metadata. Customer content is processed in memory and not retained by architecture.

Is RegLeg SOC 2 audited?

Type 1 in progress with publication expected at completion. Security disclosures route to security@regleg.com.

TRUST AND ARCHITECTURE

The architecture your CISO, DPO, and procurement team will ask for.

Tenant scoped AI. Zero retention. Partner hosted production. Foundation model traffic guardrailed and audited. The same commitments your buyer’s risk function would write themselves if they were building the platform.

Request the trust package See the platform

Zero retention architectural seal with flowing data streams suggesting tenant scoped processing without retention.

ZERO RETENTION ARCHITECTURE

Customer data is processed. Not retained.

Inputs are processed inside the customer’s tenant. Outputs route back to the customer. Working memory persists only as long as the active operation. Reviewer dispositions train the tenant model, not the foundation model. Foundation model traffic is guardrailed by tenant policy and logged for audit.

The three commitments.

Tenant scoped AI

Every customer gets a dedicated tenant. Training, learning, reviewer feedback, and policy corpus stay inside that tenant. No cross tenant data flow. The architecture is enforced at the tenant boundary, not at a permission layer that could be misconfigured.

Zero retention of customer data

Customer source documents, customer policy text, customer reviewer feedback, and customer outputs are processed and returned. Working memory persists only for the duration of the operation. Long term retention is a deliberate, contracted exception, not a default.

Partner hosted production

Production deployments are hosted by the partner of record inside the partner’s environment, the customer’s environment, or a partner managed environment that meets the customer’s hosting requirements. RegLeg™ operates only betas, demos, and proofs of concept.

AI POSTURE

Foundation model traffic is guardrailed, logged, and auditable.

When the platform routes a request to a foundation model, the request is bounded by tenant policy: which models are eligible, which content classes may transit, which jurisdictions are out of bounds, which prompts require human review. The traffic is logged with the prompt, the response, the model, the latency, and the disposition. The log is available to the customer’s audit function.

RegLeg does not say we never train. RegLeg says: tenant scoped training is positive, foundation model interactions are guardrailed, and the audit trail is yours to inspect.

What you can read here. What is partner only.

Public surface

Partner only on request

Service Level Agreement (intake)
Data Processing Agreement, request via legal@regleg.com
Partner Program Terms (public summary)
Subprocessor list and security questionnaire

NOTICE ROUTING

Two addresses. Each gets to the right person.

legal@regleg.com

Routes to the Chief Legal Officer. Legal notices, contract questions, public document clarifications, press, analyst, investor.

security@regleg.com

Routes to the Chief Information Security Officer. Vulnerability disclosures, incident reports, abuse, security questions.