AI-assisted compliance audits for UK businesses.
Regis AI is an AI-powered compliance audit platform for UK businesses. Organisations add company context, upload policies or compliance evidence, and run structured reviews against sector-specific compliance packs. Regis maps evidence to relevant requirements, surfaces potential gaps with risk ratings, generates remediation recommendations, and drafts policy language for human review.
Initial market: UK businesses with recurring compliance work, including financial services, media and advertising, technology, professional services, and compliance consultancies.
Long-term vision: A company-aware compliance operating platform that combines public company data, uploaded evidence, sector-specific frameworks, audit reporting, and remediation workflows.
Stage: Early Access / Design Partner Programme.
Live app: regisai.dev
Demo (no login required): /demo/clearview · /demo/gdpr
See MVP_SCOPE.md for the full scope definition. Summary:
- UK jurisdiction (FCA Handbook, Consumer Duty, Operational Resilience, SMCR) — live
- US jurisdiction (32 requirements) — live
- EU jurisdiction (34 requirements) — live
- Company intelligence, PDF upload, AI gap analysis, framework scoping, re-scan delta, posture score, policy drafting, human review workflow, regulatory monitoring
- Out of scope: PDF export, multi-user orgs, Stripe billing, API access
See ARCHITECTURE.md for the full module map. See ROADMAP.md for the phased expansion plan.
- A company adds its organisation profile and uploads policies, manuals, or compliance evidence.
- Regis extracts the text and runs it through a Claude-powered gap analysis engine.
- The engine checks the evidence against jurisdiction and sector-specific compliance libraries — 32 US requirements (FINRA, SEC, AML/BSA, Reg BI, BCP), 34 EU requirements (MiFID II, GDPR, AMLD6, DORA, SFDR, MAR), or 19 UK requirements (FCA Rules, UK AML, UK GDPR, SM&CR, FCA OpRes).
- A structured audit report is returned with:
  - Executive summary
  - Gap findings with risk level (High / Medium / Low), rule citation, and remediation recommendation
  - Strengths identified in the manual
  - Priority action list
- Per-finding policy drafting — Claude generates ready-to-paste compliance manual language that closes each gap. Persisted to the database, copy-to-clipboard inline in the report.
- Findings are stored per-user with Supabase RLS so each company's evidence and review history are isolated.
| Layer | Choice | Notes |
|---|---|---|
| Framework | Next.js 16 (App Router) | TypeScript strict mode throughout |
| Database & Auth | Supabase | Postgres + Storage + Auth (email+password, Google OAuth, TOTP MFA) |
| AI | Anthropic Claude API | claude-sonnet-4-20250514 for gap analysis and policy drafting |
| PDF Parsing | pdf-parse | Server-side only — do not use pdf.js server-side |
| Styling | Tailwind CSS | Custom design system (editorial compliance aesthetic) |
| Email | Resend | Transactional email — weekly regulatory digest |
| Deployment | Vercel | Auto-deploy from main branch; geo headers used for currency detection |
| Payments | Stripe | Phase 4 — not yet integrated |
Canonical facts for security questionnaires and the public trust pages (/trust-security, /privacy). Keep this section, those pages, and docs/DATA-RESIDENCY.md in sync whenever the posture changes.
- Residency: all account data, uploaded documents, and audit history are stored and encrypted at rest in the EU — AWS Europe (Ireland), `eu-west-1` (the Supabase project region). This sits within the UK/EU adequacy zone recognised under UK GDPR. Claim "EU data residency," not "UK."
- Storage vs. processing: data is stored in the EU. The one exception is AI analysis — a truncated text extract (≤ 12,000 chars, never the raw file) is processed by Anthropic (a sub-processor) and may occur outside the EU. Anthropic does not train on API-submitted content; documents are never used to train AI models.
- Sub-processors: Supabase (DB/storage/auth, EU), Anthropic (AI inference), Resend (transactional email — address + message only, never documents), Vercel (hosting/edge). Keep the list on /privacy matched to this.
- Retention: no fixed window on an active account; documents are user-deletable at any time and deletion cascades to derived audits/findings (`ON DELETE CASCADE`). Account closure → all records deleted within 30 days; logs 30 days.
- Open decisions (see docs/REMAINING.md): (1) stay on `eu-west-1` vs migrate to `eu-west-2` (London) for genuine UK residency while data volume is low; (2) 90-day auto-delete for pilot-audit documents is not built — do not claim it until implemented; (3) DPA + privacy policy legal review before first enterprise client.
Full dependency list: see package.json
```text
RegisAI/
├── app/
│   ├── (app)/                              # Authenticated app shell
│   │   ├── layout.tsx                      # App layout with Nav + MFA gate + onboarding gate
│   │   ├── dashboard/page.tsx              # Audit history list with jurisdiction badges
│   │   ├── audit/
│   │   │   ├── new/page.tsx                # Upload + jurisdiction selector + trigger analysis
│   │   │   └── [id]/page.tsx               # Audit report view with policy drafting
│   │   ├── documents/page.tsx              # Document library — list, download, delete
│   │   ├── monitoring/
│   │   │   ├── page.tsx                    # Thin RSC wrapper — fetches is_dev, passes to client
│   │   │   └── monitoring-client.tsx       # Regulatory feed — US / EU / UK tabs (client)
│   │   └── settings/page.tsx               # MFA settings (TOTP enrol / manage)
│   ├── (auth)/
│   │   ├── layout.tsx
│   │   ├── login/page.tsx                  # Email + password login
│   │   ├── signup/page.tsx                 # Email + password signup
│   │   └── forgot-password/page.tsx        # Password recovery request
│   ├── (legal)/
│   │   ├── layout.tsx                      # Shared legal page wrapper
│   │   ├── about/page.tsx                  # About page
│   │   ├── privacy/page.tsx                # Privacy Policy
│   │   ├── security/page.tsx               # Security page
│   │   └── terms/page.tsx                  # Terms of Service
│   ├── api/
│   │   ├── analyse/route.ts                # POST — jurisdiction-aware gap analysis pipeline
│   │   ├── documents/
│   │   │   ├── route.ts                    # POST — PDF upload + text extraction
│   │   │   └── [id]/
│   │   │       ├── route.ts                # DELETE — delete document + cascade
│   │   │       └── download/route.ts       # GET — signed URL for PDF download
│   │   ├── findings/[id]/
│   │   │   ├── status/route.ts             # PATCH — update finding status (incl. risk_accepted)
│   │   │   └── draft/route.ts              # POST — generate + persist policy language
│   │   ├── profile/route.ts                # PATCH — upsert firm profile (onboarding)
│   │   ├── request-access/route.ts         # POST — early access form → Resend email
│   │   └── monitoring/
│   │       ├── feed/route.ts               # GET — returns stored regulatory updates
│   │       ├── refresh/route.ts            # POST — fetches RSS feeds + upserts to DB
│   │       └── digest/route.ts             # POST — sends weekly email digest via Resend
│   ├── auth/
│   │   ├── callback/route.ts               # Supabase PKCE + OAuth callback handler
│   │   ├── mfa/page.tsx                    # AAL2 TOTP challenge
│   │   └── reset-password/page.tsx         # Set new password after recovery email
│   ├── demo/
│   │   ├── clearview/page.tsx              # Public demo — US/RIA (Clearview Capital, 18 gaps)
│   │   └── gdpr/page.tsx                   # Public demo — GDPR re-scan lifecycle (Northwind Payments)
│   ├── onboarding/page.tsx                 # Post-signup onboarding (firm name, type, size)
│   ├── globals.css                         # Design tokens + global styles + print stylesheet
│   ├── layout.tsx                          # Root layout
│   └── page.tsx                            # Root: auth check → dashboard | landing page
├── components/
│   ├── audit/
│   │   ├── audit-comparison.tsx            # Before/after re-scan delta view
│   │   ├── audit-report.tsx                # Full report renderer with findings + policy drafting
│   │   ├── coverage-matrix.tsx             # Every requirement tagged met/gap
│   │   ├── new-audit-form.tsx              # Jurisdiction selector (locked to UK for non-dev users)
│   │   └── upload-form.tsx                 # Two-stage upload + analysis form
│   ├── documents/
│   │   └── document-actions.tsx            # Download + delete actions for document library
│   ├── marketing/
│   │   └── landing-page.tsx                # B2B landing page (UK business compliance platform)
│   ├── settings/
│   │   └── mfa-settings.tsx                # TOTP enrol / manage UI
│   └── ui/
│       ├── logo.tsx                        # Pure-CSS RegisLogo component
│       ├── nav.tsx                         # Responsive nav (mobile hamburger + bottom tab bar)
│       ├── risk-badge.tsx                  # High/Medium/Low badge component
│       └── sign-out-button.tsx             # Sign out client component
├── lib/
│   ├── claude.ts                           # Anthropic client + gap analysis + policy drafting
│   ├── coverage.ts                         # getScopedRequirements, buildCoverageMatrix, computeComplianceScore, computeDelta
│   ├── currency.ts                         # Country-to-currency mapping (USD / EUR / GBP)
│   ├── demo-data.ts                        # Pre-seeded demo audit data (Clearview + Northwind GDPR)
│   ├── env.ts                              # Runtime env validation
│   ├── eu-regulatory-library.ts            # 34 EU requirements (typed)
│   ├── monitoring.ts                       # RSS parser + relevance scoring (no new deps)
│   ├── pdf.ts                              # PDF text extraction wrapper
│   ├── regulatory-library.ts               # 32 US regulatory requirements (typed)
│   ├── uk-regulatory-library.ts            # 19 UK requirements (typed)
│   └── supabase/
│       ├── client.ts                       # Browser Supabase client
│       └── server.ts                       # Server Supabase client (SSR cookies)
├── proxy.ts                                # Auth session refresh + route protection middleware
├── plans/                                  # Strategic plans and architectural design documents
│   ├── 01-core-mvp-scaffold.md             # Phase 1 Core MVP scaffold & database setup
│   ├── 02-finding-tracking-and-monitoring.md   # Phase 2 status tracking & monitoring feed
│   ├── 03-eu-uk-regulatory-expansion.md    # Phase 3 regulatory library expansion
│   └── 04-eu-uk-monitoring-expansion.md    # Phase 3 monitoring feed expansion
├── supabase/
│   └── migrations/
│       ├── 20260504000000_initial.sql                              # Full base schema
│       ├── 20260509000001_findings_update_policy.sql               # RLS update policy for findings
│       ├── 20260511000000_regulatory_updates_rls.sql               # RLS + read policy for regulatory_updates
│       ├── 20260511000001_regulatory_updates_unique_url.sql        # Unique constraint on url
│       ├── 20260527000000_audits_add_jurisdiction.sql              # jurisdiction column on audits
│       ├── 20260528000000_regulatory_updates_add_jurisdiction.sql  # jurisdiction column on regulatory_updates
│       ├── 20260601000000_findings_add_drafted_policy.sql          # drafted_policy column on findings
│       ├── 20260603000000_audits_add_framework_and_rescan.sql      # framework, parent_audit_id, posture score cols
│       ├── 20260603000001_findings_add_review_and_riskaccept.sql   # reviewed_by/at/note, risk_accepted status
│       ├── 20260604000000_documents_delete_policies.sql            # RLS policies for document deletion
│       └── 20260610000000_profiles_add_is_dev.sql                  # is_dev flag for jurisdiction access control
├── types/
│   └── index.ts                            # Shared domain types (incl. Jurisdiction, RegulatoryFramework)
├── .env.example                            # Environment variable template
└── lessons.md                              # Build session learnings log
```
To ensure long-term maintainability, strategic alignment, and the ability to review past decisions, RegisAI enforces a disciplined planning protocol. All architectural changes, major feature implementations, and strategic milestones are documented upfront and preserved historically.
- Design & Strategy Phase: Before writing any complex code, a comprehensive planning document is created under the `plans/` directory.
- Phased Structure: Plans are written in Markdown, structured by clear execution phases (Types/Libraries, AI Prompts, DB Schema, API routes, UI, Verification).
- Permanent Archive: Documents in the `plans/` folder are committed as source-controlled history, enabling the team to easily go back and study the reasoning behind structural decisions.
- Retrospective Log: Critical takeaways, structural friction, or paradigm shifts are summarized post-implementation in lessons.md.
Here is the index of all historic and active planning documents:
- Plan 01 — Core MVP & Compliance Analysis Engine
  - Objective: Establish the foundational RegisAI architecture, database schema, PDF text extraction pipeline, and initial Claude-powered gap analysis engine.
  - Scope: Configured Supabase Auth/RLS, built 32-requirement US regulatory library, integrated `pdf-parse`, drafted robust cached prompts in `lib/claude.ts`, and designed the primary audit dashboard and report pages.
  - Status: Complete.
- Plan 02 — Finding Tracking, Monitoring Feed & Exports
  - Objective: Enhance platform engagement and interactivity by adding individual finding status toggling, live RSS/Federal Register updates, and robust PDF exports.
  - Scope: Modeled discrete `findings` table with interactive card statuses, designed regulatory feed RSS/Federal Register parsers, integrated relevance scoring via Claude, and developed custom CSS print stylesheets for browser-native PDF export.
  - Status: Complete.
- Plan 03 — EU & UK Regulatory Expansion
  - Objective: Expand the compliance gap analysis engine to handle EU and UK manuals alongside the existing US framework.
  - Scope: Added `Jurisdiction` types, built 23 EU and 19 UK regulatory requirements, configured jurisdiction-aware prompt caching in the Claude engine, ran Supabase schema migration, and implemented the multi-tab UI selector.
  - Status: Complete.
- Plan 04 — EU & UK Regulatory Monitoring Expansion
  - Objective: Extend the automated regulatory feed parser to ingest live updates from EU and UK watchdogs and implement a dashboard jurisdiction filter.
  - Scope: Ingested ESMA, EBA, FCA, and PRA RSS feeds, updated relevance keyword matching patterns, added `jurisdiction` column to the DB schema, and built a dynamic three-tab filtering UI on the monitoring board.
  - Status: Complete.
- Plan 05 — Dashboard Compliance Workspace Redesign
  - Objective: Redesign the authenticated Regis dashboard into a compliance operating workspace.
  - Scope: Replace top-level authenticated navigation with a persistent left sidebar; redesign the homepage as a UK compliance command centre; rename New Audit to New Review; add workflow surfaces for scenario reviews, stakeholder questions, and approval readiness; implement a folder-based evidence system for documents; restrict US/EU surfaces to dev/admin users.
  - Status: Complete.
```sql
-- User profiles (extends auth.users)
create table profiles (
  id uuid references auth.users primary key,
  firm_name text,
  firm_type text,                     -- 'RIA' | 'Fintech' | 'Insurance' | 'Bank'
  aum_range text,
  regulator text,                     -- 'FINRA' | 'SEC' | 'State' | 'Multiple'
  plan text default 'design_partner',
  is_dev boolean default false,       -- grants US/EU/UK jurisdiction access (dev team only)
  created_at timestamptz default now()
);

-- Uploaded compliance documents
create table documents (
  id uuid primary key default gen_random_uuid(),
  user_id uuid references profiles(id) on delete cascade,
  file_name text not null,
  file_path text,                     -- Supabase storage path
  extracted_text text,
  page_count int,
  status text default 'uploaded',     -- 'uploaded' | 'analysing' | 'complete' | 'error'
  created_at timestamptz default now()
);

-- Audit reports
create table audits (
  id uuid primary key default gen_random_uuid(),
  document_id uuid references documents(id) on delete cascade,
  user_id uuid references profiles(id) on delete cascade,
  firm_name text,
  exec_summary text,
  total_gaps int,
  high_risk int,
  medium_risk int,
  low_risk int,
  strengths jsonb,
  priority_actions jsonb,
  raw_result jsonb,                   -- full Claude response
  jurisdiction text default 'US',     -- 'US' | 'EU' | 'UK'
  framework text,                     -- e.g. 'GDPR' | 'FCA_RULES' (null = whole jurisdiction)
  parent_audit_id uuid,               -- set for re-scans; triggers delta computation
  scan_number int default 1,
  compliance_score int,               -- 0-100 posture score (risk-weighted)
  requirements_total int,
  requirements_met int,
  gaps_closed int,
  gaps_new int,
  gaps_persisting int,
  created_at timestamptz default now()
);

-- Individual gap findings
create table findings (
  id uuid primary key default gen_random_uuid(),
  audit_id uuid references audits(id) on delete cascade,
  req_id text,                        -- e.g. 'REQ-001'
  rule text,                          -- e.g. 'FINRA Rule 3110(a)'
  requirement text,
  policy_says text,
  gap text,
  risk text,                          -- 'High' | 'Medium' | 'Low'
  recommendation text,
  status text default 'open',         -- 'open' | 'in_progress' | 'resolved' | 'risk_accepted'
  drafted_policy text,                -- Claude-generated policy language (nullable)
  reviewed_by text,                   -- reviewer name (set on any move away from 'open')
  reviewed_at timestamptz,
  review_note text,                   -- rationale / audit trail
  created_at timestamptz default now()
);

-- Regulatory monitoring feed
create table regulatory_updates (
  id uuid primary key default gen_random_uuid(),
  regulator text,                     -- 'FINRA' | 'SEC' | 'ESMA' | 'EBA' | 'FCA' | 'PRA'
  jurisdiction text default 'US',     -- 'US' | 'EU' | 'UK'
  title text,
  summary text,
  url text,
  published_at timestamptz,
  relevance_score int,                -- 1-5, rule-keyword scored
  affected_rules text[],
  raw_content text,
  created_at timestamptz default now()
);
```
Row-level security is enabled on all tables. regulatory_updates is a shared feed — authenticated users can read all rows but cannot write directly (writes go through the service role in the refresh API route).
`POST /api/documents` — accepts multipart/form-data with a file field (PDF).
- Extracts text server-side using `pdf-parse`
- Saves document record to Supabase
- Returns `{ document_id, page_count }`
`POST /api/analyse` — accepts `{ document_id: string, jurisdiction?: 'US' | 'EU' | 'UK', framework?: string, parent_audit_id?: string }`.
- Fetches extracted text from Supabase
- Enforces UK-only jurisdiction for non-dev users (`is_dev = false` → 403 on US/EU)
- Builds jurisdiction-specific prompt from the matching regulatory library (32 US / 34 EU / 19 UK requirements)
- Calls Claude API (`claude-sonnet-4-20250514`) with prompt caching
- Parses structured JSON response; computes posture score and coverage matrix
- If `parent_audit_id` supplied, runs `computeDelta()` to classify gaps as closed/persisting/improved/new
- Persists audit + individual findings to Supabase
- Returns `{ audit_id }`
All Claude API calls are centralised in lib/claude.ts. Never call the Anthropic SDK from components or API routes directly.
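The pure parts of this pipeline (framework scoping, coverage matrix, risk-weighted posture score, re-scan delta, the 12,000-character extract cap from the data residency notes, and the non-dev jurisdiction gate) as an added example. This is not RegisAI's own lib/coverage.ts or lib/claude.ts: the risk weights, the definition of "improved" (same gap still open at a lower risk), and the sample library and findings are assumptions made for illustration.

```typescript
// Added example, not RegisAI's own lib/coverage.ts or lib/claude.ts: pure helpers for the
// steps the /api/analyse pipeline lists. The risk weights, the meaning of "improved"
// (same gap, lower risk than before) and the sample library/findings are assumptions.

type Jurisdiction = 'US' | 'EU' | 'UK';
type Risk = 'High' | 'Medium' | 'Low';

interface Requirement {
  id: string;
  rule: string;
  framework: string;
  requirement: string;
  description: string;
  defaultRisk: Risk;
}

interface GapFinding {
  req_id: string;
  risk: Risk;
}

// Only a truncated text extract (never the raw file) is sent for inference, per the
// data residency notes above.
const MAX_MODEL_EXTRACT_CHARS = 12_000;

function prepareModelExtract(extractedText: string): string {
  return extractedText.slice(0, MAX_MODEL_EXTRACT_CHARS);
}

// Non-dev accounts are locked to the UK pack; the route answers 403 for US/EU.
function checkJurisdictionAccess(
  isDev: boolean,
  jurisdiction: Jurisdiction,
): { ok: true } | { ok: false; status: 403; error: string } {
  if (isDev || jurisdiction === 'UK') return { ok: true };
  return { ok: false, status: 403, error: `${jurisdiction} jurisdiction is limited to the dev team` };
}

// Assumed weights behind the "risk-weighted" posture score.
const RISK_WEIGHT: Record<Risk, number> = { High: 3, Medium: 2, Low: 1 };

// framework undefined = whole jurisdiction, otherwise a single framework such as 'GDPR'.
function getScopedRequirements(library: Requirement[], framework?: string): Requirement[] {
  return framework ? library.filter((r) => r.framework === framework) : library;
}

// Every in-scope requirement tagged met/gap from the findings Claude returned.
function buildCoverageMatrix(scoped: Requirement[], findings: GapFinding[]) {
  const gapIds = new Set(findings.map((f) => f.req_id));
  return scoped.map((r) => ({
    req_id: r.id,
    rule: r.rule,
    status: gapIds.has(r.id) ? ('gap' as const) : ('met' as const),
  }));
}

// 0-100: the weight of open gaps measured against the weight of every in-scope requirement.
// Findings outside the scoped set are ignored so a framework-scoped run is self-consistent.
function computeComplianceScore(scoped: Requirement[], findings: GapFinding[]): number {
  const total = scoped.reduce((sum, r) => sum + RISK_WEIGHT[r.defaultRisk], 0);
  if (total === 0) return 100;
  const inScope = new Set(scoped.map((r) => r.id));
  const gapWeight = findings
    .filter((f) => inScope.has(f.req_id))
    .reduce((sum, f) => sum + RISK_WEIGHT[f.risk], 0);
  return Math.max(0, Math.min(100, Math.round(100 * (1 - gapWeight / total))));
}

// Re-scan delta keyed on req_id: closed (gone), improved (still open, lower risk),
// persisting (still open, same or higher risk), new (not in the parent audit).
function computeDelta(previous: GapFinding[], current: GapFinding[]) {
  const prev = new Map<string, GapFinding>(previous.map((f) => [f.req_id, f] as [string, GapFinding]));
  const cur = new Map<string, GapFinding>(current.map((f) => [f.req_id, f] as [string, GapFinding]));
  const delta = { closed: [] as string[], improved: [] as string[], persisting: [] as string[], new: [] as string[] };
  for (const [id, p] of prev) {
    const c = cur.get(id);
    if (!c) delta.closed.push(id);
    else if (RISK_WEIGHT[c.risk] < RISK_WEIGHT[p.risk]) delta.improved.push(id);
    else delta.persisting.push(id);
  }
  for (const id of cur.keys()) if (!prev.has(id)) delta.new.push(id);
  return delta;
}

// Constructed sample data (not the real 34-requirement EU library).
const SAMPLE_LIBRARY: Requirement[] = [
  { id: 'REQ-001', rule: 'GDPR Art. 32', framework: 'GDPR', requirement: 'Security of processing', description: '', defaultRisk: 'High' },
  { id: 'REQ-002', rule: 'GDPR Art. 33', framework: 'GDPR', requirement: 'Breach notification', description: '', defaultRisk: 'Medium' },
  { id: 'REQ-003', rule: 'GDPR Art. 37', framework: 'GDPR', requirement: 'DPO designation', description: '', defaultRisk: 'Low' },
  { id: 'REQ-004', rule: 'MiFID II Art. 16', framework: 'MIFID_II', requirement: 'Organisational requirements', description: '', defaultRisk: 'High' },
];
const V1_FINDINGS: GapFinding[] = [{ req_id: 'REQ-001', risk: 'High' }, { req_id: 'REQ-002', risk: 'Medium' }];
const V2_FINDINGS: GapFinding[] = [{ req_id: 'REQ-002', risk: 'Low' }, { req_id: 'REQ-003', risk: 'Low' }];
```

With the sample data scoped to GDPR, V1 scores 17 and V2 scores 67; the delta between them reports REQ-001 closed, REQ-002 improved and REQ-003 new. Scoring against the scoped set rather than the whole library is what keeps a GDPR-only re-scan comparable with its GDPR-only parent.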
`DELETE /api/documents/[id]`
- Verifies auth and document ownership
- Deletes the file from Supabase Storage and removes the `documents` row, which cascades to its derived audits and findings
- Returns `{ success: true }`
`GET /api/documents/[id]/download`
- Verifies auth and document ownership
- Returns a short-lived signed URL for the PDF in Supabase Storage
`POST /api/request-access` — accepts `{ name, email, company, role, useCase }`.
- Sends early access request email via Resend to wordroom33@gmail.com
- Returns `{ success: true }`
`PATCH /api/findings/[id]/status` — accepts `{ status: 'open' | 'in_progress' | 'resolved' | 'risk_accepted', review_note?: string }`.
- Verifies auth and that the finding belongs to the authenticated user (via audit ownership)
- Updates `findings.status` in Supabase; records `reviewed_by`, `reviewed_at`, `review_note` on any move away from `open`
- Returns `{ status }`
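The ownership check and the audit-trail patch behind this route, as an added example written as pure functions so they can be unit-tested without a Supabase client. This is not RegisAI's route handler: column names follow the findings table above, while requiring a written rationale when a risk is accepted, answering 404 rather than 403 for another user's finding, and touching only `status` on a move back to `open` are assumptions.

```typescript
// Added example, not RegisAI's route handler: the ownership check and the audit-trail
// patch behind PATCH /api/findings/[id]/status, as pure functions that need no Supabase
// client. Column names follow the findings table above; requiring a note when accepting
// a risk and the 404-for-foreign-finding choice are assumptions.

type FindingStatus = 'open' | 'in_progress' | 'resolved' | 'risk_accepted';
const FINDING_STATUSES: readonly FindingStatus[] = ['open', 'in_progress', 'resolved', 'risk_accepted'];

interface FindingRow { id: string; audit_id: string; status: FindingStatus }
interface AuditRow { id: string; user_id: string }

// Columns written to findings; reviewer fields only on a move away from 'open'.
interface ReviewPatch {
  status: FindingStatus;
  reviewed_by?: string;
  reviewed_at?: string;
  review_note?: string | null;
}

type PatchResult =
  | { ok: true; patch: ReviewPatch }
  | { ok: false; status: 400 | 404; error: string };

function isFindingStatus(value: unknown): value is FindingStatus {
  return typeof value === 'string' && (FINDING_STATUSES as readonly string[]).includes(value);
}

// A finding is only reviewable by the owner of its audit (RLS enforces the same on the DB
// side; checking here gives a clean error before any write is attempted).
function canReviewFinding(finding: FindingRow | null, audit: AuditRow | null, userId: string): boolean {
  return !!finding && !!audit && finding.audit_id === audit.id && audit.user_id === userId;
}

function buildReviewPatch(body: unknown, reviewerName: string, now: Date = new Date()): PatchResult {
  if (typeof body !== 'object' || body === null) {
    return { ok: false, status: 400, error: 'JSON body required' };
  }
  const { status, review_note } = body as { status?: unknown; review_note?: unknown };
  if (!isFindingStatus(status)) {
    return { ok: false, status: 400, error: `status must be one of: ${FINDING_STATUSES.join(', ')}` };
  }
  if (review_note !== undefined && typeof review_note !== 'string') {
    return { ok: false, status: 400, error: 'review_note must be a string' };
  }
  const note = typeof review_note === 'string' ? review_note.trim() : '';
  // Assumption: accepting a risk must carry a rationale so the audit trail is complete.
  if (status === 'risk_accepted' && note === '') {
    return { ok: false, status: 400, error: 'review_note is required when accepting a risk' };
  }
  // Reopening touches only status; any other move records who, when and why.
  if (status === 'open') {
    return { ok: true, patch: { status } };
  }
  return {
    ok: true,
    patch: { status, reviewed_by: reviewerName, reviewed_at: now.toISOString(), review_note: note || null },
  };
}

// What the handler runs after authenticating the session: ownership first, then the patch.
// Returning 404 (not 403) for a foreign finding avoids confirming that the id exists.
function reviewFinding(
  finding: FindingRow | null,
  audit: AuditRow | null,
  userId: string,
  reviewerName: string,
  body: unknown,
  now: Date = new Date(),
): PatchResult {
  if (!canReviewFinding(finding, audit, userId)) {
    return { ok: false, status: 404, error: 'Finding not found' };
  }
  return buildReviewPatch(body, reviewerName, now);
}
```

Keeping the validation separate from the data access means the same function can serve a Vitest unit test and the route handler, and the 400 responses stay typed rather than leaking a Postgres error to the client.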
`POST /api/findings/[id]/draft` — no body required.
- Verifies auth and finding ownership via the owning audit
- Calls `draftPolicyLanguage(finding, jurisdiction, firmName)` in `lib/claude.ts`
- Persists the result to `findings.drafted_policy`
- Returns `{ drafted_policy: string }`
`PATCH /api/profile` — accepts `{ firm_name, firm_type, aum_range, regulator }`.
- Verifies auth
- Upserts the authenticated user's profile row
- Returns `{ profile }`
`POST /api/monitoring/refresh` — no body required.
- Fetches regulatory updates from three jurisdiction sources in parallel:
  - US: Federal Register JSON API (SEC + FINRA)
  - EU: ESMA RSS + EBA RSS (falls back to `[]` gracefully if blocked)
  - UK: FCA RSS + PRA/Bank of England RSS (same fallback)
- Parses RSS/Atom XML with a zero-dependency regex parser in `lib/monitoring.ts`
- Tags each item with its `jurisdiction` ('US'|'EU'|'UK')
- Scores each item 1–5 for relevance and extracts affected rule citations (US, EU, and UK rules)
- Upserts into `regulatory_updates` (deduped on `url`)
- Returns `{ inserted: number, parsed: number }`
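A dependency-free RSS item parser with keyword and citation relevance scoring, deduplication on `url`, and the `{ inserted, parsed }` counts this route returns, as an added example. It is not RegisAI's lib/monitoring.ts: the regexes, the keyword list, the 1–5 scoring formula, the rule-citation patterns and the FCA-style sample feed (with placeholder URLs) are all constructed for this illustration; the row shape follows the regulatory_updates table.

```typescript
// Added example, not RegisAI's lib/monitoring.ts: a dependency-free RSS item parser plus a
// keyword/citation relevance scorer in the style the refresh route describes. The regexes,
// the keyword list, the scoring formula and the sample FCA-style feed are constructed for
// this illustration; the row shape follows the regulatory_updates table.

type Jurisdiction = 'US' | 'EU' | 'UK';

interface FeedItem {
  title: string;
  summary: string;
  url: string;
  published_at: string | null;
}

interface RegulatoryUpdate extends FeedItem {
  regulator: string;
  jurisdiction: Jurisdiction;
  relevance_score: number;
  affected_rules: string[];
}

function decodeEntities(raw: string): string {
  return raw
    .replace(/<!\[CDATA\[([\s\S]*?)\]\]>/g, '$1')
    .replace(/&amp;/g, '&')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .trim();
}

function tagText(block: string, tag: string): string {
  const m = block.match(new RegExp(`<${tag}(?:\\s[^>]*)?>([\\s\\S]*?)</${tag}>`, 'i'));
  return m ? decodeEntities(m[1]) : '';
}

// Pull <item> blocks out with regexes; items without a <link> are dropped because url is
// the dedupe key in regulatory_updates. Unparseable dates become null rather than throwing.
function parseRssItems(xml: string): FeedItem[] {
  const items: FeedItem[] = [];
  for (const m of xml.matchAll(/<item\b[^>]*>([\s\S]*?)<\/item>/gi)) {
    const block = m[1];
    const url = tagText(block, 'link');
    if (!url) continue;
    const pub = tagText(block, 'pubDate');
    const ts = pub ? new Date(pub) : null;
    items.push({
      title: tagText(block, 'title'),
      summary: tagText(block, 'description'),
      url,
      published_at: ts && !Number.isNaN(ts.getTime()) ? ts.toISOString() : null,
    });
  }
  return items;
}

// Rule citations to extract per jurisdiction (a small assumed subset of each library).
const RULE_PATTERNS: Record<Jurisdiction, RegExp[]> = {
  US: [/FINRA Rule \d{4}/gi, /Rule 17a-[34]/gi, /Reg(?:ulation)? S-P/gi, /Reg(?:ulation)? BI/gi],
  EU: [/MiFID II/gi, /\bGDPR\b/g, /\bDORA\b/g, /AMLD6/gi, /SFDR/gi, /\bMAR\b/g],
  UK: [/SM&CR/gi, /Consumer Duty/gi, /UK GDPR/gi, /SYSC \d+/gi, /PS\d{2}\/\d+/gi],
};

const RELEVANCE_KEYWORDS = ['compliance', 'supervision', 'enforcement', 'consultation', 'final rule', 'policy statement', 'guidance', 'resilience', 'aml', 'suitability', 'conflicts of interest'];

function extractAffectedRules(text: string, jurisdiction: Jurisdiction): string[] {
  const found = new Set<string>();
  for (const re of RULE_PATTERNS[jurisdiction]) {
    for (const m of text.matchAll(re)) found.add(m[0]);
  }
  return [...found];
}

// 1 baseline, up to +2 for keyword hits, up to +2 for distinct rule citations: 1..5.
function scoreRelevance(text: string, rules: string[]): number {
  const lower = text.toLowerCase();
  const hits = RELEVANCE_KEYWORDS.filter((k) => lower.includes(k)).length;
  return Math.min(5, 1 + Math.min(2, hits) + Math.min(2, rules.length));
}

function ingestFeed(xml: string, regulator: string, jurisdiction: Jurisdiction, knownUrls: Set<string>) {
  const items = parseRssItems(xml);
  const updates: RegulatoryUpdate[] = items
    .filter((item) => !knownUrls.has(item.url)) // dedupe on url before the upsert
    .map((item) => {
      const text = `${item.title} ${item.summary}`;
      const affected_rules = extractAffectedRules(text, jurisdiction);
      return { ...item, regulator, jurisdiction, affected_rules, relevance_score: scoreRelevance(text, affected_rules) };
    });
  return { updates, parsed: items.length, inserted: updates.length };
}

// Constructed sample feed; the URLs are placeholders, not real FCA pages.
const SAMPLE_FCA_RSS = `<?xml version="1.0"?><rss version="2.0"><channel>
<item><title>PS24/1: Consumer Duty supervision update</title><link>https://example.invalid/fca/1</link>
<pubDate>Mon, 01 Jun 2026 09:00:00 GMT</pubDate>
<description>Guidance on SM&amp;CR accountability and Consumer Duty outcomes.</description></item>
<item><title>Annual report published</title><link>https://example.invalid/fca/2</link><description>Corporate news.</description></item>
<item><title>Already ingested</title><link>https://example.invalid/fca/old</link></item>
</channel></rss>`;
```

Feeding the sample through `ingestFeed(SAMPLE_FCA_RSS, 'FCA', 'UK', new Set(['https://example.invalid/fca/old']))` parses three items and inserts two: the policy statement scores 5 with SM&CR, Consumer Duty and PS24/1 as affected rules, the corporate news item scores 1, and the already-known URL is skipped. Because the feeds are untrusted input, the parser never evaluates anything it reads and only ever copies tag text into string fields.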
`GET /api/monitoring/feed` — returns all stored regulatory_updates ordered by published_at descending, limited to 500 rows. Each item includes a jurisdiction field for client-side tab filtering.
`POST /api/monitoring/digest` — sends the weekly regulatory updates email digest via Resend to the authenticated user's email address.
Three jurisdiction-specific typed arrays, each consumed by buildSystemPrompt(jurisdiction) in lib/claude.ts. The prompt builder is memoised per jurisdiction using a Map<Jurisdiction, string>.
US library (lib/regulatory-library.ts, 32 requirements):
| Framework | Coverage |
|---|---|
| FINRA | Rules 3110, 3120, 2010, 2111, 4511, 3310, 3130 |
| SEC | Rules 17a-3, 17a-4, Reg S-P, 206(4)-7, 204A-1, Reg S-ID, 15c3-3, 206(4)-2 |
| AML/BSA | Customer ID, SAR, CTR, CDD, Beneficial Ownership, OFAC Sanctions |
| Reg BI | Best Interest, Form CRS, Conflicts of Interest, Compliance, Fiduciary Duty |
| BCP | Business Continuity, Annual Review, Internal Inspections, Incident Response |
EU library (lib/eu-regulatory-library.ts, 34 requirements):
| Framework | Coverage |
|---|---|
| MiFID II | Organisational Requirements, Suitability, Best Execution, Conflicts of Interest, Client Communication, Product Governance |
| GDPR | Lawfulness of Processing, Controller Accountability, Security, Breach Notification, DPO Designation |
| AMLD6 | AML Programme, CDD, Enhanced Due Diligence, Beneficial Ownership, Suspicious Transaction Reporting |
| DORA | ICT Risk Management, Incident Reporting, Resilience Testing |
| SFDR | Sustainability Risk Policy, Principal Adverse Impact Disclosure |
| MAR | Market Abuse Prevention, Disclosure of Inside Information |
UK library (lib/uk-regulatory-library.ts, 19 requirements):
| Framework | Coverage |
|---|---|
| SM&CR | Senior Management Arrangements, Statements of Responsibilities, Certification Regime |
| FCA Conduct | Consumer Duty, Best Interests Rule, Suitability Assessment, Financial Promotions |
| FCA Systems | Compliance Function, Risk Assessment & Control, Conflicts of Interest Policy |
| UK AML | AML Policies & Procedures, CDD, Enhanced Due Diligence (PEPs), Training |
| UK GDPR | Data Processing Principles, Security of Processing, ICO Registration & DPO |
| FCA OpRes | Important Business Services & Impact Tolerances, Resilience Testing & Self-Assessment |
Each requirement has: id, rule, framework, requirement, description, defaultRisk.
Aesthetic: Editorial compliance — Big 4 audit report aesthetic. Serif headings, mono for citations and codes, clean data tables. Nothing that looks like a generic SaaS tool.
Fonts: Playfair Display (headings) · Inter (body) · DM Mono (citations, codes, risk badges)
Colours:
- `--green: #1a3a2a` (primary brand)
- `--green-2: #2d5c44` (hover/active)
- `--green-tint: #e4efe8` (backgrounds)
- `--bg: #f5f0e8` (page background)
- `--bg-2: #ede7d9` (card backgrounds)
- `--ink: #1a1714` (primary text)
- `--ink-2: #3d3830` (secondary text)
- `--ink-3: #7a7268` (tertiary/labels)
- `--rule: #ccc4b8` (borders/dividers)
- `--red: #8b2020` (High risk)
- `--amber: #8b5a10` (Medium risk)
- `--blue: #1a3060` (Low risk)
- `--gold: #b8820a` (accents)
Rules: Risk badges always use DM Mono, uppercase, colour-coded. Max border-radius: 4px. No drop shadows — use borders.
Copy .env.example to .env.local:
```bash
# Anthropic
ANTHROPIC_API_KEY=sk-ant-...

# Supabase
NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...
SUPABASE_SERVICE_ROLE_KEY=eyJ...

# Resend
RESEND_API_KEY=re_...

# App URL (set to production URL on Vercel)
NEXT_PUBLIC_APP_URL=http://localhost:3000
```
SUPABASE_SERVICE_ROLE_KEY and RESEND_API_KEY are server-only and must never be prefixed with NEXT_PUBLIC_.
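A runtime check in the spirit of lib/env.ts, as an added example that is not the project's own code: it verifies every variable from the template above is set and that nothing secret-shaped has been given a NEXT_PUBLIC_ name, since Next.js inlines those into the browser bundle. The variable names come from .env.example; the secret prefixes (`sk-ant-`, `re_`) and the assumption that a Supabase key is a JWT whose payload carries a `role` claim (so a service-role key pasted into the anon slot can be caught) are mine. The tokens in the sample are constructed, not real keys.

```typescript
// Added example, not RegisAI's lib/env.ts: a runtime check that every variable from
// .env.example is present and that no server-only secret has been given a NEXT_PUBLIC_
// name, which Next.js would inline into the browser bundle. Variable names come from the
// template above; the secret-shaped prefixes (sk-ant-, re_) and the assumption that a
// Supabase key is a JWT whose payload carries a role claim are mine, not the project's.

const SERVER_ONLY_VARS = ['ANTHROPIC_API_KEY', 'SUPABASE_SERVICE_ROLE_KEY', 'RESEND_API_KEY'] as const;
const PUBLIC_VARS = ['NEXT_PUBLIC_SUPABASE_URL', 'NEXT_PUBLIC_SUPABASE_ANON_KEY', 'NEXT_PUBLIC_APP_URL'] as const;

// Decode the JWT payload without verifying it; only the role claim is of interest here.
function jwtRole(token: string): string | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof payload.role === 'string' ? payload.role : null;
  } catch {
    return null;
  }
}

// Returns what kind of secret a value looks like, or null if it looks safe to expose.
function secretKind(value: string): string | null {
  if (value.startsWith('sk-ant-')) return 'Anthropic API key';
  if (value.startsWith('re_')) return 'Resend API key';
  if (jwtRole(value) === 'service_role') return 'Supabase service-role key';
  return null;
}

function validateEnv(env: Record<string, string | undefined>): { ok: boolean; errors: string[] } {
  const errors: string[] = [];
  for (const name of [...SERVER_ONLY_VARS, ...PUBLIC_VARS]) {
    if (!env[name]) errors.push(`${name} is missing`);
  }
  // Anything NEXT_PUBLIC_ reaches the client, so none of it may be secret-shaped.
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith('NEXT_PUBLIC_') || !value) continue;
    const kind = secretKind(value);
    if (kind) errors.push(`${name} holds a ${kind}; server-only secrets must not be NEXT_PUBLIC_`);
  }
  const url = env.NEXT_PUBLIC_SUPABASE_URL;
  if (url && !url.startsWith('https://')) errors.push('NEXT_PUBLIC_SUPABASE_URL must use https');
  return { ok: errors.length === 0, errors };
}

// Constructed Supabase-style tokens for the demo: header.payload.signature with a fake signature.
function fakeSupabaseJwt(role: 'anon' | 'service_role'): string {
  const b64 = (obj: object) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ role, iss: 'supabase' })}.signature`;
}

const GOOD_ENV: Record<string, string> = {
  ANTHROPIC_API_KEY: 'sk-ant-constructed',
  SUPABASE_SERVICE_ROLE_KEY: fakeSupabaseJwt('service_role'),
  RESEND_API_KEY: 're_constructed',
  NEXT_PUBLIC_SUPABASE_URL: 'https://your-project.supabase.co',
  NEXT_PUBLIC_SUPABASE_ANON_KEY: fakeSupabaseJwt('anon'),
  NEXT_PUBLIC_APP_URL: 'http://localhost:3000',
};

// The classic mistake: the service-role key pasted into the anon key slot.
const LEAKY_ENV: Record<string, string> = { ...GOOD_ENV, NEXT_PUBLIC_SUPABASE_ANON_KEY: fakeSupabaseJwt('service_role') };
```

Run `validateEnv(process.env)` once at server start and fail fast on any error; the anon and service-role keys both start with `eyJ`, which is why the check decodes the role claim instead of relying on the prefix alone.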
- Node.js 20+
- A Supabase project (with the migrations in `supabase/migrations/` applied)
- An Anthropic API key
```bash
git clone https://github.com/bitcoinow/RegisAI.git
cd RegisAI
npm install
cp .env.example .env.local
# fill in .env.local with your keys
npm run dev
```
Open http://localhost:3000.
```bash
npm test               # Run Vitest once
npm run test:watch     # Run Vitest in watch mode
npm run test:coverage  # Run Vitest with coverage output
npm run verify         # Type-check, lint, then test
```
Tests use Vitest with jsdom and Testing Library matchers. Place tests next to the code they cover using *.test.ts or *.test.tsx.
Apply all migrations to your Supabase project via the CLI:
```bash
supabase db push
```
Or run each file in supabase/migrations/ in chronological order via the Supabase SQL editor.
- Gap analysis engine (Claude prompt + 32-requirement US regulatory library)
- Next.js 16 App Router scaffold
- PDF upload + server-side text extraction
- Gap analysis API route (`/api/analyse`)
- Audit report page with expandable findings
- Supabase auth (email + password, Google OAuth, optional TOTP MFA, password recovery)
- User dashboard (audit history with risk summary)
- Demo environment (`/demo/clearview` — no login required)
- Deployed to Vercel (auto-deploy from `main`)
- Finding status tracking (open / in-progress / resolved / risk_accepted toggle on finding cards)
- Human review workflow — reviewer attribution, timestamp, rationale (audit trail)
- Regulatory monitoring feed (Federal Register / ESMA / EBA / FCA / PRA → `/monitoring`)
- PDF export of audit report (browser `window.print()` with print stylesheet)
- Weekly email digest of regulatory updates (Resend)
- Document library — list, download (signed URL), delete with cascade
- EU & UK regulatory libraries (MiFID II, GDPR, AMLD6, DORA, SFDR, MAR + FCA Rules, SM&CR, UK GDPR, 34 EU / 19 UK requirements)
- EU & UK regulatory monitoring feed (ESMA, EBA, FCA, PRA — jurisdiction tab selector)
- Policy drafting per finding (Claude generates ready-to-paste compliance manual language, persisted + copy-to-clipboard)
- Framework scoping (`framework` param on `/api/analyse` — runs against a single framework, e.g. GDPR-only)
- Re-scan & delta analysis (`parent_audit_id` — classifies gaps as closed/persisting/improved/new)
- Posture score (0–100, risk-weighted) and coverage matrix (every in-scope requirement tagged met/gap)
- GDPR re-scan demo (`/demo/gdpr` — Northwind Payments full lifecycle, public, no login)
- Design partner onboarding flow (firm profile collection post-signup)
- B2B marketing landing page (UK business compliance platform positioning)
- Geo-based default pricing currency (USD / EUR / GBP from Vercel geo headers)
- Legal pages (Privacy Policy, Terms of Service, Security, About)
- Fully responsive nav (mobile hamburger + bottom tab bar)
- Jurisdiction access control (`is_dev` flag — regular users locked to UK; dev team has US/EU/UK)
- Early access form with email capture (`/api/request-access` → Resend)
- Persistent left sidebar navigation shell grouped by operational context
- Compliance command centre dashboard with UK posture metrics
- Nine-step New Review workflow integration
- Folder-based evidence management for documents (move, tags, entity links)
- Custom workflow surfaces for scenario reviews, stakeholder questions, and approval readiness
- Stripe billing integration
- Multi-document support per company
- Audit prep package export (ZIP of all evidence)
- Profile management UI in Settings
- Scenario Risk Analyzer module (currently "Coming soon" on landing page)
- TypeScript strict mode. No `any`.
- Run `npm run verify` before handing off code changes.
- All API routes handle errors and return typed responses.
- Supabase: use server client in API routes, browser client in components.
- Claude API calls live only in `lib/claude.ts`.
- Server-only env vars are never prefixed with `NEXT_PUBLIC_`.
US/RIA demo (/demo/clearview — Clearview Capital, 18 gaps, no login):
- Walk through High-risk findings first
- Point to rule citations — every finding maps to a specific FINRA or SEC requirement
- Show risk breakdown (High / Medium / Low counts)
- Click "Draft Policy Language" on a finding — Claude generates ready-to-paste remediation text in seconds
GDPR re-scan demo (/demo/gdpr — Northwind Payments, no login):
- Start at V1: 13 gaps, 40% posture score
- Toggle to V2: 10 gaps closed, 90% posture — delta view shows closed/persisting/new
- Show coverage matrix — every GDPR article mapped to met/gap
- Show `risk_accepted` finding with reviewer rationale (audit trail)
Close: "We're onboarding design partners at no cost. Is your company a fit?"
All outputs are recommendations, not legal advice. High-risk findings always require human review. Regis is not a replacement for a qualified compliance officer — it is a tool to augment one.