// Trust & Security Report
Regard
AI-powered clinical documentation / clinical decision support platform ("Proactive Documentation") that reviews EHR chart data and clinician-patient conversations to recommend diagnoses and generate draft clinical notes before point of care; single enterprise SaaS product sold to hospitals and health systems, integrates with EMRs and partners such as Microsoft Dragon Copilot.
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on regard.com“As part of our commitment to protect data, Regard has achieved SOC2 Type 1 compliance.”
Verify on regard.com“ONC 2015 Cures Update Certification Criteria: B10, D1, D5, D12, D13, G5, G4 ... Certification Number: 15.04.04.3192.Rega.01.00.0.240502 ... Product: Regard SaaS Solution v.1”
> Show 9 unconfirmed / not-held certifications
source: regard.comNo public evidence. The vendor's own data-compliance page only claims 'SOC2 Type 1 compliance' - no Type 2 report or attestation date is referenced anywhere on regard.com.
source: regard.comNo public evidence on regard.com. The only ISO reference found is on the ONC certification page, which lists 'CQMS: ISO 9001' (a quality-management standard for the certified health IT module), not ISO 27001 (information security). Do not conflate the two.
source: regard.comNo public HIPAA-compliance statement, BAA-availability statement, or PHI-handling policy was found on regard.com (home page, privacy policy, data-compliance page, about-us page, or proactive-documentation page). The vendor's public privacy policy reads as a generic WordPress-template policy (e.g. it only addresses indefinite retention of blog comments) rather than a healthcare-specific PHI policy. Regard's product clearly processes PHI as its core function, so a signed BAA is very likely offered contractually to hospital customers, but this is not publicly evidenced on the vendor's own domain.
source: regard.comNo GDPR-specific posture, EU representative, or international-transfer mechanism (e.g. SCCs) is mentioned anywhere on regard.com. The public privacy policy is a generic US-oriented template with no GDPR section.
source: regard.comNo public evidence; not applicable - Regard is a clinical documentation tool, not a payment processor, and no payment-card handling claims appear on the site.
source: regard.comNo public evidence found. Regard's public messaging discusses 'responsible innovation' and 'trustworthy, auditable' AI in press/marketing content but does not cite ISO/IEC 42001 or any formal AI-governance certification.
source: regard.comNo public evidence found; no indication Regard sells to federal agencies.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not publicly specified. Regard lists corporate offices in Los Angeles and New York City, but no data-residency or hosting-region statement was found on the vendor's site.
No public statement on regard.com specifies whether patient/customer chart data is used to train Regard's AI models, nor whether any opt-out exists. This is a material disclosure gap for a clinical AI vendor whose core product ingests full EHR records. Could not confirm either way; treat as unknown, not as an absence of training.
// Security controls
SOC 2 Type 1 attestation
Achieved (Type 1 only - point-in-time control design, not operating effectiveness over a period like Type 2)
regard.comMulti-factor authentication
Product relies on the connected EMR's own two-factor authentication protocol rather than a separate Regard-native MFA, per its ONC certification filing.
regard.comHealth IT interoperability certification
ONC-certified for FHIR-based Electronic Health Information (EHI) export, single-patient and bulk export.
regard.com// Products & data scope
data: Full patient EHR chart data (vendor cites review of a patient record with on average 50,000 data points) plus clinician-patient conversation content, used to recommend diagnoses and auto-generate draft clinical notes. Includes PHI by design.
Single enterprise SaaS offering sold to hospitals/health systems via demo request; no self-serve or consumer tier. Integrates with hospital EMRs and partners such as Microsoft Dragon Copilot. ONC-certified as 'Regard SaaS Solution v.1'.
// What to watch
- No dedicated trust center - compliance disclosure is limited to a single sentence on a lightly-built /data-compliance/ page plus a separate ONC certification detail page.
- SOC 2 is Type 1 only, not Type 2 - Type 1 attests to control design at a point in time, not operating effectiveness over an observation period; weaker assurance than Type 2 and should be labeled precisely, not rounded up to 'SOC 2 compliant.'
- No public HIPAA-compliance or BAA-availability statement despite the product's core function being ingestion and processing of full patient EHR records (PHI) - a notable gap for a clinical AI vendor. Prospective hospital customers should confirm BAA terms directly with Regard before deployment.
- Possible cert-confusion risk: the ONC certification filing lists 'CQMS: ISO 9001' (quality management), which is unrelated to ISO/IEC 27001 (information security) - do not let this be mis-read as an ISO 27001 claim; no ISO 27001 evidence exists.
- No public disclosure of whether patient/customer data is used to train Regard's AI models, and no opt-out mechanism described - unresolved and should be flagged to prospective customers.
- Public privacy policy reads as a generic, non-healthcare-specific (likely template-generated) policy and does not mention HIPAA, PHI, encryption, or data retention for clinical data - inconsistent with a vendor whose entire product handles PHI.
// At a glance
Pricing model
Enterprise/custom - sold via sales demo to hospitals and health systems; no public self-serve pricing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Regard's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
regard.com