// Trust & Security Report

    Regard logo

    Regard

    AI-powered clinical documentation / clinical decision support platform ("Proactive Documentation") that reviews EHR chart data and clinician-patient conversations to recommend diagnoses and generate draft clinical notes before point of care; single enterprise SaaS product sold to hospitals and health systems, integrates with EMRs and partners such as Microsoft Dragon Copilot.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 1
    HELD

    As part of our commitment to protect data, Regard has achieved SOC2 Type 1 compliance.

    Verify on regard.com
    ONC Health IT Certification (2015 Edition Cures Update)
    HELD

    ONC 2015 Cures Update Certification Criteria: B10, D1, D5, D12, D13, G5, G4 ... Certification Number: 15.04.04.3192.Rega.01.00.0.240502 ... Product: Regard SaaS Solution v.1

    Verify on regard.com
    > Show 9 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence. The vendor's own data-compliance page only claims 'SOC2 Type 1 compliance' - no Type 2 report or attestation date is referenced anywhere on regard.com.

    source: regard.com
    ISO 27001
    NOT CONFIRMED

    No public evidence on regard.com. The only ISO reference found is on the ONC certification page, which lists 'CQMS: ISO 9001' (a quality-management standard for the certified health IT module), not ISO 27001 (information security). Do not conflate the two.

    source: regard.com
    HIPAA
    NOT CONFIRMED

    No public HIPAA-compliance statement, BAA-availability statement, or PHI-handling policy was found on regard.com (home page, privacy policy, data-compliance page, about-us page, or proactive-documentation page). The vendor's public privacy policy reads as a generic WordPress-template policy (e.g. it only addresses indefinite retention of blog comments) rather than a healthcare-specific PHI policy. Regard's product clearly processes PHI as its core function, so a signed BAA is very likely offered contractually to hospital customers, but this is not publicly evidenced on the vendor's own domain.

    source: regard.com
    GDPR
    NOT CONFIRMED

    No GDPR-specific posture, EU representative, or international-transfer mechanism (e.g. SCCs) is mentioned anywhere on regard.com. The public privacy policy is a generic US-oriented template with no GDPR section.

    source: regard.com
    HITRUST
    NOT CONFIRMED

    No public evidence found anywhere on regard.com.

    source: regard.com
    PCI DSS
    NOT CONFIRMED

    No public evidence; not applicable - Regard is a clinical documentation tool, not a payment processor, and no payment-card handling claims appear on the site.

    source: regard.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence found. Regard's public messaging discusses 'responsible innovation' and 'trustworthy, auditable' AI in press/marketing content but does not cite ISO/IEC 42001 or any formal AI-governance certification.

    source: regard.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on regard.com.

    source: regard.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found; no indication Regard sells to federal agencies.

    source: regard.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not publicly specified. Regard lists corporate offices in Los Angeles and New York City, but no data-residency or hosting-region statement was found on the vendor's site.

    No public statement on regard.com specifies whether patient/customer chart data is used to train Regard's AI models, nor whether any opt-out exists. This is a material disclosure gap for a clinical AI vendor whose core product ingests full EHR records. Could not confirm either way; treat as unknown, not as an absence of training.

    // Security controls

    SOC 2 Type 1 attestation

    Achieved (Type 1 only - point-in-time control design, not operating effectiveness over a period like Type 2)

    regard.com

    Multi-factor authentication

    Product relies on the connected EMR's own two-factor authentication protocol rather than a separate Regard-native MFA, per its ONC certification filing.

    regard.com

    Health IT interoperability certification

    ONC-certified for FHIR-based Electronic Health Information (EHI) export, single-patient and bulk export.

    regard.com

    Encryption in transit / at rest

    No public statement found on regard.com.

    regard.com

    // Products & data scope

    Regard Proactive Documentation PlatformHealthcare AI - clinical documentation / CDI (clinical documentation improvement)

    data: Full patient EHR chart data (vendor cites review of a patient record with on average 50,000 data points) plus clinician-patient conversation content, used to recommend diagnoses and auto-generate draft clinical notes. Includes PHI by design.

    Single enterprise SaaS offering sold to hospitals/health systems via demo request; no self-serve or consumer tier. Integrates with hospital EMRs and partners such as Microsoft Dragon Copilot. ONC-certified as 'Regard SaaS Solution v.1'.

    // What to watch

    • No dedicated trust center - compliance disclosure is limited to a single sentence on a lightly-built /data-compliance/ page plus a separate ONC certification detail page.
    • SOC 2 is Type 1 only, not Type 2 - Type 1 attests to control design at a point in time, not operating effectiveness over an observation period; weaker assurance than Type 2 and should be labeled precisely, not rounded up to 'SOC 2 compliant.'
    • No public HIPAA-compliance or BAA-availability statement despite the product's core function being ingestion and processing of full patient EHR records (PHI) - a notable gap for a clinical AI vendor. Prospective hospital customers should confirm BAA terms directly with Regard before deployment.
    • Possible cert-confusion risk: the ONC certification filing lists 'CQMS: ISO 9001' (quality management), which is unrelated to ISO/IEC 27001 (information security) - do not let this be mis-read as an ISO 27001 claim; no ISO 27001 evidence exists.
    • No public disclosure of whether patient/customer data is used to train Regard's AI models, and no opt-out mechanism described - unresolved and should be flagged to prospective customers.
    • Public privacy policy reads as a generic, non-healthcare-specific (likely template-generated) policy and does not mention HIPAA, PHI, encryption, or data retention for clinical data - inconsistent with a vendor whose entire product handles PHI.

    // At a glance

    Pricing model

    Enterprise/custom - sold via sales demo to hospitals and health systems; no public self-serve pricing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Regard's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    regard.com

    > Browse all vendor trust reports