// Trust & Security Report

    Regie.ai, Inc. logo

    Regie.ai, Inc.

    AI sales engagement platform (RegieOne) unifying AI-driven prospecting agents, an AI dialer, email/social sequencing, enrichment, and signal-based orchestration for B2B go-to-market teams.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    "The platform complies with several industry-recognized security standards, including SOC 2 and AppExchange security certifications." A SOC 2 badge also appears in the site footer on the Privacy Policy, Terms and Conditions, and Why Regie pages. The report type (Type 1 vs Type 2) and the Trust Services Criteria covered are not stated anywhere on the vendor's own site.

    Verify on regie.ai
    GDPR (posture)
    HELD

    "Regie.ai operates as a data processor, while its customers act as data controllers... Regie.ai maintains detailed records of processing activities to support its customers in their compliance efforts... Regie.ai maintains a fixed and transparent list of sub-processors involved in data processing activities [and] the list is available upon request." This is a compliance posture/program, not a third-party GDPR "certification" (no such formal certification scheme exists under GDPR itself).

    Verify on regie.ai
    > Show 6 unconfirmed / not-held certifications
    ISO/IEC 27001
    NOT CONFIRMED

    No mention of ISO 27001 anywhere on Regie.ai's own site (gdpr page, privacy policy, terms, why-regie, homepage). A third-party listicle-style site (Nudge Security's auto-generated "security profile") claims Regie.ai is "ISO 27001 Compliant" with no methodology or sourcing disclosed and no link to vendor-domain evidence; this does not meet the vendor-domain-proof bar and is treated as unverified.

    source: regie.ai
    HIPAA
    NOT CONFIRMED

    No HIPAA mention on any Regie.ai-owned page. Only third-party claim (unsourced Nudge Security profile) asserts "HIPAA Compliant" - not corroborated on the vendor's own domain, so graded not held.

    source: regie.ai
    PCI DSS
    NOT CONFIRMED

    No PCI DSS mention on Regie.ai's own site. Regie.ai is a B2B sales engagement tool with no evident payment-card processing surface; only an unsourced third-party profile claims "PCI Compliant" with no vendor-domain corroboration.

    source: regie.ai
    FedRAMP
    NOT CONFIRMED

    No FedRAMP mention on Regie.ai's own site and no listing in the FedRAMP Marketplace found. Only an unsourced third-party profile claims "FedRamp Compliant"; not corroborated on the vendor's own domain.

    source: regie.ai
    CSA STAR
    NOT CONFIRMED

    No CSA STAR mention on Regie.ai's own site, and Regie.ai does not appear in the CSA STAR Registry search. Only an unsourced third-party profile claims "CSA Star Level 1 Compliant"; not corroborated on the vendor's own domain.

    source: regie.ai
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence. Not mentioned on any Regie.ai-owned page or in any credible third-party source found.

    source: regie.ai

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    not disclosed - no data center location, region, or residency commitment found on any Regie.ai-owned page

    Privacy Policy explicitly states: "Regie.ai does not use any data, including data obtained through Google Workspace APIs, to train generalized AI or machine learning models" and "does not retain user data obtained through Workspace APIs for developing, improving, or training generalized AI or ML models." However, this no-training commitment is worded specifically around Google Workspace API data; the Terms and Conditions separately reserve a broader right for Regie.ai to "use such information and data to improve and enhance the Services" when in "aggregate or other de-identified forms," which is a different (and looser) standard than a blanket no-training promise across all customer data. Net: opt-out/scope details for non-Workspace customer data are not confirmed, hence null overall with a flag.

    // Security controls

    Encryption in transit and at rest

    "Your data is encrypted both in transit and at rest using industry-standard encryption protocols."

    regie.ai

    Access control

    "Only authorized personnel with a legitimate business need have access to your data, protected by role-based permissions."

    regie.ai

    MFA for internal accounts

    "Multi-Factor Authentication (MFA): Required for internal administrative accounts."

    regie.ai

    Monitoring & incident response

    "Our systems are monitored 24/7 for threats, and we have an incident response plan."

    regie.ai

    Breach notification

    GDPR page states processor-to-controller breach notification within 30 days; privacy policy states affected users are notified "within the legally required timeframe."

    regie.ai

    Data subject rights contact

    "Data subjects can request to access, change, or delete their data by contacting ciso@regie.ai."

    regie.ai

    // Products & data scope

    RegieOneAI sales engagement platform (orchestration layer)

    data: CRM contact/account data, prospect enrichment data, email/call/social engagement data

    Unifies AI agent and human rep task orchestration in one workflow; no separate security posture published versus the base platform.

    Prospecting AgentsAI agents for sourcing, enrichment, and personalized outbound messaging

    data: Prospect/contact records, intent and behavioral signal data, generated message content

    Feature set within RegieOne; no distinct compliance documentation found.

    AI DialerAI-assisted outbound calling

    data: Call recordings/metadata, lead prioritization signals

    Customer testimonial references call volume increases; no dedicated security/compliance page found for call recording handling, retention, or consent capture.

    // What to watch

    • No trust center: Regie.ai has no dedicated /trust or /security page (regie.ai/security returns 404) and no Vanta/Drata/SecurityScorecard-style trust portal. All compliance claims are scattered across the /gdpr page, privacy policy, and footer badges.
    • SOC 2 claim lacks specificity: vendor never states Type 1 vs Type 2, audit date, or which Trust Services Criteria are covered - just a badge and a general sentence.
    • Over-claim risk from third-party aggregator: a Nudge Security "security profile" page (non-vendor domain, no disclosed methodology) lists Regie.ai as compliant with SOC 2, PCI, HIPAA, GDPR, ISO 27001, FedRAMP, and CSA STAR simultaneously - a pattern typical of auto-generated/templated vendor profiles rather than verified findings. Only SOC 2 and a GDPR posture are corroborated on Regie.ai's own domain; the rest (ISO 27001, HIPAA, PCI DSS, FedRAMP, CSA STAR) were graded held=false because they could not be confirmed on the vendor's own site.
    • AI-training scope ambiguity: the privacy policy's no-training promise is explicitly scoped to Google Workspace API data, while the Terms and Conditions separately reserve a right to use de-identified/aggregate customer data to "improve and enhance the Services." It is not confirmed whether this broader clause includes any form of model training/fine-tuning.
    • No data residency/region disclosed anywhere on the vendor's site.
    • DPA availability not explicitly documented; only a sub-processor list is mentioned as "available upon request," with no direct DPA request path shown.

    // At a glance

    Pricing model

    Demo/quote-based (no public self-serve pricing found; site funnels to "Get a demo")

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Regie.ai, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    regie.ai

    > Browse all vendor trust reports