Security and data residency

Registora stores your subprocessor register, customer contacts, and audit log in an EU-hosted PostgreSQL database (Oracle Cloud, Paris, France). Secrets are encrypted at rest with AES-256-GCM, every monitoring snapshot is made tamper-evident with an RFC-3161 trusted timestamp, and we publish our own subprocessor list below. Last reviewed 2026-05-28.

§ I

Where your data lives

  • Register, customer contacts, audit log
    PostgreSQL on Oracle Cloud
    EU - Paris, France
  • Brand logos, signed DPA documents
    Vercel Blob
    United States
  • Application compute + CDN
    Vercel
    United States (global edge)
  • Transactional + notification email
    Resend
    United States
  • DNS + email routing
    Cloudflare
    United States (global)
  • Billing + payment data
    Paddle (Merchant of Record)
    United Kingdom / EU

§ II

Our own subprocessors

We hold ourselves to the same standard we build for our customers. These are the sub-processors Registora engages to deliver its service.

  • Oracle Cloud Infrastructure
    Primary database hosting
    France (EU)
  • Vercel Inc.
    Application hosting, edge CDN, blob storage
    United States
  • Resend
    Transactional + customer-notification email delivery
    United States
  • Cloudflare, Inc.
    DNS and inbound email routing
    United States
  • Paddle.com Market Ltd
    Billing and payment processing (Merchant of Record)
    United Kingdom

§ III

How we protect it

  • Encryption in transit
    All traffic is served over TLS (HSTS with preload). No plaintext endpoints.
  • Encryption at rest for secrets
    User-supplied secrets (Slack webhook URLs, webhook signing secrets) are encrypted with AES-256-GCM before they touch the database.
  • Tamper-evident change history
    Every monitoring snapshot is anchored with an RFC-3161 trusted timestamp from a publicly-trusted authority, so the change record is audit-grade and independently verifiable.
  • Scoped, hashed API keys
    REST API keys are stored only as SHA-256 hashes, shown once, and scoped to a single workspace; they are never recoverable after creation.
  • SSRF-guarded outbound calls
    Customer-configured webhook and domain targets are validated against private-network ranges before any request is made.
  • Least-data logging
    Structured logs redact email addresses and never store secrets or full request bodies.
  • Consent-first subscriptions
    Public subscribe widgets use double opt-in, recording the confirmation timestamp + IP as the consent record, with one-click unsubscribe in every email.
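
One way to implement the SSRF guard described above, shown as an added example and not Registora's own code. It checks every resolved address rather than the hostname string and returns the validated IPs so the caller can connect to them without resolving again. The function names, the HTTPS-only rule, and the sample DNS table are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)          # raises ValueError on junk
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped              # judge ::ffff:10.0.0.1 as 10.0.0.1
    # is_global excludes private, loopback, link-local, CGNAT and reserved space.
    return addr.is_global and not addr.is_multicast

def system_resolve(host: str, port: int) -> list:
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_target(url: str, resolve=system_resolve):
    """Return (allowed, reason, ips_to_pin) for a customer-supplied URL."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme != "https":              # assumption: HTTPS-only targets
        return False, "scheme not https", []
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials", []
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IP: no DNS lookup
    except ValueError:
        try:
            ips = resolve(host, port)
        except OSError:
            return False, "resolution failed", []
    try:
        blocked = [ip for ip in ips if not is_public(ip)]
    except ValueError:
        return False, "unparseable address", []
    if not ips or blocked:                   # one bad record rejects the target
        return False, f"non-public or empty answer: {blocked[:1]}", []
    # The caller should connect to one of these IPs, not re-resolve the name.
    return True, "ok", ips

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {"hooks.example.com": ["93.184.216.34"],
              "metadata.example.net": ["169.254.169.254"],
              "mixed.example.org": ["93.184.216.34", "10.0.0.5"]}

def sample_resolve(host: str, port: int) -> list:
    return SAMPLE_DNS.get(host, [])
```

Rejecting a name when any one of its records is non-public, and pinning the connection to the validated address, keeps a second DNS lookup from returning a different answer than the one that was checked.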

§ IV

EU data residency

The primary database that holds your register and audit trail is hosted in the EU (Oracle Cloud, France). Supporting processors (Vercel, Resend, Cloudflare) are US companies operating under standard contractual clauses and their own data processing agreements. A fully EU-region deployment option for DORA-tier customers is on our roadmap. We would rather state the current reality than over-claim blanket EU residency.

§ V

Questions

Where is my data stored?
Your subprocessor register, customer contacts, and audit log are stored in a PostgreSQL database hosted on Oracle Cloud Infrastructure in Paris, France (the EU). Application compute runs on Vercel, transactional email is sent via Resend, and brand assets / signed documents are stored in Vercel Blob; those processors are US-based and operate under standard contractual clauses and their own data processing agreements.
Is Registora EU-hosted?
The primary database that holds your register and audit trail is hosted in the EU (France). We are transparent that some supporting processors (Vercel, Resend, Cloudflare) are US companies operating under SCCs and DPAs. A fully EU-region deployment option for DORA-tier customers is on our roadmap; we would rather state the current reality than over-claim blanket EU residency.
What subprocessors does Registora itself use?
Registora uses Oracle Cloud (database hosting, EU), Vercel (application hosting and storage), Resend (email), Cloudflare (DNS and email routing), and Paddle (billing as Merchant of Record). The full list with purposes and locations is published on this page; we hold ourselves to the same disclosure standard we build for our customers.
How is the change history made tamper-evident?
Each daily snapshot of a monitored provider is hashed and that hash is anchored with an RFC-3161 trusted timestamp from a publicly-trusted Time Stamp Authority. The signed token is stored and can be verified by anyone, including with standard OpenSSL tooling, proving the recorded state existed at the stated time and has not been altered.
How do you handle secrets and credentials?
User-supplied secrets are encrypted with AES-256-GCM at rest. API keys are stored only as SHA-256 hashes and shown once. We never log secrets or full request bodies, and email addresses are redacted in logs.

Your turn

Publish your own subprocessor page, kept current.

Registora hosts your register on your own domain, monitors every upstream provider for changes daily, and drafts the customer notification when one updates.