A short, factual summary of how Regnora handles your data. For anything not covered here, [contact us](/resources/support/).

## Data residency

Regnora processes data in the **European Union**. The cloud services and AI providers Regnora uses are configured to EU regions; data is not routed through non-EU regions.

## What the AI does with your documents

When you upload a document, Regnora extracts and indexes its text so the AI can search your evidence by meaning. From there the AI reads that evidence to do the work you ask of it — assessing requirements in a [gap analysis](/guides/running-a-gap-analysis/), drafting and revising documents, answering questions. It works within the project it's running in.

Crucially, anything an agent produces that changes your data or leaves Regnora — a document edit, an email — is **staged for a human to approve**, never applied silently. An agent also has no capabilities until you grant them. See [Building custom agents](/guides/building-custom-agents/#capabilities).

## Project isolation

[Projects](/guides/setting-up-projects/) are the boundary for your data. A gap analysis assesses only the documents in its own project, and an agent reads only the project it runs in — there is no cross-project document search. [Guests](/guides/members-roles-and-permissions/#guests) invited to a single project see only that project, which is what makes an external project a safe place to share evidence with a client or auditor.

## Account security

- **Multi-factor authentication** — members secure their accounts with an authenticator app, and owners or admins can enforce it across the organisation. See [Organisation settings & security](/guides/org-settings-and-security/#multi-factor-authentication).
- **Sign-in** — by email link, or with a Google or Microsoft account.
- **Access control** — organisation [roles](/guides/members-roles-and-permissions/#organisation-roles) and explicit project access govern who can see and do what.

## Audit trail

Regnora keeps a record of what happened. Documents are [versioned](/guides/managing-documents/#versioning-and-the-audit-trail) so you can see how a policy changed over time; gap-analysis [attestations](/guides/running-a-gap-analysis/#review--confirm-flag-or-re-assess-each-verdict) record who signed off on a verdict; and the [Activity](/guides/collaborating-with-your-team/#activity) feed logs the meaningful events across a project.