Read-only auditor access
Customers invite their external auditors (Big-4 firms, ISO notified bodies, regulator inspectors) into a per-tenant read-only view. The auditor sees evidence packs + audit-trail replay + control attestations. They never see other customers and never modify anything. Their activity is itself audited and surfaces in the customer's WORM chain.
What the auditor sees
Per-tenant audit pack browser. View signed Evidence Packs by date range + framework. Download as ZIP with cryptographic manifest.
Reconstruct platform state at any timestamp from the WORM chain. Side-by-side with the current snapshot. Tamper-detection per-row.
Live per-framework coverage map. Click any control to see the evidence chain + last-reviewed-at + reviewer principal.
ReguNav's own sub-processors (CF, Neon, ClickHouse, Stripe, Clerk, etc.) with current DPA + SCC + sub-processor-of-sub-processor chain.
Public-facing incident log: detection time, root cause, remediation, customer-impact assessment.
Latest pen-test attestation letter (when available). Status: Type I ✓ · Type II Q4 2026.
Read-only by construction
- ✓ Auditor accounts are scoped to one tenant per invitation
- ✓ Read-only: auditor cannot modify any data
- ✓ No access to customer code; only the read-only logs branch + evidence packs the customer chose to share
- ✓ Every auditor read emits a row in the customer's regunav_audit_trail_events (the auditor's activity is itself audited)
- ✓ Sessions expire after 8 hours; full re-auth required
- ✓ Auditor invitations are revocable instantly by the customer or by ReguNav admin
How auditors get access
- Customer invites you via app.regunav.com → Settings → Auditors → Invite. You receive an email with a sign-in link.
- You complete SCA (TOTP or hardware key) on first sign-in. All subsequent sessions require re-auth every 8 hours.
- You are routed to trust.regunav.com/auditor/<tenant-slug>, a read-only mirror of the customer's evidence, attestations, and audit-trail.
- You can download Evidence Packs, browse the audit-trail replay, export attestation tables. The customer is notified of every export in real-time.
- When the engagement ends, the customer revokes access. Your view collapses to a final summary page with the evidence-pack hashes you accessed during the engagement (proof-of-review for your own working papers).