Unlock, sign & maintain
Free gives you the whole map and a DRAFT record — forever. Paid unlocks the defensible one: the DRAFT stamp comes off, the record is signed under a named person, and it is kept current. This page covers what it costs, what signing actually is, what OFFICIAL adds, and how the seal stays honest over time.
What it costs
Pricing is published, self-serve, and all-in — one yearly charge, no setup fee. The plan is worked out from two answers at unlock, never guessed from your scanned data:
- How many staff? — up to 50 · 51–250 · more than 250.
- A regulated financial firm? — authorised or registered with a financial regulator (that is who DORA applies to). Most unregulated startups answer no.
| Plan | Price / year | Fits | Includes |
|---|---|---|---|
| RoPA | €6,000 | Up to 50 people | The signed GDPR Article 30 record |
| RoPA + DORA | €12,000 | 51–250, regulated financial entity | + the DORA register |
| Enterprise | from €18,000 | More than 250 / multi-entity | + self-host, SLA — on invoice, price published |
The €6,000 and €12,000 tiers close with a card, no salesperson. More than 250 staff routes to the Enterprise conversation — still a published floor price, invoiced, never "ask us". You manage the subscription later from Account → Billing.
regixo admin mint) or supplied
as an env var — the seal path below is the same either way.Before you sign: name the controller
An Article 30 record is the controller's record. Regixo refuses to seal one whose controller is
unnamed — an official document with no responsible organisation is indefensible. The refusal is the coded
error CONTROLLER_REQUIRED, raised before any signing happens.
Supply the registered legal name once, either way:
- regixo.yml — the engineer
controller: { name: "Northwind Data BV", contact: "dpo@northwind.example" }— headless, committed with the config.- the claim page — the compliance team
- Fill the organisation field on the record; it is persisted before the seal step opens.
What signing is
Signing produces a simple electronic signature over the exact bytes of the record. Regixo serialises the official record, takes its SHA-256, and signs that hash with a dedicated Ed25519 attestation key — separate from any licence key. The signing timestamp is set by the server and is immutable; it is never taken from the client.
The seal also states how the signer was identified. One of three assurance levels is recorded, and the artifact never overstates it:
- sso
- A real authenticated session through the organisation's single sign-on. The strongest level.
- email-verified
- A magic-link sign-in proved control of the email address (the account layer's default).
- env-declared
- An identity declared at unlock via env var — marked non-production on the artifact, since no one verified it. Fine for a dry run, not for a filing.
The signed bytes also bind the signer's organisation and role, so the seal proves "an authorised officer of <organisation>", not just a verified inbox. The signer therefore appears in full capacity — name, role, organisation — wherever the signature is shown.
What OFFICIAL adds over DRAFT
The record body is the same shared renderer in both states — OFFICIAL is a superset of the DRAFT, never a thinner copy. What changes is the evidence around it:
- The DRAFT watermark comes off, replaced by a running
● OFFICIAL — ATTESTEDmark on every page. - A seal card lays out the signature facts (below).
- A standalone offline verifier (
verify-attestation.mjs) ships next to the artifact, plusATTESTATION_KEYS.mdin the public repo — so anyone can check the seal with no Regixo server in the loop. - Every signature seals an immutable snapshot; the change log and version history keep the diffs.
The seal card carries these rows, each stating exactly what it is:
✓ Audit-ready · sealed 2026-07-05
● OFFICIAL — signed & sealed
- Who signed — Anna Kessler · Data Protection Officer · Northwind Data BV (anna.kessler@northwind.example), on 2026-07-05T09:14:22.000Z. Identity verified by email sign-in link (magic link).
- When — Signed 2026-07-05T09:14:22.000Z (the signing server's clock). An RFC 3161 counter-stamp is not attached yet; the authoritative timestamp status is recorded in attestation.json.
- What kind of signature — A simple electronic signature. Under eIDAS (Art. 25(1)) it cannot be denied legal effect solely because it is electronic. It is not a qualified electronic signature.
- Tamper-proof seal — Locked: any later edit re-opens the signature. Anyone can check it's genuine offline, without contacting us — see "Technical details".
- Your record — Plan ropa · valid until 2027-07-05.
Technical details (for your auditor)
Content seal sha256:5f2e9c…c41a7b — any later edit re-opens the signature.
Attestation att_9d3c1f88b0a24e5f6c7d8e90 · key regixo-att-2026 · tenant northwind.
Verifiable offline: run node verify-attestation.mjs next to the exported attestation.json (key published in ATTESTATION_KEYS.md).
The Content seal line under Technical details is the SHA-256 of the file a verifier can recompute — flip a single byte and the check fails. The When row is honest about what backs the time today; see What is not built yet.
The green band above reads “✓ Audit-ready · sealed <date>” only when every legal call has been confirmed. If any are still open, the band says so instead — “✓ Sealed · <date> — N legal calls below still need confirming” — and the card adds a What’s still left for you row. A seal records who signed and freezes the bytes; it never confirms a legal call on your behalf, so it will not claim a readiness the record itself denies.
Unlock — the command that flips DRAFT → official
In the portal the compliance team answers the two questions, pays, and signs — that flips the record to
OFFICIAL. On the command line the same licence activation is regixo verify (paid): it validates
the licence for the tenant and enables the sealing path.
The four steps sit in a block at the foot of the claimed record. On the record below the licence is already paid, so step 2 reads nothing to choose or pay; on an unlicensed record that step is where you answer the two questions and the published price appears.
Record of Processing Activities
DRAFT · not yet defensibleReview & fill the legal calls
1 of 16 confirmed — 10 blank · 5 awaiting confirmation. Review & fill →
You can seal with open calls — they seal as flagged gaps, clearly listed before you sign.
Choose your plan
Your plan is set by the licence on this record — nothing to choose or pay. Verify and sign below to apply it.
Verify it’s you
Signing is a legal act under your name, so we confirm your identity once — with a one-time email link. Reading this record never needs an account.
Sign & seal
Verify your email in step 3 first — the seal records who signed.
Nothing new leaves your systems when you sign — signing only seals what you already see on this page.
Unlock & pay. Answer the two questions — How big is your organisation? and Are you a regulated financial firm (DORA applies)? — and the published price appears. Press Continue to payment (card, via Stripe); a leave page notes that you enter your card on Stripe (Regixo never sees or stores it) and come straight back. On return you see ✓ Payment received — activating your licence…, then a receipt.
Sign. An approver or admin presses 🔓 Sign & seal this record as <name>, reads the Before you sign page, and confirms — the record flips to the OFFICIAL seal block, with Download the official PDF alongside. Every seal writes a Version history card with what-changed diffs; when your data drifts, a Review & re-sign → banner appears.
Renew or upgrade. Under Account → Billing: Renew →, Upgrade to RoPA + DORA →, or Billing in Stripe → for invoices and card details. A tour: the compliance portal tour.
$ export REGIXO_LICENCE_KEY='rgx_live_…' $ regixo verify $ regixo seal pull <claimToken>
This one’s yours. Only a person can sign a record.
The same licence activation, headless; then the engineer brings the sealed copy home. Detail below.
An agent can read the record’s state (the trust signal reports seal: draft), but
it never pays, signs, or seals — those stay human acts, by design.
$ export REGIXO_LICENCE_KEY='rgx_live_…' $ regixo verify
This one’s yours. Only a person can sign a record.
The seal is produced on the machine that holds the record. The engineer brings the sealed copy home with
regixo seal pull, so the OFFICIAL artifact lives next to the source it describes:
“Pull our signed, sealed record from the portal onto this machine.”
Show the commandHide the commandShow the sentenceHide the sentence
$ regixo seal pull <claimToken>The forker's copy has no regixo verify to unlock — sealing lives in the private
layer and was never in the public code. Gating is the absence of code, not a switch.
Re-sign when a core field moves
The record keeps changing as your data does. A signature does not silently follow it. When
regixo watch re-scans and a core field of a
signed activity moves, that activity is flagged as needing re-signing — and only that one:
- Take and record payments — changed: retention, recipients
| Change | Effect on the signature |
|---|---|
| Core field — purpose · lawful basis · retention · data categories · data subjects · recipients · transfers outside the EU | Flags the activity for re-sign; the diff is shown. |
| Metadata only — a new column, a row-count change, no legal impact | Not a re-sign. Appended to the change log, marked "review suggested". |
Renew each year
The licence is yearly — annual renewal is the model, because the record is a living document, not a one-time file. An expiry warning shows from 30 days out; the record stays fully OFFICIAL while it warns. On lapse the tenant flips back to draft-only — no data is deleted — with a renewal banner.
Renew from Account → Billing. For a regulated entity the DORA register carries a hard annual deadline, so the yearly cadence is not optional there.
The evidence pack
The defensible deliverable a compliance team can put in front of an auditor is the record plus its proof. Its parts:
- Official record (PDF) — the sealed Article 30 document, no DRAFT stamp.
- Source attestations — each mechanical field traced to the system it came from, as of a date.
- Append-only change log — every change since the first draft.
- Immutable snapshots — one per signature.
- Machine-readable bundle — the record as data; for DORA, the xBRL-CSV package.
- Attestation public key + the offline verifier — plus printed verification instructions in the PDF.
Anyone holding the exported folder can check the seal without Regixo — run the verifier next to
attestation.json:
$ node verify-attestation.mjsCross-check the key against ATTESTATION_KEYS.md in the public Regixo
repository. The evidence is designed to outlive the vendor.
What is not built yet
The independent timestamp is built, but not yet switched on. A seal can carry an
RFC 3161 counter-stamp — an independent time-stamp token that corroborates when the signature
existed — and the shipped offline verifier checks it. What remains is configuring the
production time-stamping authority and completing the key-signing ceremony; until the owner does that
(before the first paying customer), every seal records timestampProof: none and the artifact
says so, with the recorded time resting on the signing server's clock. An RFC 3161 counter-stamp is not an
eIDAS qualified timestamp — either way the seal backs a simple electronic signature
(eIDAS Art. 25(1)), never a qualified one.
The one-file export is not built. The parts above ship individually (PDF, seals, change log, machine-readable bundle); the single assembled evidence-pack export is tracked for a later release.
The guarantees are bounded, and exact. Regixo aims to be accurate to your data (a mis-map is fixed free), complete (gaps are flagged, never silent), fresh (per-source staleness), and defensible (evidence behind each mechanical field). It never promises you will pass an audit or avoid fines — no software can — and it never gives legal advice. The signer owns the legal judgment and the signature.