Regixo docs
EU compliance · optional · compliance team

Unlock, sign & maintain

Free gives you the whole map and a DRAFT record — forever. Paid unlocks the defensible one: the DRAFT stamp comes off, the record is signed under a named person, and it is kept current. This page covers what it costs, what signing actually is, what OFFICIAL adds, and how the seal stays honest over time.

Optional · EU compliance module You need this only if your company must keep a GDPR Article 30 RoPA or a DORA register — it is an optional module on top of the free data catalog. If that is not you, you can skip this section.
Machines suggest, humans sign Regixo drafts and sanity-checks the record. It never confirms a legal field — purpose, lawful basis, retention and transfers are the signer's judgment. Signing is the moment a person takes that judgment on. This page is documentation, not legal advice.

What it costs

Pricing is published, self-serve, and all-in — one yearly charge, no setup fee. The plan is worked out from two answers at unlock, never guessed from your scanned data:

PlanPrice / yearFitsIncludes
RoPA€6,000Up to 50 peopleThe signed GDPR Article 30 record
RoPA + DORA€12,00051–250, regulated financial entity+ the DORA register
Enterprisefrom €18,000More than 250 / multi-entity+ self-host, SLA — on invoice, price published

The €6,000 and €12,000 tiers close with a card, no salesperson. More than 250 staff routes to the Enterprise conversation — still a published floor price, invoiced, never "ask us". You manage the subscription later from Account → Billing.

Payment — as built Stripe checkout and the webhook are wired and offline-tested; the live-Stripe run is a launch-gate step. Until it runs, a licence is minted by Regixo on invoice (regixo admin mint) or supplied as an env var — the seal path below is the same either way.

Before you sign: name the controller

An Article 30 record is the controller's record. Regixo refuses to seal one whose controller is unnamed — an official document with no responsible organisation is indefensible. The refusal is the coded error CONTROLLER_REQUIRED, raised before any signing happens.

Supply the registered legal name once, either way:

regixo.yml — the engineer
controller: { name: "Northwind Data BV", contact: "dpo@northwind.example" } — headless, committed with the config.
the claim page — the compliance team
Fill the organisation field on the record; it is persisted before the seal step opens.
Fact, not judgment Recording the controller's registered name is a factual identity — Regixo carries it, it never originates a legal call. Purpose, lawful basis, retention and transfers stay the signer's to confirm (Hard Rule #4).

What signing is

Signing produces a simple electronic signature over the exact bytes of the record. Regixo serialises the official record, takes its SHA-256, and signs that hash with a dedicated Ed25519 attestation key — separate from any licence key. The signing timestamp is set by the server and is immutable; it is never taken from the client.

The seal also states how the signer was identified. One of three assurance levels is recorded, and the artifact never overstates it:

sso
A real authenticated session through the organisation's single sign-on. The strongest level.
email-verified
A magic-link sign-in proved control of the email address (the account layer's default).
env-declared
An identity declared at unlock via env var — marked non-production on the artifact, since no one verified it. Fine for a dry run, not for a filing.

The signed bytes also bind the signer's organisation and role, so the seal proves "an authorised officer of <organisation>", not just a verified inbox. The signer therefore appears in full capacity — name, role, organisation — wherever the signature is shown.

What OFFICIAL adds over DRAFT

The record body is the same shared renderer in both states — OFFICIAL is a superset of the DRAFT, never a thinner copy. What changes is the evidence around it:

The seal card carries these rows, each stating exactly what it is:

what you'll see — the OFFICIAL seal card
Regixo compliance portal · EU-hostedAnna Kessler · approver · sign out

✓ Audit-ready · sealed 2026-07-05

● OFFICIAL — signed & sealed

  • Who signed — Anna Kessler · Data Protection Officer · Northwind Data BV (anna.kessler@northwind.example), on 2026-07-05T09:14:22.000Z. Identity verified by email sign-in link (magic link).
  • When — Signed 2026-07-05T09:14:22.000Z (the signing server's clock). An RFC 3161 counter-stamp is not attached yet; the authoritative timestamp status is recorded in attestation.json.
  • What kind of signature — A simple electronic signature. Under eIDAS (Art. 25(1)) it cannot be denied legal effect solely because it is electronic. It is not a qualified electronic signature.
  • Tamper-proof seal — Locked: any later edit re-opens the signature. Anyone can check it's genuine offline, without contacting us — see "Technical details".
  • Your record — Plan ropa · valid until 2027-07-05.
Technical details (for your auditor)

Content seal sha256:5f2e9c…c41a7b — any later edit re-opens the signature.

Attestation att_9d3c1f88b0a24e5f6c7d8e90 · key regixo-att-2026 · tenant northwind.

Verifiable offline: run node verify-attestation.mjs next to the exported attestation.json (key published in ATTESTATION_KEYS.md).

Download the official PDF

The Content seal line under Technical details is the SHA-256 of the file a verifier can recompute — flip a single byte and the check fails. The When row is honest about what backs the time today; see What is not built yet.

The green band above reads “✓ Audit-ready · sealed <date>” only when every legal call has been confirmed. If any are still open, the band says so instead — “✓ Sealed · <date> — N legal calls below still need confirming” — and the card adds a What’s still left for you row. A seal records who signed and freezes the bytes; it never confirms a legal call on your behalf, so it will not claim a readiness the record itself denies.

Unlock — the command that flips DRAFT → official

In the portal the compliance team answers the two questions, pays, and signs — that flips the record to OFFICIAL. On the command line the same licence activation is regixo verify (paid): it validates the licence for the tenant and enables the sealing path.

The four steps sit in a block at the foot of the claimed record. On the record below the licence is already paid, so step 2 reads nothing to choose or pay; on an unlicensed record that step is where you answer the two questions and the published price appears.

what you'll see — Make this record official: the four-step block at the foot of the claimed record (a record whose licence is already paid, not yet sealed — so step 2 has nothing left to choose)
Regixo compliance portal · EU-hosted

Record of Processing Activities

DRAFT · not yet defensible

Review & fill the legal calls

1 of 16 confirmed — 10 blank · 5 awaiting confirmation. Review & fill →

You can seal with open calls — they seal as flagged gaps, clearly listed before you sign.

Choose your plan

Your plan is set by the licence on this record — nothing to choose or pay. Verify and sign below to apply it.

Verify it’s you

Signing is a legal act under your name, so we confirm your identity once — with a one-time email link. Reading this record never needs an account.

Works once, for 15 minutes — no password, no account form.

Sign & seal

Verify your email in step 3 first — the seal records who signed.

Nothing new leaves your systems when you sign — signing only seals what you already see on this page.

▤ In the portal

Unlock & pay. Answer the two questions — How big is your organisation? and Are you a regulated financial firm (DORA applies)? — and the published price appears. Press Continue to payment (card, via Stripe); a leave page notes that you enter your card on Stripe (Regixo never sees or stores it) and come straight back. On return you see ✓ Payment received — activating your licence…, then a receipt.

Sign. An approver or admin presses 🔓 Sign & seal this record as <name>, reads the Before you sign page, and confirms — the record flips to the OFFICIAL seal block, with Download the official PDF alongside. Every seal writes a Version history card with what-changed diffs; when your data drifts, a Review & re-sign → banner appears.

Renew or upgrade. Under Account → Billing: Renew →, Upgrade to RoPA + DORA →, or Billing in Stripe → for invoices and card details. A tour: the compliance portal tour.

$ At the terminal
run
$ export REGIXO_LICENCE_KEY='rgx_live_…'
$ regixo verify
$ regixo seal pull <claimToken>

This one’s yours. Only a person can sign a record.

The same licence activation, headless; then the engineer brings the sealed copy home. Detail below.

— not here

An agent can read the record’s state (the trust signal reports seal: draft), but it never pays, signs, or seals — those stay human acts, by design.

run
$ export REGIXO_LICENCE_KEY='rgx_live_…'
$ regixo verify

This one’s yours. Only a person can sign a record.

The seal is produced on the machine that holds the record. The engineer brings the sealed copy home with regixo seal pull, so the OFFICIAL artifact lives next to the source it describes:

say

“Pull our signed, sealed record from the portal onto this machine.”

Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo seal pull <claimToken>

The forker's copy has no regixo verify to unlock — sealing lives in the private layer and was never in the public code. Gating is the absence of code, not a switch.

Re-sign when a core field moves

The record keeps changing as your data does. A signature does not silently follow it. When regixo watch re-scans and a core field of a signed activity moves, that activity is flagged as needing re-signing — and only that one:

what you'll see — the re-sign banner on a signed record
Regixo compliance portal · EU-hostedAnna Kessler · approver · sign out
1 activity needs RE-SIGN — the record changed since you signed on 2026-07-05. Review the changes and re-sign to keep the record defensible (Regixo never re-signs for you).
  • Take and record payments — changed: retention, recipients

What changed, day by day →

ChangeEffect on the signature
Core field — purpose · lawful basis · retention · data categories · data subjects · recipients · transfers outside the EUFlags the activity for re-sign; the diff is shown.
Metadata only — a new column, a row-count change, no legal impactNot a re-sign. Appended to the change log, marked "review suggested".
Regixo never re-signs for you Re-signing is a human act — a person re-runs the attestation over the changed record. Regixo determines which activities are stale and shows the diff; it never re-seals on your behalf. The already-signed snapshot is never mutated.

Renew each year

The licence is yearly — annual renewal is the model, because the record is a living document, not a one-time file. An expiry warning shows from 30 days out; the record stays fully OFFICIAL while it warns. On lapse the tenant flips back to draft-only — no data is deleted — with a renewal banner.

Renew from Account → Billing. For a regulated entity the DORA register carries a hard annual deadline, so the yearly cadence is not optional there.

The evidence pack

The defensible deliverable a compliance team can put in front of an auditor is the record plus its proof. Its parts:

Anyone holding the exported folder can check the seal without Regixo — run the verifier next to attestation.json:

$ node verify-attestation.mjs

Cross-check the key against ATTESTATION_KEYS.md in the public Regixo repository. The evidence is designed to outlive the vendor.

What is not built yet

Stated plainly

The independent timestamp is built, but not yet switched on. A seal can carry an RFC 3161 counter-stamp — an independent time-stamp token that corroborates when the signature existed — and the shipped offline verifier checks it. What remains is configuring the production time-stamping authority and completing the key-signing ceremony; until the owner does that (before the first paying customer), every seal records timestampProof: none and the artifact says so, with the recorded time resting on the signing server's clock. An RFC 3161 counter-stamp is not an eIDAS qualified timestamp — either way the seal backs a simple electronic signature (eIDAS Art. 25(1)), never a qualified one.

The one-file export is not built. The parts above ship individually (PDF, seals, change log, machine-readable bundle); the single assembled evidence-pack export is tracked for a later release.

The guarantees are bounded, and exact. Regixo aims to be accurate to your data (a mis-map is fixed free), complete (gaps are flagged, never silent), fresh (per-source staleness), and defensible (evidence behind each mechanical field). It never promises you will pass an audit or avoid fines — no software can — and it never gives legal advice. The signer owns the legal judgment and the signature.

REGIXO — documentation · the seal is checkable without Regixo · Glossary