Built so your data can't leave.
Not a policy promise — an architecture. Regixo runs on your machine, reads metadata only, and stores everything in a local folder you can delete. This page shows exactly what is read, what is stored, and the one thing that can ever leave — with your confirmation.
What Regixo reads — and never reads.
The scanner connects to your sources the way a schema browser does: it lists the structure, never the contents.
Reads — metadata only
The shape of your data, never the data.
- ✓Table & column names —
users,email,card_last4 - ✓Column types — text, number, date
- ✓Structure & lineage — how views and models connect
- ✓Source health — reachable or not, when last scanned
Never reads
Not sampled, not cached, not "anonymised" — not read at all.
- ✕Row values — no names, emails, records, or contents
- ✕Samples or previews — nothing is "peeked at" to classify
- ✕Credentials — connection secrets stay in your environment, never written to config
- ✕Telemetry — nothing phones home; the code is open to check
Nothing leaves — unless you forward it.
Regixo talks to your own databases and SaaS accounts to read their structure — and to nothing else. The only time it sends anything to us is the moment you choose to forward the draft record to your compliance team. Before anything is sent, it shows you exactly what will travel and asks you to confirm.
✓Goes: dataset names, personal-data flags, the drafted record
✓Goes: source list & scan coverage — so the reader knows what the draft is built on
✕Never goes: row values, credentials, or anything you didn't see in this preview
The paid layer adds safeguards, not access.
Paying never widens what Regixo can read. It adds protections around the record your compliance team relies on.
The attestation seal
When the signer on your compliance team signs the record, the seal binds who signed, their organisation and role, and when into a cryptographically signed payload (Ed25519). Anyone can verify it offline — without Regixo, without us, without an internet connection.
The seal only ever attests mechanical facts. The legal calls — purpose, lawful basis, retention — are confirmed by a human and marked as such.
EU-hosted, tenant-isolated
Opens with the portalThe hosted portal (for claim links and record management) runs in the EU with per-tenant encryption at rest and an append-only audit log. It only ever holds the same metadata-only snapshot you saw in the pre-send preview.
A GDPR Art. 28 data-processing agreement ships with the portal opening — before any customer metadata is hosted.
You can read every line that touches your data.
The split is a one-way door: everything that connects to your systems is public code. The paid layer only adds signing and export — it contains no scanner.
Everything that reads your data
The CLI, the scanner, every connector, the local store, the draft generator, and the dashboard — all open source. If it can touch your systems, you can audit it, build it yourself, and pin the exact version you reviewed.
Only the safeguards
The paid package holds the attestation signing, official export, and portal account layer. It contains no scanner and no connector — it never gains a way to read more than the free code you can inspect.
Report a vulnerability.
Security reports go straight to the maintainers — privately, before any public issue.
Responsible disclosure
Email security@regixo.com with what you found and how to reproduce it. Please don't open a public GitHub issue for security problems — give us a chance to fix it first. The full policy lives in SECURITY.md in the repository, and we credit reporters unless you'd rather stay anonymous.
Don't take our word for it.
The strongest privacy claim is code you can read. Run the scan on a test database and watch what it does — nothing leaves your machine.
npx regixo start