RegSpace
Agentic GRC platform

Hire a team of AI agents to run your governance, risk, and compliance.

RegSpace replaces your spreadsheet risk register, your manual policy reviews, your stack of regulator-alert subscriptions, and the paralegal hours wasted triaging them. Twelve specialist agents, purpose-built for GRC, citation-grounded by architecture, and lawyer-reviewed before anything ships.

UK, EU, and US tenants · data residency enforced per client · SOC 2 Type 1 in flight

Scout · Agent

Horizon scanner

Flags the 3 deltas that matter this week

Drafter · Agent

Memo + redline writer

Drafts a cited counsel memo + DOCX redline

Reviewer · Agent

Citation auditor

Re-verifies every quoted source before publish

Risk Captain · Agent

ISO 31000 register

Maintains your 5×5 risk matrix + history

Engineer · Agent

Controls library

Maps law clauses → controls → mitigations

Analyst · Agent

Executive briefing

Renders live posture for the board

+ Profiler, Cartographer, Coordinator, Diligencer, Auditor, and Mapper. See all 12 agents →

Four GRC problems no spreadsheet has solved.

Compliance teams across the UK, EU, and US tell us the same story. Every box below is one your team has either bought a tool for or is quietly losing time to. RegSpace consolidates the lot.

Generic alerts aren’t intelligence

You drown in irrelevant headlines while the rule that affects your vendor contract slips past unread. Noise scales; signal doesn’t.

Risk registers stuck in Excel

Three people own three versions. Owner fields drift when staff change. The CCO can’t answer “what’s our residual exposure in the EU today?” without an email thread.

Owner accountability vacuum

Free-text “owner: head of security” on a control breaks the moment the head of security leaves. Tickets pile up in an inbox no-one watches. SLAs slip silently.

Audit-evidence scrambles

When the auditor arrives, “show me the trail for that control attestation” turns into two analysts and a week of archaeology. Hash-chain audit trails or it didn’t happen.

Meet the agents

Twelve specialists. One platform. Hire the mix you need.

Every sellable capability of RegSpace is its own AI agent, named, scoped, and priced. Start with the three-agent Foundation, add the in-house compliance team, or run the full GRC Suite. Mix and match; cancel an agent and pay only for what's left.

  • This week · 3 material
    • FCA CP24/1: operational resilience update
    • ICO guidance on age-assurance for online services
    • EUR-Lex: DORA secondary RTS published
    • + 47 informational, filtered out

    Scout

    Regulatory horizon scanner

    Watches every regulator that touches your business.

    Surfaces only the changes that are material to your jurisdictions, sectors, and customer footprint.

    From £900/mo
  • Profile draft · v1
    • Privacy notice · Found · 0.94
    • Cookie policy · Found · 0.92
    • Data processing addendum · Gap
    • Acceptable use · Found · 0.81

    Profiler

    Tenant onboarding researcher

    Builds your structured tenant profile from your website.

    Two-day onboarding instead of a four-week intake spreadsheet. Every inferred field grounded in a quoted excerpt.

    From £600/mo
  • Privacy notice · redline

    We retain personal data for [-two years-]{+three years+} following the end of our contractual relationship, or longer where required by applicable law.

    ICO Code of Practice §32(b) · verified

    Drafter

    Memo + redline writer

    Drafts counsel memos and DOCX redlines, fully cited.

    Three-tier memos (digest / counsel / board) and policy redlines with track changes. No claim without a primary-source citation.

    From £1,350/mo
  • Citations re-verified

    23 of 24 byte-matched · 1 sent back to Drafter

    Reviewer

    Citation auditor

    Re-verifies every citation before any artefact ships.

    Zero ungrounded claims. Every quoted text is byte-matched against the recorded snapshot before publish.

    From £700/mo
  • Residual heatmap · 5×5
     5  10  15  20  25
     4   8  12  16  20
     3   6   9  12  15
     2   4   6   8  10
     1   2   3   4   5

    L4 × I4 = 16 · High · PII bucket exposure

    Risk Captain

    Risk register operator

    Runs your ISO 31000 / COSO ERM register with auditable history.

    Inherent + residual 5×5 scoring, treatment lifecycle, owner role binding, CSV export at will.

    From £800/mo
  • Org tree
    • Engineering
    • CISO · ciso@acme.test
    • Head of Platform · Vacant
    • Legal
    • DPO · dpo@acme.test

    Cartographer

    Organisation directory operator

    Maps your departments, roles, and owners; survives staffing changes.

    Every owner field (risks, controls, policy approvals, tickets) binds to a stable role identity, not a person.

    From £450/mo
  • Control · CTRL-DPO-01
    Technical · Failing

    Bucket public-read guard

    ↳ GDPR Art. 32 · ISO 27001 A.5.2

    ↳ mitigates 3 risks · implements 2 policy clauses

    Engineer

    Controls library + Law → Policy → Control mapping

    Operates your control library and the obligation graph.

    When a control fails, every law clause and risk it covers auto-flags within an hour.

    From £1,050/mo
  • Inbox · 4 due
    • Q3 attestation: bucket guard · Overdue
    • Sub-processor refresh · 7d
    • Privacy notice review · Open

    Coordinator

    Workflow + reminders

    Materialises tickets, dispatches reminders, advances cycles on completion.

    Email + Slack + Teams reminders 30 days before every review deadline; SLA-tracked overdue ticket count.

    From £700/mo
  • Compliance posture
    Critical risks: 3
    Failing controls: 1
    Overdue tickets: 2
    Reviews on time: 12

    Analyst

    Executive briefing

    Renders your live compliance posture for the board and the CCO.

    One-roundtrip dashboard: critical risks, failing controls, overdue tickets, jurisdiction heatmap.

    From £500/mo
  • Vendor risk · top 3
    • Acme Analytics · 72% · missing DPA
    • DataPipe Inc · 48% · transfer no SCCs
    • Stripe Payments · 12% · clean

    Diligencer

    Vendor risk + DPA gap analysis

    Scores every supplier in your register against transfer rules, contract gaps, and audit recency.

    Per-vendor risk score 0-100 with a transparent rule set: missing DPA, transfer to non-adequate country without SCCs, audit > 12 months old.

    From £650/mo
  • Privacy notice audit · 3 findings
    • crit · DPIA required for AI summarisation, no record
    • mat · Vendor not named: Twilio (processor)
    • mat · Cookie not in policy: _ga (analytics)

    Auditor

    Privacy-policy claimed-vs-actual reconciliation

    Reads your privacy notice + cookie policy and finds every gap against your actual register.

    Findings list per policy: vendors not named, cookies not disclosed, DPIA-required activities with no record, transfers undisclosed, controller not identified.

    From £750/mo
  • Data flow · customer email
    Customer → Sign-up → Mailchimp
    US (SCCs)

    Mapper

    Data-flow graph from RoPA + assets + vendors

    Builds the data-flow diagram auditors ask for during DPIA reviews.

    DAG of data subjects → processing activities → assets → vendors → transfer countries, refreshed live from your registers.

    From £500/mo
  • Corpus QA

    Monthly dual-AI corpus auditor

    The conscience of the canonical-clause corpus.

    Every published clause re-audited by Claude + Gemini at least monthly; only fixes both models agree on become proposals.

    From £0/mo

Pricing scales with the mix. À-la-carte from £600/mo.

See tiers, agent prices, and a comparison vs. OneTrust + AuditBoard →

Product tour

What your agents produce, day one.

Every screen below is the live portal: risk register, controls library, executive dashboard. Your agents populate them; your team reviews and signs off.

01 · Risk Captain

ISO 31000 risk register, with a 5×5 heatmap and audit trail.

Every risk carries inherent + residual scoring, treatment strategy, owner role, jurisdictions, target residual, and a hash-chained field-level history. CSV export at will. The heatmap below is the actual /risks/[id] component, not a mockup.

app.regspace.ai/risks/r-001
R-001 · Cyber · In treatment · Reduce

Loss of customer PII via cloud storage misconfiguration

Public-read on a GCS bucket could leak PII for ~50K customers.

Inherent: 20
Residual: 8 · target 4

Heatmap · L × I
      L1  L2  L3  L4  L5
I5     5  10  15  20  25
I4     4   8  12  16  20
I3     3   6   9  12  15
I2     2   4   6   8  10
I1     1   2   3   4   5

Owner: CISO · Engineering
Jurisdictions: UK, EU
Cadence: Quarterly
Last reviewed: 12 Apr 2026
Next review: 12 Jul 2026
Linked controls: 3 (CTRL-DPO-01 …)

02 · Engineer

Controls library + Law → Policy → Control mapping.

A failing control auto-flags every risk it mitigates and every law clause it satisfies. Back-propagation on a graph, not a notification dump. The badge in the corner is the dashboard trigger.

app.regspace.ai/controls

Controls library

1 failing
  • CTRL-DPO-01 · Bucket public-read guard · Failing · technical
    GDPR Art. 32 · ISO 27001 A.5.2
  • CTRL-VENDOR-01 · Sub-processor due diligence pack · In progress · process
    GDPR Art. 28 · DPA 2018
  • CTRL-LOG-04 · Privileged-access audit logs retained 365d · Live · detective
    ISO 27001 A.8.16 · SOC 2 CC7.2
  • CTRL-IR-02 · Incident response drill, quarterly · Live · process
    DORA Art. 17 · NIS2 Art. 21(2)(c)

Each row links to a detail page with the risks it mitigates, the policy clauses it implements, and the regulator clauses it satisfies.

03 · Analyst

One-roundtrip executive dashboard. Drill anywhere.

Risk × jurisdiction heatmap, failing-control counter, overdue-ticket gauge, 30-day on-time-review velocity. Aggregated server-side; renders without a single N+1 fan-out.

app.regspace.ai/dashboard

Compliance posture

Critical risks: 3 (2 high · 11 total)
Failing controls: 1 (1 attestation overdue)
Overdue tickets: 2 (6 open · 12 closed (30d))
Reviews on time: 12 (last 30 days)

Risk by jurisdiction
Jurisdiction  Critical  High
UK            2         1
EU            1         1
US            0         0

Trust & architecture

Six controls that make this safe to rely on.

Legal-grade reliability is an engineering problem, not a prompt-engineering problem. We built RegSpace so the important guarantees are enforced by code.

FAQ

Questions we hear on every first call.

How is this different from OneTrust, AuditBoard, or LogicGate?

Those are forms-and-workflows tools, useful but the work still falls on your humans. RegSpace is the same surface area (risk register, controls library, tickets, dashboards) operated by specialist AI agents. Scout watches regulators; Drafter writes redlines; Reviewer checks every citation; Engineer maintains the controls graph; Diligencer scores vendor risk; Auditor reconciles your privacy notice against the real registers; Mapper draws the data-flow graph; Coordinator dispatches reminders. You hire the mix you need; you pay only for the agents you keep.

Is this legal advice?

No, and we say so on every deliverable. RegSpace produces draft regulatory intelligence for your qualified counsel to rely on. We do not form a lawyer-client relationship and we do not displace your legal team's judgement. Every material output is signed off by a qualified lawyer on our side before it reaches you.

What if an agent hallucinates a citation?

It can't publish. The Reviewer agent re-reads every citation's frozen snapshot from our tenant-isolated storage and byte-matches the quoted text against the recorded content hash. Any claim whose citation fails verification is sent back to the writer; it never reaches you. A cross-vendor second opinion (Gemini ↔ Claude) is used where supported.

Do you train on our policies?

No. We use zero-retention inference endpoints where our model providers support them, and we do not fine-tune or train on any client data. Your policies live in a tenant-isolated store with a per-tenant CMEK encryption key; revoking the key renders the data unreadable.

Can I start with one agent and add more later?

Yes. Foundation (Scout + Drafter + Reviewer) is the entry point; most pilots start here. Adding Risk Captain, Cartographer, Engineer, Coordinator, Analyst, Diligencer, Auditor, or Mapper is a billing-day-of-the-month upgrade with no migration. Removing an agent is the same: cancel for the next billing period and you stop paying for it.

How is this priced versus OneTrust / AuditBoard?

Cheaper at every tier and transparent on the website. Foundation lists at £30,000/year (vs. an opaque OneTrust SKU starting around $30,000 USD with modules billed extra). Our top tier (GRC Suite, all 12 agents) is £120,000/year vs. the £180,000–£300,000+ range OneTrust or AuditBoard typically quote for an equivalent surface. Full breakdown on the pricing page.

How do you handle our industry vertical?

Our obligation taxonomy has 17 top-level categories and 12 sector codes. Trickle-down exposure (the rules that flow through your customers' sectors to you) is modelled as a first-class relationship, so a SaaS vendor to airlines automatically inherits the relevant EASA cyber obligations.

Which jurisdictions do you cover?

At launch: US federal and priority states, the UK, and all 27 EU member states. Coverage means weekly monitoring of the primary regulators and legislative trackers in each jurisdiction. We add more jurisdictions as our client base expands.

What's the deployment time?

Two weeks for Foundation, three weeks for Compliance Office, four weeks for the full GRC Suite. Profiler does most of the onboarding work itself: it crawls your corporate site, classifies the policies it finds, and proposes a structured tenant profile your counsel reviews. The first weekly digest typically lands in week three.

Pick your agent mix. Ship in two weeks.

Foundation pilots are up and running within two weeks: Profiler handles intake from your corporate site, Scout’s first weekly digest lands in week three, and Drafter has redlined your first policy by the end of the month. Compliance Office and GRC Suite add 1–2 weeks for orgchart and controls setup.