Twelve specialists. Hire only the ones you need.
Each agent below is a sellable capability of RegSpace, scoped to one job, priced individually, and packaged into the three tiers most tenants ask for.
- Scout · Regulatory horizon scanner · £900/mo
- Profiler · Tenant onboarding researcher · £600/mo
- Drafter · Memo + redline writer · £1,350/mo
- Reviewer · Citation auditor · £700/mo
- Risk Captain · Risk register operator · £800/mo
- Cartographer · Organisation directory operator · £450/mo
- Engineer · Controls library + Law → Policy → Control mapping · £1,050/mo
- Coordinator · Workflow + reminders · £700/mo
- Analyst · Executive briefing · £500/mo
- Diligencer · Vendor risk + DPA gap analysis · £650/mo
- Auditor · Privacy-policy claimed-vs-actual reconciliation · £750/mo
- Mapper · Data-flow graph from RoPA + assets + vendors · £500/mo
- Corpus QA · Monthly dual-AI corpus auditor · £0/mo
Regulatory horizon scanner
Scout
Watches every regulator that touches your business.
Scout monitors UK, EU, and US primary sources every week: gazettes, regulator feeds, standards bodies, supervisory letters. Generic alerts give you noise; Scout scores each delta against your structured profile and only escalates what your counsel needs to read.
- Weekly material-deltas digest
- Trickle-down obligation mapping
- Per-source watermarks + reproducible snapshots
- Citation-pinned to primary source
- Not in scope: memo drafting (that's Drafter's job)
From £900/month à-la-carte · included in the GRC Suite tier and above.
- FCA CP24/1: operational resilience update
- ICO guidance on age-assurance for online services
- EUR-Lex: DORA secondary RTS published
- + 47 informational, filtered out
Tenant onboarding researcher
Profiler
Builds your structured tenant profile from your website.
Profiler crawls your corporate site with robots.txt adherence, classifies the policies it finds (privacy / cookies / TOU / TOS / DPA / modern slavery / acceptable use), and proposes a structured tenant profile with per-field confidence chips and verifiable evidence. You accept or edit before it's promoted to your canonical profile.
- Same-origin crawl with snapshotting
- Policy classifier (7 canonical categories)
- Evidence-backed confidence per field
- Gap callouts ('no DPA found')
From £600/month à-la-carte · included in the Compliance Office tier and above.
- Privacy notice · Found · 0.94
- Cookie policy · Found · 0.92
- Data processing addendum · Gap
- Acceptable use · Found · 0.81
Memo + redline writer
Drafter
Drafts counsel memos and DOCX redlines, fully cited.
When a regulatory change touches a policy you've published, Drafter produces a counsel-grade memo summarising the impact and a DOCX redline with track changes against your original document. Every claim it emits cites a verifiable primary source; the Reviewer agent re-checks the citations before anything ships.
- Three-tier memo writer (Tier-A digest, Tier-B counsel, Tier-C board)
- DOCX redline with track changes + footnoted rationale
- Citation-pinned to primary source
- Amended-policy export (full doc with strikethrough + highlight)
From £1,350/month à-la-carte · included in the Foundation tier and above.
We retain personal data for two years → three years following the end of our contractual relationship, or longer where required by applicable law.
ICO Code of Practice §32(b) · verified
Citation auditor
Reviewer
Re-verifies every citation before any artefact ships.
Reviewer is a second LLM (different vendor where possible) that re-fetches every citation from frozen snapshot storage and string-matches the quoted text against the recorded content hash. A claim whose citation fails verification is sent back to Drafter; failed-citation memos never reach you.
- Citation byte-match against snapshot store
- Cross-vendor LLM (Gemini ↔ Claude) for second opinion
- Hash-chained audit trail of every verdict
- Failed-citation findings auto-flagged for human review
From £700/month à-la-carte · included in the GRC Suite tier and above.
23 of 24 byte-matched · 1 sent back to Drafter
Risk register operator
Risk Captain
Runs your ISO 31000 / COSO ERM register with auditable history.
Risk Captain replaces the spreadsheet your risk register lives in today. Twelve ISO 31000 / COSO ERM categories, four treatment strategies (avoid / reduce / transfer / accept), five-state status lifecycle, jurisdictions, target residual scores, and a hash-chained field-level history per risk.
- 5×5 inherent + residual matrix with auto-computed score
- Treatment strategy + plan + target residual
- Owner role binding (via Cartographer)
- CSV export with all 25 canonical columns
From £800/month à-la-carte · included in the Compliance Office tier and above.
L4 × I4 = 16 · High · PII bucket exposure
Organisation directory operator
Cartographer
Maps your departments, roles, and owners; survives staffing changes.
Upload an HRIS-style CSV (BambooHR / Workday / Personio columns are aliased automatically). Cartographer builds the department tree + role list + reports-to chain, then lets you assign role holders inline. When the CISO moves on, every artefact owned by that role automatically points at the new holder.
- CSV import with HRIS column aliasing
- Department tree + role reports-to chain
- Role-first identity (NIST PM-29 / ISO 27001 A.5.2)
- Append-only directory history
From £450/month à-la-carte · included in the Compliance Office tier and above.
- Engineering
- ↳ CISO · ciso@acme.test
- ↳ Head of Platform · Vacant
- Legal
- ↳ DPO · dpo@acme.test
Controls library + Law → Policy → Control mapping
Engineer
Operates your control library and the obligation graph.
Engineer maintains a NIST SP 800-53 / COBIT 2019-flavoured control taxonomy and the three mapping tables that make Law → Policy → Control queryable: which controls mitigate which risks, which controls implement which policy clauses, which controls satisfy which regulator clauses. A failing control back-propagates through the graph.
- 7 control kinds (policy / technical / physical / process / detective / corrective / preventive)
- Implementation lifecycle (not_started → live → failing → retired)
- Risk × control × policy × obligation mapping
- Attestation cadence + evidence URIs
From £1,050/month à-la-carte · included in the GRC Suite tier and above.
Bucket public-read guard
↳ GDPR Art. 32 · ISO 27001 A.5.2
↳ mitigates 3 risks · implements 2 policy clauses
Workflow + reminders
Coordinator
Materialises tickets, dispatches reminders, advances cycles on completion.
Coordinator turns recurring review schedules into a shared inbox. Every risk, control, policy, obligation, finding, or attestation can carry a review cycle; Coordinator materialises tickets when the lead window opens, dispatches reminders via Postmark / Slack / Teams / generic webhook, and advances the cycle's next-due date when the ticket completes.
- Recurring cycles on any artefact (7 frequencies)
- Email / Slack / Teams / webhook dispatch
- SLA tracking; overdue surfaces in the dashboard
- Audit-trail notes per ticket + every notification logged
From £700/month à-la-carte · included in the GRC Suite tier and above.
- Q3 attestation: bucket guard · Overdue
- Sub-processor refresh · 7d
- Privacy notice review · Open
Executive briefing
Analyst
Renders your live compliance posture for the board and the CCO.
Analyst aggregates posture across risks, controls, tickets, and the obligation graph into a single executive view. Filter by jurisdiction or department; drill into any tile to land on the underlying register / library / inbox. Updates in real time as Risk Captain, Engineer, and Coordinator do their work.
- Single-roundtrip aggregate (no N+1 fan-out)
- Risk-by-jurisdiction heatmap
- Failing-control + overdue-ticket counters
- 30-day on-time-review velocity
From £500/month à-la-carte · included in the GRC Suite tier and above.
Vendor risk + DPA gap analysis
Diligencer
Scores every supplier in your register against transfer rules, contract gaps, and audit recency.
Diligencer reads the vendor + processing-activity registers and runs a deterministic rule pass — country adequacy, DPA presence, SCCs module fit, audit recency, contract expiry. The score is the sum of triggered rule weights, capped at 1.0, so an operator can see exactly why a vendor scored what it did. Fires on every vendor save plus a weekly schedule.
- Per-vendor risk score that updates on save
- Findings list ('missing DPA', 'transfer to US without SCCs')
- Adequacy table maintained against current EU + UK decisions
- High-risk audits surfaced as Coordinator review tickets
From £650/month à-la-carte · included in the GRC Suite tier and above.
- Acme Analytics · 72% · missing DPA
- DataPipe Inc · 48% · transfer no SCCs
- Stripe Payments · 12% · clean
Privacy-policy claimed-vs-actual reconciliation
Auditor
Reads your privacy notice + cookie policy and finds every gap against your actual register.
Auditor reconciles policy text against the underlying registers (vendors, RoPA, cookies, DPIAs, legal entities). Heuristic rules cover the GDPR Art 13/14 transparency obligations + the ICO/EDPB cookie-naming guidance. Critical findings include 'transfers not disclosed' and 'DPIA required, no record'; material findings include 'cookie not in policy' and 'vendor not named'.
- 11 deterministic findings per policy
- Critical / material / informational severity
- DPIA evidence reconciliation per RoPA entry
- Cookie inventory cross-check against policy text
From £750/month à-la-carte · included in the GRC Suite tier and above.
- crit · DPIA required for AI summarisation, no record
- mat · Vendor not named: Twilio (processor)
- mat · Cookie not in policy: _ga (analytics)
Data-flow graph from RoPA + assets + vendors
Mapper
Builds the data-flow diagram auditors ask for during DPIA reviews.
Mapper assembles a node-link graph showing where personal data actually flows: which subject categories enter which activities, which assets host them, which vendors process them, and which countries the data ends up in. The graph stays in sync with the live RoPA + asset + vendor registers, so the picture you show an auditor is the picture as of right now.
- Live data-flow graph rendered in the portal
- Five node kinds: subject, activity, asset, vendor, country
- Cross-border transfers as terminal nodes with safeguard label
- Foundation for 'sub-processor not in privacy policy' findings
From £500/month à-la-carte · included in the GRC Suite tier and above.
Monthly dual-AI corpus auditor
Corpus QA
The conscience of the canonical-clause corpus.
Corpus QA is RegSpace's monthly self-check on the ground truth that drives every gap analysis. It audits each canonical clause across six dimensions — policy_type, jurisdiction, obligation_category, tier, intent_summary, archive — using Claude and Gemini in parallel. Where both agree on a fix it files a normal change proposal; disagreements stay in the audit log for the super-admin to read. Tenants never see this agent directly — they see fewer mis-categorised findings.
- Monthly full-corpus audit (Cloud Scheduler @ 1st 03:00)
- Dual-LLM agreement gate before any proposal is filed
- Per-clause audit history in canonical_qa_audits
- Routes through the same super-admin proposal queue
- Not in scope: rewriting clause text (that's Canonicaliser + Reviewer)
- Not in scope: tenant-visible findings (it's platform-internal)
From £0/month à-la-carte · included in the GRC Suite tier and above.
Not sure which agents fit your stack?
30-minute discovery call: we walk through your current GRC tools, your owner accountability, your audit cadence, and recommend a tier or bespoke agent mix. We quote on the call.