RegRadar

by TokenShift

About RegRadar by TokenShift

Why we built a regulatory-ops platform around the three-lines-of-defence model and not around alert volume.

Company

RegRadar is the regulatory-operations product inside TokenShift, an EU-based AI lab that builds auditable workflow tools for regulated industries. We started RegRadar in 2025 because the compliance teams we spoke to — at EU payment institutions, digital banks, French asset managers, German and Italian universal banks, insurance groups, and ESG advisory firms — kept telling us the same thing: “We do not need another alerting feed. We need the alert turned into a signed, defensible decision, and we need the evidence ready before the supervisor asks for it.”

The problem, named properly

Most regulatory change products solve one of three problems in isolation: ingestion (RSS/Atom fan-out), summarisation (plain-language abstract of each release), or distribution (newsletter to stakeholders). None of those three produce a defensible audit trail. An EU banking supervisor on site does not ask “did you see the release” — they ask “who decided it did not apply to your perimeter, when, on what evidence, and who countersigned.”

RegRadar answers that last question. Every impact routes through a three-lines-of-defence signoff chain backed by SHA-256 hashes: the 1LoD business owner structures and signs, the 2LoD Compliance or Risk reviewer countersigns or challenges, and the 3LoD internal auditor can review the chain read-only. The hash of each signoff is recomputed on every audit export and compared to the stored value. A broken chain blocks new signoffs by design. See the three-lines-of-defence methodology for the JSON schema and inspection walkthrough.

EU-first by architecture, not by marketing

RegRadar runs on EU-region infrastructure by default: EU application hosting, EU Postgres, EU backup region, EU log region. Authentication is externalized through Supabase EU. Transactional email is Brevo-first with SMTP fallback. AI processing is routed through providers that commit to zero-retention and no-training policies; the impact detail exposes the provider, jurisdiction, temperature, and attestation on every AI output so an operator can state these facts to an internal auditor or to a supervisor. Enterprise deployments can request a fully private tenant, an EU-hosted Azure OpenAI or Mistral routing, and stricter residency controls.

Scope we refuse to chase

RegRadar is not a full obligations-to-controls platform. It does not attempt to map every control in your ICFR library to every paragraph of MiFID II. That work belongs in tools with dedicated teams and seven-figure price tags. RegRadar is the action layer: capture the change, structure it, route it through three lines of defence, produce the evidence pack. We ship a paid eight-week pilot at €15k that deploys one topic on one team; the Core annual workspace is €36k for up to ten users, three topics, and seventy-five monitored sources. Enterprise starts at €90k and is private-deployment-friendly.

Who we serve today

As of 2026, RegRadar runs pilots with French banks (ACPR / Banque de France perimeter), German universal banks (BaFin / Bundesbank MaRisk / BAIT perimeter), Italian banks and asset managers (Banca d'Italia / CONSOB / IVASS), Dutch payment institutions (DNB / AFM), and French ESG consulting firms covering CSRD / SFDR / taxonomy mandates for portfolio clients. Supervised locale support covers English, French, German, and Italian at the shell level; source coverage is broader and extends to Benelux, Nordics, and Iberia through source-pack presets.

Trust posture

The Security overview and the in-product Trust Center expose hosting region, subprocessors, DORA Chapter V artefacts, DPA state, PII-in-prompts controls, and procurement disclosures. We do not claim SOC 2 / ISO 27001 reports we have not earned; where documents are templates or in-progress, we say so. Real external attestations are linked from the Trust Center as they become available.

Talk to us

Buyers should write to hello@tokenshift.ai to scope an eight-week paid pilot. Prospective operators inside an existing tenant can request an invite from their administrator. Procurement teams can request our DPA, security posture, and artefact index through the same inbox.