Services

GDPR Compliance Consulting for Software Companies

Regulation (EU) 2016/679 has extraterritorial reach under Article 3(2) — if you sell to or profile EU data subjects, you are in scope regardless of where you are incorporated. We deliver the Article 30 RoPA, Article 35 DPIA, Article 28 processor contracts, Article 32 technical and organisational measures, Article 33–34 breach response, and the Article 44–49 international transfer pack (2021 SCCs, TIA, supplementary measures) as one integrated engineering deliverable — not five separate legal binders. Engineering-grade evidence, defensible memos, board-ready risk register. From 6,500 EUR for the Readiness Assessment.

Article 83(5) penalties reach 20 million EUR or 4 percent of global annual turnover, whichever is higher, for the worst categories of violation: breaches of the basic principles and lawful basis, data-subject rights failures, and unlawful international transfers. But most software companies do not need a 200-page binder; they need a defensible data map, a clean SCC package, a working DSAR pipeline, and a breach response runbook that survives the Article 33 72-hour clock. We have done this for SaaS vendors, fintechs, healthtechs and US companies entering the EU market. The deliverable is operational, owned by your team, and doubles as input for SOC 2 and ISO 27001.

What we deliver

Article 30 RoPA & data map

Living inventory of every processing activity: purpose, Article 6 lawful basis, Article 9 special-category basis where relevant, categories of data subjects and data, retention, recipients, international transfers. Maintained in your tool, not a frozen PDF.

Article 35 DPIA

DPIA template plus worked DPIAs for high-risk processing — large-scale special-category, systematic monitoring, profiling with legal effect under Article 22, new technology. Aligned to WP29 / EDPB methodology with risk treatment that engineering can actually implement.

Article 28 DPA pack

Controller-to-processor and processor-to-sub-processor DPAs aligned to Article 28(3), including audit rights, sub-processor flow-down, deletion/return obligations, and the eight mandatory clauses. Negotiation playbook for hyperscaler templates included.

Article 32 TOMs

Technical and organisational measures: encryption in transit (TLS 1.3) and at rest (AES-256, KMS-managed keys), MFA, RBAC, audit logging, vulnerability management SLAs, annual pentest, BCP/DRP with measured RTO/RPO. Documented to evidence each Article 32(1) sub-paragraph.

Articles 44–49 transfer pack

2021 EU SCCs (correct module per relationship), Transfer Impact Assessment per Schrems II and EDPB Recommendations 01/2020, supplementary measures, EU-US Data Privacy Framework certification support where relevant, and the customer-facing transparency notice.

Rights & breach workflows

Articles 12–22 data-subject rights pipeline in your product (access, rectification, erasure, portability, objection, automated-decision review), and the Article 33–34 breach response runbook tied to the 72-hour notification clock.

What we cover

Article 3 Territorial Scope · Article 5 Principles · Article 6 Lawful Basis · Article 7 Consent · Article 9 Special Category · Articles 12–22 Rights · Article 22 Automated Decisions · Article 25 Privacy by Design · Article 27 EU Representative · Article 28 Processor · Article 30 RoPA · Article 32 Security · Article 33 Breach 72h · Article 34 Subject Notice · Article 35 DPIA · Article 37 DPO · Articles 44–49 Transfers · 2021 EU SCCs · UK IDTA / Addendum · EU-US DPF · Schrems II TIA · EDPB Rec. 01/2020 · UK GDPR / DPA 2018 · ePrivacy Cookies

How an engagement runs

  1. Scope & map

     Week 1: confirm controller/processor roles per relationship, inventory every processing activity, identify special-category and cross-border flows, draft the Article 30 RoPA in your data-mapping tool.

  2. Gap analysis

     Week 2: gap the in-scope processing against Articles 5, 6, 12–22, 25, 28, 30, 32, 33–34, 35 and 44–49, score each gap by risk and effort, produce a remediation roadmap with owners and dates.

  3. Implement

     Weeks 3–8: ship the DPA pack, DPIA template plus one worked DPIA, Article 32 TOMs hardening, DSAR pipeline, SCC and TIA package, breach runbook, public privacy notice. Engineering-led, not legal-only.

  4. Operate

     From month three: quarterly evidence refresh, EDPB / national authority monitoring, DSAR triage, breach support on standby, vendor DPA reviews, annual audit dry run.

Engagement packages

Readiness Assessment

Two weeks, fixed scope. Article 30 RoPA, gap analysis against the operative articles, remediation roadmap, and a 60-minute executive briefing with the founder and counsel. 6,500 EUR fixed.

Implementation Pack

Six to eight weeks. DPA pack, Article 35 DPIA template plus one worked DPIA, Article 32 TOMs implementation, Articles 12–22 DSAR pipeline in your product, SCC + TIA pack, Article 33–34 breach runbook, public privacy notice. 18,000 EUR fixed.

DPO-as-a-Service

Ongoing monthly retainer. Quarterly evidence refresh, EDPB / ICO / CNIL / BfDI / AEPD / Garante monitoring, DSAR triage, breach support, up to 10 vendor DPA reviews per month, annual audit dry run. 3,500 EUR/month.

Article 27 EU representative appointment is quoted separately at cost. Three-month minimum on DPO-as-a-Service, month-to-month thereafter with 30 days notice. NDA, DPA and IP assignment signed before kickoff.

Why founders and counsel pick YuSMP for GDPR work

GDPR-aligned · ISO 27001 ready · SOC 2 Type II in progress · HIPAA-capable · ISO/IEC 42001-aligned

Engineers, not policy consultants

We read the codebase, the data pipeline, and the auth flow before we draft the RoPA. Our DPIAs hold up because they reflect what the system actually does — not what a slide deck claims.

One evidence library, many regimes

GDPR, ISO 27001, SOC 2, EU AI Act, HIPAA — underlying controls overlap. We build one versioned evidence library that discharges duties across all of them instead of running parallel binders.

Inside your operating cadence

We sign the DPA and NDA before kickoff, take repo access, and attend your engineering staff meeting and your board legal update. The artefacts live in your stack and are owned by your team after handover.

For Article 27 EU representative we partner with established firms in Ireland and Germany; for litigation-grade DPIAs and regulator engagement we co-deliver with privacy counsel of your choosing.

Frequently asked questions

We are a US company with EU customers — does GDPR actually apply to us, and how?

Yes, Article 3(2) gives GDPR extraterritorial reach. If you offer goods or services to data subjects in the Union (paid or free), or you monitor their behaviour (analytics, profiling, retargeting), you are in scope regardless of where your servers or HQ sit. You will also need an Article 27 EU representative unless you fall under the narrow Article 27(2) exemption (occasional, low-risk processing with no large-scale special-category data). Penalties under Article 83(5) reach 20 million EUR or 4 percent of global annual turnover, whichever is higher. We arrange the Article 27 representative appointment through our partner firms and deliver the Article 30 records, the Article 28 processor contracts, and the Article 32 security baseline as one integrated package rather than separate workstreams.

What is the difference between a RoPA, a DPIA, and a TIA, and which do we actually need?

Article 30 RoPA (Records of Processing Activities) is mandatory for almost every controller and processor — a living inventory of every processing purpose, lawful basis under Article 6, categories of data subjects and data, retention, recipients, and transfers. Article 35 DPIA is required when processing is likely to result in high risk to rights and freedoms — large-scale special-category processing, systematic monitoring, automated decisions with legal effect, new technology. A TIA (Transfer Impact Assessment) is required under Schrems II whenever you rely on Article 46 SCCs for transfers to a third country without an adequacy decision. We deliver all three using a single source-of-truth data map so they stay synchronised instead of drifting.

How do we handle data transfers from the EU to the US post-Schrems II?

Three lawful routes under Chapter V (Articles 44–49). First, Article 45 adequacy: the EU-US Data Privacy Framework adequacy decision is currently valid. It is the US importer that self-certifies under the DPF; transfers to a certified importer then need no SCCs, TIA or supplementary measures, but you still have to check that the importer's certification is current and covers the data in question. Second, Article 46 Standard Contractual Clauses (the 2021 EU SCCs, four modules) combined with a Transfer Impact Assessment and supplementary measures per EDPB Recommendations 01/2020: encryption in transit and at rest with the keys held solely by the exporter (the EDPB treats encryption as effective only where the importer cannot access the keys), split or multi-party processing, and contractual transparency obligations. Third, Article 49 derogations for specific situations, which are narrow and never a default. We draft the SCC package, the TIA, the supplementary technical measures, and the customer-facing transparency notice as one bundle.

What does Article 32 security actually require in technical terms?

Article 32(1) requires technical and organisational measures appropriate to the risk, including (a) pseudonymisation and encryption, (b) ongoing confidentiality, integrity, availability and resilience, (c) the ability to restore availability and access after an incident, (d) a process for regular testing, assessing and evaluating effectiveness. In practice for SaaS that means encryption in transit (TLS 1.2+ minimum, ideally 1.3), encryption at rest (AES-256, KMS-managed keys), MFA for admin access, RBAC with least privilege, audit logging with tamper resistance, vulnerability management with documented SLAs, annual penetration testing, an incident response runbook tied to the Article 33 72-hour breach notification clock, and a BCP/DRP with measured RTO/RPO. We implement and document each of these to evidence Article 32 compliance under audit.
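One of the Article 32 measures named in the "Article 32 TOMs" section and in the answer above is audit logging with tamper resistance, which also gives you evidence for Article 32(1)(d) (regular testing) and for Article 33 breach investigation. The following is an added illustration of one common way to build that, a keyed hash chain, and is not code from this page's deliverables. It assumes a hypothetical `LOG_KEY` held in a KMS or HSM in production, and uses constructed sample events; every edit, deletion or reorder of a record breaks verification at the first affected sequence number.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Hypothetical MAC key for the demo. In production this is a KMS/HSM-held key
# that the application can use to sign but that log administrators cannot read.
LOG_KEY = b"demo-audit-log-key-do-not-use"
GENESIS = "0" * 64  # "previous MAC" of the very first record


def _canonical(record: Dict) -> bytes:
    """Canonical JSON so the same record always produces the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: List[Dict], actor: str, action: str, target: str, ts: str) -> Dict:
    """Append a record whose MAC covers its fields and the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {
        "seq": len(chain),
        "ts": ts,
        "actor": actor,
        "action": action,
        "target": target,
        "prev": prev,
    }
    record["mac"] = hmac.new(LOG_KEY, _canonical(record), hashlib.sha256).hexdigest()
    chain.append(record)
    return record


def verify_chain(chain: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq). Sequence gaps, broken links and bad MACs all fail."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, None


def build_sample_chain() -> List[Dict]:
    """Constructed sample events (not real log data)."""
    chain: List[Dict] = []
    append_event(chain, "alice", "dsar.export", "user:42", "2024-01-01T00:00:00+00:00")
    append_event(chain, "bob", "user.delete", "user:42", "2024-01-01T00:01:00+00:00")
    append_event(chain, "svc", "key.rotate", "kms:main", "2024-01-01T00:02:00+00:00")
    return chain


def tamper_demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Show that verification catches an edit, a deletion and a reorder."""
    results = {"intact": verify_chain(build_sample_chain())}

    edited = build_sample_chain()
    edited[1]["actor"] = "mallory"          # rewrite who deleted the user
    results["edited"] = verify_chain(edited)

    deleted = build_sample_chain()
    del deleted[1]                          # drop the deletion record entirely
    results["deleted"] = verify_chain(deleted)

    reordered = build_sample_chain()
    reordered[0], reordered[1] = reordered[1], reordered[0]
    results["reordered"] = verify_chain(reordered)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name:10s} -> ok={outcome[0]} first_bad_seq={outcome[1]}")
```

The chain only proves integrity relative to the key: whoever can both rewrite the log and sign with `LOG_KEY` can forge a consistent history. In practice you keep the key out of reach of log administrators (KMS sign-only permission, or an HSM), ship records to append-only storage, and periodically anchor the latest MAC somewhere the log writer cannot alter, which is what a `verify_chain` run in the quarterly evidence refresh is checking.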

How does GDPR work alongside SOC 2, ISO 27001, and the EU AI Act?

They overlap on controls but differ on framing. ISO 27001:2022 Annex A controls (the A.5 organisational and A.8 technological themes, with A.5.34 covering privacy and PII protection; A.18 in the 2013 edition) map almost 1:1 to GDPR Article 32. SOC 2 Trust Services Criteria CC6 (logical access), CC7 (system operations) and the optional Privacy category P1–P8 cover most Article 25 and 32 ground. The EU AI Act Article 10 data governance for high-risk systems borrows directly from GDPR Articles 5, 25 and 35. We build one unified evidence library that discharges all four regimes: the same encryption control evidences SOC 2 CC6.7, ISO A.8.24, GDPR Article 32(1)(a), and AI Act Article 15. You do the work once; the auditors get what each of them needs.

What does pricing look like, and what is included?

Three packages. GDPR Readiness Assessment is 6,500 EUR fixed (two weeks): scope confirmation, Article 30 RoPA in your data-mapping tool, gap analysis against Articles 5, 6, 12–22, 25, 28, 30, 32, 33–34, 35 and 44–49, remediation roadmap, executive briefing. Implementation Pack is 18,000 EUR fixed (six to eight weeks): DPA template for processors and sub-processors, Article 35 DPIA template plus one worked DPIA, Article 32 technical measures implementation, Articles 12–22 data-subject rights workflows in your product, SCC and TIA pack for EU-to-third-country transfers, breach response runbook, public privacy notice. Ongoing DPO-as-a-Service is 3,500 EUR/month: quarterly evidence refresh, regulator monitoring (EDPB, ICO, CNIL, BfDI, AEPD, Garante guidance), DSAR triage support, breach support, vendor DPA reviews up to 10/month, annual audit dry run.

Need a GDPR gap analysis before your next enterprise RFP?

Book a readiness call