EUPHORIA — agency —

Security & Compliance

GDPR, Swiss FADP, SOC2, PCI DSS, ISO. Cloud hardening, IAM, secrets, supply chain, audit readiness.

Security is what lets you sign the next big contract — not what stops you from shipping. Our approach is pragmatic: we target the certifications your customers actually need, harden what must be hardened, and document the rest for the audit.

What we ship

The security work that lets you pass audits, satisfy enterprise procurement, and sleep at night — without hiring a full-time CISO.

What it covers

  • GDPR & Swiss FADP compliance — records of processing, DPIAs, processor contracts, rights handling
  • SOC2 readiness — Type 1 and Type 2, scope, controls, remediation, audit support
  • PCI DSS — for payment workloads, segmentation, hardening, key management
  • IAM design — least privilege, rotation, federation, environment separation
  • Secrets management — Vault, AWS Secrets Manager, removal of plaintext secrets from code and CI
  • Supply chain — SBOM, signatures, dependency auditing, update policies
  • Audit preparation and remediation — gap analysis, uplift plan, in-audit support

Where we make a difference

We separate what the standard actually requires, what your customers require, and what is merely “best practice.” Many compliance programs blow up in budget because no one made that distinction. Our role is to make it — starting with conversations with your procurement team and key prospects, not by opening a 200-page SOC2 PDF.

Typical engagement formats

  • Gap analysis (1–2 weeks) — assessment against the target standard, remediation plan
  • Compliance program (3–9 months) — end-to-end uplift through to audit
  • Advisory — second opinion on a security decision, IAM review, due diligence