The compliance consultant, not the compliance platform.
Drata and Vanta automate evidence collection. They don't do your gap analysis, write your policies, or manage your auditor. We do.
Schedule a scoping call →
SOC 2 Type I & II
The compliance gate for enterprise SaaS sales. CPA-attested report confirming your systems meet AICPA Trust Service Criteria. Most common first engagement for Series A–C companies.
ISO 27001:2022
International ISMS certification required by European enterprise buyers, government contractors, and M&A due diligence. Natural complement to SOC 2 — 60–70% policy overlap.
ISO 42001:2023 — AI Governance
The world's first AI Management System standard. AWS, Google Cloud, and Microsoft are already certified. EU AI Act enforcement begins August 2026. The first-mover window is still open.
HIPAA
The vendor gate for hospital systems, clinics, and insurers. Full compliance program for any platform handling Protected Health Information.
GDPR / UK GDPR
Applies to any company with EU users or EU data — regardless of where the company is incorporated. Combined with ISO 27001 or CCPA for efficient multi-jurisdiction coverage.
CCPA / CPRA
Required for companies meeting California's applicability thresholds. Penalties raised in 2025 to $7,988 per consumer (intentional), no cap. Significant policy overlap with GDPR.
PCI-DSS
Payment Card Industry Data Security Standard for platforms that store, process, or transmit cardholder data. Required by banking partners and payment processors.
VAPT
Vulnerability assessment and penetration testing — web, mobile, API, network, and cloud environments. NIST SP 800-115 and OWASP-aligned methodology. Standard through advanced adversarial simulation.
Virtual CISO
Ongoing security program management, risk assessments, board reporting, and incident response planning. Retainer-based.
DPO-as-a-Service
Data Protection Officer function, DSAR management, regulatory liaison, and consent management. Retainer-based.
Also available: ISO 27701 · India DPDPA · Saudi Arabia PDPL · South Africa POPIA · Singapore PDPA · Canada CPPA · GRC advisory · Compliance training
Compliance platforms automate evidence collection. They don't do compliance.
Automation platforms connect to your infrastructure, monitor controls, and collect evidence. What they don't do: conduct your gap assessment, write policies that reflect your actual environment, or manage your auditor when exceptions arise.
You still need a consultant. With most platforms, that conversation starts only after you've committed to a significant annual licensing spend.
We deliver the full program — gap assessment, policy development, control implementation, auditor coordination, CPA-attested report — without the platform overhead.
One more thing: template policies fail audits. When your auditor's testing matrices don't match your actual environment, they flag it. Policies written around how your team actually operates pass. That's the difference.
| | Big 4 | Platforms | ShieldKey |
|---|---|---|---|
| SOC 2 Type II | $60K–$150K | $80K+/yr license + consultant | Scoped to your needs |
| Timeline | 6–12 months | Self-serve (you do the work) | 8–12 weeks |
| Output | CPA-attested report | Evidence dashboard (no attestation) | CPA-attested report |
| Policies | Custom (at enterprise price) | Templates | Custom |
| ISO 42001 | Limited capacity | Not offered | Available now |
Frequently asked questions
Is SOC 2 a certification?
No — and this distinction matters. SOC 2 is an attestation report issued by a licensed US CPA, confirming your systems meet the AICPA's Trust Service Criteria. It is not a certification. Anyone describing it as one signals a knowledge gap.
How long does SOC 2 take?
SOC 2 Type I takes approximately 6–8 weeks. SOC 2 Type II requires a minimum 3-month observation period — it cannot be completed in 10–14 days regardless of what a platform vendor claims. We set realistic timelines and meet them.
Do I need SOC 2 or ISO 27001?
SOC 2 is the standard for US enterprise buyers. ISO 27001 is the international standard — required by many European enterprise clients and government buyers. They share approximately 60–70% policy structure overlap, so many clients pursue both. We'll recommend the right starting point based on your buyer profile.
What is ISO 42001?
The world's first international standard for AI Management Systems, published in 2023. If you build AI products, your enterprise buyers will increasingly require it — and the EU AI Act (enforcement begins August 2026) identifies it as the preparation framework for high-risk AI system compliance. This is where SOC 2 was five years ago.
Do you work with companies outside the US?
Yes. We serve companies globally — particularly those with US enterprise buyer requirements, EU market ambitions, or cross-border data handling obligations.
How is this different from using a compliance platform?
Platforms automate evidence collection. They don't conduct gap assessments, write customized policies, manage your auditor, or handle exceptions. We do. And we do it for a fraction of what platforms charge annually.
Scoped to your framework, team, and timeline.
Every engagement is scoped individually. Book a 30-minute scoping call — you'll get a framework recommendation and ballpark investment before committing to anything.
Get a scoping call →