Services catalog
Everything we deliver, in one place.
Certifications, attestations, privacy frameworks, security testing, and ongoing advisory. Scoped individually. Fully managed. CPA-attested where applicable.
Multi-framework engagements
Running two or more standards? Run them as one program.
Modern ISO management standards share the Annex SL shell — leadership, risk, internal audit, and management review build once and serve every standard layered on top. Five named bundles cover the most common multi-framework programs we run.
Certifications & Attestations
The frameworks buyers ask about by name.
The four most requested frameworks for growth-stage SaaS, HealthTech, and AI companies. Every engagement produces a CPA-attested report or IAF-accredited certificate.
SOC 2 Type I & II
The compliance gate for enterprise SaaS sales. CPA-attested report confirming your systems meet AICPA Trust Service Criteria. Most common first engagement for Series A-C companies.
ISO 27001:2022
International ISMS certification required by European enterprise buyers, government contractors, and M&A due diligence. Natural complement to SOC 2 with 60-70% policy overlap.
ISO 42001:2023 AI Governance
The world's first AI Management System standard. AWS, Google Cloud, and Microsoft are already certified. EU AI Act enforcement begins August 2026. The first-mover window is still open.
HIPAA
The vendor gate for hospital systems, clinics, and insurers. Full compliance program for any platform handling Protected Health Information.
Management Systems
Quality, environment, safety, privacy, continuity.
Five ISO management-system standards that share the Annex SL shell with ISO 27001 and ISO 42001. Run them together as an Integrated Management System, not five separate programs.
ISO 9001
Quality Management System certification. The most common entry point for manufacturers, engineering firms, and service companies responding to enterprise tenders.
ISO 14001
Environmental Management System certification. Auditable evidence for ESG reporting, supply-chain customers, and large enterprise tenders.
ISO 45001
Occupational Health & Safety Management System certification. Covers workplace safety and the ESG "S" pillar, and is increasingly required in tender documentation.
ISO 27701
Privacy Information Management System extending ISO 27001. Maps to GDPR, UK GDPR, DPDPA, LGPD, and PDPA. Strongest privacy upsell for ISO 27001 holders.
ISO 22301
Business Continuity Management System certification. The most-requested companion to ISO 27001 for SaaS, financial services, and critical infrastructure.
Privacy & Regional Compliance
Multi-jurisdiction privacy, one consolidated program.
Privacy laws overlap more than they diverge. We build one governance program that satisfies all the jurisdictions you operate in, instead of four parallel efforts.
GDPR / UK GDPR
Applies to any company with EU users or EU data, regardless of where the company is incorporated. Combined with ISO 27001 or CCPA for efficient multi-jurisdiction coverage.
CCPA / CPRA
California privacy compliance. Penalties were raised in 2025 to $7,988 per consumer for intentional violations, with no cap. Significant policy overlap with GDPR.
Regional privacy coverage
ISO 27701 · India DPDPA · Saudi Arabia PDPL · Singapore PDPA · South Africa POPIA · Canada CPPA
Security Testing
Testing aligned to the standards auditors recognize.
Vulnerability assessment, penetration testing, and payment security aligned to NIST CSF, MITRE ATT&CK, and CIS Benchmarks.
VAPT
Vulnerability assessment, penetration testing, and red-team engagements aligned to NIST CSF, MITRE ATT&CK, and CIS Benchmarks. Includes configuration audits, source code review, and cloud security reviews.
PCI-DSS
Payment Card Industry Data Security Standard for platforms that store, process, or transmit cardholder data. Required by banking partners and payment processors.
Ongoing Advisory
Retainer services for teams without a security leader.
Monthly retainers for board reporting, risk management, and ongoing compliance posture. The program doesn't end at the report.
Virtual CISO
Ongoing security program management, risk assessments, board reporting, and incident response planning. Retainer-based.
DPO-as-a-Service
Data Protection Officer function, DSAR management, regulatory liaison, and consent management. Retainer-based.
Also available
GRC advisory · Compliance training · Security awareness programs · Third-party risk management
What's included
Every engagement delivers the full program.
We don't split compliance into six SKUs you have to piece together. One engagement, one scope, one price.
Gap assessment
Full evaluation of controls in place, controls missing, documentation gaps, and risk exposure against your target framework.
Custom policies
Written around how your team actually operates, not templates. Template policies fail audits; custom policies pass.
Control implementation
Hands-on remediation work, not a list of things for you to do yourself. We close the gaps alongside your team.
Evidence collection
Structured evidence packages mapped to controls. Audit-ready documentation, not raw screenshots in a folder.
Auditor coordination
We manage the auditor relationship end-to-end, including exception handling and testing matrix alignment.
CPA-attested report
SOC 2 reports attested by licensed US CPAs under US CPA firm letterheads. IAF-accredited certificates for ISO standards.
Post-audit support
Annual recertification, surveillance audits, and ongoing posture management through optional vCISO or DPO retainer.
No platform lock-in
No annual licensing fees, no mandatory tooling, no contract traps. You own your policies, controls, and evidence.
FAQ
Frequently asked questions
Is SOC 2 a certification?
No, and this distinction matters. SOC 2 is an attestation report issued by a licensed US CPA, confirming your systems meet the AICPA's Trust Service Criteria. It is not a certification. Anyone describing it as one signals a knowledge gap.
How long does SOC 2 take?
SOC 2 Type I takes approximately 6-8 weeks. SOC 2 Type II requires a minimum 3-month observation period. It cannot be completed in 10-14 days regardless of what a platform vendor claims. We set realistic timelines and meet them.
Do I need SOC 2 or ISO 27001?
SOC 2 is the standard for US enterprise buyers. ISO 27001 is the international standard required by many European enterprise clients and government buyers. They share approximately 60-70% policy overlap, so many clients pursue both. We'll recommend the right starting point based on your buyer profile.
What is ISO 42001?
The world's first international standard for AI Management Systems, published in 2023. If you build AI products, your enterprise buyers will increasingly require it, and the EU AI Act (enforcement begins August 2026) identifies it as the preparation framework for High Risk AI system compliance. This is where SOC 2 was five years ago.
Can you cover multiple frameworks at once?
Yes, and this is usually the smart play. SOC 2 + ISO 27001 share 60-70% of their controls. GDPR + CCPA share most of their data subject rights logic. Multi-framework engagements price efficiently because we reuse the evidence base rather than building it twice.
Do you work with companies outside the US?
Yes. We serve companies globally, particularly those with US enterprise buyer requirements, EU market ambitions, or cross-border data handling obligations.
How is this different from using a compliance platform?
Platforms automate evidence collection. They don't conduct gap assessments, write customized policies, manage your auditor, or handle exceptions. We do. And we do it for a fraction of what platforms charge annually.
Scoped to your framework, team, and timeline.
Every engagement is scoped individually. Book a 30-minute scoping call. You'll get a framework recommendation and ballpark investment before committing to anything.
Get a scoping call →