GDPR compliance that matches
what your product actually does.
GDPR is law, not a certificate. If you process personal data of people in the EU or UK, it applies to you wherever you are based. We align your data flows, policies, and vendors with what the regulation actually requires.
Compliance built on your real data flows.
Most GDPR problems are not missing paperwork; they are a gap between what the privacy policy claims and what the product actually does. Trackers that fire before consent, processors nobody listed, data kept with no retention rule. Regulators and plaintiffs read your policy as a set of promises, so the work starts with the truth: we map how personal data actually enters, moves through, and leaves your systems, then make the disclosures, legal bases, and contracts match.
The engagement covers the core obligations: records of processing, lawful bases, privacy notices (our PPA review), data subject rights handling, data processing agreements with vendors, international transfer mechanics, and a breach-response plan that can meet the 72-hour notification clock. Where technical verification helps, our automated privacy scanning shows what trackers and third parties are really on your pages.
From data map to defensible posture.
Data mapping and lawful bases
A record of processing activities built from your real systems, each flow assigned a lawful basis and a retention rule you can defend.
Policies, notices, and DPAs
Privacy notices that match reality (PPA review), cookie and consent flows checked against actual page behavior, and data processing agreements for every vendor that touches personal data.
Rights and breach readiness
A workable process for access, deletion, and portability requests, plus a breach playbook with roles and timelines so the 72-hour notification window is achievable, not theoretical.
Four steps to a defensible posture.
Map the data
Inventory what personal data you collect, where it flows, which vendors touch it, and how long it is kept. Reality first, paperwork second.
Fix the legal layer
Assign lawful bases, rewrite notices to match reality, close DPA gaps with vendors, and resolve international transfer questions.
Build the processes
Working procedures for data subject requests, retention enforcement, consent management, and the 72-hour breach notification clock.
Verify and monitor
Automated privacy scanning confirms the site behaves the way the policy says, and keeps confirming it after every release.
GDPR FAQ.
We're a US company. Does GDPR apply to us?
If you offer goods or services to people in the EU or UK, or monitor their behavior (analytics and tracking count), GDPR can apply regardless of where your company is incorporated. Serving EU users from US infrastructure does not exempt you; it adds international transfer questions to solve.
Is there a GDPR certificate we can get?
No. GDPR is legislation, not a certifiable standard, so no vendor can sell you a "GDPR certification". What you can have is a documented, defensible posture: data maps, lawful bases, contracts, and processes that hold up when a regulator or enterprise customer asks. That is what we build.
What are the penalties for getting it wrong?
The regulation provides for fines up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher, for the most serious infringements. In practice the more immediate costs are lost enterprise deals, breach fallout, and forced product changes under regulator scrutiny.
How does this relate to SOC 2 or ISO 27001?
They reinforce each other. GDPR requires appropriate technical and organizational security measures, and the control work you do for SOC 2 or ISO 27001 is strong evidence of exactly that. We map the overlap so one control set serves all three.
Do we need a Data Protection Officer?
Only certain organizations must appoint a DPO: public authorities and those whose core activities involve large-scale systematic monitoring or large-scale processing of special category data. Many startups do not meet that bar, but still need someone accountable for privacy. We help you make and document that call correctly.
What is a data processing agreement?
A DPA is the contract GDPR requires between you and any vendor that processes personal data on your behalf (hosting, analytics, email, support tooling). It binds them to instructions, confidentiality, security measures, and breach notification. We inventory your vendors and close every missing or outdated DPA.