Risk, Security & Privacy

Cybersecurity and privacy for growing businesses — compliance + engineering + evidence

Outsource your DPO and Security Lead. We combine legal privacy expertise with security engineering to reduce risk, accelerate client audits, and protect your business against breaches, regulation (GDPR, NIS2), and emerging AI challenges.

Request a Free Assessment

A security and privacy expert will contact you with no obligation.

Cristina Contero · Head of Privacy

LLM MSc · EU Legal Tech Woman 2020 Nominee

Adrián Becerra · Security Director

Forbes 30 Under 30 Nominee · InfoSecurity Expert

Raúl Moraleda · CEO

Chartered Economist · Licensed Admin. Manager nº111

Our team combines top-tier legal and technical profiles: privacy lawyers with experience in multinationals and consultancies from London and Silicon Valley, alongside security engineers with a track record in SaaS development, InfoSecurity, and B2B platforms. This combination is what allows us to deliver real governance, not just paperwork.

We don't sell one-off pentests or single audits. We offer continuous Risk, Security & Privacy programs that generate evidence, prepare your company for client, investor, and regulator audits, and reduce real incident risk.

Increasingly, enterprise clients, tenders, and investors demand proof of security and privacy maturity. Our service builds that maturity step by step, with metrics, controls, and verifiable documentation.

The risks are real and the clock is ticking

Regulatory non-compliance and lack of security controls can paralyze your business

GDPR: 72 hours to notify

In a personal data breach, you have a maximum of 72 hours to notify the supervisory authority. Without a protocol or prepared team, the clock works against you. Fines reach €20M or 4% of global annual turnover.

NIS2: new cybersecurity obligations

The NIS2 directive imposes on companies in critical sectors and their supply chains early warning in 24h, notification in 72h, and final report in 1 month for significant incidents. Non-compliance carries sanctions and management liability.

Ungoverned AI: exponential risk

The EU AI Act reaches full application in August 2026. Every AI tool you use without inventory, risk assessment, or internal policy is a legal and technical vulnerability. Incidents from compromised AI code and dependencies are already a daily reality.

We treat privacy and security as essential requirements, not as a checklist. From the way we work internally to how we design and operate our products. All our solutions maintain strict regulatory compliance in privacy and security.

Cristina Contero

Head of Privacy

LLM MSc · Nominated European Women in Legal Tech 2020

Three pillars for comprehensive protection

We combine legal, technical, and AI governance in a single recurring service

DPOaaS+ — Operational Privacy

External Data Protection Officer and full GDPR compliance program, from gap analysis to ongoing support.

  • Certified external DPO
  • Gap analysis and real data mapping (ROPA)
  • Data processing agreements and international transfers
  • Breach management with 72h protocol
  • Data Protection Impact Assessments (DPIA)
  • Cookies, consent, and digital environment
  • Team training and awareness

vCISO — External Security Lead

A virtual security officer who designs, implements, and oversees your security controls with a practical, proportionate approach.

  • Asset inventory and crown jewels identification
  • Access control, MFA, and least privilege
  • Backups and restore testing
  • Vulnerability management and hardening
  • Incident response plan
  • Logging, traceability, and audit
  • Executive reporting with risk KPIs

AI Governance

Inventory, risk assessment, and internal policy for AI use in your organization, aligned with the EU AI Act.

  • AI tools and use-case inventory
  • Risk classification per AI Act
  • Internal AI usage policy
  • AI vendor assessment
  • AI risk training for teams
  • Evidence for audits and enterprise clients

Plans adapted to your maturity stage

No lock-in commitment. Start where you need and scale as you grow.

Essentials

SMEs and startups that need order and basic compliance

  • Light DPO (quarterly support)
  • Cookies, clauses, and base contracts
  • MFA, backups, and restore testing
  • AI usage policy
  • Basic team training
  • Incident response plan

Growth (Recommended)

Growing companies that need to close enterprise clients or prepare for due diligence

  • Everything in Essentials
  • Full external DPO (ongoing support)
  • vCISO with quarterly reporting
  • Vendor risk and supplier review
  • Gap analysis with remediation plan
  • Client audit preparation
  • AI governance (inventory + policy)

Enterprise

Companies in regulated sectors, with NIS2 obligations, or multinational clients

  • Everything in Growth
  • Annual program with continuous review
  • Incident reporting readiness (24h/72h/1 month)
  • Control catalog and ISO 27001 evidence
  • Full AI governance (AI Act readiness)
  • Formal audits and certification path
  • Cyber risk insurance (via in-house brokerage)

Our method: assess, plan, act, evidence

A continuous cycle that builds real maturity, not just documents

1. Assessment and gap analysis

Asset, data, and process inventory. Real risk identification. Quick wins and impact-prioritized plan.

2. Action plan and controls

We define roles, policies, and controls. Governance documentation (who approves, who executes, who validates).

3. Phased implementation

We execute the plan in stages: critical controls first, then continuous improvement. No impact on your operations.

4. Continuous review and evidence

Quarterly reporting, risk KPIs, improvement backlog. Evidence ready for audits, clients, and investors.

Frequently Asked Questions

We are here to answer.

NIS2 applies to essential and important entities in sectors such as energy, transport, health, digital infrastructure, ICT services, and supply chain. If your company provides services to these sectors, you may also be affected. We help you determine applicability and your specific obligations.

The DPO (Data Protection Officer) focuses on privacy regulatory compliance (GDPR): personal data, rights, breaches, cookies, contracts. The vCISO (Virtual Chief Information Security Officer) covers technical security: access controls, vulnerabilities, backups, incident response, hardening. Both roles complement each other and work in coordination in our service.

You have a maximum of 72 hours to notify the supervisory authority if personal data is affected. Under NIS2, the early warning deadline is 24 hours. Our team manages the entire process: incident analysis, containment, authority and affected party notifications, remediation plan, and evidence generation.

The EU AI Act entered into force on August 1, 2024, with full application on August 2, 2026. Prohibited practices and literacy obligations started in February 2025, and general-purpose AI obligations in August 2025. If you use AI tools in your business, you need an inventory and internal policy before August 2026.

Our Essentials plan is specifically designed for SMEs and startups that need order and basic compliance at an affordable cost. The Growth plan is for growing companies that need to close Enterprise clients or prepare for due diligence. Enterprise is for companies in regulated sectors.

A pentest is a point-in-time snapshot of your technical vulnerabilities. We offer a continuous governance program: assessment, controls, policies, training, incident response, evidence, and quarterly review. A pentest can be one of the controls within our program, but the real value lies in the complete cycle and continuous improvement.

Still confused? No need to worry, just contact us.

Contact our support

Protect your business with a top-tier legal and technical team

Request a free assessment and discover where you stand, what you need, and how we can help you build real security and privacy maturity.