GDPR
Your GDPR report, 3–4 weeks from now.
GDPR isn't optional if you have a single EU customer or visitor. We build the full Records of Processing Activities (ROPA), draft and execute Data Processing Agreements with all your subprocessors, run Data Protection Impact Assessments where required, and set up the breach notification machinery so a 72-hour clock never catches you flat-footed.
What you get
Everything in your GDPR program
Built specifically for anyone processing eu/uk personal data.
Full ROPA (Article 30) — every processing activity inventoried, lawful basis documented, retention period set
Data Processing Agreements (Article 28) signed with every subprocessor (cloud providers, SaaS tools, contractors)
Standard Contractual Clauses (SCCs) for transfers outside the EEA, with Transfer Impact Assessments where needed
DPIA (Article 35) templates and execution for high-risk processing
Cookie consent + privacy-policy generator wired to your actual data flows (not a template)
Subject Access Request (SAR) / Right to Erasure / Portability runbook + automated workflow
72-hour breach notification runbook + supervisory-authority contact list per member state
EU representative service if you don't have an EU establishment (Article 27)
Pricing
Fixed price. No annual contract.
Setup gets you to the report. The retainer keeps you compliant. Cancel any time.
One-time, fixed-fee
- Full GDPR program build
- Auditor introductions and prep
- 3–4 weeks to Article 30 ready
Cancel any time
- Continuous control monitoring
- Quarterly access reviews + risk refresh
- Drift remediation by our team
- Annual re-audit support included
Audit fees paid directly to your auditor (not marked up). We negotiate fixed-fee quotes from our auditor network.
Stack frameworks, save money
Reuse your GDPR work across other frameworks
Most controls overlap. Your second framework costs a fraction of the first.
UK GDPR
95%Almost identical — we cover both at no extra cost.
GDPR questions, answered
Yes, if you offer goods or services to EU/UK residents OR monitor their behavior (analytics, ads, etc.). It doesn't matter where your servers are — what matters is whose data you process.
Only if you do large-scale systematic monitoring or large-scale processing of special-category data. Most B2B SaaS doesn't need one. We help you assess and, if needed, provide a fractional DPO service.
If you're a US company processing EU data, certifying under the DPF is the cleanest legal basis for transfers. We help you self-certify (it's a US Department of Commerce process) and maintain the annual recertification.
3–4 weeks for the core program (ROPA, DPAs, breach runbook, SAR workflow). Add 1–2 weeks if you need DPIAs for high-risk processing (e.g., AI / automated decision-making).
Quarterly ROPA refresh, ongoing subprocessor DPA management, SAR processing support, breach response on-call (24/7 for the first hour to start the 72h clock), supervisory-authority correspondence handling, and continuous monitoring of new EU/UK guidance.
Ready to ship your GDPR?
Tell us your timeline. We'll scope the work, give you a fixed price, and start this week.