Line 02 · Governance & attestation

Governance you can attest to.

Compliance is where claims get proven — the assessments that establish where you stand, the privacy analysis regulators expect, and the attestation work that turns security effort into something a customer or auditor can rely on. Structured, scoped to your environment, and free of theatre.

CMP-01 of 05 · Flagship assessment

Threat Risk Assessment (STRA)

A structured look at what can actually hurt you.

The STRA is our flagship assessment: a methodical review of a system or service that identifies the threats that apply to it, weighs their likelihood and impact, and measures your existing controls against recognized frameworks. Findings arrive ranked by real risk, not alphabetically, with a remediation path your team can actually execute. It is the document that lets executives, auditors, and engineers argue from the same facts.

Structured STRA methodologyThreat & risk modellingControl gap analysisRanked remediation plan
CMP-02 of 05 · Privacy assessment

Privacy Impact Assessment (PIA)

Know how personal data moves through your organization — and prove it is protected.

A PIA maps how personal information is collected, used, stored, and shared across a system or initiative, then measures those flows against PIPEDA and the provincial privacy laws that apply to you. We identify where the gaps are and pair each one with a safeguard that is proportionate, not performative. The result is documentation that stands up to a regulator and a design your privacy officer can defend.

Data-flow mappingPIPEDA & provincial alignmentProportionate safeguardsRegulator-ready documentation
CMP-03 of 05 · Attestation readiness

SOC 2 Readiness

Walk into your audit already knowing the answer.

We scope the trust services criteria that actually apply to your business, run a gap assessment against them, and help you design controls and evidence habits that fit how your team already works. When the auditor arrives, the evidence exists because it was produced in the normal course of business — not assembled in a two-week scramble. We stay through the audit itself to keep the process moving.

Scoping & gap assessmentControl designEvidence & automation habitsAudit-cycle support
CMP-04 of 05 · Regulatory coverage

Data Protection & Regulatory

DLP, GDPR, and PCI — one coherent program instead of three scrambles.

Data-protection obligations overlap heavily, so we treat them as one program: know where sensitive data lives, control how it moves, and map each control once to every regulation that demands it. That covers data loss prevention that people don’t route around, GDPR readiness for organizations touching EU data, and PCI DSS scoping that keeps cardholder environments small. One control set, maintained once, defensible everywhere.

Data loss prevention (DLP)GDPR readinessPCI DSS scoping & complianceUnified control mapping
CMP-05 of 05 · Cloud posture — assess

Cloud Security Assessment

Know how your cloud is actually configured — not how it was designed.

Cloud environments drift: the architecture diagram says one thing, and eighteen months of tickets say another. We assess your real posture across AWS, Azure, GCP, and Microsoft 365 — identities and their permissions, network paths, storage exposure, logging — and rank what we find by exploitability, not by scanner severity. When you want the fixes watched continuously rather than annually, this hands off directly to Managed CloudSec.

Posture & configuration reviewAWS · Azure · GCP · M365Identity & network pathsPathway to Managed CloudSec
Not sure where to start?

Most compliance engagements start with a gap conversation: which obligation is in front of you, and what evidence exists today. From there we scope the shortest path to a defensible position.