Compliance · Implementation · Fractional CISO

Compliance should be a byproduct.
Not the product.

Template platforms swap your company name into an 80-page policy and call it done. Auditors don't. We're the operators who actually implement ISO 27001, ISO 42001, SOC 2, EU AI Act and GDPR — so the certificate is just the receipt.

Founding teamEx-Big 4 & mid-tier
Combined years30+ in IT advisory
EngagementOutcome-based
Trusted by top teams at
Ditta Labs
GradSearch GradSearch
"Compliance was completely off our plate from day one — we never had to think about it. Protectify gave us all our time back to build and grow."
Alessio Redeghieri — Founder & CEO, Ditta Labs
01 / Where we come in

Your compliance platform generates policies.
Someone still has to run them.

The template-platform modelMost vendors

You get a policy library. You're on your own after that.

  • ×Name-swapped policies. Same templates, your logo. Auditors recognise them on sight.
  • ×A dashboard, not a control. Green ticks don't equal evidence an auditor will accept.
  • ×"Guidance only" consulting. You still write, review, implement, and run tabletop exercises.
  • ×Each framework, separately. Five overlapping checklists, five sets of work.
  • ×Audit day is your problem. Engineers pulled off-roadmap for two months of screenshot requests.
The Protectify modelWhere we come in

We don't generate policies. We make them true.

  • +Policies fit to your environment. Cloud topology, dev workflow, physical or remote — written for what you actually run.
  • +Controls operated, not just documented. Tabletop CSIRT, vuln SLAs, change management, vendor risk — done with your team.
  • +One implementation, every framework. ISO 27001, 42001, SOC 2, AI Act, GDPR mapped to a single control set.
  • +We sit across from the auditor. Daily auditor calls, evidence pulls, clarifications — handled by us in your seat.
  • +Platform-agnostic. Bring Vanta, Drata, Sprinto, or none. We work either way.
02 / What we actually do

The work that doesn't fit inside a SaaS dashboard.

01

Run the tabletop exercise.

CSIRT walkthroughs your auditor will sample — incident response, breach simulation, recovery drills. We facilitate; your team performs.

02

Enforce the vulnerability SLA.

30-day critical remediation isn't a line in a PDF; it's a cadence with your engineers. We instrument it and make it stick.

03

Wire change management into your pipeline.

Approved, tested, traceable deploys — adapted to your existing Git, CI and ticketing flow. No new ceremony for ceremony's sake.

04

Triage your vendor risk.

Sub-processor reviews, DPAs, security questionnaires, AI model providers — assessed and tracked, not just listed.

05

Curate evidence, not screenshots.

What an auditor will accept versus what they'll push back on — built into how your team works, not assembled in a panic.

06

Pick the right auditor.

A cheap certificate that falls apart in your customer's procurement review costs more than a real one. We help you choose.

03 / Frameworks & services

One control set. Every certificate that matters to your buyer.

27K
Infosec · global

ISO/IEC 27001

The information security management system buyers ask for first. Stage 1 + Stage 2 readiness, surveillance, and recertification cycles.

ISMS scopeAnnex A controlsStage 1 / 2
42K
AI governance · new

ISO/IEC 42001

The AI management system standard. Risk assessment, model lifecycle, transparency and human oversight — built to map directly to the EU AI Act.

AIMSModel riskLifecycle
SOC
Trust services · US

SOC 2 · Type I & II

Type I design opinion in 8–12 weeks. Type II observation window scoped to your buyer's procurement gate, not your vendor's calendar.

SecurityAvailabilityConfidentiality
AI
EU regulation · staged

EU AI Act

Risk-tier classification, GPAI obligations, technical documentation, conformity assessment readiness. Aligned with your ISO 42001 work, not duplicated.

Risk tieringGPAIConformity
GDPR
Data protection · EU/UK

GDPR & UK GDPR

Records of processing, lawful basis, DPIAs, sub-processor governance, breach process. Plus DPO advisory where you need a named one.

RoPADPIADSARDPO advisory
CISO
Retainer · monthly

Fractional CISO

A named security leader in your exec channel — board reporting, customer security calls, vendor reviews, and the judgement calls your team shouldn't be making alone.

Board reportingCustomer callsOn-call
04 / How we work

Four phases. One fixed-fee commitment per certificate.

Week 0 – 2

Diagnose

Two-week control gap assessment against your target frameworks, mapped to your real environment — cloud, codebase, vendors, headcount.

Week 2 – 10

Implement

We embed with engineering and ops. Policies written, controls operated, evidence curated — adapted to your pipeline, not bolted on top of it.

Week 10 – 14

Audit

We brief, attend and respond. Auditor questions, screenshot requests, clarifications — we sit in your seat. Engineering keeps shipping.

Ongoing

Operate

Quarterly control reviews, surveillance audits, new product reviews, customer security questionnaires. Compliance as a steady state.

05 / Outcome-based pricing

You pay for the certificate.
Not the hours.

01 · DiagnosticTwo weeks

Compliance gap study

For founders mapping the road to their first enterprise deal.

Fixed fee· credited toward implementation
  • Control gap across up to two frameworks
  • Auditor & platform recommendation, vendor-neutral
  • Time-to-certificate plan and budget envelope
  • Executive readout with your investors if needed
Start diagnostic
03 · Fractional CISOMonthly retainer

A named security leader

For teams past their first certificate who need a security voice in the room.

Monthly· cancellable quarterly
  • Named CISO in your Slack and exec channel
  • Customer security calls, vendor reviews, board reporting
  • Surveillance audits, recertification, new-framework scoping
  • On-call advisory for security incidents and disclosures
Talk to a partner
No hourly meters

One fixed fee. Tied to the certificate landing, not consultant hours logged.

No template tax

You don't pay us to rename a PDF.

No lock-in

Bring your own platform — Vanta, Drata, Sprinto, or none.

06 / The founding team

Three operators. Thirty plus years between Big 4 and mid-tier advisory.

IT Audit & SOC Lead
Managing Partner & CEO · IT Audit & Assurance
EX-BIG 4CISAISO 27001 LA

A decade embedded in Big 4 IT audit practices across the US, UK and India. Led SOC 1 and SOC 2 Type II examinations for fintech, SaaS and enterprise clients. Deep hands-on experience scoping audit windows, curating evidence packages, and managing auditor relationships from kick-off to certificate issuance.

Security & Fractional CISO Lead
Managing Director · Security Engineering & vCISO
EX-MID-TIERCISSPCCSP

Twelve years in IT security advisory and fractional CISO engagements across regulated sectors. Built and operated SOC and incident-response programs at scale. Provides board-level security leadership, customer security calls, and on-call advisory for disclosures — the judgement layer that sits between your engineering team and your auditor.

Privacy & AI Governance Lead
Managing Director · Data Protection & AI Governance
EX-BIG 4CIPP/EISO 42001 LA

Privacy and AI governance specialist with Big 4 roots. Delivered GDPR implementation programmes across regulated financial entities and was an early practitioner of ISO 42001 and EU AI Act readiness work. Leads records of processing, DPIAs, sub-processor governance, and DPO advisory where a named officer is required.

07 / Audit week

When the auditor asks, "who's the control owner here?" — we answer.

A real audit runs two months. Daily standups. Screenshot requests. Justification trails. The certificate is decided in those rooms, not in the policy PDF.

Your team should be shipping product. We sit in your seat with the auditor, defend the design, walk through the operating evidence, and clear the findings before they become qualifications.

Average client engineering hours during audit: 12 hrs / week
A 45-minute working session, not a sales call

Bring the auditor. Bring the questionnaire.
Bring whatever's stuck.

We'll spend the first thirty minutes on your actual situation and the last fifteen telling you whether you need us, a platform, both, or neither.

If we're not the right fit, we'll tell you in the call. No follow-up sequences.
Our Partners
A-LIGN Tempo Audits
— / Services

Everything you need to go from zero to certified.

SOC 2
SOC 2 Readiness for AI Startups
Policies, controls, evidence collection, and auditor support. Audit-ready in 8–12 weeks.
ISO 27001
ISO 27001 Implementation
Full ISMS build, risk assessment, Annex A controls, Stage 1 & Stage 2 audit management.
ISO 42001
ISO 42001 for AI Startups
AI Management System — governance, transparency, bias controls, EU AI Act alignment.
EU AI Act
EU AI Act Readiness
Risk classification, conformity assessment, governance documentation. Extra-territorial scope applies to UK startups.
Questionnaires
Security Questionnaire Support
SIG, CAIQ, and custom vendor questionnaires drafted and delivered. Deal-blockers removed.
Security Reviews
Customer Security Review Support
Preparation, documentation, and live call support for enterprise security reviews.
— / Common questions

Questions we answer
every working session.

What does ProtectifyAI do?
We implement compliance programmes — SOC 2, ISO 27001, ISO 42001, and EU AI Act readiness — for AI startups. We build the policies, controls, and evidence your auditor will expect, then sit with you through the audit until the certificate lands. We are the implementation partner, not the auditor.
How long does SOC 2 take for an AI startup?
SOC 2 readiness takes 8–12 weeks from engagement start. The Type 2 observation period then runs 3–12 months. Full journey to Type 2 certificate: typically 12–18 months. SOC 2 Type 1 can be achieved in 3–4 months if urgency demands it.
SOC 2 or ISO 27001 — which first?
US-focused startups typically do SOC 2 first. UK/EU-focused startups typically do ISO 27001 first. The control overlap is ~70% — so once you have one, the second is significantly faster and cheaper. We help you sequence for maximum deal velocity.
How is the pricing structured?
Outcome-based — a fixed fee agreed upfront and payable on certificate issuance. No hourly meters, no scope-creep change orders, no surprises. Auditor and certification body fees are separate, quoted independently, and vendor-neutral.
Does the EU AI Act apply to UK startups?
Yes. The EU AI Act has extra-territorial reach — it applies to any AI provider whose systems are deployed in the EU, regardless of where the company is based. UK startups with EU customers or users must comply with the Act's obligations for those AI systems.
Do we need ISO 42001 as an AI startup?
ISO 42001 is the world's first AI management system standard (published December 2023). Enterprise buyers are beginning to ask AI governance questions in procurement. ISO 42001 positions you ahead of this curve and provides the governance framework the EU AI Act requires.
BOOK A SESSION

A 45-minute working session,
not a sales call.

Tell us a little about your situation and we'll come prepared.

✓  Request sent — we'll be in touch shortly.
Limited spots · Founder Beta Programme

Hey founders 👋

We're running a Founder Beta Programme for our security, privacy and AI compliance advisory service. A small number of startups will receive a tailored readiness assessment in exchange for feedback and a testimonial.

Choose your assessment
You receive a bespoke 3–4 page advisory report covering your tech landscape, processes, controls, key gaps and next steps.
£1,000+
£100
Your email

Ideal for startups preparing for enterprise customers, due diligence, security questionnaires, fundraising or future compliance initiatives. Limited spots available.

Trusted by top teams at
Ditta Labs
GradSearch GradSearch