Compliance and privacy, handled.
SOC 2, ISO 27001, HIPAA, PCI, and global privacy, from a first audit you’re behind on to an ongoing program you don’t have to think about. We scope it, get you ready for a fixed fee, and keep it that way.
Frameworks and privacy, under one roof.
SOC 2 is where most teams start and where we lead, but you won’t outgrow us when the next requirement lands.
Frameworks
- SOC 2, Type I and Type II (our lead)
- ISO 27001
- HIPAA
- PCI DSS
- CMMC
- Customer security reviews & questionnaires
Privacy
- GDPR & UK GDPR
- CCPA / CPRA & US state laws
- PIPEDA, LGPD & other global regimes
- Data mapping & ROPAs
- DSAR / data-subject request handling
- DPAs & breach-notification readiness
Scope it, get ready for a fixed fee, stay ready.
No paying to be told what’s wrong and then paying open-ended to fix it. One path, three clear steps.
Compliance Scoping
Where you stand, what your target framework really requires, and a fixed quote for the work. Credited toward your package.
Readiness Package
One fixed fee to audit-ready, sized by complexity and covering evidence, controls, remediation, and auditor support. Expedite option for tight deadlines.
Ongoing Compliance
Type II monitoring, new frameworks, and privacy upkeep, folded into a vCISO retainer so it stays handled.
Behind on a SOC 2 audit with a deadline?
That’s a specialty, not a problem. We come in under the gun with tight scoping, a Type I to buy runway, compensating controls, and fast remediation, and we get you across the line. The readiness package has an expedite option for exactly this.
Common questions.
Which frameworks and privacy regimes do you support?
SOC 2 is the most common starting point, and it’s where we lead, but we also run ISO 27001, HIPAA, PCI DSS, CMMC, and customer security reviews. On the privacy side we handle GDPR and UK GDPR, CCPA/CPRA and the other US state laws, PIPEDA, and LGPD, plus the underlying program work: data mapping and ROPAs, DSAR handling, DPAs, and breach-notification readiness.
Is privacy really separate from security compliance?
Yes. A SOC 2 report is a security attestation; GDPR and CCPA are laws with their own obligations: data mapping, subject-access requests, processing agreements, cross-border transfers. We run both, but we scope and price them as distinct programs because the work genuinely is.
How does pricing work?
Three steps. A short, low-cost Scoping engagement tells you where you stand and gives you a fixed quote, and its fee is credited toward what comes next. A fixed-fee Readiness Package gets you audit-ready for one number, sized by complexity. Then Ongoing Compliance keeps you there (Type II monitoring, multi-framework, privacy upkeep), folded into a retainer. The technical test is a separate $3,500 from DeepExploit.
We’re behind on a SOC 2 audit with a deadline. Can you still help?
Yes, that’s a big part of what we do. See the SOC 2 page for how we handle audits under deadline pressure; the readiness package has an expedite option for tight timelines.
Why fixed-fee instead of charging by the hour?
Because the question you’re actually asking is “what does it cost to get me ready,” and you deserve a number. We scope it up front, quote a fixed fee by complexity, and only the genuinely custom cases (heavy multi-framework, complex cloud, large privacy programs) stay custom.
Not sure where you stand?
A short scoping engagement gives you the map and a fixed quote, and the fee comes off whatever you do next. Tell us your framework and timeline.