Compliance that lives inside the startup.
We sit at the table between first funding and first audit — translating GDPR clauses, SOC 2 controls, and ISO frameworks into plain-language playbooks founders actually read.
These numbers need more people behind them.
Every card is a real scene. Flip it to see where you'd fit.
Founder Googling SOC 2 at 2 a.m.
The Series A closed three weeks ago. The enterprise prospect wants a SOC 2 Type II report by Q3. Nobody on the team has ever written a security policy.
Compliance Engineer
You turn a panicked Notion doc into a working controls library in 4.2 days. You know which TSCs actually matter for a 12-person SaaS and which are theater.
Series B Due Diligence Stalling
The lead investor's legal team asked for a data processing inventory. The answer was a spreadsheet last updated in 2023 with three rows and a column called "misc."
Privacy Program Lead
You own the data map from day one. GDPR Article 30 records that are actually accurate. RoPA that an investor's counsel can read without a Xanax.
Privacy Policy Copy-Pasted from a Competitor
The privacy policy references a DPA with a vendor they no longer use, mentions CCPA compliance they haven't implemented, and was last reviewed by someone who left in 2021.
Client Embedded Analyst
You sit inside the client's Slack, attend their sprint planning, and catch the broken policy before it becomes a breach notification. You build systems, not slide decks.
ISO 27001 Kicked Down the Road Again
The CTO said "we'll do ISO after the product launch." That was four product launches ago. Now an NHS contract requires it and the timeline is 90 days.
GRC Program Manager
You've run ISO 27001 implementations in 90-day sprints. You know which controls to tackle first, which auditor relationships matter, and how to keep engineering actually engaged.
Third-Party Vendor Risk? What Vendor Risk?
The startup uses 47 SaaS tools. Three process personal data. None have DPAs. One is headquartered in a country with no adequacy decision. The CPO found out during a customer audit.
Privacy Program Lead
You build the vendor assessment process before the audit, not during it. You know which SCCs are current, which adequacy decisions cover which transfers, and which vendors just need a DPA email.
Security Training: One Video, Once, in Onboarding
The phishing simulation hit 34% click rate. The CEO clicked the test email twice. The "security culture" is a checkbox in the onboarding doc nobody reads after week one.
Compliance Engineer
You design security awareness that engineers don't resent — tabletop exercises that feel like product reviews, phishing simulations with post-mortems, controls that fit how the team actually works.
Pull up a chair. Everyone's working hard.
The people who come to work here are ex-Big Four consultants tired of billable-hour theater. Junior lawyers who want to build systems instead of review them. Ops generalists who light up when they find a broken process.
We sit inside the startup during the messy middle — between first funding and first audit. We're in the Slack channels, attending sprint planning, translating GDPR clauses into plain-language playbooks founders actually read at 2 a.m.
The conversation is sharp. The work is real. And there's a place already set for you.
Ex-Deloitte, 6 years. Left after billing 2,400 hours on a report nobody read.
"I wanted to fix the process, not just document it."
Junior associate at a NYC law firm. Spent 18 months reviewing contracts he couldn't change.
"Building systems beats reviewing them. Every time."
Ops generalist at three Series A companies. Found a broken GDPR process at each one.
"Broken processes are just opportunities nobody's claimed yet."
What an engagement actually looks like.
Four phases. No mystery. You'll know what we're doing, why we're doing it, and what good looks like before we start.
Embedded onboarding
We join your Slack, attend one sprint planning, review your current tool stack, and map every data flow we can find. No questionnaire. No slide deck. We just start.
Gap assessment
We deliver a plain-English gap report. Not a 60-page PDF — a prioritised list of what matters, what can wait, and what's actually fine. With a timeline attached.
Controls build
We write the policies. We configure the tooling. We run the vendor reviews. We train the team in ways that stick. You ship product. We close the gaps.
Embedded maintenance
Monthly reviews, evidence collection, audit prep, new vendor onboarding, incident response support. We stay embedded until you don't need us — then we hand off clean.
We write playbooks founders actually read
No 40-page policy documents. No legal boilerplate. Every playbook is written for the audience — founders, engineers, and ops teams who need to act, not just acknowledge.
Average engagement
From kickoff to first clean controls evidence
Startup stage
Seed to Series C. The messy middle is our home.
We stay until the audit passes
Not a fixed-term retainer. We measure success by the audit result, not the hours logged.
Frameworks we navigate daily
Founders who've been in the messy middle.
I thought SOC 2 would take us six months and a Big Four firm. Comply had us audit-ready in seven weeks. They were in our Slack every day — it felt like a team member, not a vendor.
Our Series B due diligence stalled for three weeks on the data map question. Comply fixed it in four days. Four days.
The privacy policy they wrote is the first one I've seen that actually explains what we do. Our customers noticed.
I was skeptical of embedded compliance. I thought it meant someone sitting in our office eating our snacks. What I got was someone who understood our product architecture better than most of our engineers did after a week.
The table is set. Is this your seat?
No résumé on first touch. No cover letter theater. Just three questions and a conversation. We've set a place for the right person — tell us if that's you.
6 embedded roles · Remote-first · Response within 2 business days