Compliance

Compliance readiness & audit prep

A buyer, board, or regulator just told you to get compliant. We are the audit-prep experts who get you there fast, SOC 2, ISO 27001, HIPAA, PCI DSS, and privacy law. Fixed scope, real timelines, no auditor-speak. Serving startups and mid-market across Canada and the US.

Book a free 30-minute readiness call

You are probably here because of one of these

The trigger is almost always the same: revenue or funding is at risk, and you do not have time to figure this out yourselves. That is exactly what we remove.

Every framework a North American buyer asks for

We run readiness and audit prep across the frameworks that gate enterprise deals and regulated markets. Each links to a full breakdown of scope, timeline, and what buyers expect.

We are the prep expert, not a Big 4 generalist

The audit itself has to be signed by an independent CPA firm. Everything before that, the part that actually takes the time and causes the pain, is what we own.

01

Prep, remediation, and evidence, done with you

Gap assessment, policies, control implementation, evidence collection, and auditor coordination. You get an outcome and a date, not a stack of templates.

02

Security depth behind the paperwork

Our founder is a published CVE researcher, so controls are designed around real attacker behavior. When your buyer asks a hard technical follow-up, the answer holds.

03

We work on top of Vanta, Drata, or nothing at all

Already have a compliance-automation tool but stuck at 60 percent green? We finish it. Starting from zero? We stand it up. Either way you get to audit-ready.

04

Fixed scope and honest cost

You know the deliverable, the timeline, and the price before you commit. No open-ended hourly meter and no fabricated numbers.

Pick a deadline, not an open-ended project

Productized readiness engagements with a defined scope, timeline, and price. See full pricing.

SOC 2 in 75 Days

Our flagship end-to-end readiness sprint to audit-ready, delivered with Lorikeet Security.

75 daysDetails

SOC 2 Type I in 10 weeks

Point-in-time Type I when a buyer needs proof now and you will follow with Type II.

~10 weeksDetails

ISO 27001 readiness in 16 weeks

ISMS build-out, Statement of Applicability, and internal audit ready for Stage 1 and Stage 2.

~16 weeksDetails

HIPAA audit-prep sprint

Risk analysis, safeguards, BAAs, and PHI policies for digital health teams facing a deadline.

scopedDetails

Guides for your situation

Deciding how to get compliant? Start here.

Get the SOC 2 readiness checklist

The same control-by-control checklist we use to get clients audit-ready. Read it free, or grab the editable version for your team.

Open the checklist

Works well with

Tell us your deadline

Whatever the trigger, a blocked deal, an investor ask, or an expiring audit, we will build the plan to meet it. Free 30-minute readiness call, no pressure.

Book a readiness call

Frequently asked questions

How long does SOC 2 take?

Most clients reach audit-ready in 8 to 12 weeks with our SOC 2 in 75 Days track, and a Type I can be as fast as about 10 weeks. Timing depends on how mature your controls already are. The Type II observation window (typically 3 to 6 months) then runs after readiness is complete, so plan for roughly 4 to 9 months from kickoff to a Type II report.

How much does SOC 2 cost in Canada?

Budget two separate line items: the auditor (an independent CPA firm, often USD 10k to 30k+ depending on scope) and readiness help. Our readiness work is fixed-scope so you know the number before you commit. We are transparent about both up front and never inflate scope. Book a call and we will give you a real range for your situation.

Do you run the audit or just the prep?

We do readiness and audit prep: gap assessment, policies, evidence collection, control remediation, and auditor coordination. We do not sign the attestation, because SOC 2 and ISO 27001 require the preparer and the auditor to be independent. We work alongside your auditor so the exam goes smoothly, and we are the prep experts, not a Big 4 generalist.

SOC 2 or ISO 27001, which should we do first?

If your buyers are mostly North American SaaS and enterprise, SOC 2 usually comes first because that is what their security questionnaires ask for. If you sell into Europe or globally, ISO 27001 often carries more weight. The control sets overlap heavily, so doing one gives you a strong head start on the other. We help you sequence them so you never build the same evidence twice.

We already use Vanta or Drata but are still stuck. Can you help?

Yes, and it is common. Compliance automation tools track controls, but they do not write your policies, close your gaps, choose your auditor, or interpret an ambiguous control. We work on top of your existing Vanta or Drata instance to get you from 60 percent green to actually audit-ready.

Do you serve companies outside Canada?

Yes. We are based in Toronto and work with startups and mid-market companies across Canada and the United States. Frameworks like SOC 2, ISO 27001, HIPAA, and PCI DSS are international, and we deliver readiness remotely across both countries.