ENTERPRISE BUNDLE · GDPR ART. 28 · SOC 2 TSC · ISO 27001

Compliance documentation for enterprise procurement, executed in 48 hours.
DPA, sub-processor registry, audit evidence, 4-hour breach SLA.

Enterprise customers stop sending RFPs to vendors that cannot produce a GDPR Article 28 Data Processing Agreement, a SOC 2 Type II evidence package, and ISO 27001 control mapping in the first 30 minutes of a security review. The DLA Piper GDPR Fines Survey reported cumulative fines above EUR 7.1 billion since 2018, with the Spanish AEPD alone issuing over 40 sanctions in 2024 where missing or inadequate DPAs were a contributing factor. The Finnish Data Protection Ombudsman fined a healthcare processor EUR 608,000 partly for a DPA missing adequate data deletion provisions. Compliance Pack closes the documentation gap for ASH customers selling into procurement processes that demand processor controls evidence.

What you receive at order time: a GDPR Article 28-compliant DPA covering all eight mandatory clauses (documented instructions, confidentiality, security measures, sub-processor authorisation, data subject assistance, breach assistance, deletion or return, audit support), executed digitally and counter-signed within 48 hours; sub-processor list maintained as Annex 3 with general authorisation model and 30-day advance notice on changes; SOC 2 Type II evidence package mapping our operational controls to the AICPA Trust Services Criteria; ISO 27001 Annex A control alignment documentation; sanitised annual third-party penetration test report; Records of Processing Activities (Article 30) template you adapt for your operations; 4 hours per quarter of DPIA support; documented 4-hour breach notification SLA. EUR 2,499 setup, EUR 449 monthly. No multi-year commitment.

Setup EUR 2,499
Monthly EUR 449
DPA execution ≤ 48 hours
Breach SLA 4 hours
framework coverage matrix

What Compliance Pack covers, what it does not, and where the gaps are.

Click a framework to see exactly which obligations we deliver evidence for, which we partially support, and which require a different vendor or framework. We publish this matrix because most "compliance bundles" in our market hide the gaps; we surface them up front so your procurement team can plan accordingly.

why this exists

The economics of missing compliance documentation.

The EU GDPR has been in force since May 25, 2018. Cumulative fines reached EUR 7.1 billion by January 2026 according to DLA Piper's annual fines survey, with the trajectory accelerating year over year. A growing share of enforcement actions target processor agreements directly: the Spanish AEPD issued over 40 sanctions in 2024 alone where missing or insufficient DPAs were a contributing factor; the Danish DPA found that 35% of processor agreements reviewed in a 2024 audit failed to include adequate sub-processor flow-down clauses; the Finnish Data Protection Ombudsman fined a healthcare processor EUR 608,000 partly because the DPA lacked adequate data deletion provisions. Article 28 is no longer a checkbox; it is an active enforcement surface.

The cost extends beyond fines. Enterprise procurement processes treat the absence of a DPA, SOC 2 report, or ISO 27001 documentation as immediate disqualification. Security questionnaires from Fortune 500 buyers run 200-400 questions covering processor obligations, encryption practices, access controls, breach handling, sub-processor management, audit rights, and data deletion procedures. Vendors that cannot answer these questions with documented evidence within 48-72 hours fall off the shortlist. SOC 2 Type II audits typically require 12-18 months to complete; ISO 27001 certification runs 18-24 months. The market has produced an arbitrage opportunity: vendors with mature operational practices can deliver evidence-based compliance documentation immediately while pursuing formal certification on a longer timeline.

Compliance Pack does not promise certifications we do not hold. We are not a SOC 2 Type II certified entity; we are not an ISO 27001 certified entity. What we deliver is the evidence package that supports your SOC 2 Type II audit by mapping our controls to the AICPA Trust Services Criteria, the documentation that aligns with ISO 27001 Annex A controls, and a fully GDPR Article 28-compliant DPA executed at order with all eight mandatory clauses. For most enterprise procurement processes, this evidence package is sufficient. For customers who specifically require a fully SOC 2 Type II certified processor (some financial services, some healthcare), we are honest that ASH is not the right fit and refer to certified providers.

The pricing model reflects the economics. Setup of EUR 2,499 covers DPA preparation, sub-processor list documentation, evidence package compilation, control mapping work, and digital execution. Monthly EUR 449 covers ongoing maintenance: sub-processor change notifications, annual evidence refresh, breach notification SLA staffing, DPIA support hours (4 per quarter), audit response capacity, and document version control. Total annual cost EUR 7,887 first year, EUR 5,388 second year onward. Compared to the EUR 50K-150K typical SOC 2 Type II audit cost or EUR 80K-200K ISO 27001 certification cost, Compliance Pack provides a different value proposition: ongoing evidence delivery rather than periodic certification.

article 28 compliance check

Self-audit your current DPA against GDPR Article 28(3) requirements.

Run your existing vendor DPA (or your own if you are a processor) through the eight mandatory checks below. A single missing clause makes the DPA non-compliant under Article 28(3) and creates direct enforcement exposure. Our Compliance Pack DPA is engineered to pass all eight checks at execution.

included components

Eight components, delivered as documented artefacts.

01

GDPR Article 28 DPA

Pre-drafted Data Processing Agreement covering all eight mandatory clauses of Article 28(3). Executed at order time within 48 hours. Counter-signed by ASH legal entity. Includes Annex 1 (processing details), Annex 2 (security measures pursuant to Article 32), Annex 3 (sub-processor list with general authorisation model). Updated when EDPB issues binding guidance.

02

Sub-processor registry

Living Annex 3 listing all current sub-processors with role, location, and protection guarantees. Categories: upstream colocation operators per datacenter region, DDoS scrubbing partner, DNS provider, fiat payment processor (cryptocurrency transactions have no traditional sub-processor). 30-day advance notice on changes; right to object and terminate without penalty.

03

SOC 2 Type II evidence

Mapping document linking ASH operational controls to AICPA Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, Privacy. For each criterion, evidence references our internal documentation, log retention policies, access controls, encryption practices. Designed for inclusion in your own SOC 2 audit as third-party controls evidence.

04

ISO 27001 alignment

Control alignment matrix mapping our practices to the 93 controls of ISO 27001 Annex A. Honest disclosure of which controls we fully implement, which we partially cover, and which require complementary controls on your side as data controller. Useful both for your own ISO 27001 certification and for vendor security reviews requiring control documentation.

05

Penetration test report

Annual third-party penetration test of ASH infrastructure conducted by independent CREST or equivalent-accredited firm. Sanitised report (vulnerabilities remediated, scope of test, findings severity distribution) released to Compliance Pack customers under NDA. Full unsanitised report available to customers conducting on-site audit.

06

RoPA template (Article 30)

Records of Processing Activities template aligned with GDPR Article 30 obligations. Pre-populated sections for the processing activities ASH performs on your behalf (categories of data subjects, types of personal data, recipients, transfers, security measures). Adapt for your full RoPA or include as a supplement covering ASH-related processing.

07

DPIA support hours

4 hours per quarter of dedicated support from our compliance team for high-risk processing reviews. Use cases: assessing whether new processing activities require Article 35 DPIA, reviewing your DPIA drafts, providing technical input on security measures, supporting prior consultation with supervisory authorities under Article 36 if needed.

08

4-hour breach SLA

Documented commitment: ASH notifies affected controllers within 4 hours of confirmed security incident classification. Notification includes incident scope, affected data categories, root cause status, remediation in progress. Your remaining 68 hours of GDPR Article 33 budget go to investigation and supervisory authority notification, not to chasing your processor.

how the controls map

Cross-framework control overlap.

Most security controls satisfy obligations across multiple frameworks at once. The matrix below shows how seven of our common operational practices map to GDPR, SOC 2, and ISO 27001 simultaneously. The overlap is the reason a single Compliance Pack can deliver evidence value across multiple procurement requirements without redundant work.

| Control | GDPR reference | SOC 2 TSC | ISO 27001 Annex A |
|---|---|---|---|
| Encryption at rest and in transit | Art. 32(1)(a) | CC6.1, CC6.7 | A.8.24, A.5.34 |
| Access management with least privilege | Art. 32(1)(b) | CC6.1, CC6.2, CC6.3 | A.5.15, A.5.18, A.8.2 |
| Breach notification within statutory window | Art. 33, Art. 34 | CC7.3, CC7.4 | A.5.24, A.5.25, A.5.26 |
| Vendor risk management with DPAs | Art. 28, Art. 28(4) | CC9.2 | A.5.19, A.5.20, A.5.22 |
| Incident response and business continuity | Art. 32(1)(c) | CC7.3, CC7.5, A1.2 | A.5.24-A.5.30, A.8.13 |
| Personnel confidentiality and training | Art. 28(3)(b), Art. 32(4) | CC1.4, CC1.5 | A.6.2, A.6.3, A.6.6 |
| Logging and monitoring with retention | Art. 32(1)(b), Art. 30 | CC4.1, CC7.1, CC7.2 | A.8.15, A.8.16, A.5.28 |

The same encryption standard satisfies GDPR Article 32, SOC 2 CC6.1, and ISO 27001 A.8.24 simultaneously. The same access management practice covers obligations across all three frameworks. Compliance Pack documents these overlaps so a single procurement review covers multiple framework requirements rather than three sequential reviews against three different standards.

when this fits

Operational profiles where Compliance Pack pays for itself.

01

SaaS selling to mid-market and enterprise

Marketing automation platforms, CRMs, ESP whitelabels, transactional email APIs selling to companies that run procurement security reviews. Without Compliance Pack documentation you fail vendor questionnaires; with it you close deals that would otherwise disqualify you for documentation gaps.

02

Email infrastructure for healthcare-adjacent operations

Operations sending to or processing personal data of healthcare organisations subject to HIPAA in the US or equivalent regimes elsewhere. Compliance Pack does not deliver HIPAA Business Associate Agreement obligations directly but supports the broader compliance posture that healthcare buyers screen for.

03

Financial services email operations

Banks, insurance, fintech, payment processors sending transactional or marketing email subject to sectoral oversight (FCA, BaFin, MAS, SEC). These buyers run extensive vendor security reviews and require detailed control evidence. Compliance Pack supports the procurement process; firm-specific regulatory obligations may require additional documentation.

04

EU-resident processor obligations

Companies established in the EU acting as data processors for EU controllers. Article 28 obligations apply directly; missing or inadequate DPA creates direct enforcement exposure with the supervisory authority of the controller. Compliance Pack DPA is engineered to pass Article 28(3) audit on all eight clauses without remedial work.

05

SOC 2 Type II audit support

Customers running their own SOC 2 Type II audit need third-party controls evidence for vendors in their data flow. Compliance Pack mapping document allows your auditor to document ASH controls as part of your audit scope without requiring ASH itself to be SOC 2 certified. Functional substitute when the full certified subprocessor model is excessive.

06

Multi-jurisdictional compliance posture

Operations selling across EU (GDPR), UK (UK GDPR and Data Protection Act 2018), Switzerland (revFADP), and other Convention 108-aligned jurisdictions. Compliance Pack documentation translates across substantively similar frameworks; the same DPA structure supports controllers in multiple jurisdictions with framework-specific annexes available on request.

questions before you order

Frequently asked.

What is in the Compliance Pack?

A bundle that delivers documentation and operational practices required for enterprise procurement reviews against GDPR (specifically Article 28 DPA and Article 30 records of processing), SOC 2 Trust Services Criteria, and ISO 27001 controls. Components: GDPR Article 28-compliant DPA executed at order time with all eight mandatory clauses; sub-processor list maintained as Annex 3 with advance notice on changes; SOC 2 Type II evidence package mapping our controls to AICPA Trust Services Criteria; ISO 27001 control alignment documentation; sanitised annual third-party penetration test report; Records of Processing Activities template (Article 30); 4 hours per quarter of DPIA support for high-risk processing reviews; breach notification SLA committing to 4-hour notice from confirmed detection. Setup EUR 2,499 once; recurring EUR 449 monthly.

Why does email infrastructure need a separate compliance bundle?

Because email touches personal data at scale. When a customer (data controller) sends marketing campaigns through your infrastructure, you become a data processor under GDPR Article 28, which mandates a written contract with eight specific clauses. The DLA Piper GDPR Fines Survey reported cumulative fines exceeding EUR 7.1 billion since 2018, with a growing share of enforcement targeting inadequate or missing processor agreements. Spanish AEPD issued over 40 sanctions in 2024 alone where DPA absence or insufficiency was a contributing factor. Without a Compliance Pack, you and your customers carry shared liability up to EUR 20M or 4% of global turnover. Enterprise buyers increasingly require SOC 2 Type II reports and ISO 27001 alignment in vendor security questionnaires before signing; absence of these blocks deals regardless of product quality.

Are you SOC 2 Type II certified or just aligned?

We are honest about this distinction. ASH is not currently a SOC 2 Type II certified entity. We provide an evidence package that maps our operational controls to the AICPA Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) so your auditor can document our practices in your own SOC 2 audit. We deliver penetration test reports from independent third parties, our internal control documentation, our incident response procedures, and our access controls evidence. For customers requiring a fully SOC 2 Type II certified processor, we can refer you to certified providers; we are transparent that the evidence package model serves customers running their own SOC 2 attestation rather than seeking a fully certified subprocessor.

How fast do you respond to breach notification obligations?

We commit to a 4-hour breach notification SLA from the moment we confirm a security incident affecting customer personal data. The SLA is measured from internal incident classification to outbound notification. GDPR Article 33 gives controllers 72 hours from awareness to notify supervisory authorities; our 4-hour processor notification gives controllers approximately 68 hours of working time to investigate, document, and notify. The Compliance Pack includes a documented escalation chain, designated incident commander on rotation, and templated breach notification content that controllers can adapt for their submissions. Notifications include incident classification, scope of affected data, root cause analysis status, and remediation steps in progress.

How do you handle sub-processors and Annex 3 changes?

We operate under the general authorisation model permitted by GDPR Article 28(2). Our current sub-processor list is published and maintained as Annex 3 of the DPA: the upstream colocation operators in each datacenter region, our DDoS scrubbing partner, our DNS provider, our payment processor for fiat transactions (cryptocurrency transactions have no traditional sub-processor chain). Any change to the sub-processor list triggers email notification to all Compliance Pack customers at least 30 days before the change becomes effective. Customers retain the right to object under Article 28(2); if a controller objects, we either find a workaround (route data away from the new sub-processor) or the customer can terminate without penalty. We have not yet had a Compliance Pack customer object to a sub-processor change.

What is the difference between SOC 2, ISO 27001, and GDPR?

Three different things that overlap. SOC 2 is an attestation framework from the AICPA designed for service organisations: a third-party CPA audits whether stated controls are designed (Type I) or operating effectively over a period of 3-12 months (Type II) against five Trust Services Criteria. ISO 27001 is an international standard for Information Security Management Systems: certification by an accredited body confirms that a documented ISMS exists and is operating, against 93 controls in Annex A. GDPR is European Union law on personal data protection: directly applicable, no certification involved, supervisory authority enforcement with fines up to EUR 20M or 4% of global turnover. Substantively, the controls overlap heavily: encryption at rest, access management, breach notification, vendor management, and so on appear in all three. Operationally, the proof differs: SOC 2 wants auditor attestation, ISO 27001 wants ISMS documentation and certification body audit, GDPR wants demonstrable accountability through contracts (DPA), records (RoPA), and security measures (Article 32).

Does the Compliance Pack cover EU AI Act obligations?

Partial coverage. The EU AI Act enforcement begins August 2026 for high-risk AI systems requiring conformity assessments. Email infrastructure itself is not classified as a high-risk AI system; standard PowerMTA, MailWizz, and bounce processing pipelines are not AI systems under the Act definition. However, customers running AI-driven email content generation, AI-driven recipient targeting, or AI-based deliverability optimisation may have AI Act obligations as deployers or providers. Our Compliance Pack documentation clarifies which parts of our infrastructure include any AI components (currently: none in the email send path; some optional analytics features use ML-based anomaly detection clearly disclosed in DPA Annex 1). We are tracking AI Act enforcement guidance from supervisory authorities and will update Compliance Pack documentation as guidance crystallises during 2026.

Can I conduct an audit of your infrastructure?

Yes, with practical limits. GDPR Article 28(3)(h) gives controllers the right to conduct audits or appoint auditors. Our Compliance Pack supports three audit modalities. First, paper audits: we provide our internal documentation, third-party penetration test reports, control mapping evidence, and answer follow-up questions in writing. This satisfies most enterprise procurement reviews. Second, virtual audits: we make subject matter experts available for video calls covering specific control areas (incident response, access management, encryption, sub-processor management). Third, on-site audits: physical facility visits in our datacenter regions, scheduled with 30 days notice and conducted under NDA. On-site audits beyond one per year per controller carry an additional fee of EUR 2,500 to cover staff coordination and facility access; the first audit per year is included.

Compliance evidence packaging across the pack scope

The compliance pack consolidates evidence packaging across multiple compliance frameworks rather than producing separate evidence for each framework independently. The consolidation produces operational efficiency for organizations subject to multiple frameworks simultaneously.

SOC 2 evidence covers CC7.2 (logging), CC7.3 (system monitoring), CC6.1 (logical access controls), CC6.7 (data transmission). ISO 27001 evidence covers A.8.15 (logging), A.8.16 (monitoring), A.8.20 (network controls), A.8.24 (cryptography). PCI DSS evidence covers Requirements 3.6 (key management), 4.2 (cryptography in transit), 10.4 (audit log review), 10.5 (audit log retention). GDPR evidence covers Article 30 (records of processing) and Article 32 (security of processing).

The cross-framework consolidation maps individual evidence artifacts to the relevant controls across all applicable frameworks. A single piece of audit evidence (DKIM rotation event with cryptographic attestation) maps to SOC 2 CC6.1, ISO 27001 A.8.24, and PCI DSS 3.6 simultaneously. Organizations under multiple frameworks gain operational efficiency from the consolidation rather than producing parallel evidence for each framework.
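The cross-framework overlap matrix in the "how the controls map" section and the evidence consolidation described here, worked as a small crosswalk in Python. This is an added example, not the pack's own tooling: it transcribes the page's seven-practice matrix for GDPR, SOC 2 and ISO 27001 (the A.5.24-A.5.30 range expanded to the individual ISO 27001:2022 controls; PCI DSS is left out because the page gives no per-practice PCI mapping), and the practice identifiers and the sample set of evidenced practices are assumptions. Given which practices a processor can evidence, it reports the controls covered, the open gaps per framework, and the controls that more than one practice satisfies.

```python
"""Cross-framework crosswalk, constructed from this page's overlap matrix.
Reports covered controls, open gaps, and controls hit by more than one practice."""
from collections import defaultdict

# Practice -> framework -> controls, transcribed from the page's matrix.
# Practice names are assumptions; "A.5.24-A.5.30" is expanded to ISO 27001:2022 controls.
CROSSWALK = {
    "encryption": {
        "GDPR": {"Art. 32(1)(a)"},
        "SOC2": {"CC6.1", "CC6.7"},
        "ISO27001": {"A.8.24", "A.5.34"},
    },
    "least_privilege_access": {
        "GDPR": {"Art. 32(1)(b)"},
        "SOC2": {"CC6.1", "CC6.2", "CC6.3"},
        "ISO27001": {"A.5.15", "A.5.18", "A.8.2"},
    },
    "breach_notification": {
        "GDPR": {"Art. 33", "Art. 34"},
        "SOC2": {"CC7.3", "CC7.4"},
        "ISO27001": {"A.5.24", "A.5.25", "A.5.26"},
    },
    "vendor_risk_dpas": {
        "GDPR": {"Art. 28", "Art. 28(4)"},
        "SOC2": {"CC9.2"},
        "ISO27001": {"A.5.19", "A.5.20", "A.5.22"},
    },
    "incident_response_bcp": {
        "GDPR": {"Art. 32(1)(c)"},
        "SOC2": {"CC7.3", "CC7.5", "A1.2"},
        "ISO27001": {f"A.5.{n}" for n in range(24, 31)} | {"A.8.13"},
    },
    "personnel_confidentiality": {
        "GDPR": {"Art. 28(3)(b)", "Art. 32(4)"},
        "SOC2": {"CC1.4", "CC1.5"},
        "ISO27001": {"A.6.2", "A.6.3", "A.6.6"},
    },
    "logging_monitoring": {
        "GDPR": {"Art. 32(1)(b)", "Art. 30"},
        "SOC2": {"CC4.1", "CC7.1", "CC7.2"},
        "ISO27001": {"A.8.15", "A.8.16", "A.5.28"},
    },
}

def covered_controls(practices):
    """Controls evidenced by the given practices, keyed by framework."""
    out = defaultdict(set)
    for p in practices:
        for fw, ctrls in CROSSWALK[p].items():
            out[fw] |= ctrls
    return dict(out)

def gap_report(practices):
    """Matrix controls the given practices leave unevidenced, per framework."""
    have = covered_controls(practices)
    return {fw: sorted(c - have.get(fw, set()))
            for fw, c in covered_controls(CROSSWALK).items()}

def overlapping_controls():
    """Controls satisfied by more than one practice: one artefact, several frameworks."""
    hits = defaultdict(set)
    for p, mapping in CROSSWALK.items():
        for fw, ctrls in mapping.items():
            for c in ctrls:
                hits[(fw, c)].add(p)
    return {k: sorted(v) for k, v in hits.items() if len(v) > 1}
```

Running `gap_report(["encryption", "least_privilege_access", "logging_monitoring"])` shows the procurement gaps (for example SOC 2 CC9.2 and GDPR Art. 28) that a vendor with only those three practices would still have to evidence.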

Order Compliance Pack.

Telegram conversation takes 15-25 minutes to confirm scope, processing details for Annex 1, and customer legal entity for DPA execution. DPA counter-signed and delivered within 48 hours. Evidence package and ISO 27001 alignment documentation delivered within 5 business days. Sub-processor registry and breach SLA active immediately. Cancel anytime; no minimum term.

Median Telegram response: 12 minutes during operating hours