No tracking. No cookie wall.·100 % EU-hosted on Hetzner
Services

When you need the deliverable, not another tool.

A threat model for the audit. A DPIA the regulator will actually read. A gap register the board can act on. We produce it on the same cited engine our customers use — and a senior practitioner reviews and signs every finding.

Read a real deliverable
Fixed scope · from €2,000 · quote and date after a 30-minute call.
The deliverables

Four documents, one standard.

Different regulations, same discipline: every finding cited to the provision, technique, or control it rests on, and every gap marked instead of papered over.

AI Act Readiness Assessment

Classify your AI systems against the EU AI Act, then know exactly which obligations apply before they bite.

  • System inventory and risk classification against Article 5, Article 6, and Annex III
  • Obligations mapped to your role: provider, deployer, importer, or distributor
  • Gap register with per-obligation status, evidence, and owner
  • Board-ready readout and a prioritised remediation plan

See a real run: an EU AI Act high-risk classification for credit scoring the same classification questions this assessment answers, cited to the Act with unresolved national points marked — captured verbatim.

Read the full sample deliverable → the complete document a paid engagement produces, on a fictional provider.

Threat Model as a Service

A structured threat model for your system, built on STRIDE and LINDDUN and your real architecture — typically delivered in 1–2 weeks at a fixed price.

  • Data-flow and trust-boundary mapping for the system in scope
  • Threat enumeration with STRIDE and LINDDUN
  • Prioritised mitigations, each cited to a source framework
  • Delivered as a structured report

See a real run: a STRIDE threat model of an authentication flow threats enumerated and mitigations cited to the source frameworks — captured verbatim.

Read the full sample deliverable → the complete document a paid engagement produces, on a fictional system.

DPIA as a Service

A Data Protection Impact Assessment, done for you and defensible to your regulator.

  • Processing description and a necessity-and-proportionality test
  • Risk assessment from the data subject's perspective
  • Mitigations mapped to GDPR Article 35 and EDPB guidance
  • Article 36 readiness note and an exportable evidence pack

See a real run: a full GDPR Article 35 DPIA for an HR vendor 23 workflow steps, CNIL severity-and-likelihood scoring, and an Article 36 determination — captured verbatim.

Read the full sample deliverable → a complete Article 35 DPIA, walked end-to-end on a fictional employer wellness app.

Compliance Gap Analysis

Where you stand against NIS2, DORA, ISO 27001, GDPR, and the EU AI Act — as a cited report, scoped at article and control level.

  • Scoped to your frameworks: ISO 27001, NIS2, DORA, GDPR, the EU AI Act, and sector regulators
  • Cited findings, each tracing to the provision and your own evidence
  • Delivered as PDF, CSV, and GRC-tool import format
  • Senior-reviewed before it ships

See a real run: a gap analysis built from a security policy requirements retrieved and cited to NIS2 and DORA at article level — captured verbatim.

Read the full sample deliverable → a complete NIS2 gap analysis, produced end-to-end on a fictional client.

How an engagement runs

Fixed scope, from €2,000.

No day rates, no open-ended discovery. The scoping call ends with a fixed price and a date in writing.

  1. 1

    Scoping call

    30 minutes. You leave with a fixed quote and a delivery date — or an honest “you don’t need this.”

  2. 2

    Intake

    Under your NDA, over EU-hosted upload. Architecture, processing records, policies — whatever the scope needs.

  3. 3

    Assessment

    Run on the Ansvar gateway, so every finding is grounded in the cited corpus — the same engine our customers use.

  4. 4

    Senior review

    A practitioner validates every finding and signs the result. Nothing ships on model output alone.

  5. 5

    Readout

    A walkthrough of the findings, then the deliverable and its evidence pack are yours to keep.

The quality contract

Same gateway, same citation contract, same refusal discipline.

Three things are true of every Ansvar engagement, regardless of which deliverable you buy.

01

Citation-grounded

Every finding traces to the underlying provision through the Ansvar gateway — same MCP, same citation contract that the public-tier customers use. No LLM-generated citations.

02

Expert-validated

Every finding is fully validated and reviewed by the expert who delivers it — always. Not a separate second pass; the expert stands behind every cited fact before it ships.

03

Refusal discipline

The expert does the research, and only validated information goes into the deliverable. When a regulation isn't in the corpus or a citation can't be verified, the gap is marked visibly — never filled with unvalidated prose.

Compliance metadata included. Every engagement ships with an added package of metadata about the end-to-end delivery — the sources, validation, and provenance behind each finding — built for your own compliance and audit records.
Questions buyers ask

Before you book the call

Who actually does the work?
The research runs on the Ansvar gateway — the same cited engine our customers use — and every finding is validated and reviewed by the senior practitioner who delivers it. Nothing ships on model output alone.
What do we need to provide?
Enough to scope honestly: an architecture sketch or data-flow diagram for a threat model; processing records and the DPO's view for a DPIA; existing policies and evidence for a gap analysis. We work under your NDA, and intake runs over EU-hosted upload.
How long does an engagement take?
Scope drives it, so you get the delivery date in writing together with the fixed quote. The scoping call itself is 30 minutes.
Is this legal advice?
No. Ansvar is not a law firm and the deliverables are not legal advice — they are cited compliance analysis: every conclusion traces to the provision it rests on, and judgment calls are marked as judgment calls instead of buried in prose. That format is deliberate, so your counsel can check every line and take the legal position.
Can we run these ourselves instead?
Yes. The same workflows — gap analysis, DPIA, threat models, AI Act readiness — run self-serve on the Team tier and produce the same cited artefacts. The service exists for when you need it done, reviewed, and signed by someone who does this daily.
What lands in our hands at the end?
The deliverable itself plus a compliance-metadata package — the sources, validation, and provenance behind each finding — built for your own audit records. Everything is yours to keep.

Tell us what has a date on it.

A threat model, a DPIA, a gap register, an AI Act classification — or something we haven't listed. If it can be cited, it can be delivered. We come back within two working days.

Prefer self-serve? See Team