
We help organizations become demonstrably ready for the EU AI Act with a remote-first governance model built on Microsoft 365, Copilot Studio and Purview.
Netherlands-based
CDPO · AIGP Certified
Microsoft 365 Native
Evidence-based delivery
EU-wide · Remote-first
The EU AI Act requires documented evidence of governance: not intentions, not policies, and not slide decks. Auditors need structured, traceable proof that your organisation has identified its AI systems, assessed the risks, and put controls in place. Most are not ready.

Organizations are increasingly utilizing AI technology across various departments, including HR, finance, and operations. However, many of these organizations operate without a centralized register or a standardized risk classification system.

DPIAs, FRIAs, and governance records sit in email threads, shared drives, and outdated Word documents, not in a controlled, auditable system.

Most Microsoft 365 tenants have the tools for AI governance but have not activated the controls, labels, and audit trails that evidence requires.

A supervisory authority inquiry requires structured, retrievable documentation, not a consultant's assurance that controls are in place.
Protect your board against the dual risks of data privacy violations and AI liability through our converged governance architecture.
Structured site architecture with document libraries for FRIAs, DPIAs, governance policies, incident records, and audit artefacts. Controlled permissions, version history, and sensitivity labels applied.
AUDIT-READY STORAGE
STRUCTURED CLASSIFICATION
A structured four-week engagement that produces your AI inventory, risk classification, gap analysis, and a prioritised compliance roadmap built on your existing Microsoft 365 environment.
Fixed investment · Delivered remotely
End-to-end implementation of your AI governance infrastructure inside Microsoft 365 from the evidence vault and risk registers to Purview controls, Copilot Studio workflows, and your first completed FRIAs.
Scoped investment · Remote delivery
Continuous compliance monitoring, regulatory update integration, quarterly assessments, and ongoing audit support so your governance infrastructure stays current as the AI Act is enforced.
Monthly retainer · Scales with usage
BUILT FOR MICROSOFT 365
SHAREPOINT
Evidence vault, registers, and version-controlled documentation
MICROSOFT LISTS
AI risk register, FRIA log, DPIA tracker, vendor register
COPILOT STUDIO
Intake workflows, FRIA triggers, DSAR automation
PURVIEW
Sensitivity labels, audit logging, retention, and DLP controls
All governance artefacts remain inside your Microsoft 365 environment. No data is held by a third party. Your evidence is yours, always.
Auditors receive structured, read-only access to the evidence vault through Microsoft 365's permission model — no email attachments, no ad-hoc document requests.
Microsoft Purview provides unified audit logging and DLP controls that make the governance posture visible, searchable, and exportable for regulatory submissions.
Every assessment and classification is reviewed by a qualified compliance professional before archiving. Automation speeds the process. Human judgement ensures defensibility.
Start with a focused AI Act Readiness Call. We will assess your current state and identify the fastest path to documented, audit-ready compliance.
We offer a focused set of remote services to help organisations turn complex privacy, AI governance and EU AI Act obligations into clear, practical action. Each solution is designed for lean teams that need expert support, simple workflows and concrete outcomes rather than long reports.
Watch how we leverage your existing Microsoft 365 environment to inventory your AI, classify risk, and build a prioritized roadmap for the Board.
We’re here to provide the insights and support your business requires.
The Act imposes strict "Duty of Care" requirements. Our architecture ensures you have an automated audit trail to prove oversight and mitigate personal legal risk.
We don't sell hours or PDF reports. We deploy pre-built, M365-native technical architectures that automate the compliance work other firms do manually.
A Fundamental Rights Impact Assessment is required for high-risk AI. Our "Automated FRIA Architect" handles the complexity, providing a legally defensible document in days, not months.
No. Our "Shield" acts as a governance layer that sits around your AI, enabling innovation within safe, compliant boundaries without slowing down your teams.
Yes. If you collect or process personal data, you must provide a privacy policy (or notice) that is transparent, clear and easily accessible.
It should explain what data you collect, how/why you use it, who you share it with (including third parties), data subjects’ rights, retention periods, and security measures.
You must keep personal data no longer than is necessary for the purpose for which it was collected (“storage limitation” principle). This means you should define retention schedules, justify retained data, and periodically review and delete or anonymise when no longer needed.
When a personal-data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, you must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of it. Affected data subjects must also be notified when the breach is likely to result in a high risk to their rights and freedoms.
Yes, but only if specific safeguards are in place. These may include: an adequacy decision on the recipient country, or appropriate safeguards (e.g., standard contractual clauses, binding corporate rules). You must also ensure data subjects are informed and there is documentation of the transfer.
You must appoint a DPO if: your organisation is a public authority, or your core activities require large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data. Even if not mandatory, appointing a DPO is often good practice to oversee compliance.
Individuals (data subjects) have multiple rights, including: right of access, right to rectification, right to erasure (right to be forgotten), right to data portability, right to restrict processing, right to object, and rights related to automated decision-making and profiling. Organisations must facilitate these rights, respond without undue delay, and inform data subjects of their rights.
© 2026 Executive Shield Partners. Registered in the Netherlands.