popia, audit, sovereign hosting, halal-compatible commercial structures. the trust surface — what the regulator, the auditor, and the board can each verify without us in the room.
the auditor reads the system, not the slide
cadence · embedded + advisory, paired with counsel
term · 4–12 weeks, scope-dependent
deliverable · working papers, audit-ready
leaves with · a trail the auditor reads alone
the work, named.
compliance is a slide deck until the day the auditor walks in. then it is whatever the system actually does. we engineer the system, write the working papers, and brief your counsel so the deck and the system are the same document.
what we engineer.
popia posture — controller register, lawful basis, data subject rights flows, dpia for every product surface.
sovereign hosting — data residency mapped to lawful basis. afrihost / hetzner / your tenancy.
audit trail — append-only, signed, queryable. the auditor reads it without us in the room.
halal-compatible commercial structure — for financing flows that need to avoid riba; pair with islamic-finance counsel.
access control — least privilege, reviewed quarterly, written down. the working paper is the artefact.
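what "append-only, signed, queryable" has to mean for the auditor to read the trail alone, as an added example (not the firm's tooling and not any client's system): each entry carries the sha-256 of the previous line and a signature over its own content, so an edited, deleted, reordered or substituted entry fails verification with no help from whoever wrote the log. the key, events and field names below are constructed for illustration; the signature is hmac-sha256 under a key assumed to be held by the auditor, where production would use an asymmetric signature (ed25519) so a verifying key can be handed over without a secret.

```python
# Added example: hash-chained, HMAC-signed, queryable audit log with an
# independent verifier. Not the firm's tooling. Key, events and field
# names are constructed for illustration.
import hashlib
import hmac
import json

GENESIS = "0" * 64  # value the first entry's "prev" points at (assumed convention)
SEP = (",", ":")    # compact JSON, so signer and verifier hash identical bytes


def canonical(record: dict) -> bytes:
    """Stable serialization: sorted keys, no whitespace."""
    return json.dumps(record, sort_keys=True, separators=SEP).encode()


def sign(key: bytes, record: dict) -> str:
    # HMAC stands in for an asymmetric signature here (assumption: the auditor
    # holds the key). Ed25519 would let a public key be handed over instead.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def line_hash(line: str) -> str:
    return hashlib.sha256(line.encode()).hexdigest()


def append(log: list, key: bytes, event: dict) -> str:
    """Append one event and return the stored line. seq + prev make the log append-only."""
    body = {
        "seq": len(log),
        "prev": line_hash(log[-1]) if log else GENESIS,
        "event": event,
    }
    line = json.dumps({**body, "sig": sign(key, body)}, sort_keys=True, separators=SEP)
    log.append(line)
    return line


def verify(log: list, key: bytes) -> tuple:
    """Walk the chain without any help from whoever wrote it. Returns (ok, reason).

    Detects edits, deletions, reordering and insertions anywhere except at the
    tail: truncating the newest entries is invisible to a hash chain alone, so
    the latest line_hash must be anchored somewhere the operator cannot rewrite
    (e.g. recorded in counsel's signed working paper at each review).
    """
    prev = GENESIS
    for i, line in enumerate(log):
        try:
            rec = json.loads(line)
        except ValueError:
            return False, f"line {i}: not valid JSON"
        sig = rec.pop("sig", None)
        if rec.get("seq") != i:
            return False, f"line {i}: seq {rec.get('seq')} != {i} (entry removed or reordered)"
        if rec.get("prev") != prev:
            return False, f"line {i}: prev hash mismatch (earlier entry altered or replaced)"
        if sig is None or not hmac.compare_digest(sig, sign(key, rec)):
            return False, f"line {i}: bad signature (content altered or wrong key)"
        prev = line_hash(line)
    return True, f"{len(log)} entries verified; head={prev}"


def query(log: list, **where) -> list:
    """Return events whose fields equal the given values, e.g. query(log, actor='eng-1')."""
    out = []
    for line in log:
        ev = json.loads(line)["event"]
        if all(ev.get(k) == v for k, v in where.items()):
            out.append(ev)
    return out


# --- constructed sample data (not real records) ---
SAMPLE_KEY = b"constructed-key-held-by-the-auditor"
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T08:00:00Z", "actor": "eng-1", "action": "grant", "target": "prod-db", "role": "read"},
    {"ts": "2025-03-01T09:30:00Z", "actor": "eng-2", "action": "export", "target": "subject:4711", "basis": "dsar"},
    {"ts": "2025-03-31T17:00:00Z", "actor": "eng-1", "action": "revoke", "target": "prod-db", "role": "read"},
]


def build_sample_log() -> list:
    log = []
    for ev in SAMPLE_EVENTS:
        append(log, SAMPLE_KEY, ev)
    return log


def tampered_copy(log: list) -> list:
    """What a quiet 'fix the record' edit looks like: rewrite one field in place."""
    bad = list(log)
    rec = json.loads(bad[1])
    rec["event"]["basis"] = "consent"  # change the lawful basis after the fact
    bad[1] = json.dumps(rec, sort_keys=True, separators=SEP)
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("clean:  ", verify(log, SAMPLE_KEY))
    print("edited: ", verify(tampered_copy(log), SAMPLE_KEY))
    print("deleted:", verify(log[:1] + log[2:], SAMPLE_KEY))
    print("eng-1:  ", [e["action"] for e in query(log, actor="eng-1")])
```

the verifier is the point: it uses nothing but the log file and the key, so it can run on the auditor's machine. the two things a chain like this cannot give you on its own are tail-truncation detection (anchor the head hash externally, on a schedule) and key separation (the writing side must not be able to re-sign history, which is the argument for an asymmetric key or an hsm-held one in production).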
we are not lawyers. we engineer the system; your counsel signs the legal posture.
we will not sell you a certification. the working paper is the artefact, not a logo.
we will not rubber-stamp a posture that does not hold under audit. we will say so on day one.
we will not write policy you cannot enforce technically. policy and system are one document.
§ posture
the test of compliance work is whether your auditor, your regulator, and your board can each verify the same thing — without you in the room.
how it runs.
three phases. paired with counsel from week one. every primitive a working paper, signed and held.
cadence
read the posture · w. 01–02
engineer the trail · w. 03–10
hand to counsel · w. 11–12
C.01 · read the posture
two weeks. one working paper.
we read your existing posture — policies, systems, contracts. we name the gap between policy and system. counsel reads the paper before scope is signed.
C.02 · engineer the trail
eight weeks. paired with counsel.
we engineer the audit trail, the access controls, the data-subject flows, the incident runbook. every primitive is signed by counsel as we go.
C.03 · hand to counsel
two weeks. then we step out.
closing working paper signed by counsel and engineering. the auditor walks the trail without us. quarterly office hours for twelve months.
this is for you if…
signals.
an auditor or regulator will be in the room within twelve months.
you closed series a / b and the data room is "we are getting to it."
your sector is regulated — health, fin, halal food, telco, public-sector.
you want a halal-compatible financing flow and the legal scaffolding is unclear.
your policy and your system are two documents. they should be one.
not for you if…
you want a compliance logo for the website. we do not sell logos.
you want to outsource counsel. we work with your counsel; we do not replace them.
you want a posture that looks compliant but is not. we will say no on day one.
you do not have engineering capacity to maintain the trail. we leave; the trail must keep running.
commercial shape.
fixed sow scoped to surface. priced in zar; vat applies. halal-compatible structuring available on enquiry.
popia posture · 4 wk · r 320k · fixed scope
controller register, lawful basis, dpia for one product surface. paired with counsel.
halal commercial · 6 wk · r 480k · fixed scope · advisory
commercial structuring for a financing flow. paired with islamic-finance counsel.
example · a fintech, popia + sovereign-hosting build.
a johannesburg fintech with a regulator-pending licence and a data room "in progress for nine months." ten-week build, paired with counsel, audit trail signed end-to-end. data resident in johannesburg; audit-ready on day seventy.
w. 01–02
read the posture.
gap analysis between policy and system. counsel signed the working paper before scope locked.
w. 03–10
engineer the trail.
append-only audit log. data-subject rights flows. quarterly access review automated. dpia for each product surface.
w. 11–12
hand to counsel.
closing working paper signed. auditor walked the trail without us. regulator submission packaged.