GDPR and AI Act compliance, done for you.
The GDPR requires a Record of Processing Activities (Art. 30), NIS2 entered force in the Netherlands in 2024, and the EU AI Act phases in from August 2026. Two-week fixed-fee engagements leave you with a populated, audit-ready Readmodel® workspace and the documentation to back it up.
Fixed scope and price
Deliverables in 2 weeks
Workspace yours to keep
Why act now
Three reasons SMEs hire us for the first pass
01
Regulation is moving
A processing register is mandatory under GDPR Art. 30. NIS2 has been in force in the Netherlands since October 2024. The EU AI Act phases in from August 2026 and August 2027. The deadlines are fixed; the time you have to prepare is not.
02
Limited internal capacity
Most SMEs do not have a full-time DPO, and an internal compliance project competes with sales and operations work that pays the bills. A fixed-scope engagement reaches audit-readiness without adding headcount or pausing the business.
03
Fixed price, fixed timeline
Each package has a defined scope, defined deliverables and a defined fee — quoted upfront. The engagement letter sets the boundaries; add-ons are signed off in writing before any extra work begins. No surprise invoicing.
How it works
Four steps. Two weeks. One populated workspace.
No retainers. No open-ended scope. No surprise invoices.
1. 30-minute discovery call
We confirm package fit, scope and timeline. Free, no obligation.
2. We build it in Readmodel®
You complete a short intake worksheet. We populate the project — services, data items, risks, DPIAs — in our subscription.
3. You review (one round)
We share the deliverables for feedback. One revision round is included. Sign-off triggers final delivery.
4. Take ownership or hand back
Subscribe to a Readmodel® plan and we transfer the project to you — or keep the PDFs only and we archive the workspace.
Packages
Three fixed-scope engagements
Each package has a defined scope, deliverables and price. Add-ons are quoted separately. Full scope and exclusions in the engagement letter.
GDPR Quickstart
€2,950
Duration: 2 weeks
For organisations under ~30 people without a documented ROPA.
In scope
- Up to 10 data services and 5 user roles inventoried
- Up to 30 data items mapped to classifications
- Legal basis (Art. 6) and retention period per data item
- Risk register with computed scores per service
- DPIA stubs for the top-3 high-risk services
- Top-5 prioritised action plan and executive briefing
You receive
ROPA PDF, risk register PDF, executive 1-pager, three DPIA stubs, AI executive briefing, action plan.
Book engagement
Full scope and exclusions in the engagement letter.
AI Act Readiness
From €4,500
Duration: 2–3 weeks
For organisations that have deployed or are building AI systems and need clarity on Art. 3 role, risk class, FRIA and Art. 50 transparency.
In scope
- Inventory of up to 8 AI systems
- Art. 3 role classification (provider / deployer / importer / distributor)
- Risk class per system (prohibited / high-risk / limited / minimal)
- Up to 2 Fundamental Rights Impact Assessments (FRIAs)
- Documentation gap analysis (Art. 9, 10, 13, 14, 15)
- Art. 50 transparency review and action plan
You receive
AI System Register PDF, role and risk-class memo, two FRIA documents, gap analysis, action plan with AI Act milestone deadlines, executive briefing.
Book engagement
Full scope and exclusions in the engagement letter.
Sovereignty & Transfer Audit
€3,750
Duration: 2 weeks
For organisations that suspect personal data leaves the EEA via SaaS, sub-processors or hyperscalers and need a defensible Schrems II / GDPR Ch. V position.
In scope
- Up to 15 services mapped with country of processing
- Sub-processor disclosure mapping
- Cross-border flow identification (SCCs, DPF, BCRs)
- Up to 5 Transfer Impact Assessments (Schrems II structure)
- Cookie & tracker inventory + CMP sufficiency check
- AI provider sovereignty memo and action plan
You receive
Cross-border transfer register, country and sub-processor map, five TIA documents, cookie/tracker inventory, CMP memo, AI provider sovereignty memo, action plan, executive briefing.
Book engagement
Full scope and exclusions in the engagement letter.
Deliverables
What you actually receive
Every engagement closes with a delivery pack — PDFs you can show to a regulator, an auditor, your board or your own team.
Populated Readmodel® workspace
Live project with all services, data items, risks, DPIAs and access maps populated. Transferable to your own subscription so you keep working in the same place.
ROPA PDF
GDPR Art. 30 Record of Processing Activities, print-formatted, ready to file or share.
Risk register
Per-service computed risk scores, action items and overdue items flagged.
Executive 1-pager
A non-expert summary built for your board or stakeholder. Plain language, top findings, prioritised actions.
AI executive briefing
A 400–700 word narrative summary of the technical findings, in your language.
Prioritised action plan
Top items to fix first, with effort hints and links to the relevant evidence in your workspace.
About
Who you are working with
Engagements are delivered directly by LOCAVERDI B.V., the company behind Readmodel®. You work with the people who built the tool — not with junior associates assigned by a larger firm.
Background: ten years building data-management software, recent focus on GDPR, the EU AI Act and NIS2. Based in the Netherlands; engagements delivered in English or Dutch.
FAQ
Common questions
Who owns the data we share with you?
You do. We act as your processor under a written DPA (GDPR Art. 28). We do not use your data for any purpose other than the engagement, and we delete it on request or at the end of the contractual retention window.
Can we keep using the workspace after the engagement?
Yes. Subscribe to any paid Readmodel® plan and we transfer the project to your account. If you prefer not to subscribe, you keep all PDF deliverables and we archive the workspace.
What if our scope is bigger than the package?
Each package has defined limits (services, data items, AI systems). Anything beyond is quoted as an add-on at fixed rates — no surprise invoicing. Add-ons are signed off in writing before work starts.
Want to see if a package fits?
A 30-minute discovery call costs you nothing and ends with a clear go / no-go and a written quote.