Architecture & Compliance Review
A 2 to 4 week assessment of your current architecture and compliance posture. We review your codebase, infrastructure, security practices, and processes against the regulatory frameworks that affect your business. You receive a detailed, prioritized roadmap your auditor will respect and your engineering team can actually execute.
01
Best for
VP Engineering or CTO at mid-market regulated company
Companies preparing for audit (SOC2, SOX, PCI-DSS, etc.)
Engineering leaders who inherited legacy systems
Pre-acquisition technical due diligence
Pre-fundraising engineering credibility
02
What is included
Comprehensive end-to-end assessment, from kickoff to leadership presentation. Fixed scope, defined timeline, senior engineer leading.
2 to 4 weeks of senior engineering review
Architecture assessment of current state
Compliance gap analysis vs. relevant frameworks
Security review of critical paths
Performance and scalability assessment
Prioritized roadmap of recommendations (15-30 page document)
Effort estimates per recommendation
Live 90-minute presentation with leadership
30-day follow-up consultation included
03
How it works
Week 1
Discovery + access
Discovery interviews with key stakeholders. Codebase and documentation access setup.
Week 2
Architecture review
Deep architecture, infrastructure, and security review. Compliance audit against relevant frameworks.
Week 3
Synthesis
Roadmap synthesis. Recommendations document draft. Validation with technical stakeholders.
Week 4
Delivery
Live 90-minute presentation with leadership. Final document delivered. 30 days of follow-up consultation.
04
Frameworks we cover
Compliance we have lived on real projects — not learned in a certification course.
Sarbanes-Oxley — internal controls over financial reporting
Payment Card Industry — payment card data handling
Health Insurance Portability — US healthcare data
Service Organization Control — security, availability, confidentiality
General Data Protection Regulation — EU privacy
Anti-money laundering system (Colombia) — relevant for LATAM fintech
Colombian personal data protection regime
Lei Geral de Proteção de Dados (Brazil)
05
Frequently asked questions
How much does it cost exactly?
Pricing starts at USD 5,000 for simple scopes (single-system review). Complex engagements with multiple systems or frameworks can reach USD 15,000. We charge fixed per project, not hourly — no surprises.
Why is it not free?
Charging filters serious clients and reflects the value of the deliverable. Most clients who do the Architecture Review go on to implementation projects. If you need to convince your CFO, we can share references from prior engagements.
What if you find issues we cannot fix internally?
We can execute the recommendations with you — Custom Development, System Modernization, or Senior Team Augmentation. But the roadmap is yours: execute it with your team, another agency, or us.
Do you sign NDAs?
Yes, we sign NDAs before discovery starts. We also work in isolated environments if your compliance requires it (staging-only access, anonymized data, etc.).
Will the report work for our external auditor?
Yes. The document is structured in a format SOC2/SOX auditors recognize. We explicitly identify gaps against relevant controls. It does not replace a formal audit, but serves as a pre-audit assessment.
How fast can we start?
After the discovery call and SOW signature, we typically start within 1-2 weeks. If you have urgency (upcoming audit, investment in discussion), we can prioritize.
Start with a discovery call?
30 minutes. No commitment. I give you honest recommendations — even if you decide not to engage.