AI Compliance & Privacy Review · $999 · One Week

AI Compliance & Privacy Review — a $999, one-week read on what's leaving your organization.

We find out what sensitive data is already flowing into ChatGPT, Claude, and other AI tools, map it against the regulations that apply to you, and hand you a written remediation plan. $999 flat, one week from discovery call to readout.

One shape, three touchpoints, one written deliverable.

Every AI Compliance & Privacy Review runs the same way: a discovery call, a week of analysis, and a readout with a written remediation plan. No open-ended discovery, no hourly billing.

01 · 30 MIN

Discovery call

We map your workflows, current tools, and regulatory exposure — HIPAA, SOC 2, GDPR, the EU AI Act, and others as applicable to your business.

02 · 1 WEEK

Analysis window

AI usage inventory, risk register, and control-gap analysis, grounded in your actual tool usage, not a generic checklist.

03 · 30 MIN

Readout + remediation plan

We walk through the findings and the prioritized, written remediation plan.

frameworks we map against, as applicable to your business
HIPAA SOC 2 GDPR EU AI Act CCPA NIST AI RMF

What this review does not include.

So there's no ambiguity about what $999 buys.

  • Building, configuring, or deploying remediation controls — that's the optional Tier 2 engagement, quoted separately after you've seen the findings.
  • Formal certification or audit attestation (SOC 2 Type II, HIPAA audit, ISO certification) — those require a licensed auditor, not us.
  • Penetration testing or a technical security assessment of your infrastructure.
  • Legal advice — we map regulatory frameworks; we don't provide legal counsel.
  • Vendor contract negotiation or DPA drafting.
  • Any work outside the one-week analysis window without a separate scoping conversation.

Who this review is built for.

Good fit

  • Your team is already using ChatGPT, Claude, or similar tools, and nobody's mapped what data goes into them.
  • You operate in a regulated or semi-regulated industry (healthcare, finance, education, and similar) and need a documented view of exposure.
  • You want a written risk register and remediation plan you can act on or hand to counsel or security.
  • You can spare one 30-minute interview and reasonable access to your tools or their admin telemetry.

Not a fit

  • You need formal certification or audit attestation — that requires a licensed auditor, not a productized review.
  • You already have a mature GRC program and just need engineering hours to execute — go straight to Services.
  • Your primary concern is productivity, not data exposure — that's the AI Opportunity Review.
  • You're looking for legal advice rather than a technical and operational risk assessment.

What the written remediation plan looks like.

This is the structure of the deliverable, not a real client document — every section below is filled in with your findings, not a generic template.

acme-corp · ai-compliance-brief.pdf sample structure
Deliverable structure
01 Executive summary What's working, what isn't, what's urgent
02 AI usage inventory Tools, workflows, owners, data flows
03 Findings & risk register Severity × likelihood, with examples
04 Control gap analysis Mapped to applicable frameworks
05 Prioritized action plan Phased, with effort estimates
06 Tier 2 scope (optional) If you want us to execute the plan

You get a plan. What you do with it is up to you.

The review stands on its own. If the findings justify more, here's what that looks like.

option 2

Run it yourself

Take the written plan to your own team, counsel, or security function. No obligation — the review stands on its own.

FAQ

What people usually ask before booking a review.

What does the $999 include?

The $999 covers the full engagement: the 30-minute discovery call, the one-week analysis (AI usage inventory, risk register, control-gap analysis, regulatory mapping), the 30-minute readout call, and the written remediation plan — an executive summary, findings, and a prioritized action plan. Done-for-you remediation is a separate, optional Tier 2 engagement, quoted after you've seen the findings.

How much of my team's time does it take?

Mainly the 30-minute discovery call and the 30-minute readout — about an hour total, plus whatever it takes to grant tool access or point us to the workflows where AI tools are already in use. We do the analysis; we don't need your team in meetings all week.

What access do you need?

We start with a structured interview, then, with your permission, review telemetry from the tools you already run (Google Workspace, Microsoft 365, your AI vendors) via standard OAuth and admin scopes, so the inventory reflects what's actually happening. Prefer not to grant access? We work from your team's exports instead. Either way: conversation first, no inbox-trawling.

What happens after the review?

You get a written remediation plan you can act on with or without us. Some teams hand it to their own engineers, counsel, or security function. Others move into Tier 2 (done-for-you remediation, from $2,995). There's no pressure to buy more; the review stands on its own.

What's the difference between this and the AI Opportunity Review?

Same shape, different lens. This review looks at what sensitive data is already flowing into AI tools like ChatGPT and Claude, and what regulatory exposure that creates. The AI Opportunity Review looks for where AI can absorb hours of drudge work your team is already doing manually. Not sure which fits? Book the call and we'll help you pick.

Who is this NOT for?

Teams that need formal certification or audit attestation — that requires a licensed auditor, not a productized review. Teams that already have a mature GRC program and just need engineering hours to execute — go straight to Services. And teams whose primary concern is productivity rather than data exposure — that's the AI Opportunity Review.

Book a 30-minute call

Pick a time below. We'll confirm scope and schedule the one-week analysis window from there.