European enterprise buyers send 80-question security and privacy questionnaires. Their legal teams want a DPA, a sub-processor list, a named GDPR representative, audit rights, and evidence that the last DSR was answered within the statutory month. We build that pack, and staff the desk behind every section of it, so your sales cycle doesn't die in InfoSec review.
European enterprise procurement runs on a predictable set of privacy and security questionnaire items. Each one maps to a concrete artefact you either have, or your deal stalls.
"Share your GDPR Article 27 representative."
A non-EU controller or processor that falls under Art. 3(2) must designate one in the Union, in writing. We are yours: named on your DPA, published in your privacy notice (Art. 13/14), reachable by every EU supervisory authority.
"Do you have a named DPO?"
Asked by most EU financial, health, and public-sector buyers. We provide a senior privacy counsel as your DPO, with contact details communicated to the supervisory authority (Art. 37(7)) and published for buyers' legal teams.
"Send the DPA, with EU SCCs."
We provide a pre-negotiated DPA template with the Module 2 (controller-to-processor) SCCs, Transfer Impact Assessments (TIAs), and a schedule of sub-processors, already accepted by 200+ enterprise legal teams across Europe.
"Show us your sub-processor list."
A public, live, auto-updated page listing every sub-processor with its role, location, and certifications, plus email notification of intended changes so controllers can object, per Art. 28(2).
"How do you handle DSRs? SLA?"
Hosted DSR inbox with automated triage against the Art. 12(3) deadline (one month from receipt, extendable by two further months for complex or numerous requests). Average response time is 2.1h. Every request is logged, archived, and auditable: evidence for the DD pack.
"Have you had any breaches?"
We maintain an incident register with drill history. The answer is either "none" or a documented incident with its containment and response. Breaches happen, and buyers know it; what matters is that you detected it, contained it, notified within the Art. 33 window where required, and learned from it.
We assemble a single due diligence bundle your AE or legal counsel can send in response to every enterprise procurement request: typically 6 artefacts, 80-odd pages, signed where needed, structured so it can go out under NDA.
The pack lives in your Privacy Center. Every enterprise buyer gets the same pre-assembled, version-controlled bundle. Your AE attaches a link; procurement downloads the ZIP. Answer time: minutes, not weeks.
Two items do the heavy lifting. The DPA and the Art. 27 appointment are what 80% of European InfoSec teams actually scrutinise. Both are pre-cleared with 200+ enterprise legal teams; we have seen the common redlines before, so the procurement lawyer is reading familiar language.
Everything updates automatically. Add a sub-processor → public register updates → buyers get notified. Close a DSR → it's counted in the evidence log. File an incident drill → it drops into the register. Your next DD request never starts from zero.
GDPR is the hinge. The DPO question comes up on roughly 60% of enterprise asks. Privacy Center is where the bundle lives. The rest depends on your product shape: NIS 2 if you sell to digital-infrastructure customers, DSA or AI Act if those regulations apply to your platform.
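The sub-processor workflow above (validate the register, diff it against the last published version, notify controllers of intended changes) is small enough to show end to end. The script below is an added illustration, not the vendor's own tooling; the register entries, the field names, and the adequacy list are constructed for the demo, and the adequacy set is a deliberately partial illustration rather than a legal reference. Its one non-obvious check ties the register to the transfer question: an entry outside the EEA or an adequacy country is blocked from publication unless it records a transfer mechanism (SCCs plus TIA, or DPF for a certified US importer).

```python
"""Sub-processor register check and Art. 28(2) change notice.

Added example, not the vendor's own tooling. Entries, field names and the
adequacy list are constructed for the demo; the adequacy set is a partial
illustration (EEA plus a few adequacy decisions), not a legal reference.
"""
import json

REQUIRED_FIELDS = ("name", "role", "location", "certifications")
# Assumption for the demo: locations needing no transfer mechanism (partial).
ADEQUATE_LOCATIONS = {"EEA", "UK", "CH", "JP"}
# Mechanisms the register may record for a non-adequate location.
TRANSFER_MECHANISMS = {"sccs+tia", "dpf"}

# Constructed sample data: the last published register and the new draft.
PUBLISHED = json.loads("""[
  {"name": "CloudHost", "role": "hosting", "location": "EEA",
   "certifications": ["ISO 27001"]},
  {"name": "MailRelay", "role": "transactional email", "location": "US",
   "certifications": ["SOC 2"], "transfer": "dpf"}
]""")
DRAFT = json.loads("""[
  {"name": "CloudHost", "role": "hosting", "location": "EEA",
   "certifications": ["ISO 27001", "SOC 2"]},
  {"name": "Analytics Co", "role": "product analytics", "location": "US",
   "certifications": []}
]""")


def validate(register):
    """Return problems that should block publication; [] means publishable."""
    problems = []
    for entry in register:
        missing = [k for k in REQUIRED_FIELDS if k not in entry]
        if missing:
            problems.append(f"{entry.get('name', '?')}: missing {missing}")
            continue
        if entry["location"] in ADEQUATE_LOCATIONS:
            continue  # no transfer mechanism needed
        mechanism = entry.get("transfer")
        if mechanism == "dpf" and entry["location"] != "US":
            problems.append(f"{entry['name']}: DPF only covers certified US importers")
        elif mechanism not in TRANSFER_MECHANISMS:
            problems.append(
                f"{entry['name']}: {entry['location']} needs a transfer "
                "mechanism (SCCs + TIA, or DPF)")
    return problems


def diff(published, draft):
    """Names added, removed and changed between two register versions."""
    before = {e["name"]: e for e in published}
    after = {e["name"]: e for e in draft}
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(n for n in set(before) & set(after) if before[n] != after[n]),
    }


def change_notice(published, draft):
    """Text of the Art. 28(2) notice to controllers; None if nothing changed.

    Send it before the draft goes live: Art. 28(2) concerns *intended*
    changes, so controllers get a chance to object.
    """
    d = diff(published, draft)
    if not any(d.values()):
        return None
    after = {e["name"]: e for e in draft}
    lines = ["Sub-processor register update"]
    for n in d["added"]:
        lines.append(f"ADDED: {n} ({after[n]['role']}, {after[n]['location']})")
    for n in d["removed"]:
        lines.append(f"REMOVED: {n}")
    for n in d["changed"]:
        lines.append(f"CHANGED: {n}")
    lines.append("You may object to the intended changes under Art. 28(2) GDPR.")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Blocking problems:", validate(DRAFT))
    print(change_notice(PUBLISHED, DRAFT))
```

Run as-is, the draft is blocked because "Analytics Co" sits in the US with no DPF certification or SCCs recorded, while the notice still lists the added, removed and changed entries so the publication gate and the controller notification come from the same diff.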
Art. 27 appointment · named on your DPA · on record with every EU supervisory authority · UK GDPR representative available as an add-on.
Hosted trust hub · DPA templates · sub-processor register · DSR inbox · incident log · all auto-updated.
Senior privacy counsel as your named DPO · contact details filed with the supervisory authority (Art. 37(7)) · reachable by enterprise legal teams.
NIS 2: incident reporting (Art. 23) · risk-management measures (Art. 21) · enterprise buyers in regulated sectors will ask about this one.
AI Act: Art. 22 authorised representative + Annex IV technical documentation · becoming a standard DD ask for AI-embedded enterprise SaaS.
European AE, CSM, or SE hires · same engagement, locally compliant contracts · live in 5 days.
No. SOC 2 and ISO 27001 answer security questions; GDPR is a privacy regulation with its own obligations (lawful basis, DSRs, transfers, representatives, DPO). The two overlap only at Art. 32 (security of processing), where a SOC 2 or ISO 27001 report is useful evidence. European enterprise buyers ask for both. The typical DD pack includes your SOC 2 report and your GDPR Art. 27 appointment letter in the same ZIP; they're complementary, not alternatives.
You can, and many startups do, then end up with a DPA they cannot cleanly perform ("we'll delete on request" when a sub-processor cannot), or with SCCs that don't fit their transfer posture. Better: lead with your pre-cleared DPA and fall back to theirs only if they insist. Most large buyers accept a well-drafted seller-side DPA.
Post-Schrems II, every EU to US transfer of personal data needs a documented mechanism. For an importer certified under the EU-US Data Privacy Framework (DPF), the 2023 adequacy decision covers the transfer. For anyone else, it's Module 2 SCCs plus a Transfer Impact Assessment documenting the technical and legal safeguards. Our TIA template covers both cases, and we re-paper when an importer's DPF certification changes.
Strictly, a DPO is mandatory only if you meet an Art. 37(1) trigger: public authority, core activities involving large-scale regular and systematic monitoring, or large-scale processing of special-category (or criminal-conviction) data. Practically, enterprise procurement asks whether or not you meet a trigger. If half or more of your target buyers ask "who's your DPO?", having one unblocks deal flow even where it is not legally required.
GDPR representative: appointment same day, notified to the supervisory authority within 5 business days. Privacy Center with the DPA templates and sub-processor list: 24–48h. DPO: 5 business days for onboarding and Art. 37(7) notification. If a deal is stuck specifically on one of these, we'll expedite; most "Q4 close or die" situations land in under a week.
OneTrust is privacy-operations software (DSR workflows, cookie consent, vendor-risk assessment). We are the legal layer underneath: named representatives, a real DPO, counsel who actually negotiate DPAs. Many customers run OneTrust on top of us (tool for the ops, us for the name on the paper). Privacy Center substitutes for the DSR, policy, and sub-processor pieces; cookie consent is not yet part of Privacy Center, so your CMP of choice stays in place.
30-minute discovery call. We'll audit your current DD pack, fill the gaps, and quote the enterprise stack in writing.