Global Trust Index: 99.8%
EU Regulatory Sync: Active
Network Latency: 12ms
Uptime (90d): 99.997%
Threat Posture: Nominal
DORA Readiness: Compliant
Edge Nodes: 47 / 47

Services

Security, compliance and technology delivery, scoped tightly.

Engagements are led by the people who deliver them. Each one is shaped around an audit, a regulator, an enterprise customer or a release.

Compliance & Audit Readiness

ISO 27001 Readiness & Implementation

What it is

ISMS scope, risk register, SoA, policies and certification support.

Who it is for

SaaS, fintech and B2B teams heading into certification or enterprise procurement.

Typical outputs

  • Gap assessment
  • Risk register and treatment plan
  • Statement of Applicability
  • Right-sized policy suite
  • Internal audit pack

Why it matters

Enterprise buyers and regulators expect a certificate backed by evidence — not a logo on a website.

Common triggers

  • Enterprise customer due diligence
  • Certification target date
  • Policy and evidence gaps

Typical engagement

6–12 weeks for readiness implementation

PCI DSS Evidence & Payment Security

What it is

Scoping, evidence and remediation across cloud-native payment platforms.

Who it is for

Payment institutions, EMIs and merchants handling card data, including SAQ D.

Typical outputs

  • CDE scoping note
  • Evidence workbook
  • Segmentation review
  • ASV scan coordination
  • Control mapping

Why it matters

Acquirers and brands want traceable evidence per requirement, not an attestation cover sheet.

Common triggers

  • SAQ D evidence work
  • ASV or segmentation findings
  • Payment platform review

Typical engagement

4–10 weeks depending on CDE scope

ICT Risk & Resilience

DORA ICT Risk & Operational Resilience

What it is

DORA Articles turned into governance, registers and operating routines.

Who it is for

Financial entities and ICT third-party providers in scope of DORA.

Typical outputs

  • ICT risk framework
  • Incident classification
  • Resilience testing plan
  • Third-party register
  • Board reporting pack

Why it matters

Regulators, auditors and management bodies expect ownership, not policy that has never been exercised.

Common triggers

  • Board asks for ICT risk clarity
  • Regulator or audit pressure
  • Third-party register and incident process gaps

Typical engagement

6–12 weeks for framework and operating routines

Technology Leadership

Fractional CIO / CTO / ICT Governance

What it is

Senior technology, risk and governance leadership at a fractional cadence.

Who it is for

Founders, boards and executive teams in regulated or growth-stage tech firms.

Typical outputs

  • Technology strategy
  • Board reports
  • Risk and vendor oversight
  • Cloud and security roadmap
  • Regulator-facing narratives

Why it matters

Most firms need senior technology judgement well before they can justify a full-time CIO.

Common triggers

  • No senior technology owner
  • Board reporting needs
  • Audit or regulator-facing technology narrative

Typical engagement

Monthly retainer for fractional CIO support

Secure Engineering & AI

Secure AI & Software Delivery

What it is

Secure architecture, SDLC and AI delivery from prototype to production.

Who it is for

Product, platform and AI teams building for regulated or sensitive environments.

Typical outputs

  • Architecture review
  • Secure SDLC plan
  • DevSecOps practices
  • AI governance notes
  • Refactoring roadmap

Why it matters

Enterprise buyers and regulators now ask about AI the questions auditors used to ask about databases.

Common triggers

  • AI prototype moving to production
  • Data governance concerns
  • Secure architecture review

Typical engagement

2–6 weeks for focused review

Cloud Security & Operations

Cloud Security & Governance

What it is

AWS, Azure and Kubernetes reviews for security, resilience and audit defensibility.

Who it is for

Engineering and platform teams running regulated workloads in public cloud.

Typical outputs

  • Cloud review report
  • IAM and secrets posture
  • Logging and SIEM design
  • BCDR evidence
  • Remediation plan

Why it matters

Identity sprawl, configuration drift and weak logging account for most audit findings we see.

Common triggers

  • AWS/Azure risk review
  • Kubernetes or database security concerns
  • Backup, logging or IAM evidence gaps

Typical engagement

2–6 weeks for focused review

Next step

Not sure where to start?

Tell us the audit, regulator query, customer questionnaire or release driving this. A short call will tell us if we are the right fit.