Where most SDLCs have hidden privacy risk

Governance
"We have a privacy policy" isn't the same as having a privacy programme.
Do you know your team's actual privacy risk appetite, and can you measure whether your controls are working? We score whether privacy governance is embedded in your SDLC or just sitting in a document nobody reads.

Implementation
Most teams track bugs. Few track which bugs are actually PrivSec risks.
A secure build process, dependency hygiene, and least-privilege secret management are table stakes, but do your developers actually differentiate PrivSec defects from normal issues, and act on them? We assess how rigorously privacy is built into your code, not bolted on afterwards.

Design
If your team isn't threat modelling for privacy, you're designing in blind spots from day one.
From risk-classifying your apps to evaluating the privacy track record of every vendor and AI tool you adopt, this is where most teams skip steps they can't afford to. We assess whether privacy is designed in before the architecture is locked.

Verification
Testing that features work is not the same as testing that privacy features work correctly - or can't be abused.
Do you test for how your app could be misused, not just whether it functions? We assess whether your verification covers PrivSec feature correctness, abuse scenarios, automated scanning, and high-risk component review, not just a QA checklist.

Operations
PII in dev environments and unpatched systems are two of the most common audit findings - and most avoidable.
From configuration hardening and patch discipline to how you handle personal data in dev environments and decommission end-of-life components, this is where real-world exposure lives. We assess whether your production privacy posture holds up in practice, not just in theory.
20 Years Navigating Privacy, Tech, & GRC
Ross Saunders is a 'Nerd with Trust Issues' with over 20 years of experience navigating the complex intersection of privacy, technology, and cybersecurity governance.
With a background in Software-as-a-Service and more than a decade dedicated to governance consulting in privacy and security, Ross has helped organizations translate regulatory requirements into actionable strategies.
He has served as Chief Privacy Officer in both in-house and fractional roles at several global software companies across multiple verticals, including GRC, hospitality, gaming, and hardware.

