English GRC exists because growing tech companies shouldn't have to choose between hiring an expensive big-city consultancy and winging SOC 2 with a template pack.
Every control we recommend has to earn its place. If it doesn't make your product safer or your next enterprise deal easier, we won't sell you on implementing it.
You'll work with the same senior practitioner from the first call to the signed auditor's letter. No bait-and-switch to a junior team after the contract is signed.
Policies you'll actually follow. Controls that reflect how your team actually builds. Evidence that holds up when an auditor asks the follow-up question.
Tech companies in the 5–50 person range, typically in New Brunswick and across Canada, usually one or two enterprise contracts away from needing a real security story.
Seed → Series B, SaaS & AI, HealthTech, FinTech.
Fixed-fee for bounded engagements (gap analyses, policy packs, SOC 2 readiness). Monthly retainer for fractional work. We'll quote a range on the first call.
Transparent. No hour-padding.
We don't sell tools we don't use. We don't staff audits we don't run. If you need something outside our wheelhouse, we'll tell you and, where we can, point you to someone we trust.
No reseller agreements. No kickbacks.
A 30-minute conversation is usually all it takes to figure out whether we can help — and if not, where you should look instead.