ComplyIQ Compliance Dashboard · Demo

NexusFlow SAS · B2B SaaS · FinTech · 142 FTE · Paris / EU

Full plan · Live dashboard · Secure link by email

Home
Demo·Interactive demo with sample data (NexusFlow SAS). Your paid plan uses your real onboarding inputs.

Overall score

38/100

Maturity

Developing · Level 2 of 5

Critical gaps

4

Gaps by priority

30 days8
60 days10
90 days7

Key findings

  • No maintained Record of Processing Activities (RoPA) — GDPR Art. 30 breach risk across 14 processing purposes
  • Incident response plan untested; mean time to contain unknown — NIS2 Art. 23 gap
  • ICT third-party register covers only 62% of critical vendors — DORA & NIS2 supply-chain risk
  • SOC 2 Type II: 11 control exceptions open; customer audit requests at risk
  • Cookie/consent stack not aligned with ePrivacy — marketing tags fire before consent
  • PCI scope creep: staging environment processes live PAN in logs (critical)
  • CSRD double materiality assessment not started — EU customer ESG due diligence blocked
  • HIPAA BAA missing for US telehealth pilot sub-processor

Industry benchmarks

MetricYour orgIndustry avg.
Overall compliance score38/10067/100 (SaaS B2B EU)
Mean time to patch critical CVEs18 days7 days
Vendor risk assessments completed62%89%
DSAR response within SLA78%94%
Security training completion54%91%
Open critical gaps258 (median)

Total exposure

up to €47.2M + certification & contract risk

Gaps identified

25

Regulations

9

Executive summary

NexusFlow operates a B2B SaaS platform processing EU customer PII, payment metadata, and audit logs across AWS (eu-west-1) with subcontractors in the US (SCCs in place but not fully documented). Our assessment covers nine frameworks selected for FinTech-adjacent SaaS: material gaps exist in incident readiness (NIS2), financial operational resilience (DORA), and core GDPR accountability. Overall compliance maturity is Developing (score 38/100) with CRITICAL concentration in cybersecurity governance and third-party oversight. Estimated aggregate regulatory exposure exceeds €47M when combining GDPR administrative fines, NIS2 penalties, and contractual/certification risks (ISO 27001, SOC 2 Type II renewal in Q3). Leadership should treat the next 90 days as a stabilization program: appoint accountable owners per domain, close Art. 30 and DPIA backlog, complete ICT third-party mapping, and run a board-level tabletop before SOC 2 observation window. This dashboard prioritizes gaps by financial exposure and implementation effort so legal, security, and product can execute in parallel.

Compliance scores

GDPRHIGH

41

/100

NIS2CRITICAL

26

/100

DORAHIGH

33

/100

ISO 27001HIGH

44

/100

SOC 2MEDIUM

52

/100

PCI-DSSCRITICAL

31

/100

CSRDHIGH

22

/100

HIPAAHIGH

29

/100

PSD2MEDIUM

48

/100