ComplyIQ Tableau de bord conformité · Démo

NexusFlow SAS · B2B SaaS · FinTech · 142 FTE · Paris / EU

Plan complet · Tableau de bord live · Lien sécurisé par e-mail

Accueil
Demo·Démo interactive avec données fictives (NexusFlow SAS). Votre plan payant repose sur vos réponses d'onboarding.

Score global

38/100

Maturité

Developing · Level 2 of 5

Écarts critiques

4

Écarts par priorité

30 jours8
60 jours10
90 jours7

Constats clés

  • No maintained Record of Processing Activities (RoPA) — GDPR Art. 30 breach risk across 14 processing purposes
  • Incident response plan untested; mean time to contain unknown — NIS2 Art. 23 gap
  • ICT third-party register covers only 62% of critical vendors — DORA & NIS2 supply-chain risk
  • SOC 2 Type II: 11 control exceptions open; customer audit requests at risk
  • Cookie/consent stack not aligned with ePrivacy — marketing tags fire before consent
  • PCI scope creep: staging environment processes live PAN in logs (critical)
  • CSRD double materiality assessment not started — EU customer ESG due diligence blocked
  • HIPAA BAA missing for US telehealth pilot sub-processor

Benchmarks sectoriels

MetricVotre org.Moy. secteur
Overall compliance score38/10067/100 (SaaS B2B EU)
Mean time to patch critical CVEs18 days7 days
Vendor risk assessments completed62%89%
DSAR response within SLA78%94%
Security training completion54%91%
Open critical gaps258 (median)

Exposition totale

up to €47.2M + certification & contract risk

Écarts identifiés

25

Réglementations

9

Synthèse exécutive

NexusFlow operates a B2B SaaS platform processing EU customer PII, payment metadata, and audit logs across AWS (eu-west-1) with subcontractors in the US (SCCs in place but not fully documented). Our assessment covers nine frameworks selected for FinTech-adjacent SaaS: material gaps exist in incident readiness (NIS2), financial operational resilience (DORA), and core GDPR accountability. Overall compliance maturity is Developing (score 38/100) with CRITICAL concentration in cybersecurity governance and third-party oversight. Estimated aggregate regulatory exposure exceeds €47M when combining GDPR administrative fines, NIS2 penalties, and contractual/certification risks (ISO 27001, SOC 2 Type II renewal in Q3). Leadership should treat the next 90 days as a stabilization program: appoint accountable owners per domain, close Art. 30 and DPIA backlog, complete ICT third-party mapping, and run a board-level tabletop before SOC 2 observation window. This dashboard prioritizes gaps by financial exposure and implementation effort so legal, security, and product can execute in parallel.

Scores de conformité

GDPRHIGH

41

/100

NIS2CRITICAL

26

/100

DORAHIGH

33

/100

ISO 27001HIGH

44

/100

SOC 2MEDIUM

52

/100

PCI-DSSCRITICAL

31

/100

CSRDHIGH

22

/100

HIPAAHIGH

29

/100

PSD2MEDIUM

48

/100