ComplyIQ Painel de conformidade · Demo

NexusFlow SAS · B2B SaaS · FinTech · 142 FTE · Paris / EU

Plano completo · Painel em direto · Ligação segura por email

Início
Demo·Demo interativa com dados de exemplo (NexusFlow SAS). O plano pago usa os seus dados de onboarding.

Pontuação global

38/100

Maturidade

Developing · Level 2 of 5

Lacunas críticas

4

Lacunas por prioridade

30 dias8
60 dias10
90 dias7

Conclusões-chave

  • No maintained Record of Processing Activities (RoPA) — GDPR Art. 30 breach risk across 14 processing purposes
  • Incident response plan untested; mean time to contain unknown — NIS2 Art. 23 gap
  • ICT third-party register covers only 62% of critical vendors — DORA & NIS2 supply-chain risk
  • SOC 2 Type II: 11 control exceptions open; customer audit requests at risk
  • Cookie/consent stack not aligned with ePrivacy — marketing tags fire before consent
  • PCI scope creep: staging environment processes live PAN in logs (critical)
  • CSRD double materiality assessment not started — EU customer ESG due diligence blocked
  • HIPAA BAA missing for US telehealth pilot sub-processor

Benchmarks do setor

MetricA sua org.Média do setor
Overall compliance score38/10067/100 (SaaS B2B EU)
Mean time to patch critical CVEs18 days7 days
Vendor risk assessments completed62%89%
DSAR response within SLA78%94%
Security training completion54%91%
Open critical gaps258 (median)

Exposição total

up to €47.2M + certification & contract risk

Lacunas identificadas

25

Regulamentos

9

Resumo executivo

NexusFlow operates a B2B SaaS platform processing EU customer PII, payment metadata, and audit logs across AWS (eu-west-1) with subcontractors in the US (SCCs in place but not fully documented). Our assessment covers nine frameworks selected for FinTech-adjacent SaaS: material gaps exist in incident readiness (NIS2), financial operational resilience (DORA), and core GDPR accountability. Overall compliance maturity is Developing (score 38/100) with CRITICAL concentration in cybersecurity governance and third-party oversight. Estimated aggregate regulatory exposure exceeds €47M when combining GDPR administrative fines, NIS2 penalties, and contractual/certification risks (ISO 27001, SOC 2 Type II renewal in Q3). Leadership should treat the next 90 days as a stabilization program: appoint accountable owners per domain, close Art. 30 and DPIA backlog, complete ICT third-party mapping, and run a board-level tabletop before SOC 2 observation window. This dashboard prioritizes gaps by financial exposure and implementation effort so legal, security, and product can execute in parallel.

Pontuações de conformidade

GDPRHIGH

41

/100

NIS2CRITICAL

26

/100

DORAHIGH

33

/100

ISO 27001HIGH

44

/100

SOC 2MEDIUM

52

/100

PCI-DSSCRITICAL

31

/100

CSRDHIGH

22

/100

HIPAAHIGH

29

/100

PSD2MEDIUM

48

/100