Why We Built Our Entire Service Model Around Compliance

22 Jun 2026
by Guido van Beek, CTO & Co-founder
Editor: Nadiy, Senior Content Writer


Most software agencies treat compliance as a checkbox. A client asks if you're ISO 27001 certified, you say you're working on it, and everyone moves on. We took a different approach. When we redesigned how we work with clients post-launch, we made compliance the backbone of the entire model. Not because a consultant told us to. Because when you actually look at what enterprise clients need from a long-term software partner, compliance and quality of service turn out to be the same thing. Here is how we think about it, and why it changed everything about how we structure our engagements.
The problem with the old model
For years, the post-launch conversation in software agencies has gone something like this: the product is delivered, the client signs an SLA, and a monthly fee is invoiced for "support and maintenance." The SLA has response time matrices and priority levels. Everyone files it away and hopes nothing goes wrong.
The problem is that this model is largely theatre. The SLA defines what happens when something breaks. It says nothing about what is being done to make sure things do not break. There is no monitoring commitment, no reporting obligation, no documentation trail. The agency responds when called. The client pays for the peace of mind of knowing someone will pick up the phone.
For a startup founder who trusts you, that is fine. For a corporate innovation team with a procurement department and a legal team, it is not enough. They will ask questions you cannot answer.
What compliance actually requires
ISO 27001 is not a technical standard in the narrow sense. It is a management standard. It defines how you handle information security as an ongoing practice, not a one-time setup.
In practical terms, for a software platform, it requires:
Continuous monitoring. You need to know what is happening in your systems at all times. Error rates, performance, access patterns, infrastructure health. Not when a client reports a problem. Continuously, with documented evidence.
An incident log. Every significant event (a service interruption, a security finding, an unexpected access attempt) needs to be recorded, investigated, and documented. Not just fixed and forgotten.
A change management log. Every change to the production environment needs to be tracked. Who approved it, what was changed, when, and why. This is what makes a system auditable.
Access control. Who has access to what, reviewed regularly. This sounds basic but most agencies have no formal record of which developer has production credentials for which client.
Backup verification. Not just taking backups. Regularly testing that they can actually be restored. There is a meaningful difference.
Data retention and GDPR alignment. If you process personal data (and almost every platform does), you need documented protocols for how that data is handled, retained, and deleted.
None of this is exotic. But doing it properly, for every client, consistently, requires a system.
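The backup point above is the one most easily reduced to a single automated check, so here is an added example of what "testing that they can actually be restored" looks like in code. This is illustrative code written for this page, not the agency's tooling: it records a SHA-256 manifest when the backup is taken, restores the archive into a scratch directory, and compares every restored file against that manifest, treating a truncated archive or a missing file as a failed restore. The sample data (a small SQL dump and a config file) is constructed inline so the script runs offline.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tarball of src and return the manifest taken at backup time.

    The manifest is the evidence the later restore test is measured against,
    so it should be stored separately from the archive itself.
    """
    manifest = make_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str]) -> tuple[bool, list[str]]:
    """Restore the archive into a scratch directory and diff it against the manifest.

    Returns (ok, problems). Any exception during extraction counts as a failed
    restore, which is exactly the case a "we take backups" claim does not cover.
    """
    problems: list[str] = []
    # The 'data' extraction filter exists on Python builds that expose
    # tarfile.data_filter; older interpreters fall back to the default.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(dest, **extract_opts)
        except (tarfile.TarError, EOFError, OSError) as exc:
            return False, [f"restore failed: {exc}"]
        restored = make_manifest(dest)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch after restore: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected file after restore: {rel}")
    return not problems, problems


def demo() -> dict[str, bool]:
    """Constructed scenario: back up two files, verify, then truncate the archive."""
    with tempfile.TemporaryDirectory() as work:
        workdir = Path(work)
        src = workdir / "data"
        (src / "db").mkdir(parents=True)
        # Constructed sample content standing in for a real database dump and config.
        (src / "db" / "dump.sql").write_bytes(
            b"INSERT INTO users VALUES (1, 'alice');\n" * 200
        )
        (src / "config.yaml").write_text("retention_days: 30\n")

        archive = workdir / "nightly.tar.gz"
        manifest = create_backup(src, archive)
        intact_ok, _ = verify_restore(archive, manifest)

        # Simulate a backup job that died half way (disk full, killed process).
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        truncated_ok, problems = verify_restore(archive, manifest)

        return {
            "intact_backup_ok": intact_ok,
            "truncated_backup_ok": truncated_ok,
            "problems_reported": bool(problems),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the restore test compares against a manifest captured at backup time, not against the live system, so it still gives a meaningful answer weeks later when the live data has moved on; the result of each run (pass or fail, with the list of problems) is what goes into the documented evidence the list above asks for.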
How we structured our service model around it
When we looked at what ISO 27001 actually requires in a managed hosting context, we realised we were already doing most of it informally. Our team was monitoring platforms, logging incidents, managing access. The work was happening. It just was not structured, documented, or charged for correctly.
So we rebuilt the service model from the ground up with compliance as the organising principle. Instead of selling an SLA as a standalone product, we now offer four levels of managed service, and the level a client needs is determined by their compliance obligations and internal capacity.
Minimal is for prototypes and internal tools with no real user data. Reactive hosting management, basic uptime monitoring. We respond when called.
Platform Guard is for clients processing personal data who already have their own DPO or internal legal team. Proactive platform monitoring, GDPR-aligned access controls, dependency management, incident logging, and documented change management. The platform is maintained in a way that satisfies a corporate procurement or legal team, without us acting as the client's compliance function.
Compliance Partner is for companies processing meaningful volumes of personal data without an internal compliance team. We act on the client's behalf across GDPR obligations: DPIAs, Record of Processing Activities, data subject requests, privacy reviews of new features, and acting as DPA contact point where applicable. This comprehensive safeguarding approach is exactly how we protect user trust in specialized applications like ChatLicense, where handling sensitive data for family environments demands rigorous compliance.
Secure is for platforms with ISO 27001, NEN 7510, or comparable requirements. Everything in Platform Guard, plus a monthly Platform Health Report covering uptime trends, error analysis, security findings, and recommendations. Plus the full audit-ready documentation trail: incident log, change management log, access control register, GDPR data retention protocol, and quarterly business reviews. Complex data infrastructures within regulated fields such as large-scale real estate ecosystems like Elfi depend entirely on this level of ironclad infrastructure security.
The level a client is on is not a commercial decision. It is a compliance decision. If you operate in a regulated industry (healthcare, finance, government), you need Secure. If you are processing personal data but have your own legal team, Platform Guard is the right default. If you are a growth-stage company handling significant user data without a dedicated compliance function, Compliance Partner is for you. If you are a prototype with no real user data yet, Minimal is honest.
What this means in practice
For a CTO evaluating whether to work with us, this model gives you something most agencies cannot offer: a direct line between the compliance requirements your organisation has and the service commitment we make.
When establishing your long-term roadmap, aligning these requirements early through a comprehensive digital strategy and consultancy phase ensures your technical execution never runs afoul of strict regulatory frameworks.
When your security officer asks what monitoring is in place, we have a documented answer. When your legal team asks how incidents are handled, we have a log. When your auditor asks for evidence of access controls, we have the register.
We have built an agent-based system that pulls from our monitoring stack, error tracking, and code quality tools to generate the monthly Platform Health Report automatically for each client: structured, consistent, and delivered without manual overhead. This means the compliance documentation is not a burden. It is a byproduct of how we operate.
Why most agencies do not do this
The honest answer is that it is easier not to. Maintaining an incident log, reviewing access controls, generating monthly reports: these things take time and discipline. It is simpler to offer a phone number and call it an SLA.
The other reason is that most agencies are not sure their clients will pay for it. In our experience, the right clients, the ones building products that matter with real users and real data, are not just willing to pay for it. They are relieved someone finally offers it clearly.
If you are evaluating software partners and the conversation about post-launch support does not include any of the above, it is worth asking why. If you want to build a secure, fully auditable platform from day one, get in touch with us today.

FAQs
You're targeting ISO 27001 certification for Q4 2026. What does that mean for clients who need certified compliance today?
How do we know which tier is right for us?
We already have our own DPO and legal team. Do we still need managed services?
What happens to our compliance documentation if we stop working with you?
We are still in development. When should we start thinking about managed services?
Can we move between tiers as our situation changes?