Case Studies

Selected cybersecurity and privacy compliance projects demonstrating expertise across fintech, SaaS, and regulated industries.

Pro-Bono Consultations

Merging Finances, LLC

Cybersecurity and privacy compliance engagement for SaaS fintech platform. Scope included third-party security questionnaire advisement, infrastructure security assessment, and regulatory compliance guidance for GDPR and US state privacy laws.

Case Study · FinTech
Type: Pro-Bono Advisory
Duration: Multi-Month
Sector: FinTech / Payments
Regulatory Scope: GLBA · BSA · CCPA · GDPR
Background

An early-stage FinTech startup approached GRC-Path seeking informal guidance on their security posture during the product development phase. No formal engagement existed at the outset. Over several months, GRC-Path provided strategic advisory support at no cost — reviewing the company's technical architecture, compliance posture, and operational risks. The startup operated in a dual-jurisdiction environment with customers subject to both US and EU data protection law, adding regulatory complexity from day one.

The Challenge

The startup had moved quickly into production without a dedicated security or compliance function. Key risks included: no formal security review prior to launch; foundational vulnerabilities in a core business algorithm; gaps in financial data integration security across encryption, MFA, and consent flows; no documented data retention policy; a missing Terms of Service and Data Consent Framework; and a high-severity production exposure that had gone undetected.

What GRC-Path Delivered
Security Posture Discovery — Full security review of the production environment documented in a structured discovery report covering infrastructure risks, integration vulnerabilities, and operational gaps.
Critical Production Exposure (High Severity) — Identified a live exposure where admin edit access was reachable via a public URL with no authentication gate. Disclosed responsibly with immediate remediation guidance.
Algorithm & Foundational Vulnerability Identification — A broken core algorithm was identified before any formal agreement existed, preventing downstream financial and reputational damage at scale.
Financial Integration Security Review — Findings across encryption configuration, TLS implementation, MFA gaps, and missing user consent flows required under applicable law.
Compliance Framework — Data Retention — Researched and documented retention requirements across GLBA, BSA, CCPA, and GDPR applicable to the client's operating model.
Terms of Service & Data Consent Framework — Authored a ToS and consent framework addressing CCPA and GDPR, covering lawful basis, consent mechanics, user rights, retention commitments, and cross-border transfer language.
14-Section Technical Reference Document — Comprehensive internal reference covering infrastructure, integrations, product tiers, AI layer, regulatory mapping, and competitive landscape.
Outcomes

Production Finding: 1 High-Severity Exposure Identified
Frameworks Mapped: GLBA · BSA · CCPA · GDPR
Deliverables: 6 Documents
IP Retained: All Frameworks & Templates