Notes

What we've been writing.

Short reads on the rules our clients are bumping into. Written for the engineer, the GC, and the founder — in roughly that order.

9 NOTES
GDPR · 02 May 2026 · 4 min

The DPA clause that quietly broke 11 of your vendor contracts.

Audit cadence (clause 7.3) is doing more work than most teams realise. A short walkthrough of why we redline it on every paper that crosses our desk.

Tomás Aldea
Incident · 18 Apr 2026 · 9 min

The first 72 hours: a playbook for the call you hope to never make.

What we tell clients to do in hour one, hour eight, and hour seventy-one — and why the calmest people in the room usually end up writing the disclosure.

Léa Marchand
AI Act · 09 Apr 2026 · 5 min

Conformity for the rest of us: when "internal control" is enough.

Three quarters of Annex III systems use the provider's internal control route. Here's the actual paper trail you need — and what you can stop worrying about.

Tomás Aldea
Tools · 27 Mar 2026 · 3 min

A two-page ROPA we actually use with clients.

The over-engineered ROPA dies on contact with a real product team. Our short version captures what regulators need without the busywork. Template inside.

Marta Sønstebø
GDPR · 14 Mar 2026 · 7 min

Schrems III is closer than your transfer-impact assessment.

The 2025 EU-US framework is on borrowed time. We map what changes if it falls, what doesn't, and which of your contracts have the bigger problem.

Léa Marchand
AI Act · 02 Mar 2026 · 6 min

Model cards as living documents — five fields that age well.

Most model cards become stale within a sprint. The fields that keep up are the ones tied to behaviour, not architecture. A field-by-field defence of the short card.

Rohan Iyer
Tools · 20 Feb 2026 · 4 min

Our DSAR triage script — 80 lines, 80 percent of the work.

A Python script we use to triage data-subject access requests across CRMs. Open source, opinionated, and saves about half a paralegal day per request.

Rohan Iyer
Incident · 06 Feb 2026 · 8 min

"Notifiable, probably." How we draft the Article 33 notification.

Three rules for the regulator notification: name the personal data, name the likely impact, name what you've done. A redlined sample, with the language we delete.

Léa Marchand
GDPR · 22 Jan 2026 · 5 min

Article 28(3) and the joke of the "appropriate" subprocessor clause.

Half of the vendor papers we see paste in Article 28 verbatim. Here's what regulators read between those lines — and the four words to actually add.

Tomás Aldea