Compliance engagements shouldn't be open-ended consulting projects. These six packages have fixed scope, defined timelines, specific deliverables, and one price quoted after a scoping call — no hourly billing, no change orders for work within scope, no surprise invoices. Every package includes Lavawall® evidence automation. Every engagement is run by ThreeShield's CISSP/CISA team.
Each package is scoped for a specific compliance outcome. ✅ Direct Delivery means ThreeShield's CISSP/CISA team signs the attestation — no external partner required. 🤝 Partner-Attested means ThreeShield delivers all the work and an independent licensed partner issues the final opinion — one contract, one price.
HIPAA Compliance
Security Risk Assessment, Privacy Rule policies, BAA templates, Lavawall® monitoring. For Canadian Business Associates and US small covered entities.
SOC 2 Type II Readiness
90 days to Type I observation period start. Evidence automation via Lavawall®, control design, policy library, CPA firm coordination. For health tech and SaaS entering US enterprise.
PCI DSS — Level 2, 3 & 4 Merchants
All SAQ types (A, A-EP, B, B-IP, C, C-VT, D). Merchant level determination, scope reduction, remediation, Attestation of Compliance. Under 6M transactions annually.
Alberta HIA Compliance
HIA safeguard assessment, Privacy Impact Assessment, OIPC submission support, affiliate agreement review. Calgary-based with AHS audit experience.
Canadian Privacy Compliance
PIPEDA/CPPA, Alberta PIPA, BC PIPA, and Quebec Law 25 in one integrated engagement. Privacy officer support, breach notification, consent framework, Law 25 automated decision-making.
Cyber Insurance Readiness
Pass your questionnaire. Reduce your premium 10–20%. MFA, EDR, backups, email security, IR plan, Lavawall® monitoring, ThreeShield attestation letter.
Every package includes Lavawall® for the engagement period. Lavawall® is what makes fixed-timeline compliance economically viable — without it, evidence gathering is a months-long manual exercise. With it, evidence is automated from day one.
Patch compliance, MFA enforcement, access controls, backup status, email authentication — all monitored and documented continuously. No scramble at audit time.
Evidence collected once is mapped to multiple frameworks simultaneously. HIPAA + SOC 2 together is more efficient than either alone. PCI + cyber insurance readiness shares controls.
After your initial engagement, annual renewals — SOC 2 Type II, PCI SAQ refresh, HIPAA annual reassessment — are delta reviews against Lavawall® ongoing monitoring, not starting from scratch.
Lavawall® identifies shadow IT, personal email on work devices, exposed domains, and missing controls before the auditor, underwriter, or enterprise buyer does.
Most engagements start with a conversation about what you're trying to achieve and who's asking. ThreeShield will tell you which frameworks apply, which package fits, and what the realistic timeline and scope look like. No sales pitch — just an honest assessment. If ThreeShield isn't the right fit for your situation, we'll tell you that too.
No hourly billing. No open-ended consulting. No surprise invoices. Book a scoping call and we'll have a quote within two business days.
B-Corp standards. 10% of service fees donated to charity clients. No minimums.