
Privacy, GRC, and AI governance programs that actually work.

Privacy engineering, WISP and 201 CMR 17.00 compliance, HIPAA programs, AI governance frameworks, and GRC program maturity. Built for operators, auditors, and the product teams that have to live inside the policy.

What we do

Six service lines. Operator-led.

Privacy engineering

Data mapping, minimization, retention, and technical privacy controls. DLP architecture, encryption standards, and access governance engineered into the stack — not bolted on.

WISP & 201 CMR 17.00

Written information security programs drafted to the Massachusetts standard. Annual review, incident response plans, and third-party oversight language that matches your operational reality.

HIPAA programs

End-to-end HIPAA Security Rule and Privacy Rule programs for covered entities and business associates. Policy, technical safeguards, workforce training, and BAA management.

GRC program maturity

Framework alignment, control-testing cadence, evidence automation, and audit readiness. We run GRC programs for the way your business actually works.

AI governance framework

Acceptable-use policy, model risk management, and NIST AI RMF alignment. Guardrails that product teams can actually ship against — not documents nobody reads.

Vendor risk management

Vendor due-diligence frameworks, SIG questionnaire response strategy, and ongoing third-party risk monitoring. For the supply chain you actually depend on.

Framework alignment

Built to the standards auditors cite.

HIPAA · Security & Privacy Rules
201 CMR 17.00 · Massachusetts WISP standard
NIST CSF 2.0 · Cybersecurity Framework
NIST AI RMF · AI Risk Management
CMMC · Cybersecurity Maturity Model
SOC 2 · Trust Services Criteria
Practice lead

Virginia Bartlett

Practice Lead · Digital Governance

Virginia leads Colossus's privacy, GRC, and AI governance practice. She's built WISPs for Massachusetts-regulated entities, stood up HIPAA-compliant data-handling programs in healthcare, and drafted AI acceptable-use frameworks for enterprises moving past pilots. Before Colossus, Virginia held privacy and compliance leadership roles at technology services firms.

Selected engagement

Representative healthcare data engagement.

Case · Healthcare

Healthcare analytics platform · HIPAA-compliant data pipeline

Scope

Design and build a secure, compliant data pipeline to support a HIPAA-regulated application. AWS-native architecture with a PostgreSQL datamart.

Approach

Automated pipeline using AWS Glue and Python, integrated with PostgreSQL in AWS, with controls aligned to SOC 2 compliance requirements from the start.

Outcome

HIPAA-compliant data platform delivered. Streamlined analytics workflows and reduced compliance risk through pipeline automation.

Tags: HIPAA · SOC 2 · AWS · Data pipeline

Audit coming, WISP overdue, AI pilot in flight? We can help.

Every engagement begins with a short scoping call. If we're not the right fit, we'll tell you.
