AdapttoAI
Confidential

Compliance Operations Platform

Proposal · June 2026

Overview

What we're building.

A compliance automation platform that connects your 6 systems, eliminates manual data entry, and gives your team a single place to see the full picture on any counterparty.

Today, the same data is entered by hand across Sumsub, Elliptic, Asana, Fireblocks, Google Drive, and Google Sheets. Every status change, KYC update, and KYT alert requires a manual update in multiple places. There is no central view.

The Solution

Three layers. One platform.

Layer 1: Automation Layer (Track A: 6 workflows · Track B: 8)

Workflows that connect your systems. When something changes in one place, the others update automatically. Track A covers 6 automation workflows. Track B adds Fireblocks activation and full Slack bi-directional integration for a total of 8.

Layer 2: Unified Dashboard (both tracks)

Search any counterparty. See current status across all systems in a cards view. Track B adds a full chronological timeline: every action, alert, review, and decision logged in one place. The dashboard reads from your existing systems — it does not become a new database.

Layer 3: Slack Integration (Track B only)

Outbound: onboarding completions, status changes, and alerts posted to your topic channels. Inbound: discussions in Slack that require follow-up automatically create Asana tasks or trigger investigations. No context switching required.

Scope

Two tracks. Same outcome, different scope.

Track A is the core platform: 6 workflows, status cards dashboard, no Slack. Track B is the full build: all 8 workflows, timeline dashboard, full Slack, and data export.

Track A
Core
  • 6 core automation workflows
  • Status cards dashboard
  • Two access tiers (operator / compliance lead)
  • Audit log (5-year archival)
  • Design phase (shared)
Not included in Track A (Track B only):
  • Timeline view
  • Slack integration
  • Fireblocks workflow
  • Full multi-role RBAC
  • CSV / JSON export

Track B
Full
  • All 8 automation workflows
  • Status cards + timeline dashboard
  • Full multi-role RBAC (3-line-of-defence)
  • Audit log (5-year archival)
  • Design phase (shared)
  • Slack outbound notifications
  • Slack inbound → Asana task creation
  • Fireblocks approval → activation workflow
  • CSV / JSON export

Not included in either track: mobile app, integrations outside the 6 listed systems, Slack messages surfaced inside the dashboard (pending your internal privacy review — available as a future add-on).

Design Phase — Shared

We design before we build.

The design phase is the same for both tracks: 3 focused sessions over the next 14–21 days. The output is a signed-off technical specification and a privacy spec that covers data flows, retention, and GDPR Art. 28 scope. Build starts only after sign-off.

  1. Current state mapping. Walk through each of the 8 workflows as they exist today. We document every system, every manual step, every handoff. This is the source of truth for the build specification.
  2. Future state + privacy. Define the target workflows. Jointly map what data flows through AdapttoAI infrastructure during processing, what is persisted and where, and what GDPR Art. 28 obligations apply. Output: a draft privacy spec your team can validate internally.
  3. Spec sign-off. Walk through the full technical spec and privacy spec. Align on track choice. Sign off. Build begins.

Approx. 10–14 hours from your team.

Investment

Pricing.

Track A — Core
6 workflows + status dashboard
  • Design phase: €4,000
  • Build (incl. go-live): €6,000 / mo × ~4 mo
  • Est. build total: ~€28,000 (confirmed after design)
  • Ongoing from month 6: €1,200 / mo

Track B — Full
All 8 workflows + full dashboard + Slack
  • Design phase: €5,000
  • Build (incl. go-live): €6,000 / mo × ~6 mo
  • Est. build total: ~€41,000 (confirmed after design)
  • Ongoing from month 8: €1,600 / mo

Build months run after the design phase. Total time to go-live: approximately 5 months (Track A) or 7 months (Track B) from signing. After the design phase, we provide a firm, fixed-price quote for the build — giving your board a confirmed number before committing.

Privacy & Data

How we handle your data.

We've reviewed your AML Policy and Privacy Policy before writing this proposal. The design phase will define exactly what data persists in our infrastructure and for how long. Our intent is that workflow execution is transient — client records are not replicated in our systems — but the design-phase privacy spec is where that gets confirmed, not this proposal. Here is what we can commit to now, and what the design phase will resolve.

Our infrastructure role

The platform connects your existing systems. Personal data flows through our infrastructure during workflow execution (routing, transformation, triggering). Our goal is a minimal data footprint: we do not replicate your client database, and nothing is persisted beyond what is operationally necessary for the workflow to function.

What the design phase resolves

Session 2 produces a privacy spec: exactly what data fields pass through our infrastructure, for how long, and under what conditions. Until that mapping is done, we will not make commitments we cannot verify.

Sub-processor status

Where personal data passes through our infrastructure during processing, AdapttoAI acts as a data processor (Art. 28 GDPR). We sign a Data Processing Agreement as part of the contract. The DPA scope is defined by the design-phase privacy spec.

Your team's input

The privacy spec requires your DPO or legal team to review and validate the data flow mapping before we sign off on scope. We structure Session 2 so that review can happen internally between sessions, without blocking the timeline.

Security architecture

The following commitments apply from the moment the design-phase agreement is signed, for the duration of the design phase:

  • Hosting region: all AdapttoAI infrastructure used in this engagement is hosted in the EU (DigitalOcean, Frankfurt/Amsterdam region). No personal data leaves the EU; no US-based processing or storage.
  • Encryption: all data in transit is encrypted (TLS 1.2+); any data at rest on our infrastructure is encrypted (AES-256).
  • Data minimisation during design: the design phase works from documentation, screen-shares, and redacted or sample data wherever possible. We do not request or ingest live production client records to complete the design work. Any sample data shared is deleted within 30 days of the relevant session.
  • Access control: access to material you share is limited to the named AdapttoAI personnel on this engagement. No subcontractors, no third-party access.
  • Confidentiality & breach notification: all shared material is covered by the NDA. In the event of any suspected breach affecting your data, we notify your DPO without undue delay and within 24 hours of becoming aware.
  • Deletion on design-phase end: if the engagement does not proceed to a build contract, all material shared during the design phase is permanently deleted within 30 days of the design phase closing, with written confirmation.

The fuller production security architecture — infrastructure isolation, incident-response SLAs, penetration testing, and certifications — is confirmed in the build-phase technical spec and committed in the build contract, scoped to the workflows and data surfaces defined during design.

Service levels & exit

Uptime commitments, alerting on failed syncs, handover terms, and data deletion on contract end are defined in the build contract alongside the DPA. They are scoped to the specific workflows and data surfaces confirmed in the design phase.

Next Steps

How to move forward.

Give us your feedback on this proposal. If you decide to proceed:

  1. Sign NDA and design-phase services agreement. This covers data access during the design sessions only — limited scope, limited term.
  2. Design phase runs (3 sessions, 14–21 days). Output: technical specification and privacy spec mapping exactly what data flows through our infrastructure.
  3. Sign build contract including firm fixed-price quote and GDPR Art. 28 DPA — scoped by the design-phase privacy spec. Service levels, exit terms, and data deletion obligations are defined here. Build begins.

Appendix A

The problem.

The operational context behind this engagement.

  • 6: systems with no central case manager
  • 5+ hrs: daily manual update time per operator
  • ~40: concurrent onboarding processes at any time

The team spends 5+ hours per day on manual updates across 6 systems. The same client data is entered by hand across Sumsub, Google Sheets, Elliptic, Asana, Fireblocks, and Google Drive — with no single source of truth. Every status change requires updating multiple systems. Errors compound. Reviews are delayed.

The team has already mapped what the automation should look like. The problem is not a lack of process clarity — it is the absence of an implementation layer to connect the systems that already hold the data.

Appendix B

Features explained.

What each component does and which track it belongs to.

Workflow 1: KYC completion → Asana + Sheets (both tracks)
When Sumsub marks a counterparty as KYC complete, the platform automatically creates or updates the corresponding Asana task and logs the status change in Google Sheets. No manual update needed.

Workflow 2: KYT alert → Asana investigation (both tracks)
When Elliptic flags a transaction, an Asana investigation task is created automatically with the alert details pre-populated. The team is notified; nothing falls through the cracks.

Workflow 3: Document upload → Drive filing (both tracks)
Documents uploaded in Sumsub during onboarding are automatically filed to the correct Google Drive folder structure. Folder creation, naming, and access are handled by the workflow.

Workflow 4: Cross-system status sync (both tracks)
Status changes across Sumsub, Elliptic, and Asana are kept in sync. When a case moves to a new stage in one system, the corresponding records in the others update automatically. Google Sheets remains the consolidated log.

Workflow 5: Client follow-up reminders (both tracks)
Daily automated check across all active cases: has the counterparty responded or submitted pending documents? If not, a follow-up is triggered automatically — no manual case-by-case review required. Reduces the daily monitoring load across ~40 concurrent onboardings.

Workflow 6: Periodic review auto-creation (both tracks)
Risk ratings in Google Sheets carry a scheduled review date (1–3 year cycle). When a review date is due, the workflow automatically creates the corresponding Asana project. Eliminates the daily manual check for upcoming reviews.

Workflow 7: Asana approval → Fireblocks activation (Track B only)
When a compliance review is marked approved in Asana, the workflow triggers the corresponding Fireblocks onboarding or activation step. Removes a high-risk manual handoff in the final step of onboarding.

Workflow 8: Slack bi-directional (Track B only)
Outbound: onboarding completions, KYT alerts, and status changes are posted to your Slack topic channels. Inbound: discussions in Slack tagged for follow-up automatically create Asana tasks or trigger investigation workflows — without leaving Slack.

Status cards dashboard (both tracks)
Search any counterparty by name or ID. See their current status across all connected systems displayed as a set of cards: Sumsub KYC status, Elliptic screening status, open Asana tasks, Fireblocks state, latest document date. One screen. No tab switching.

Timeline dashboard (Track B only)
The full chronological history of every action, alert, review, and decision for a counterparty, aggregated across all systems in one feed. Available in Track B. Designed for audit reviews and escalation support.

Google SSO (both tracks)
Authentication via your existing Google Workspace account. No new credentials to manage. Access is scoped to the Compliance team. Track A includes two access tiers: operator and compliance lead. Full multi-role RBAC (three-line-of-defence model) is included in Track B.

Audit log (both tracks)
Every action taken inside the platform — searches, exports, workflow triggers — is logged with timestamp and user identity. The log is read-only and append-only. Exportable on request.

CSV / JSON export (Track B only)
Export counterparty status snapshots or audit log ranges in CSV or JSON format. Designed for periodic compliance reporting and external audit requests.