CNIL €1.7M, AEPD €950K, CPPA $1.35M — three enforcement actions scored article by article. Art. 5, 9, 30, 32. CCPA, NIS2, SOC2, DORA.
Each case followed the same pattern: documentation existed, but the data told a different story.
Systems handling health records with shared credentials, weak passwords, and no encryption. Article 32 violations confirmed during investigation.
Facial biometric data — Art. 9 special category. Pre-checked consent boxes. Biometric data retained indefinitely with no deletion schedule.
No opt-out mechanism in data flows. 0 of 7 vendors with compliant data processing addendums. No consent records for third-party sharing.
8 pages. No filler. Scored cases, methodology, and a pricing comparison.
Every GDPR fine starts with a gap between what was declared and what regulators found. This paper traces the structural reason that gap exists.
CNIL €1.7M, AEPD €950K, CPPA $1.35M — each scored article by article. What APOLLO would have surfaced before the investigation started.
Not a maturity score. An article-level grade based on actual data: Art. 9 detection, Art. 32 encryption, Art. 30 register completeness — each graded A–F.
GDPR by article, CCPA gap analysis, NIS2 posture, SOC2 readiness, DORA digital resilience. One scan, one dashboard — not five questionnaires.
Each corrective action shows what it fixes, which article it addresses, and the exact penalty reduction if implemented. The DPO sees what each fix is worth.
GRC at $200K/year, privacy tools at €50K, enterprise DSPM at $500K. What they cover, what they miss. Starter: €2,999/year.
A French healthcare software company had policies in place and its processing register documented. When the CNIL investigated, it found shared accounts and 0% encryption on systems handling health records.
APOLLO's scan returned a 74% gap between declared and detected processing activities. Art. 9: 0/100. Art. 32: 0/100. Estimated exposure: €2.1M — before the investigation opened.
“The company had declared its data processing activities. But it had never scanned its own systems to verify whether the technical measures matched the declarations.”
— CNIL investigation findings, 2025
Four modules. Four papers. One scan that covers them all.
PII mapping, financial exposure in € and $, toxic combinations, risk zones.
93% of ransomware attacks target backups first. Backup resilience, encryption, access control.
85% of AI projects fail because of data quality, not model quality. AI Readiness + EU AI Act Art. 10.
See your actual exposure — not a sample score. 5 sources, 60 scans, no commitment.