SaaS
The security review was fine. Then the buyer's privacy team asked where EU personal data actually goes, on what transfer mechanism, and with which sub-processors - and the answers did not exist.
ISO 27001 secures the data; it does not decide whether an international transfer is lawful. GDPR requires a valid transfer mechanism, a documented transfer impact assessment for onward flows, and a maintained sub-processor register with the right contract terms. The SaaS moved EU data to the US and to sub-processors without any of that on paper.
Finding 01
EU personal data reached US systems with no Standard Contractual Clauses or documented basis a buyer could accept.
Finding 02
Onward flows to sub-processors had never been assessed for the risk the transfer actually carries.
Finding 03
There was no maintained list of who processes personal data, where, and under what terms - the first artefact a DPA review asks for.
Finding 04
Nobody could show, end to end, where EU personal data travels once it enters the product.
Finding 05
The certified controls existed, but privacy obligations were never mapped onto them via ISO 27701.
The SaaS answered the buyer's privacy due diligence with a data-flow map, a transfer mechanism and a sub-processor register - so the deal moved on the privacy question it had stalled on. Kellwick provides advisory and management-system support, not legal advice; a data protection lawyer confirmed the transfer positions.
Enterprise EU deals increasingly stall on privacy, not security. A certificate proves you protect data; the buyer's privacy team wants to see where it goes, on what basis, and who else touches it - and that is a GDPR and ISO 27701 question.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.