FinTech SaaS · Tri-geo
FinTech SaaS: ISO 27001 in 9 months, zero velocity regression.
The certification threatened to freeze the roadmap. DevSecOps, IaC policies, Vault, incident runbook. DORA stays elite.
KPI: 9 months to ISO 27001 (vs 18 est.)
Duration: 11 months
Team: 6 engineers
Hub(s): Tri-geo
ISO 27001 in 9 months without freezing the roadmap: feasible, but you prepare it like a release train, not like an audit.
The context
European B2B SaaS FinTech, 95 employees, with presence in Paris, Montreal and Singapore. Strong growth (14M EUR ARR, +85% YoY) and imminent entry into the enterprise segment, where ISO 27001 was a contractual requirement. Initial internal estimate: 18 months and a feature freeze.
The problem
- ISO 27001 mandatory for 6 strategic deals in pipeline
- Heavy product roadmap, DORA elite velocity to maintain
- CTO and CISO agreed on target, disagreed on method
- No formalized IaC policy, cleartext secrets in CI
- Previous audit (2024): 23 findings, 5 critical
The approach
End-to-end DevSecOps: security becomes a platform feature, not an audit checklist. Industrialization of controls, automation of evidence collection, and a mock audit three months before the final audit to clear the minefield.
The workstreams
- SAST/DAST integrated into pipelines (Snyk Code, OWASP ZAP)
- Terraform IaC with Sentinel policies: no non-compliant resource deploys
- Vault for secret rotation and injection, KMS for encryption
- Documented incident runbooks, quarterly table-top exercises
- Internal mock audit at month 7, official audit at month 9
The stack
- Terraform Cloud with Sentinel policies
- HashiCorp Vault, AWS KMS
- Snyk Code, Snyk IaC, OWASP ZAP
- GitHub Actions with OIDC, mandatory signed commits
- AWS Control Tower for multi-account governance
The results
- ISO 27001 certification obtained in 9 months (vs 18 estimated)
- 0 critical findings at final audit, 3 minor
- DORA velocity: maintained elite (deploys/day, MTTR < 1h)
- SAST coverage: 92% of code base in blocking CI
- Secret rotation: 100% automated
« Abbeal turned a regulatory constraint into a commercial advantage. We signed three enterprise accounts in the eight weeks following certification. »
What we learned
Sentinel is expensive but pays for itself within 6 months by avoiding post-deploy remediation. The internal mock audit avoided 8 potential findings: worth repeating systematically. What we'd do differently: embed legal from month 1, not month 5. Contractual rewording cost us three weeks we hadn't planned.