The Compliance Operating System for UK SMEs

    Compliance you can trust, without the busywork.

    GuardianStack turns obligations into guided work, source-cited evidence and a path to ongoing checks. Start with a free public website check for the privacy, cookie, security and business-identity signals people can see before they trust you.

    Read-only public scanAbout 30 secondsDetected / inferred / needs confirmation
    Sample

    Website trust check

    Ref · GS-public · yourshop.co.uk

    78/ 100 trust signals
    Privacy notice present
    HTTPS across the public site
    Cookie consent needs review
    Processor wording needs confirmation

    What the public check reviews

    • Privacy notice
    • Cookie signals
    • Secure checkout
    • Contact route
    • Business identity
    • Processor detail

    Illustrative preview — run the free check for your actual public website signals.

    Shopify is our first beta proving ground. Selected UK merchants can connect their store to review the operating layer: DPAs, cookies, retention, marketing consent records and privacy notice accountability.
    One operating system

    One Compliance Operating System. Three layers of evidence.

    The free scan shows the outside view. The operating layer helps turn obligations into guided work and evidence. The continuous layer is designed to help keep that position current as the business changes.

    1. Layer 1Free

      Outside view

      Privacy notice, ICO registration, SSL/TLS, cookies, DNS/email auth, Companies House, processor coverage — what customers, clients, and regulators can see from outside.

      Who:
      Anyone with a UK website
      When:
      Free, instant, every scan
    2. Layer 2Beta

      Operating layer

      DPA coverage, marketing consent records, data retention, lawful-basis gating, privacy-notice completeness — what you actually do internally that public scanning cannot see. Four AI agents handle these.

      Who:
      Connected stores (Shopify today, more platforms next)
      When:
      After connection
    3. Layer 3Cookies live, others rolling out

      Continuous

      Cookie re-checks are live today. Wider re-checks for apps, processors, retention rules, and policies are rolling out so gaps do not reappear quietly between manual reviews.

      Who:
      Connected stores
      When:
      Cookies live; wider checks rolling out
    Layer 2 · 4 AI agents · platform-agnostic

    Four agents. Five operating-layer checks.

    Estimated £3,400–£9,300 of equivalent manual compliance work, free for selected beta users.

    Four agents cover five operating-layer checks — the Cookie agent handles two (marketing consent records and lawful-basis gating, PECR Reg. 6 + GDPR Art. 6); the others map one-to-one to DPAs, retention, and privacy notices. Cookie re-checks are live; continuous monitoring for the remaining checks is rolling out. UK SMEs often stitch this work together manually across tools, templates, and consultants; GuardianStack brings the workflow into one evidence-led workspace.Click any agent to see exactly how they work.

    Most Used

    DPA Agent

    Drafts real DOCX agreements for Klaviyo, Hotjar, and other apps — ready for your review.

    ✓ Article 28-aligned draft · ✓ Ready for review
    Vendor Agreements

    Cookie Agent

    Scans and classifies cookies and highlights pre-consent risks.

    ✓ PECR compliant · ✓ Audit evidence
    Consent Audit

    Retention Agent

    Identifies records past ICO retention periods. Flags what to review and export.

    ✓ Article 5(1)(e) · ✓ Data minimisation
    Data Cleanup

    Review Agent

    Privacy Policy reviews with audit trails. Proves due diligence.

    ✓ Article 5(2) · ✓ Accountability
    Audit Trail

    Cookie apps focus on 1 slice. Manual upkeep often means extra tools, spreadsheets, and review cycles. GuardianStack covers 5 checks with AI agents — Pro starts at £49/month.

    Glass Box Transparency

    See Exactly How We Calculate Your Risk

    No black boxes. We show you the exact ICO methodology we use, the weights we apply, and how each gap affects your score. You'll understand exactly where you stand.

    • Risk scores grounded in real ICO enforcement decisions — not estimates
    • Full citation chain: which regulation, which article, which precedent
    • ICO-weighted scoring methodology — see exactly how each gap affects your score
    • Penalty exposure calculated from your actual business profile and sector
    What you'll see after connecting
    Demo Preview
    Data Processing Agreements
    Art. 28
    Action needed
    Privacy Notices
    Art. 13/14
    Compliant
    Cookie Consent
    PECR
    Review needed
    Data Retention
    Art. 5(1)(e)
    Action needed

    Your actual results will be based on your store's apps, policies, and customer data.

    Architecture film · current + roadmap · 55 seconds

    How we’re building the Compliance Operating System

    The model decides what a question needs. Verified facts stay outside its control. A measurement harness tests every change, while bounded improvement loops strengthen coverage without rewriting the facts.

    This is the architecture GuardianStack is building towards. The trust spine and development loop are running today; the wider in-product compounding loop remains part of the roadmap.

    Read the film transcript

    Most AI tools let the model make up the answer. So you can't really trust it.

    GuardianStack flips that. The model only picks the path. The wording may be generated. The facts never are.

    A fenced router reads the question, then builds the answer from certified facts. Because those facts stay locked, every answer can be checked.

    And we prove every change. Answers are tested against a growing labelled benchmark, with safety gates that block regressions.

    When testing finds a weakness, the improvement loop makes one bounded fix, then proves it again, while the facts stay locked.

    GuardianStack. Compliance answers you can finally trust.

    Production note: narration uses an AI-generated British voice.

    Beta output

    What we verify in your operating layer

    After the public scan, GuardianStack’s agents confirm what is actually happening inside — the five operating-layer checks below. You review every output before anything is used or applied.

    DPA coverage

    Beta

    Article 28-aligned DPA drafts for third-party apps detected in your store.

    GDPR Art. 28

    Retention review

    Beta

    Highlights old customer records and asks you to confirm the lawful basis before cleanup decisions.

    Storage Limitation

    Cookie consent

    Live audit

    Checks whether tracking appears before consent and preserves evidence for review.

    PECR / ePrivacy

    Marketing consent records

    Beta

    Checks whether marketing consent records are timestamped, traceable, and ready to evidence.

    PECR Reg. 6 + GDPR Art. 6

    Privacy notice accountability

    Beta

    Reviews privacy notice gaps and keeps an audit trail of what was checked and approved.

    Accountability
    Included during your 30-day beta: DPA Agent, Cookie Agent, Retention Agent, and Review Agent — working together for your compliance.

    You review first

    Every document requires your approval

    ICO-referenced

    Cites relevant GDPR articles

    Regenerate anytime

    Update when your apps change

    How we compare

    Most UK SMEs stitch three or four point solutions — a cookie tool, a DPA generator, a privacy policy maker, maybe a retention tracker — each solving one obligation with no shared evidence trail. Enterprise GRC platforms cover the same ground but at enterprise price and complexity. GuardianStack brings the five operating-layer checks into one workspace, with Glass Box reasoning and a staged path to continuous monitoring.

    Swipe to compare →

    Cookie-only tools
    Cookiebot, Osano, Termly
    Enterprise GRC
    OneTrust, TrustArc
    GuardianStack
    UK SME, five checks
    Typical buyer
    Anyone needing a banner
    Enterprise privacy team
    UK SME, founder-led
    Price
    £9–35/mo each tool
    £10k+/yr
    £0 beta · £49/mo Pro
    Scope
    Cookies only
    Many obligations, heavy
    5 operating-layer checks, right-sized
    Cookie consent
    ✓ + drift checks
    DPAs (Article 28)
    ✓ via integrations
    ✓ AI-drafted per processor
    Marketing consent records
    Limited
    ✓ timestamped audit trail
    Retention rules
    ✓ via add-ons
    ✓ review + rollout monitoring
    Privacy notice gaps
    Generator only
    Manual review
    ✓ checked + cited
    Reasoning behind findings
    Static checklist
    Black-box scoring
    Glass Box — every finding cited
    Setup
    Per tool, stitched
    Months of implementation
    One workspace, minutes

    Not on this table: HR/employment-law consultants like Peninsula, Citation, or Mentor. They cover employment law and broader compliance advisory — a different buyer job, not an alternative to GuardianStack.

    Safe by Design

    How we build trust into every interaction

    Read-Only by Default

    We scan your store without making changes. Every action requires your explicit approval.

    Glass Box Transparency

    See exactly how we reach each recommendation. No black-box magic - full decision logs.

    You Review Everything

    AI generates drafts. You review before anything applies. Your business, your call.

    GuardianStack is operated by MikaHari Labs Ltd (Company No. 14894353). GuardianStack is not a law firm. Generated documents are AI-assisted drafts for your review. Consult legal counsel for advice specific to your situation.

    First beta proving ground
    Shopify
    Opening to selected UK merchants
    Planned nextWordPress·WooCommerce·HubSpot·Xero·Standalone
    Honest Pricing

    Limited Beta Access. Selected Users Get 30 Days Free.

    Beta is currently Shopify-first — selected users get 30 days free. Non-Shopify SMEs can request beta access for early review of the operating-layer checks. After beta closes, new merchants begin on a standard 14-day free trial.

    Typical add-on stack

    Separate tools & templates, billed in pieces

    Multiple subscriptions

    Costs stack with each tool — no single headline price

    • Consent, tags & policies handled in different places
    • Mostly manual upkeep & vendor spreadsheets
    • No unified DPA workflow
    • No ongoing retention analysis
    • No single audit-ready trail

    GuardianStack Beta

    Selected Beta Users

    Shopify-first. Opening to selected UK merchants.

    £0/mo

    30 days free from installation

    Limited places available during beta.

    Selected beta users receive:
    DPA Agent Drafts for review
    Cookie Agent Part of Pro — not sold alone
    Retention Agent Cleanup analysis
    Review Agent Audit trails

    No credit card required

    After Beta — Paid Plans

    Pro
    Paid continuation after beta · single store
    £49/month
    Business
    Multi-store support · audit reports
    Coming soon
    Enterprise
    Full autonomous · API · white-label
    Coming soon

    Cheaper than stitching 4 point solutions; a fraction of enterprise GRC.

    Founding Members
    • Launch pricing locked for life
    • Selected beta users get 30 days free
    • After beta closes, new merchants start on a 14-day trial
    • Priority access to new agents
    Common Questions

    Got Questions?

    More questions? Contact us

    The Full Story

    What is the ICO?(Information Commissioner's Office)

    The ICO is the UK's independent regulator for data rights. They don't just fine businesses; they enforce the 7 Principles of GDPR.

    Most stores think a "cookie banner" makes them compliant.It covers only one part of your operating-layer compliance picture.

    The Cost of Ignorance

    ICO enforcement can be expensive, but the everyday risk for SMEs is usually simpler: losing customer trust, time, and evidence when something is challenged.

    Vendor Liability

    Article 28 (GDPR)

    You are legally liable if apps like Klaviyo lose your customer data—unless you have a contract.

    DPA Agent writes this

    Storage Limitation

    Article 5(1)(e)

    Keeping data "just in case" is illegal. You must delete old customer records when no lawful basis remains.

    Retention Agent finds this

    Prior Consent

    PECR / ePrivacy

    Banners aren't enough. You must ensure tracking scripts do not load until the user clicks "Accept".

    Cookie Agent audits this

    Accountability

    Article 5(2)

    Doing the right thing isn't enough. You must prove it with logs and audit trails.

    Review Agent logs this
    Check Your Status
    Free audit · No credit card
    Limited Beta · Apply for Access

    See your public gaps in about 30 seconds. Then fix the operating-layer risks behind them.

    Start with a free read-only website check. Selected beta users can connect Shopify to review DPAs, cookies, retention, consent records, and privacy notices in one evidence-led workspace.

    Read-only scan About 30 seconds No credit card