Field Notes

Engineered compliance, written down.

Technical essays from the CPLT engagement team — deterministic audit mechanics, EU regulation as code, and what zero-retention actually looks like when you ship it in production.

deterministic auditGRCSOC 2

The Death of the Subjective Audit

Why the compliance industry's reliance on human judgment has become a liability, and what a deterministic pipeline replaces it with.

Apr 28, 2026 · 6 min read

DORAKubernetesfintech

Kubernetes, DORA, and the Compliance Gap in European Fintech

DORA comes into force with teeth in 2025. Your Kubernetes cluster probably cannot prove the controls it requires. Here is what the regulation actually asks, and what a deterministic pipeline produces.

Apr 21, 2026 · 9 min read

sovereign cloudair-gappedEU data residency

Sovereign GRC: Air-Gapped and Data-Resident Systems

When the data cannot leave the jurisdiction, the control plane cannot phone home, and the auditor cannot VPN in — traditional GRC tooling breaks. Here is what replaces it.

Apr 14, 2026 · 8 min read