360° analysis of the IT environment, including a scan of the Git history

Focus on Human capital, tech stack maturity, architecture, build up potential and cloud readiness

OPEX and CAPEX estimation, to scale, in alignment with business strategy

Full Tech report with assessment, observations and recommendations to match business objectives

Validating technology scalability to support investment growth strategies

Get a report with risk analysis and action plan 

Scalability Audit: one dashboard, complete control

Results are available on an online dashboard that enables long-term management and value creation. 

The Scalability Audit provides the following : 

• 360 IT Audit including IT organisation and human capital
 • Roadmap review and alignment with business strategy
 • Architecture, infrastructure, and cloud readiness
 • Tech stack maturity
 • Methodology and tooling
 • Technical debt and recommendations
 • CAPEX OPEX scenarios

Our unique combination of scanners and experts provides a thorough analysis of the technology asset

Comprehensive online evaluation of the software development process that analyses: 
• Team organisation
• Tools and technology
• Quality and product testing
• Operations (deployment, data management...)

Our unique scanning methodology collects data from the Git repository to identify:
• Number of languages used per project over time 
• Risk of obsolescence
• Methodology issues (such as ratio of test over time) 
• Maintainability risks linked to Human Capital (such as high turnover rate, knowledge distribution, individual efficiency...)

Once the online assessment and the Git scan are complete, the IT expert reviews the company’s IT environment and delivers a contextualised report, that includes:
• Maintainability risks linked to Human Capital (such as high turnover rate, knowledge distribution, individual efficiency...)
• Scoring from the online assessments
• 360° view of the company’s IT organisation, including IT infrastructure, tooling and methodologies
• View on cloud readiness, architecture and HR
• Analysis of build-up readiness, tech stacks optimisation and Tech Stack maintenance costs
• Human Capital Risk analysis (knowledge sharing, turnover)

Vaultinum will deliver a full risk report that summarises findings to show:​
• Overall performance rating, with industry​ benchmark
• Key scalability and software development risks 
• Key people/human risks (efficiency, knowledge and availability)
• Suggested remediations​
• Operational action plan ​
• OPEX and CAPEX estimation
• Architecture and infrastructure assessment

Get in touch with our experts to assess scalabilty

Analyses a software's scalability, maintainability, cost and delivery schedule, to improve the software development process and facilitate growth

Online software scalability and quality audits | Vaultinum

Data-driven, Comprehensive Approach to Vendor and Buy-Side Tech Due Diligence

AI Act or GDPR: which legal framework applies to my AI system?

The GDPR applies wherever an organisation processes personal data—whether for communication, commercial or analytical purposes. 

The AI Act applies where an Artificial Intelligence System (AIS) is implemented. 

The AI Act defines an AI system as “a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments”. 

Where AI systems process personal data, the two regulations are both applicable and complementary. 

The remainder of this article outlines best practices for ensuring that AI systems processing personal data remain compliant with both regulations. 

Phase 1: establishing dedicated governance 

Before developing an AIS, the organisation responsible must implement a structured governance framework and establish a steering committee to oversee compliance with both the GDPR and the AI Act throughout the system’s entire lifecycle. The committee should assess the need for the AIS, map data processing activities, develop an action plan, and monitor the implementation of legal recommendations. 

Phase 2: defining the roles and responsibilities of stakeholders 

The development and deployment of an AIS typically involves multiple stakeholders—developers, vendors, end users, providers of training data, and so forth. For each phase of the system’s lifecycle, it is essential to identify the role and responsibility of each party with regard to data processing. This requires a detailed analysis of the AIS lifecycle to assign responsibility—either as data controller or processor—for the stages of development, training, deployment, and operation. 

Let’s take a practical example: if an AIS is developed according to a client’s specifications for internal use, the client is likely to be the data controller, while the development team acts as the processor. Conversely, if a company develops an AIS and its functionalities independently for commercial sale “off the shelf”, the company will be considered the data controller during both the design and training phases. 

Phase 3: determining the purpose of processing under the GDPR 

Article 5 of the GDPR sets out the core principles governing the processing of personal data. Any use of personal data must meet the criteria of lawfulness, data minimisation, proportionality, and transparency—ensuring that individuals can modify or withdraw consent. The use of data must be governed by a clearly defined purpose. This purpose may remain constant throughout the AIS lifecycle or evolve during its development and use. 

Phase 4: selecting the legal basis for processing 

Once the purpose of the AIS has been defined, it is necessary to select the right legal basis for processing under the GDPR. These legal bases are the following : consent; contract; legal obligation; vital interests; public task; or legitimate interests. 

In the context of AIS development, legitimate interest can be a suitable basis, provided that the requirements of the GDPR and the former Article 29 Working Party (G29) are met—namely, restricting data use to what is strictly necessary, facilitating the exercise of data subjects’ rights, and ensuring that the AIS is free from discriminatory bias. 

The use of third-party datasets requires heightened diligence, particularly to verify the compatibility between the original purpose of data collection and the intended use. Where such compatibility cannot be demonstrated, data usage becomes problematic. As a general rule, it is strongly recommended to confirm that third-party datasets do not contain sensitive information and were collected in compliance with the GDPR. 

Phase 5: informing individuals and facilitating the exercise of their rights 

Transparency is a core principle of the GDPR. Organisations must therefore develop a clear strategy to ensure that individuals receive accessible and comprehensible information about the processing of their personal data by AI systems—at every stage of the data processing lifecycle. 

Furthermore, to ensure compliance and avoid penalties, AIS must incorporate, by design, features that enable users to exercise their rights of access, rectification, or removal of data. 

Phase 6: applying the principles of data minimisation and accuracy

AI systems require substantial volumes of data to function effectively—an apparent contradiction with the GDPR’s principle of minimisation. Nevertheless, where personal data is involved, only data that is strictly necessary should be collected and used. In addition, the AIS must offer guarantees concerning data accuracy and reliability, in order to avoid bias. 

To that end, French CNIL recommends the following best practices: 

Implementing pseudonymisation, data aggregation or synthetic data generation; 

Ensuring that data is deleted once it is no longer required; 

Continuously verifying data accuracy throughout the AIS lifecycle; 

Combining automated alert systems with human oversight to assess data sources and their accuracy. 

Data protection is a critical requirement under the GDPR. Failure to comply with security obligations—or to report breaches—can lead to severe penalties. 

Data protection should be ensured through both technical and organisational measures, including: 

Where data is transferred outside the European Economic Area, contractual safeguards must be in place to guarantee a level of protection equivalent to that required by the GDPR. 

If the AIS presents a high level of risk, a Data Protection Impact Assessment (DPIA) must be carried out before deployment. 

Fostering a culture of compliance and documenting all actions 

Ensuring that an AI system complies with both the AI Act and the GDPR should not fall to a select few. It must be a collective effort, supported by all stakeholders involved in the system’s design and implementation. Each actor should carefully document all phases of the AIS lifecycle, specifying the types of data used, and the respective roles and obligations of all parties. 

It is also advisable to organise awareness sessions on the requirements and good practices related to the AI Act and GDPR, for anyone involved in data collection or system development. 

The opinions, presentations, figures and estimates set forth on the website including in the blog are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.

The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Vaultinum. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.

Audrey Arbusa is a Partner at TGS FRANCE AVOCATS. She has developed specific expertise in IT contracts, e-commerce, and personal data protection. She also serves as an outsourced DPO.

Audrey ARBUSA

The AI Act  entered into force in the European Union on 1 August 2024 and will be applied progressively over a two-year period, between 2025 and 2027. This new regulation aims to govern the use of artificial intelligence (AI) within the EU, with the dual objective of protecting individuals’ fundamental rights—particularly by prohibiting citizen scoring—and classifying AI systems according to their level of risk, setting out the applicable conditions for each category. 

AI systems require access to millions of data points to be trained effectively and deliver reliable outputs. Depending on the intended use of the AI, this may involve processing personal data. As a result, both the AI Act and the GDPR may apply concurrently. Companies developing or deploying AI systems must therefore take steps to ensure compliance with both sets of regulations. 

Discover how to ensure your AI system complies with both the AI Act and GDPR, from governance and data protection to stakeholder responsibilities.

AI and GDPR Compliance: What you need to know

Tech Due Diligence helps investors and other stakeholders identify potential risks and opportunities that may impact the success of an investment or partnership. It provides valuable insights into a company's technological capabilities and can reveal areas that may require improvement.

During the Tech Due Diligence process, a thorough code scan is conducted to evaluate the quality of a company's codebase. This scan helps identify any coding issues or vulnerabilities that could lead to security breaches or other issues down the line. It also helps evaluate the scalability and maintainability of a company's systems, which are critical factors in determining long-term success.

In addition to the code scan, Tech Due Diligence also assesses a company's hardware and software infrastructure, cyber security protocols, and data management processes. These evaluations help identify any potential data breaches, system failures, or other technological risks that could harm the company's operations.

The benefits of Tech Due Diligence in the legal and tech industry

In the legal and tech industry, Tech Due Diligence is particularly critical. Companies in these industries often handle sensitive information, making cyber security and data privacy top priorities. Tech Due Diligence can help identify any potential security risks and ensure that a company's data management protocols are up to par. 

Furthermore, Tech Due Diligence can help identify opportunities for innovation and growth. By evaluating a company's technological capabilities, investors can determine whether it has the potential to develop new products or services or improve existing ones. This information can be invaluable in making investment decisions or negotiating partnerships. 

Conducting Tech Due Diligence requires a team of experienced professionals with specialised skills in technology and cyber security. These experts will evaluate a company's technological infrastructure, systems, and processes, and provide detailed reports outlining any potential risks or opportunities.

The Tech Due Diligence process typically involves the following steps:

The team will conduct an initial assessment of the company's technological infrastructure to identify any potential red flags.

A thorough code scan is conducted to evaluate the quality of the company's codebase and identify any coding issues or vulnerabilities.

The team will assess the company's cyber security protocols to identify any potential vulnerabilities or data breaches.

The team will evaluate the company's data management processes to identify any potential risks or compliance issues.

The team will assess the company's hardware and software infrastructure to identify any potential issues or scalability concerns.

A detailed report will be provided outlining any potential risks or opportunities identified during the tech due diligence process.

Tech Due Diligence and Strategy Due Diligence: two complementary assessments

Strategy due diligence involves assessing the strategic fit of the target company with the acquiring company. This includes evaluating the target company's market position, competitive landscape, go-to-market and growth potential, as well as assessing the potential synergies and integration challenges associated with the acquisition.

By combining the insights gained from technology due diligence and strategy due diligence, M&A investors can develop a more comprehensive understanding of the target company and its potential impact on the acquiring company's overall strategy. 

For example, if the target company has strong technology assets but lacks a strong market position, the acquiring company may be able to leverage the target company's technology assets to improve its own market position. On the other hand, if the target acquisition has a strong market position but lacks strong technology assets, the acquiring company may need to invest in improving the target company's technology assets to fully leverage its strategic potential.

Overall, technology due diligence and strategy due diligence are complementary processes that can provide M&A investors with a more complete understanding of the target company and its potential impact on the acquiring company's overall strategy. By combining the insights gained from both processes, M&A investors are better equipped to understand how they can integrate the new acquisition into their overall growth plan, and thus decide whether or not to make the acquisition or negotiate the right price. 

In conclusion, Tech Due Diligence is a critical component of any comprehensive strategic due diligence process in the legal and tech industry. It helps investors and other stakeholders identify potential risks and opportunities and provides valuable insights into a company's technological capabilities. By conducting a thorough Tech Due Diligence assessment, investors can make informed investment decisions and negotiate partnerships with confidence.

As a trusted third party with over four decades of experience in the legal and tech industry, Vaultinum is uniquely positioned to provide comprehensive Tech Due Diligence solutions to its clients. Our team of experts has the specialized skills and knowledge necessary to conduct in-depth assessments of a company's technological infrastructure, systems, and processes, and provide detailed reports outlining any potential risks or opportunities. By partnering with Vaultinum for Tech Due Diligence, investors and other stakeholders can gain valuable insights into a company's technological capabilities and make informed investment decisions.

Marine is our Marketing Director. She is a branding and brand activation specialist with international experience in BtoB and BtoC.

Marine YBORRA

As the legal and tech industries continue to converge, it has become increasingly essential to conduct comprehensive due diligence when evaluating potential investments or partnerships. The due diligence process may include auditing the financial elements of the target company, as well as the legal aspects and the overall business strategy. If the M&A is tech-oriented then it's very likely that the investor will also require a Tech Due Diligence, which involves a detailed assessment of a company's technological infrastructure, systems, and processes. This last piece of the due diligence process is sometimes overlooked by investors, for reasons of timing or budget; but this is a mistake as Tech Due Diligence when done correctly, will provide strong insights into the overall strategy due diligence.

Understand how a thorough Tech Due Diligence can strengthen the strategic evaluation of an acquisition, prior to a tech M&A.

Tech Due diligence as a base to execute a comprehensive Strategic Due Diligence

Tech Due Diligence: base for a Strategic Due Diligence

Vaultinum

Tech Due Diligence

Tech Vendor Due Diligence

IP Audit

Cyber Audit

Scalability and Quality Audit

IP Deposit

Software Escrow

Solutions

Our Solutions adapted to your needs

Our Solutions

Blog

Resources

Learn

About us

Contact

Change Language

This website uses cookies to enhance user experience. You can learn more about how we handle your data in our legal notice.

Use this sitemap to find all the information you need about Vaultinumand go directly to the sections you're interested in.

Scalability Audit

Our clients