IT security, operations and governance for small and mid-size companies across Europe. Structured methodology. Senior expertise. Accountable delivery.
Named after Trimontium — the Roman name for Plovdiv, "Three Hills." Every service maps to one of three pillars.
Small and mid-size companies facing IT compliance pressure, growth without governance, or a security incident they were not prepared for.
A specialist IT consultancy named after Trimontium — the Roman name for Plovdiv. Named for three hills; structured around three pillars of expertise. Built to last.
Trimontia takes its name from Trimontium — the Roman name for Plovdiv, meaning "Three Hills." Our name reflects our structure: three pillars of expertise, one unified consultancy, built on foundations that hold.
We are an IT security, operations and governance consultancy based in Plovdiv, Bulgaria, working with companies under 100 employees across the EMEA region. We combine deep technical expertise with structured consulting methodology — delivering the kind of work that enterprise firms charge enterprise prices for, at a price point that growing companies can actually justify.
Every engagement is led by a senior consultant from day one. Structured deliverables. Clear scope. Documented outcomes. No ambiguity about what you receive and when.
"Three hills built Plovdiv over 8,000 years — one stone at a time. Deep foundations outlast everything built on sand. We build the same way: structured, documented, defensible — so what we deliver holds up long after the engagement ends."
Every service we deliver maps to one of three pillars. Every retainer spans all three.
You have a product that works — and clients who are starting to ask hard questions about security.
No risk register. No incident response plan. No internal lead who owns it — and no board-ready answer when someone asks.
The NIS2 or ISO 27001 deadline is not abstract. It is already affecting your deals.
Here is where we come in.
We bring a decade of production IT security and infrastructure experience to companies that need it most. No agency overhead. No account manager layer. No enterprise price tag.
Five sectors where we most commonly work, each with its own compliance pressures and timelines.
Primary markets we serve:
Monthly rolling contracts. Structured outputs on a fixed schedule. All three pillars. Senior-led delivery throughout.
All retainers: Monthly rolling · 30 days written notice to cancel · Unused hours do not roll over · Overage at €120/hr (business hours) · Out-of-hours emergency advisory at €180/hr available on request for Tier 3 and Tier 4 · Annual prepay: 10% discount · Project-to-retainer conversion: 50% off Month 1 retainer
Fixed reports, fixed deadlines, a published response SLA that is contractually honoured. A substantive reply — not an automated acknowledgement — every business day.
| Tier | Monthly Fee | Response SLA | Advisory Hours |
|---|---|---|---|
| Enterprise Guardian | €4,000/mo | Same business day | ~10h/mo |
| Fractional IT Lead | €2,800/mo | Next business day | ~7h/mo |
| IT Co-Pilot | €1,600/mo | 2 business days | ~4h/mo |
| Security Watch | €800/mo | 3 business days | ~1.5h/mo |
Response means a substantive reply — not an auto-acknowledgement. SLA runs Mon–Fri CET. Advisory hours are included in the monthly fee; overage at €120/hr (business hours). Out-of-hours emergency advisory available on request for Tier 3–4 at €180/hr.
No retainer required. Fixed-price, fixed-scope. Agreed in writing before work begins. 40% of project clients move to a retainer within 30 days.
Two board-ready reports from one engagement. The most common entry point for companies facing investor scrutiny and compliance pressure simultaneously.
Structured review — endpoints, identity, access, cloud — with a prioritised remediation plan your team can act on.
Gap analysis, risk register, remediation roadmap, and board-ready documentation in plain language.
EDR and email security properly deployed and tuned. Tool-agnostic — we work with your existing stack or recommend the right fit.
Every company device enrolled, compliant, and centrally managed — with full handover documentation your team can operate independently.
Governance framework for your cloud environment and AI tools — DLP, access controls, and EU AI Act-aligned acceptable use policy.
Active Directory and hybrid identity assessed, redesigned, and hardened — with full architecture documentation included.
Cloud infrastructure designed, deployed, and documented — VMs, storage, backup, disaster recovery, and networking with an operations runbook.
IT operations documented from scratch — escalation flows, incident procedures, SOPs, and leadership reporting. Everything editable.
Standalone AI governance — risk classification, data handling rules, approved tools register, and EU AI Act alignment.
Professional wireless assessment using Ekahau Sidekick — coverage heatmaps, interference analysis, full action plan. Available across EMEA. Quote on request based on site size and location.
Specific outcomes tied to specific project types. Every figure is real.
Outcomes reflect the environments and starting conditions of each engagement. Individual results vary based on your infrastructure complexity, team availability, and the current maturity of your IT setup. We provide a realistic assessment of expected outcomes before any engagement begins — never a guarantee we cannot keep.
We are an IT consulting firm. Not a helpdesk, not a managed service provider, not a software reseller. Clear scope means better outcomes for both sides.
Every service Trimontia delivers is backed by hands-on production experience — grouped by what it does.
Twelve questions we hear most often — answered plainly. If yours is not here, send it to contact@trimontia.io.
No pitch, no deck, no obligation. A short description of your situation is enough to get a meaningful first response from our team within 2 business days.
If none of the packages are quite right, or you are not sure where to start — describe your situation and we will tell you honestly what we would do about it.
Effective 1 June 2026 · Trimontia LTD · Plovdiv, Bulgaria
These Terms govern all services provided by Trimontia LTD, a limited liability company registered in Plovdiv, Bulgaria ("Trimontia", "we", "us") to its clients ("Client", "you").
By signing a Statement of Work or Master Services Agreement referencing these Terms, or by commencing an engagement, the Client agrees to be bound by these Terms.
Trimontia provides IT security consulting, governance advisory, infrastructure consulting, and related professional services as specified in a signed Statement of Work (SoW). Work begins only after a signed SoW is in place. Work outside the agreed SoW requires a written Change Request signed by both parties before it commences.
Trimontia does not provide: Level 1 IT helpdesk; 24/7 security operations centre or continuous monitoring; legal advice; software or hardware procurement; or managed IT services — unless separately and specifically agreed in a signed SoW.
Retainers: Invoiced monthly in advance on the 1st of each month. Payment due within 14 calendar days. Unused advisory hours do not carry over.
Projects: 40% of the total fee invoiced on contract signing. 60% invoiced on delivery. Payment due within 14 calendar days of each invoice.
Overage: Time in excess of the agreed monthly allocation is billed at €120/hour (standard, business hours) or €180/hour (emergency or out-of-hours, subject to prior written approval). Overage is added to the following month's invoice.
Currency: All fees invoiced in EUR. Wire transfer to the account specified on the invoice.
Late payment: Invoices unpaid after 30 calendar days accrue interest at 0.5% per month on the outstanding balance. Trimontia reserves the right to suspend services for accounts more than 30 days overdue.
Monthly retainer agreements may be cancelled by either party with 30 calendar days' written notice. The Client remains liable for retainer fees accrued during the notice period.
Upon full payment, all client-specific deliverables become the property of the Client. Trimontia retains ownership of all methodologies, templates, frameworks, and processes used to produce deliverables.
Both parties agree to hold in strict confidence all non-public information disclosed by the other party. This obligation continues for three (3) years after termination of the engagement.
A Data Processing Agreement (DPA) is signed before any system access is granted. All access is scoped to what is strictly necessary, MFA-protected, logged, and revoked immediately upon engagement completion or at the Client's request.
Trimontia's total cumulative liability shall not exceed the total fees paid in the three (3) months immediately preceding the event giving rise to the claim.
Trimontia shall not be liable for indirect, consequential, special, or punitive damages.
These Terms are subject to the laws of the Republic of Bulgaria. Disputes are submitted first to good-faith mediation, then to the competent courts of Plovdiv, Bulgaria.
Questions regarding these Terms: contact@trimontia.io
Effective 1 June 2026 · Trimontia LTD · Plovdiv, Bulgaria
Data controller: Trimontia LTD, Plovdiv, Bulgaria.
Contact: contact@trimontia.io
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under GDPR and applicable Bulgarian data protection law.
What: Name, work email, company name, and message content from our contact form.
Why: To respond to your enquiry and deliver requested services.
Legal basis: Legitimate interests (responding to a business enquiry); performance of a contract where services are engaged.
What: Contact person names and emails, contractual information (MSA, SoW, invoices), and any data shared to enable delivery of agreed services.
Legal basis: Performance of a contract.
This website does not use cookies, tracking scripts, or third-party analytics. Contact form submissions are processed via Formspree (formspree.io) — see their privacy policy at formspree.io/legal/privacy-policy.
Enquiry data (no contract): Deleted within 12 months of last contact.
Client data (active engagement): Retained for the duration of the engagement plus 5 years for statutory compliance.
System access credentials: Revoked immediately upon engagement completion.
We do not sell or rent personal data. We share data only where strictly necessary with: Formspree Inc. (contact form processor); our accountant (invoicing data for statutory compliance); law enforcement where required by law or court order.
Where Trimontia accesses or processes the Client's personal data, a DPA is signed before any access is granted. The DPA governs categories of data accessed, purpose, security measures, sub-processors, and deletion obligations.
Contact contact@trimontia.io to exercise any right. We respond within 30 calendar days.
Request a copy of the personal data we hold about you.
Ask us to correct inaccurate or incomplete data.
Ask us to delete data where there is no lawful basis for continued processing.
Suspend processing while a dispute is resolved.
Receive your data in a structured, machine-readable format.
Object to processing based on legitimate interests.
We apply MFA on all business accounts, end-to-end encryption where applicable, and minimum necessary access to all data. Data breaches are reported to the CPDP within 72 hours and to affected individuals where required.
If unhappy with how we handle your data, contact contact@trimontia.io. You may also lodge a complaint with the Bulgarian supervisory authority: CPDP — www.cpdp.bg.
Material changes are notified to active clients by email at least 14 days before taking effect.