IT security, operations and governance for small and mid-size companies across Europe. Structured methodology. Senior expertise. Accountable delivery.
Named after Trimontium — the Roman name for Plovdiv, "Three Hills." Every service maps to one of three pillars.
Small and mid-size companies facing IT compliance pressure, growth without governance, or a security incident they were not prepared for.
A consultancy named after the city that has stood for 8,000 years — built on foundations that hold.
Trimontia takes its name from Trimontium — the Roman name for Plovdiv, meaning "Three Hills." Our name reflects our structure: three pillars of expertise, one unified consultancy, built on foundations that hold.
We are an IT security, operations and governance consultancy based in Plovdiv, Bulgaria, working with companies under 100 employees across the EMEA region. We combine deep technical expertise with structured consulting methodology — delivering the kind of work that enterprise firms charge enterprise prices for, at a price point that growing companies can actually justify.
Every engagement is led by a senior consultant from day one. Structured deliverables. Clear scope. Documented outcomes. No ambiguity about what you receive and when.
"Three hills built Plovdiv over 8,000 years — one stone at a time. Deep foundations outlast everything built on sand. We build the same way: structured, documented, defensible — so what we deliver holds up long after the engagement ends."
Every service we deliver maps to one of three pillars. Every retainer spans all three.
You have a product that works — and clients who are starting to ask hard questions about security.
No risk register. No incident response plan. No internal lead who owns it — and no board-ready answer when someone asks.
The NIS2 or ISO 27001 deadline is not abstract. It is already affecting your deals.
Here is where we come in.
We bring a decade of production IT security and infrastructure experience to companies that need it most. No agency overhead. No account manager layer. No enterprise price tag.
Five sectors where we most commonly work — each with its own compliance pressures and timelines.
Primary markets we serve:
Monthly rolling contracts. Structured outputs on a fixed schedule. All three pillars. Senior-led delivery throughout.
All retainers: Monthly rolling · 30 days written notice to cancel · Unused hours do not roll over · Overage at €120/hr (business hours) · Out-of-hours emergency advisory at €180/hr available on request for Tier 3 and Tier 4 · Annual prepay: 10% discount · Project-to-retainer conversion: 50% off Month 1 retainer
Fixed reports, fixed deadlines, a published response SLA that is honoured. A substantive reply — not an acknowledgement — every day.
| Tier | Price | Response SLA | What it means |
|---|---|---|---|
| Enterprise Guardian | €4,000/mo | Same business day | Response by end of the same business day the message is received |
| Fractional IT Lead | €2,800/mo | Next business day | Response by close of the following business day |
| IT Co-Pilot | €1,600/mo | 2 business days | Response within two business days of receipt |
| Security Watch | €800/mo | 3 business days | Response within three business days of receipt |
Response means a substantive reply, not an automated acknowledgement. SLA runs on business days (Mon–Fri, CET). Emergency out-of-hours support is available at the published overage rate for Tier 3 and Tier 4 clients.
No retainer required. Fixed-price, fixed-scope. Agreed in writing before work begins. 40% of project clients move to a retainer within 30 days.
Two board-ready reports from one engagement. The most common entry point for companies facing investor scrutiny and compliance pressure simultaneously.
Structured review — endpoints, identity, access, cloud — with a prioritised remediation plan your team can act on.
Gap analysis, risk register, remediation roadmap, and board-ready documentation in plain language.
EDR and email security properly deployed and tuned. Tool-agnostic — we work with your existing stack or recommend the right fit.
Every company device enrolled, compliant, and centrally managed — with full handover documentation your team can operate independently.
Governance framework for your cloud environment and AI tools — DLP, access controls, and EU AI Act-aligned acceptable use policy.
Active Directory and hybrid identity assessed, redesigned, and hardened — with full architecture documentation included.
Cloud infrastructure designed, deployed, and documented — VMs, storage, backup, disaster recovery, and networking with an operations runbook.
IT operations documented from scratch — escalation flows, incident procedures, SOPs, and leadership reporting. Everything editable.
Standalone AI governance — risk classification, data handling rules, approved tools register, and EU AI Act alignment.
Professional wireless assessment using Ekahau Sidekick — coverage heatmaps, interference analysis, full action plan. Available across EMEA. Quote on request based on site size and location.
Specific outcomes tied to specific project types. Every figure is real.
Outcomes reflect the environments and starting conditions of each engagement. Individual results vary based on your infrastructure complexity, team availability, and the current maturity of your IT setup. We provide a realistic assessment of expected outcomes before any engagement begins — never a guarantee we cannot keep.
We are an IT consulting firm. Not a helpdesk, not a managed service provider, not a software reseller. Clear scope means better outcomes for both sides.
Every service Trimontia delivers is backed by hands-on production experience — grouped by what it does.
Twelve questions we hear most often — answered plainly. If yours is not here, send it to contact@trimontia.io.
No pitch. No obligation. Describe your situation and our team will tell you honestly what we'd do about it.
If none of the packages are quite right, or you are not sure where to start — describe your situation and we will tell you honestly what we would do about it.
Effective date: 1 June 2026 · Trimontia ЕООД · Plovdiv, Bulgaria
These Terms and Conditions ("Terms") govern all services provided by Trimontia ЕООД, a limited liability company registered in Bulgaria (UIC pending registration), with registered address in Plovdiv, Bulgaria ("Trimontia", "we", "us", "our") to its clients ("Client", "you").
By signing a Statement of Work (SoW) or Master Services Agreement (MSA) referencing these Terms, or by commencing an engagement with Trimontia, the Client agrees to be bound by these Terms.
Trimontia provides IT security consulting, governance advisory, infrastructure consulting, and related professional services as specified in a signed Statement of Work (SoW) for each engagement.
All work is initiated only after a signed SoW is in place. The SoW defines the deliverables, timeline, fee, and any specific conditions. Work that falls outside the agreed SoW scope requires a written Change Request signed by both parties before it is commenced.
Trimontia does not provide: Level 1 IT helpdesk or day-to-day support; 24/7 security operations centre (SOC) or continuous monitoring; legal advice; software or hardware procurement; or managed IT services. These exclusions apply unless separately and specifically agreed in a signed SoW.
Retainer engagements: Invoiced monthly in advance on the 1st of each month. Payment due within 14 calendar days of invoice date. Unused advisory hours within a calendar month do not carry over to subsequent months.
Fixed-price project engagements: 40% of the total fee is invoiced on contract signing. The remaining 60% is invoiced on delivery of the final deliverable. Payment due within 14 calendar days of each invoice.
Overage: Advisory time in excess of the agreed monthly retainer allocation is billed at €120/hour (standard, business hours) or €180/hour (emergency or out-of-hours, subject to prior written approval). Overage is added to the following month's invoice.
Currency: All fees are invoiced in EUR. Wire transfer to the Trimontia ЕООД bank account specified on the invoice. No credit card payments.
Late payment: Invoices unpaid after 30 calendar days accrue interest at 0.5% per month on the outstanding balance. Trimontia reserves the right to suspend services for accounts more than 30 days overdue.
Monthly retainer agreements may be cancelled by either party with 30 calendar days' written notice sent to the other party's registered email address. Notice must be provided in writing; verbal notice is not accepted.
The Client remains liable for retainer fees accrued during the notice period. Trimontia will complete any outstanding deliverables due during the notice period unless both parties agree otherwise in writing.
Upon receipt of full payment for an engagement, all client-specific deliverables (reports, policies, documentation, frameworks) produced under that engagement become the property of the Client.
Trimontia retains ownership of all methodologies, templates, frameworks, and processes used to produce deliverables. Trimontia may reuse its own methodologies and templates for other clients. No client-specific or confidential information is reused.
Both parties agree to hold in strict confidence all non-public information disclosed by the other party in connection with the engagement ("Confidential Information"). This obligation continues for three (3) years after the termination of the engagement.
Confidential Information does not include information that: (a) is or becomes publicly available through no breach of this agreement; (b) was known to the receiving party before disclosure; (c) is independently developed without use of Confidential Information; or (d) is required to be disclosed by law, regulation, or court order.
A Data Processing Agreement (DPA) is signed before any access to the Client's systems, data, or infrastructure is granted.
All system access is: scoped to what is strictly necessary for the engagement; protected by multi-factor authentication; logged; and revoked immediately upon completion of the engagement or at the Client's request. Trimontia does not retain persistent administrative access beyond the scope and duration of the agreed engagement.
Trimontia's total cumulative liability to the Client under or in connection with any engagement shall not exceed the total fees paid by the Client to Trimontia in the three (3) months immediately preceding the event giving rise to the claim.
Trimontia shall not be liable for any indirect, consequential, special, or punitive damages, including but not limited to loss of profit, loss of revenue, loss of data, or business interruption, regardless of whether such damages were foreseeable.
Trimontia's services are advisory in nature. The Client is responsible for all implementation decisions, system changes, and business decisions made on the basis of Trimontia's advice. Trimontia does not guarantee specific outcomes or compliance certification results.
Trimontia warrants that services will be performed: (a) by personnel with relevant skills and experience; (b) with reasonable care and professional diligence; and (c) in accordance with the agreed SoW.
All other warranties, express or implied, are excluded to the fullest extent permitted by applicable law. In particular, Trimontia makes no warranty that its recommendations will prevent security incidents, achieve regulatory compliance, or satisfy the requirements of any specific certification body or regulatory authority.
Neither party shall be liable for delays or failure to perform obligations caused by circumstances beyond that party's reasonable control, including but not limited to acts of God, war, civil unrest, epidemic, pandemic, government action, or internet infrastructure failure. The affected party shall notify the other in writing as soon as practicable and shall use reasonable efforts to resume performance.
These Terms and all engagements governed by them are subject to the laws of the Republic of Bulgaria, without regard to its conflict of law provisions.
Any dispute arising from or in connection with these Terms shall be submitted first to good-faith mediation between senior representatives of both parties. If mediation does not resolve the dispute within 30 days, the dispute shall be referred to the competent courts of Plovdiv, Bulgaria.
Trimontia may update these Terms from time to time. Clients with active engagements will be notified of material changes by email at least 30 days before the change takes effect. Continued use of services after the effective date constitutes acceptance of the updated Terms.
Questions regarding these Terms should be directed to: contact@trimontia.io
Effective date: 1 June 2026 · Trimontia ЕООД · Plovdiv, Bulgaria
Data controller: Trimontia ЕООД, registered in Plovdiv, Bulgaria.
Contact: contact@trimontia.io
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and applicable Bulgarian data protection law.
What: Name, work email address, company name, and the content of your message when you submit our contact form.
Why: To respond to your enquiry and, if applicable, to deliver the requested services.
Legal basis: Legitimate interests (responding to a business enquiry) and, where services are engaged, performance of a contract.
What: Names and email addresses of contact persons, contractual information (MSA, SoW, invoices), and any data shared with us to enable delivery of the agreed services.
Why: To fulfil our contractual obligations and deliver the agreed scope of work.
Legal basis: Performance of a contract.
What: This website does not use cookies, tracking scripts, or third-party analytics. No personal data is collected by visiting trimontia.io.
Contact form: Submissions are processed via Formspree (formspree.io). Formspree acts as a data processor on our behalf. Please review Formspree's privacy policy at formspree.io/legal/privacy-policy for details of their processing.
Enquiry data (no contract followed): Deleted within 12 months of last contact.
Client data (active engagement): Retained for the duration of the engagement plus 5 years, to comply with Bulgarian accounting and tax law requirements for business records.
System access credentials: Revoked immediately upon engagement completion or at the Client's request. Not retained beyond the engagement period.
We do not sell, rent, or trade personal data. We do not share personal data with third parties for marketing purposes.
We share data only with the following categories of recipients where strictly necessary:
Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V.
Where Trimontia is engaged to access, process, or handle the Client's personal data (for example, during a security audit or system configuration), a Data Processing Agreement (DPA) is signed between Trimontia and the Client before any such access is granted.
The DPA governs: the categories of data accessed, the purpose and scope of processing, technical and organisational security measures applied, sub-processors engaged (if any), and data return or deletion obligations upon engagement completion.
As a data subject under GDPR, you have the following rights. To exercise any of these rights, contact us at contact@trimontia.io. We will respond within 30 calendar days.
You may request a copy of the personal data we hold about you.
You may ask us to correct inaccurate or incomplete personal data.
You may ask us to delete your personal data where there is no lawful basis for continued processing.
You may ask us to suspend processing in certain circumstances while a dispute is resolved.
Where processing is based on consent or contract, you may request your data in a structured, machine-readable format.
You may object to processing based on legitimate interests. We will cease unless we can demonstrate compelling grounds that override your interests.
We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction, including: multi-factor authentication on all business accounts, end-to-end encrypted communications where applicable, and a principle of minimum necessary access to any data entrusted to us.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay.
If you are unhappy with how we handle your personal data, please contact us first at contact@trimontia.io. We will investigate and respond within 30 calendar days.
You also have the right to lodge a complaint with the Bulgarian supervisory authority: Commission for Personal Data Protection (CPDP), Sofia, Bulgaria — www.cpdp.bg — or the supervisory authority in your EU member state of residence or place of work.
We may update this Privacy Policy from time to time. Material changes will be communicated to active clients by email at least 14 days before taking effect. The current version is always available at trimontia.io.