IT Security Consulting · Operations · Governance · AI · EMEA

Ancient foundations.
Modern security.

IT security, operations and governance for small and mid-size companies across Europe. Structured methodology. Senior expertise. Accountable delivery.

Years of hands-on enterprise IT & security delivery
Annex A controls covered across ISO 27001 engagements
Same-day SLA: top-tier response — business hours
EMEA: remote delivery
What We Do

Three pillars. One consultancy.

Named after Trimontium — the Roman name for Plovdiv, "Three Hills." Every service maps to one of three pillars.

I — Security
Endpoint protection, email security, threat detection, NIS2 and ISO 27001 compliance. The citadel.
II — Operations & Infrastructure
Identity, device management, Azure infrastructure, Active Directory, cloud migration. The engine room.
III — Governance & AI
M365 governance, AI policy, ISO 27001 ISMS, IT operations frameworks, board reporting. The framework.
01 — Scoping
Discovery call
30 minutes. We understand your situation and tell you honestly whether we can help and what it would involve.
02 — Proposal
Fixed-price scope
A one-page proposal — exact deliverables, timeline, and fee — agreed and signed before any work begins.
03 — Delivery
Senior-led execution
The engagement lead is your direct contact. Structured milestone updates. No handoffs or junior relay.
04 — Handover
Documented & yours
All deliverables are editable, client-owned, and designed to operate without us after handover.
At a Glance

Retainers & Projects.

Security Watch · Retainer · €800/mo
IT Co-Pilot · Retainer · €1,600/mo
Fractional IT Lead · Retainer · €2,800/mo
Enterprise Guardian · Retainer · €4,000/mo
IT Health Check · Entry · €1,500 fixed
IT Security Audit · Project · from €5,500
NIS2 Assessment · Project · from €6,500
AI Governance Framework · Project · from €7,500
Industries

Companies like yours.

Small and mid-size companies facing IT compliance pressure, growth without governance, or a security incident they were not prepared for.

SaaS & Tech
Professional Services
Manufacturing
Healthcare & MedTech
Fintech & Regulated
Ready to talk? No sales pitch. No obligation.
Our Story

Founded in Plovdiv.
Trusted across Europe.

A specialist IT consultancy named after Trimontium — the Roman name for Plovdiv. Named for three hills; structured around three pillars of expertise. Built to last.

Who We Are

Senior expertise.
Direct accountability.

Trimontia takes its name from Trimontium — the Roman name for Plovdiv, meaning "Three Hills." Our name reflects our structure: three pillars of expertise, one unified consultancy, built on foundations that hold.

We are an IT security, operations and governance consultancy based in Plovdiv, Bulgaria, working with companies under 100 employees across the EMEA region. We combine deep technical expertise with structured consulting methodology — delivering the kind of work that enterprise firms charge enterprise prices for, at a price point that growing companies can actually justify.

Every engagement is led by a senior consultant from day one. Structured deliverables. Clear scope. Documented outcomes. No ambiguity about what you receive and when.

"Three hills built Plovdiv over 8,000 years — one stone at a time. Deep foundations outlast everything built on sand. We build the same way: structured, documented, defensible — so what we deliver holds up long after the engagement ends."
Our Approach

How we work.

Fixed scope, written before we start
Every engagement begins with a signed Statement of Work. Deliverables, timeline, and fee agreed in writing. No scope creep billed without a prior change request.
Everything documented and yours
Every deliverable is editable, client-owned, and designed so your team can operate independently after handover — without depending on us to stay involved.
Data protection before access
A DPA is signed before any system access is granted. Access is scoped, MFA-protected, logged, and revoked at engagement completion.
The Three Hills

Three pillars. One consultancy.

Every service we deliver maps to one of three pillars. Every retainer spans all three.

I
Security
The citadel. The oldest hill. The first line of defence.
CrowdStrike Falcon EDR — policy, triage, remediation
Microsoft Defender Suite — Endpoint, Identity, Office 365
Email security — SPF/DKIM/DMARC, anti-phishing
NIS2 readiness — gap analysis, risk register, roadmap
IT Security Audits — endpoint, identity, access, cloud
WiFi site surveys (EMEA) — Ekahau Sidekick
II
Operations & Infrastructure
The engine room. Where things get built and maintained.
Microsoft Entra ID — identity lifecycle, conditional access
Microsoft Intune / MDM — enrolment, compliance, Autopilot
Active Directory DS — GPO design, hybrid identity, tiering
Azure Virtual Machines — deployment, backup, Site Recovery
Azure Networking — VNet, Firewall, App Gateway, Bastion
Patch management, onboarding/offboarding SOPs
III
Governance & AI
The framework that makes everything else defensible.
M365 & Copilot governance — DLP, lifecycle, admin controls
AI Governance Frameworks — EU AI Act mapping
ISO 27001 — full ISMS build, internal audit, cert prep
NIS2 / ISO 9001 alignment and audit preparation
IT operations frameworks — escalation maps, RACI, SOPs
Monthly board-ready leadership & security summaries
The Basics

Three things worth knowing.

Based in Plovdiv, Bulgaria
Registered as a Bulgarian LTD — a full EU legal entity. VAT-compliant invoicing in EUR. All services delivered remotely. On-site across EMEA where needed.
Senior consultants, not an agency
Every engagement is led by a senior consultant from scope through delivery. No account manager layers. No hand-off to juniors. Direct access to the expertise you hired at every stage.
Guaranteed response SLA
A substantive reply — not an acknowledgement. SLAs range from 3 business days (Security Watch) to same business day (Enterprise Guardian). Published, contractual, and honoured. Mon–Fri CET.
The Situation We Solve

Growing companies that have
outgrown ad-hoc IT.

You have a product that works — and clients who are starting to ask hard questions about security.

The Problem

Your IT is held together
by whoever has time.

No risk register. No incident response plan. No internal lead who owns it — and no board-ready answer when someone asks.

The NIS2 or ISO 27001 deadline is not abstract. It is already affecting your deals.

Here is where we come in.

We bring a decade of production IT security and infrastructure experience to companies that need it most. No agency overhead. No account manager layer. No enterprise price tag.

01
NIS2 & ISO 27001 deadlines
Enforcement is active. Clients and auditors are asking for documented compliance. Most companies have nothing to show.
02
No internal IT or security lead
No one owns it. No risk register. No incident response plan. Just the hope that nothing goes wrong.
03
Rapid growth, no governance
New people, new tools, new clients — with no identity governance, no device management, no baseline keeping pace.
04
A breach or phishing incident
Something happened. Now: what do we actually have in place, and who is responsible for fixing it?
Industries

Companies like yours.

Five sectors where we most commonly work — each with their own compliance pressures and timelines.

Primary markets we serve:

🇳🇱 Netherlands 🇩🇪 Germany 🇸🇪 Sweden 🇮🇪 Ireland 🇬🇧 United Kingdom 🇩🇰 Denmark 🇧🇪 Belgium 🇫🇮 Finland
SaaS & Tech
Security questionnaires, ISO 27001, investor due diligence. Security is now a sales blocker.
Professional Services
Law firms, accounting, consulting — sensitive client data under GDPR and NIS2.
Manufacturing
Supply chain audits, OT/IT boundary controls, NIS2 obligations for critical sector suppliers.
Healthcare & MedTech
Strict data handling, device security requirements, sector-specific compliance.
Fintech & Regulated
DORA, PCI-DSS adjacent, regulated client requirements before onboarding.
Monthly Retainers

Four tiers. Cancel anytime.

Monthly rolling contracts. Structured outputs on a fixed schedule. All three pillars. Senior-led delivery throughout.

Security Watch
Visibility without the overhead
€800/month
Users: Up to 50
Response SLA: 3 business days
Monthly hours: ~1.5h
Contract: Monthly rolling
What's included
Monthly security posture report — executive-ready PDF, delivered by the 5th
Patch compliance summary — gaps flagged, priorities ranked by severity
Endpoint health overview (CrowdStrike / Defender / ManageEngine)
2 async Q&A sessions per month — email or Slack
IT hygiene checklist with action priorities
Onboarding baseline report delivered within 7 days of contract signing
IT Co-Pilot
Ongoing IT ops, handled
€1,600/month
Users: Up to 100
Response SLA: 2 business days
Monthly hours: ~4h
Contract: Monthly rolling
Everything in Security Watch, plus
Microsoft 365 & Copilot governance oversight — admin controls, DLP, lifecycle
Microsoft Defender Suite monitoring — endpoint, identity, cloud alerts
1 policy document per quarter — tailored to your environment
NIS2 compliance gap tracking against current obligations
Azure Entra ID & identity management oversight
Quarterly IT roadmap call (30 min) — months 3, 6, 9, 12
Fractional IT Lead
Your senior IT function, on retainer
€2,800/month
Users: Up to 100
Response SLA: Next business day
Monthly hours: ~7h
Contract: Monthly rolling
Everything in IT Co-Pilot, plus
Azure infrastructure advisory — VMs, networking, backup, migration
On-prem / hybrid Active Directory oversight — AD DS, GPO, security tiering
Monthly board-ready leadership summary — 1 page, investor-ready
NIS2 / ISO 9001 alignment and audit preparation support
IT operations framework maintenance — escalation maps, RACI, SOPs
Vendor contract review and tooling rationalisation advice
Enterprise Guardian
Continuous oversight, full stack
€4,000/month
Users: Up to 100
Response SLA: Same business day
Monthly hours: ~10h
Contract: Monthly rolling
Everything in Fractional IT Lead, plus
Multi-tenant governance — M365, Copilot Enterprise, multi-region Entra ID
Full Azure networking & VM oversight — VNet, NSGs, Firewall, Bastion
Continuous NIS2/ISO audit readiness — risk registers updated monthly
Priority 8-hour response SLA — every day of the week
Quarterly executive security briefing — board-ready slide deck
Annual IT strategy roadmap — 8–12 page report delivered Month 12

All retainers: Monthly rolling · 30 days written notice to cancel · Unused hours do not roll over · Overage at €120/hr (business hours) · Out-of-hours emergency advisory at €180/hr available on request for Tier 3 and Tier 4 · Annual prepay: 10% discount · Project-to-retainer conversion: 50% off Month 1 retainer

Not sure which plan fits? Every company situation is different. Get in touch and we'll put together a tailored proposal.
Working Model

Async-first. Reliable SLA.

Fixed reports, fixed deadlines, a published response SLA that is contractually honoured. A substantive reply — not an automated acknowledgement — every business day.

Tier · Monthly Fee · Response SLA · Advisory Hours
Enterprise Guardian · €4,000/mo · Same business day · ~10h/mo
Fractional IT Lead · €2,800/mo · Next business day · ~7h/mo
IT Co-Pilot · €1,600/mo · 2 business days · ~4h/mo
Security Watch · €800/mo · 3 business days · ~1.5h/mo

Response means a substantive reply — not an auto-acknowledgement. SLA runs Mon–Fri CET. Advisory hours are included in the monthly fee; overage at €120/hr (business hours). Out-of-hours emergency advisory available on request for Tier 3–4 at €180/hr.

Pricing
Structured & fair
Bulgarian operations base — an EU member state. Lower cost structure passed directly to clients, not absorbed as margin.
Response SLA
3BD → Same Day
3 business days at Tier 1, rising to same business day at Tier 4. Contractually defined in every MSA. Mon–Fri CET. Out-of-hours advisory available for Tier 3–4 on request.
Coverage
EMEA
Remote delivery across EMEA. On-site for surveys and implementation. Travel at cost, zero markup.
One-Time Projects

Fixed scope. Defined deliverables.

No retainer required. Fixed-price, fixed-scope. Agreed in writing before work begins. 40% of project clients move to a retainer within 30 days.

Preparing for ISO 27001 certification?
We deliver the complete ISMS build — gap analysis against all 93 Annex A controls, full risk register, 12+ policy documents, Statement of Applicability, internal audit, and Stage 2 prep.
Not sure where to start?
Our IT Health Check is a fixed-price, 5-day remote assessment — a structured snapshot of your current security posture, top 5 priorities, and a clear recommended next step. No commitment beyond the engagement. Converts to a full project or retainer in over 60% of cases.
Bundle · Best Value

Security Audit + NIS2 Bundle

Two board-ready reports from one engagement. The most common entry point for companies facing investor scrutiny and compliance pressure simultaneously.

€10,000–18,000 · 6–9 weeks · Remote
Security

IT Security Audit

Structured review — endpoints, identity, access, cloud — with a prioritised remediation plan your team can act on.

€5,500–9,500 · 3–4 weeks
Compliance

NIS2 Readiness Assessment

Gap analysis, risk register, remediation roadmap, and board-ready documentation in plain language.

€6,500–12,000 · 3–5 weeks
Security

Endpoint & Threat Protection

EDR and email security properly deployed and tuned. Tool-agnostic — we work with your existing stack or recommend the right fit.

€2,800–6,500 · 2–3 weeks
Operations

Device Management

Every company device enrolled, compliant, and centrally managed — with full handover documentation your team can operate independently.

€3,500–9,000 · 2–4 weeks
Governance

Cloud Governance & AI Policy

Governance framework for your cloud environment and AI tools — DLP, access controls, and EU AI Act-aligned acceptable use policy.

€4,000–10,000 · 2–5 weeks
Infrastructure

Identity & Directory Modernisation

Active Directory and hybrid identity assessed, redesigned, and hardened — with full architecture documentation included.

€4,500–9,000 · 3–5 weeks
Infrastructure

Cloud Infrastructure Setup

Cloud infrastructure designed, deployed, and documented — VMs, storage, backup, disaster recovery, and networking with an operations runbook.

€5,000–11,000 · 3–6 weeks
Operations

IT Operations Framework

IT operations documented from scratch — escalation flows, incident procedures, SOPs, and leadership reporting. Everything editable.

€9,000–20,000 · 6–10 weeks
AI Governance

AI Governance Framework

Standalone AI governance — risk classification, data handling rules, approved tools register, and EU AI Act alignment.

€7,500–18,000 · 5–8 weeks
On-Site · By Request

WiFi Site Survey — EMEA

Professional wireless assessment using Ekahau Sidekick — coverage heatmaps, interference analysis, full action plan. Available across EMEA. Quote on request based on site size and location.

Quote on request · 1–3 days on-site
Client Outcomes

What clients actually achieve.

Specific outcomes tied to specific project types. Every figure is real.

18 weeks
ISO 27001 Certified
A 20-person SaaS startup with no prior ISMS documentation. Gap analysis to Stage 2 certification in under five months — on time, no major non-conformities at the certification audit.
20-person SaaS startup · Netherlands · Q4 2024
34% → 71%
Microsoft Secure Score
A 45-person company on Microsoft 365 Business Premium. Conditional Access, Defender configuration, DLP, DKIM and DMARC implemented across a four-week engagement. Documented before and after.
45-person company · EMEA · Q1 2025
6 weeks
NIS2 Gap Closed
A professional services firm with active regulatory pressure and an enterprise client requiring evidence of NIS2 compliance. Full risk register, policy library, and board-ready assessment delivered.
Professional services firm · EU · Q2 2025
sub-40 min
New hire IT onboarding
IT Ops Framework implementation for a 55-person company that previously had no documented onboarding process. New hire laptop-to-productive time reduced from half a day to under 40 minutes with zero IT involvement required.
55-person company · Belgium · Q3 2024

Outcomes reflect the environments and starting conditions of each engagement. Individual results vary based on your infrastructure complexity, team availability, and the current maturity of your IT setup. We provide a realistic assessment of expected outcomes before any engagement begins — never a guarantee we cannot keep.

Scope & Approach

What we do —
and how we do it.

We are an IT consulting firm. Not a helpdesk, not a managed service provider, not a software reseller. Clear scope means better outcomes for both sides.

✓ What Trimontia does
IT security audits — endpoint, identity, access, cloud, email
NIS2 readiness — gap analysis, risk register, remediation roadmap
ISO 27001 — complete ISMS build, internal audit, certification preparation
Microsoft 365 and Copilot governance — DLP, lifecycle, admin controls
Azure infrastructure — virtual machines, networking, backup, migration
Active Directory — on-premises and hybrid, GPO design, security tiering
Microsoft Defender Suite — full deployment, tuning, and monitoring
Monthly oversight retainers — structured reports, async advisory
AI governance frameworks — EU AI Act mapping, acceptable use policy
WiFi site surveys — professional RF assessment, EMEA on-site
Outside our standard scope
L1 IT support and helpdesk. Password resets, printer issues, and service desk tickets are not what we do. Trimontia provides IT governance and consulting — not reactive frontline support. We can refer you to a complementary MSP partner who operates that layer.
Operations centre and 24/7 monitoring. We are not a Security Operations Centre or managed service provider. We do not staff continuous monitoring infrastructure. Incident response advisory is available under retainer during business hours.
Legal interpretation of compliance obligations. We identify gaps and document controls — specific legal obligations under GDPR, NIS2, or sector regulation require qualified legal counsel. We work alongside lawyers, not in place of them.
Certification body audit. ISO 27001 and NIS2 certificates are issued by independent certification bodies. We prepare you — the audit is conducted by the body you engage directly.
Software and licence procurement. We are tool-agnostic and earn no commissions on tools we recommend. Procurement happens directly between you and the vendor.
Available on request — subject to separate scoping and pricing: Penetration testing and red team exercises · Phishing simulations · Out-of-hours emergency advisory · Extended SLA windows · Security awareness training · Software procurement coordination. Contact us to discuss scope and fee.
Not sure if your situation fits? Send a short description to contact@trimontia.io and we will tell you honestly whether we are the right fit — or point you toward someone who is.
What We Work With

The tools. Used daily, not just listed.

Every service Trimontia delivers is backed by hands-on production experience — grouped by what it does.

Cybersecurity
  • CrowdStrike Falcon: EDR — endpoint detection, policy tuning, alert triage, remediation tracking
  • Microsoft Defender Suite: Endpoint, Identity, Office 365, Cloud Apps — unified threat platform
  • Microsoft Sentinel: SIEM — log aggregation, threat detection, incident correlation
  • Proofpoint · Mimecast: Email security gateway — filtering, sandboxing, threat intelligence
  • Email Authentication: SPF, DKIM, DMARC — anti-spoofing and deliverability hardening
  • Zero Trust: Architecture framework — never trust, always verify, least privilege
  • NIS2 · ISO 27001: Compliance frameworks — gap analysis, risk register, certification prep
Identity & Devices
  • Microsoft Entra ID: Cloud identity — user lifecycle, SSO, external access, Privileged Identity Management
  • Conditional Access: Policy engine — enforce MFA, device compliance, location and risk-based rules
  • Microsoft Intune: MDM/MAM — device enrolment, compliance policies, app deployment, Autopilot
  • Active Directory DS: On-premises directory — OU design, GPO hardening, security tiering, LAPS
  • Entra Connect · Cloud Sync: Hybrid identity — sync on-prem AD to cloud, password hash, SSPR
  • MFA & Passwordless: Authentication hardening — Authenticator app, FIDO2, phishing-resistant MFA
  • ManageEngine Endpoint Central: Endpoint management — patching, software deployment, remote control
Cloud Infrastructure
  • Azure Virtual Machines: IaaS compute — sizing, deployment, image management, OS hardening, availability sets
  • Azure Backup: Data protection — VM backups, retention policies, restore testing and documentation
  • Azure Site Recovery: Disaster recovery — VM replication, failover testing, DR runbooks
  • Azure Migrate: Migration platform — on-premises to cloud assessment, planning, and execution
  • Azure Update Manager: Patch management — scheduled patching, compliance reporting across VM fleet
  • Microsoft Purview: Data governance — sensitivity labels, DLP policies, compliance centre
Azure Networking
  • Azure VNet · NSGs: Network foundation — address spaces, subnet structure, traffic rules, route tables
  • VPN Gateway · ExpressRoute: Hybrid connectivity — site-to-site, point-to-site, private circuits
  • Azure Firewall · App Gateway: Perimeter security — L4/L7 filtering, WAF, DDoS protection, TLS termination
  • Azure Bastion · Private Link: Secure access — browser-based RDP/SSH, private service endpoints, zero public IP
  • Azure DNS · Front Door: Name resolution and global routing — private DNS zones, CDN, global load balancing
  • Zero Trust Segmentation: Network micro-segmentation strategy — least-access networking across hybrid environments
WiFi & On-Site
  • Ekahau Sidekick: RF survey hardware — passive and active site surveys, professional-grade measurement
  • Coverage Heatmaps: Signal strength and data rate maps per floor, per band (2.4GHz / 5GHz / 6GHz)
  • AP Placement Planning: Optimal access point positioning before hardware is installed — prevents costly rework
  • Interference Analysis: Identify RF interference sources, channel congestion, and neighbouring network impact
  • Post-Deployment Validation: Verify installed network performs to design spec — active throughput and roaming testing
Common Questions

Before you get in touch.

Twelve questions we hear most often — answered plainly. If yours is not here, send it to contact@trimontia.io.

Getting started
Send a short message via the contact form or directly to contact@trimontia.io. Describe your situation in a few sentences — what you are dealing with, what your company does, and roughly how many people you have. That is enough.

We will reply within two business days with one of three things: a direct proposal if your situation is clear, a short list of follow-up questions, or an honest note if we are not the right fit and who might be.

If there is likely a match, we schedule a 30-minute discovery call — no pitch, no deck, no obligation. We understand your situation and you understand whether we can help. From there, we produce a one-page proposal with fixed scope, fixed fee, and a start date. Nothing starts until the proposal is signed.

The IT Health Check exists precisely for this situation. It is a fixed-price, 5-day remote assessment — €1,500 — that gives you a structured picture of where your security and compliance posture actually stands, the top 5 priorities you should address, and a clear recommended next step.

It is not a sales tool. If the answer is that your environment is in reasonable shape and you do not need anything urgently, we will tell you that. Around 60% of Health Check clients move to a follow-on project or retainer — because once you can see the gaps clearly, the decision is usually obvious.

Services & scope
Every retainer begins with a baseline assessment of your environment delivered within 7 days of signing — so you start with a documented picture, not a blank page.

Security Watch (€800/mo): Monthly security posture report delivered by the 5th of each month, patch compliance summary, endpoint health overview, and two async advisory sessions per month.

IT Co-Pilot (€1,600/mo): Everything above, plus Microsoft 365 and Copilot governance oversight, Microsoft Defender Suite monitoring, NIS2 compliance gap tracking, Entra ID oversight, one policy document per quarter, and a quarterly IT roadmap call.

Fractional IT Lead (€2,800/mo): Everything above, plus Azure infrastructure advisory, on-premises and hybrid Active Directory oversight, monthly board-ready leadership summary, ISO 9001/NIS2 audit preparation support, IT operations framework maintenance, and vendor rationalisation advice.

Enterprise Guardian (€4,000/mo): Everything above, plus multi-tenant M365 governance, full Azure networking oversight, continuous NIS2/ISO audit readiness, same-business-day response SLA, quarterly executive security briefing, and an annual IT strategy roadmap.

All tiers: monthly rolling contract, 30 days written notice to cancel, no minimum term. Unused advisory hours do not carry over. Overage at €120/hr (business hours).

No. Trimontia provides IT governance, security consulting, and infrastructure advisory — not frontline support. We do not handle password resets, printer issues, application errors, or Level 1 service desk requests.

If you need both governance consulting and a helpdesk, the most effective model is to run both in parallel: a dedicated MSP for reactive support, and Trimontia for the strategic and compliance layer above it. We are happy to advise on what to look for in an MSP partner if needed.

Yes, NIS2 readiness is one of our core services.

The NIS2 Readiness Assessment (€6,500–12,000, 3–5 weeks) delivers: a gap analysis against all applicable NIS2 requirements with a RAG rating (Red / Amber / Green) per control, a formal risk register, a risk treatment plan with named owners and deadlines, a prioritised remediation roadmap, and a board-ready executive report suitable for leadership presentation or regulatory dialogue.

If you also need an IT Security Audit at the same time — which most companies do — the Security + NIS2 Bundle (€10,000–18,000) combines both into one engagement. The same discovery work powers both deliverables, saving time and reducing the disruption to your team.

On timelines: most companies doing this for the first time are at least partially non-compliant. We set realistic expectations at the scoping stage — compliance remediation typically takes 3–12 months depending on where you start. The assessment tells you exactly where you stand; the roadmap tells you what to prioritise.

Yes. We deliver the complete ISO 27001:2022 ISMS build — gap analysis against all 93 Annex A controls, risk assessment and treatment plan, full policy library (12+ documents), Statement of Applicability, technical controls implementation guidance, internal audit, and management review preparation ahead of Stage 2.

The certification body (Kiwa, Bureau Veritas, BSI, TÜV, or your preferred body) is engaged and paid directly by you — we help you choose the right one for your context and prepare you thoroughly for Stage 1 and Stage 2 audits.

Realistic timeline from engagement start to certification: 14–22 weeks for a company with some existing controls in place; longer if starting from scratch. We will give you an honest estimate after the initial gap analysis — never a guarantee we cannot keep.

A signed Data Processing Agreement (DPA) is required before any system access is granted. This is non-negotiable and not a formality — it governs exactly what data we access, why, and what happens to it.

For monitoring and reporting (retainer): Read-only access to your admin portals — typically Global Reader role in Microsoft 365 and equivalent read-only roles in Azure and other platforms. No write access, no configuration changes under this level.

For implementation work (projects): Temporary, scoped delegated access to the specific workloads involved — for example, Intune administrator during a device management project. This access is: granted for the duration of the task only, protected by multi-factor authentication, logged, and revoked in writing when the task is complete.

We never retain persistent broad administrative access beyond what is needed for the current engagement. Client admins retain full control and can revoke access at any moment.
Pricing & commercial
A senior IT security or governance specialist in the Netherlands, Germany, or UK typically costs €70,000–110,000 per year in salary — before employer contributions, benefits, equipment, onboarding time, and management overhead. Total employment cost is usually 1.3–1.5× the gross salary figure.

Trimontia's IT Co-Pilot retainer (€1,600/mo) runs €19,200 per year. Fractional IT Lead (€2,800/mo) runs €33,600 per year. Either is a fraction of a comparable in-house hire, with no headcount commitment, no notice period beyond 30 days, and no risk of the person leaving mid-project.

The other difference: a single in-house hire covers one person's knowledge. Trimontia brings a breadth of specialisms — security, cloud infrastructure, compliance, identity, AI governance — that no single hire realistically covers.

Annual prepay option: pay 12 months upfront and receive 10% off the total. For IT Co-Pilot, that means €17,280 instead of €19,200 — saving €1,920.

Less than you would expect. The entire model is built around minimising the time burden on your team.

For a retainer: Typically 30–60 minutes per month for your point of contact — reviewing the monthly report, answering our questions asynchronously, and a brief call each quarter. The work happens on our side; you review and decide.

For a project: The main requirement is a 60–90 minute kick-off call to understand your environment, access to the relevant systems, and availability for a final delivery call. For a security audit, for example, we work from the admin consoles — we do not need to interview every staff member or run sessions that pull your team away from their work.

We will always tell you upfront what we need from you and when. Surprises in both directions — unexpected time demands, or deliverables that arrive without any context from your team — are avoidable with clear upfront scoping, which is why every engagement starts with a signed SoW.
Practicalities
Every engagement is led by a senior IT consultant from scoping through delivery. You will have a named engagement lead who is responsible for all deliverables and who you contact directly — not a rotating team, not a junior analyst who escalates to a senior for sign-off.

Trimontia operates as a specialist consultancy. The people doing your work have production-level, hands-on experience with the specific tools and environments your engagement involves. If a particular engagement requires a specialist outside our core capability, we will tell you that at the scoping stage rather than proceeding and delivering substandard work.

There are two scenarios worth being clear about:

If a deliverable is not what was agreed: We fix it at no extra cost. Every engagement is governed by a signed SoW that defines deliverables precisely. If what we deliver does not match what was agreed, the SoW is the reference point and we are accountable to it.

If scope changes mid-engagement: Nothing happens without a written change request agreed by both parties first. We will not expand scope without your approval, and we will not charge for work outside the original SoW without that same approval in writing.

In the event of a security incident during an engagement: All access is immediately revoked on request. We carry professional indemnity insurance. A Data Processing Agreement governs what data we accessed and how. Full cooperation with any investigation is provided as standard.

If at any point during an engagement you have a concern — about scope, quality, or approach — we expect you to raise it directly. Problems raised early are solved. Problems that accumulate in silence are not.

Trimontia is registered in Bulgaria as a private limited company (LTD) — a full EU legal entity. Invoicing is in EUR with valid EU VAT documentation. All engagements are governed by Bulgarian law, which is EU law.

All services are delivered remotely and asynchronously. Time zone: Eastern European Time (EET, UTC+2 / UTC+3 summer). Business hours overlap comfortably with Western and Northern Europe across the entire working day.

For on-site engagements (WiFi surveys, specific infrastructure work), we travel to the client site. Travel and accommodation are billed at cost with zero markup.

On pricing: being based in Bulgaria is why our rates are structured the way they are — lower operational costs than a Western European firm, passed directly to clients. The methodology, deliverables, and depth of expertise are identical to what a London or Amsterdam boutique firm would deliver at 2–3× the price.

Both are published in full on this site:

The Terms cover: scope of services, fees and invoicing, IP ownership, confidentiality, system access, liability limitations, governing law, and contact.

The Privacy Policy covers: what data we collect and why, retention periods, who we share data with, DPA obligations, your GDPR rights (access, rectification, erasure, portability, restriction, objection), and how to complain.
Get a Proposal

Tell us what's happening.
We'll tell you what we'd do.

No pitch, no deck, no obligation. A short description of your situation is enough to get a meaningful first response from our team within 2 business days.

Direct Contact

Start the conversation.

If none of the packages are quite right, or you are not sure where to start — describe your situation and we will tell you honestly what we would do about it.

Email: contact@trimontia.io
Response: Within 2 business days (Tier 2+: faster)
Region: EMEA · Remote delivery
Mention Security Checklist in your message and we'll include a free 15-point IT hygiene checklist with our reply.


Legal

Terms & Conditions

Effective 1 June 2026 · Trimontia LTD · Plovdiv, Bulgaria

Legal

Privacy Policy

Effective 1 June 2026 · Trimontia LTD · Plovdiv, Bulgaria