Fifteen years building platforms for regulated industries taught me one simple thing. Compliance, when treated as an option to plug in at the end of a project, becomes theatre — noisy, costly and fragile. It only has value when it is in the product's DNA.
The “compliance module” trap
You find it in most tenders: a precise functional specification, followed in annexe by a compliance chapter. One paragraph on GDPR. Another on legal archiving. Another on security.
It looks rigorous. It is exactly the opposite. It means the project will be architected without accounting for these requirements — and at the end, you will try to fit a square peg into a round hole.
The real cost of an added module
Concretely, adding compliance at the end of a project is expensive in three ways:
- Architecture. You often have to reroute data flows to respect data minimisation, and add audit layers where there was only production logic.
- Performance. Encryption and traceability added late are rarely optimised — they weigh down the user experience.
- Trust. The client perceives compliance as an additional cost, not a value. You start at a commercial disadvantage from the outset.
“Across three audits for platforms 'made compliant after the fact', I saw the same pattern every time: security exists, but control has no grip on it.”
Luxapps Compliance team · 15 years of audits
Compliance as a design constraint
The alternative we have championed since 2011 is to treat compliance as a design constraint, in the same way as performance or usability. It is factored in from the start:
- Minimal data model. Collect only what is strictly necessary. If you don't hold the data, you don't have to secure it or declare it. GDPR starts here.
- Native logging. Every sensitive action is natively traceable, not in a side table. The audit is a view, not an export.
- Retention policy in the schema. The legal retention period (for example 10 years for Luxembourg payroll) is encoded in the data, not in a procedure.
- Reversibility. We guarantee full export, at any time, from the contract. Not in an amendment.
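To make the "retention policy in the schema" and "audit is a view" points concrete, here is an added example (not Luxapps code) using SQLite: the retention date is a column on each row, audit rows are written by triggers in the same transaction as the change, and the audit trail is a view over live tables. The 10-year payroll period comes from the text above; the record classes, column names and sample data are assumptions.

```python
import sqlite3
from datetime import date
# Added example, not Luxapps code. Retention periods per record class are assumed
# (the page cites 10 years for Luxembourg payroll); all data below is constructed.
RETENTION_YEARS = {"payroll": 10}
SESSION = {"actor": "system"}  # set by the application for the current request

SCHEMA = """
CREATE TABLE payslip (
    id INTEGER PRIMARY KEY,
    employee_ref TEXT NOT NULL,   -- pseudonymous reference, not name or address
    period TEXT NOT NULL, net_cents INTEGER NOT NULL, record_class TEXT NOT NULL,
    retain_until TEXT NOT NULL    -- ISO date: the retention rule lives in the row
);
CREATE TABLE audit_event (
    id INTEGER PRIMARY KEY, at TEXT NOT NULL DEFAULT (datetime('now')),
    actor TEXT NOT NULL, action TEXT NOT NULL, payslip_id INTEGER NOT NULL
);
-- Native logging: the trigger writes the audit row inside the same transaction.
CREATE TRIGGER log_insert AFTER INSERT ON payslip BEGIN
    INSERT INTO audit_event(actor, action, payslip_id) VALUES (actor(), 'INSERT', NEW.id);
END;
CREATE TRIGGER log_delete AFTER DELETE ON payslip BEGIN
    INSERT INTO audit_event(actor, action, payslip_id) VALUES (actor(), 'DELETE', OLD.id);
END;
-- The audit is a view over live tables, not an export.
CREATE VIEW audit_trail AS SELECT payslip_id, action, actor, at FROM audit_event ORDER BY id;
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit for brevity
    conn.create_function("actor", 0, lambda: SESSION["actor"])
    conn.executescript(SCHEMA)
    return conn
def retain_until(issued: date, record_class: str) -> date:
    years = RETENTION_YEARS[record_class]  # unknown class raises: no silent default
    try:
        return issued.replace(year=issued.year + years)
    except ValueError:                     # 29 Feb landing on a non-leap year
        return issued.replace(year=issued.year + years, day=28)
def insert_payslip(conn, employee_ref, period, net_cents, issued, record_class="payroll") -> int:
    until = retain_until(issued, record_class).isoformat()
    cur = conn.execute("INSERT INTO payslip(employee_ref, period, net_cents, record_class, "
                       "retain_until) VALUES (?,?,?,?,?)", (employee_ref, period, net_cents, record_class, until))
    return cur.lastrowid
def purge_expired(conn, today: date) -> int:
    # Retention is data, so purging is one query; the DELETE trigger records each purge.
    return conn.execute("DELETE FROM payslip WHERE retain_until < ?", (today.isoformat(),)).rowcount
def trail(conn, payslip_id: int) -> list:
    return conn.execute("SELECT action, actor FROM audit_trail WHERE payslip_id = ?", (payslip_id,)).fetchall()
```

Because the purge is driven by a column rather than a procedure, an auditor can check retention with a single query against the live schema.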
Convincing internally
The hardest part is not technical, it is political. When a product director has twenty functional topics to prioritise, compliance comes last. You therefore need to show them, with figures in hand, what a catch-up costs: a factor of 4 on budget, a factor of 6 on timeline. A simple but powerful argument.
You also need a sponsor at executive committee level: not a CISO or DPO alone, but a genuine management decision. Without that, the first trade-off sacrifices compliance.
Our choice, and what it means
Luxapps made this choice from the very beginning. It sometimes costs us: we turn down projects, we spend more time in the discovery phase. But we gain in client relationship quality: audits are quick, certifications hold, incidents are absorbed without drama.
It is also why we built the partnership with Luxgap: when a client needs to bring their organisation into compliance, we have the ecosystem to do it — but we know it is not our core business. Each to their own, together.