Automated EU GDPR compliance
with EUgrc

iTree Group and VORAS Consulting are proud to offer a fully automated
EU General Data Protection Regulation Compliance Suite.



26 March 2018

Version 1.2 Released

We're happy to announce release of Version 1.2 of the EUgrc GDPR Compliance Suite. This version brings our users a fully updated user interface, an improved risk dashboard, easier navigation and many other front and back-end improvements. This update is delivered free of charge to existing users as part of our commitment to giving you the best product possible.


23 March 2018

Value-added reseller training workshop
3 April 2018

To support our partners in the Baltic States, we're running a training workshop for our value-added resellers and resellers, in cooperation with our distributor TD Baltic. This event will take place on 3rd April 2018 in Vilnius and will cover data privacy techniques, the GDPR and our product's functionality.  For more information, please contact us at

EUgrc GDPR Compliance Suite Main Features


Manage your Personal Data Sets

Inventory all of your data sets containing Personally Identifiable Information, match them to Supporting Assets and Actors, ensure GDPR compliance with appropriate controls. All in a wizard-based step-by-step system.

You'll be able to quickly log not only your data, but also the business purpose and legal basis for processing, and be sure that you're in compliance with the requirements of the GDPR. 


Manage Actors and Assets

Easily inventory all Data Controllers, Data Processors, Data Providers and Data Recipients. Once entered into the system, these actors can be clearly mapped to the data sets they handle. 

You use software, hardware, networks, people, paper and processes to handle your data sets. Inventory it all. Match it with data sets. And, ensure that proper controls are in place. 

Control profiles are pre-loaded to help you in this process. Just answer a few questions, check the pre-loaded data and you'll have enough information about your assets for the EUgrc COMPLai engine to do an automated Risk Analysis.


Manage Risk 

The EUgrc COMPLai engine automatically conducts privacy impact and risk assessments. You choose your risk threshold, the system automatically recommends which controls need to be implemented to get those risks under control.

One click generates an Implementation plan, which can be exported into your task management system.

COMPLai Engine

The EUgrc COMPLai  Engine is an expert system based on hundreds of live consulting projects and loaded with the requirements of the
- ISO/IEC 29134 Guidelines for privacy impact assessment,
- ISO/IEC 29151 Information technology - Security techniques - Code of practice for personally identifiable information protection,
- and the ISO/IEC 27000 series Information security management systems.

This self-learning expert system is constantly updated with the latest security techniques, risks and threats and its advanced algorithms deliver the same level of service you would receive from hiring a team of experienced data privacy and information security experts.


All data is secured through state of the art firewalls, encryption both at the connection and database levels, hosted in a secure and insured Tier III data centre with redundant servers.

Our data layer leverages the security and stability of the world leader in database technologies - Oracle® Database 12c.

Up to Date

The COMPLai  Engine learns.  New privacy and security risks, threats, standards and approaches are constantly loaded into its algorithms to ensure our system "knows more" than the average information security and data privacy consultant.


  • Our solution currently advises you on the EU GDPR.  Future releases will fully automate ISO/IEC 27000 series compliance with a certification guarantee.

Managing Personal Data Sets

Your organisation collects, uses and transfers sets of personally identifiable information (PII).

For each of these data sets, the GDPR requires not only a clear definition of the data, but also a clear legal basis for the processing of that information, a documented business purpose, information about the data subjects, identification of controls, mapping of the data set to specific actors, assignment of a data protection officer and more.


Making it Easier

Our COMPLai Engine comes pre-loaded with templates for the most common personally identifiable information data sets used in e-commerce, government, health care, services, industry and other organisations.

These pre-loaded profiles include not only typical descriptions of the data set itself, but also suggestions on the business uses, legal basis according to the GDPR and controls applied to the data set.

This saves you time in cataloging your PIIs.


Keeping it Safe

Each PII profile helps you identify if the data contained in that data set is considered highly sensitive under the new regulation.

Questions guide you in identifying if you're in compliance with the requirements of the regulation and if you've applied appropriate controls.


Impact Assessment

The COMPLai  Engine's expert algorithms work behind the scenes to conduct a privacy impact assessment for your data sets.  This is combined with information about Assets and Actors to generate a Risk Assessment for each data set.


Bridge the Gaps

After the impact and risk assessment and your informed choice about which risks to treat or accept, you'll get a clear and concise implementation plan.

As you progress with implementing missing controls and dealing with compliance issues, you'll see the risk levels for your PIIs decrease on your dashboard.


Managing Actors and Assets


 Register all Actors

EUgrc allows you to register all Data Controllers, Data Processors, Data Providers and Data Recipients in one place.

Once registered, you can easily map those actors to the specific personally identifiable data sets they work with.

Wizards and questions help you ensure that all appropriate controls are in place to keep your data safe, regardless of which actor is using it.


Register all Assets

Every organisation uses different assets in handling personal data.  Keeping this inventory up to date and making sure that all appropriate controls are in place for each of those assets is challenging.

EUgrc makes this easier.  

Our COMPLai Engine comes pre-loaded with asset profiles, showing the controls that organisations typically use.  Just review the pre-loaded information, make needed edits and you're ready to go!


Manage Relationships

EUgrc makes matching your Actors and Assets to specific personal data sets easier.  

This means you won't have to keep separate notes about who does what with which data using which asset.


Managing Risk

EUgrc lets you understand risks to the security and privacy of your data and make informed choices about which risks you'll treat, and those that you choose to accept.

Our COMPLai Engine is your personal data privacy and information security consultant - available to you online 24 hours a day.


You choose your risk threshold

You decide what level of risks to review and which types of risks to automatically accept.

This saves you time and allows you to concentrate on taking steps which will have the greatest impact on ensuring your data privacy and security.

You can adjust your risk threshold at any time and see that decision's impact on your Risk Assessment.


Make informed choices

Our automated risk assessment gives you a clear understanding of the risks and threats associated with specific assets and personal data sets.  This Assessment includes a Privacy Impact Assessment score for each PII.

Each risk is assigned a risk level, based on real-world experience and the requirements of relevant ISO/IEC standards.

Easily understandable screens allow you to make informed choices about the risks you need to treat, and those that you choose to accept.


Make the change happen

The system automatically generates an implementation plan for missing controls and resolving compliance issues.

Assign due dates and tasks to members of your team.

Export the plan to your organisation's task management system or PDF.


See your progress

Progress is tracked on the Implementation Plan.  

As you move forward, you can see changes to your risk levels both on your dashboard and in the detailed screens of your Risk Assessment.

EUgrc Roadmap

Our product is evolving to serve you better.  Here are a few things we have in the works:


EUgrc is currently available in English, Lithuanian and French.

The following language packs will be available in 2018:

German (DE) ,German (CH)

Support for iOS and Android tablets

Release 1.2.1., due out in early April, adds support for Android and iOS tablets.  This improvement is based on requests from our users in the UK and USA and is part of our commitment to listening to our users and acting on their suggestions.  

ISO 27000 series Compliance Engine

Our next big release will offer automated ISO 27000 series compliance with a certification guarantee.

This service pack will be available as a separate subscription.

III Q 2018

EU GDPR enforcement starts in


  • per month, billed yearly for the first year. Applicable VAT not included.
  • 1 user and 1 location
  • 6 Personal Data Sets
  • 6 Actors
  • Document Generation Not Included


  • per month, billed yearly for the first year. Applicable VAT not included.
  • 1 user and 1 location
  • Unlimited Personal Data Sets
  • Unlimited Actors
  • Automated Compliance Document Generation
  • 2 hours Online On-Boarding 


Ask for Quote
  • Unlimited Users and Unlimited Locations (useful for multi-site or companies with subsidiaries)
  • Unlimited Personal Data Sets
  • Unlimited Actors
  • Automatic Compliance Document Generation
  • Bundled consulting services either on-site at your location or remotely.
  • Pricing depends on number of users & locations and any bundled services you choose to include.

Free Trial

  • Please scroll down or click the button below.

Free Limited Time Trial

If you wish to try our product, you are welcome to send us an email to by clicking the button below.   

We will create a user for you on our DEMO environment that will be valid for one hour from the time of first login, allowing you to navigate the system and try its functions.  

When requesting access, please let us know when you plan on using the DEMO environment. If you have any questions, we'll be happy to answer them for you.

During the free trial, please do not enter any real information in the system.  Anything you do enter will be automatically deleted once your one hour access window ends.

Generation of compliance documentation is disabled in the trial version.

About EUgrc

EUgrc is brought to you by a consortium of iTree Group and VORAS Consulting.


VORAS Consulting

VORAS Consulting works with organisations worldwide in ensuring information security, compliance, data privacy and prevention of Cyber Attacks.

Over 100 successful projects delivered in the EU, United Kingdom and the United States of America attest to our experience.

The VORAS team's experience and knowledge is attested to by numerous CISSP, ISSMP, CISM, CISA, CGEIT, CRISC, PMP, OSCP, CEH and LPT certifications.

Our information security management system is certified by Bureau Veritas as compliant with ISO/IEC 27001 and our IT Service Management System is certified as compliant with ISO/IEC 20000, as well.

VORAS Consulting, Ltd.
Juozo Balcikonio 9
LT-08247 Vilnius LITHUANIA

LT: +370 5 2071 002
UK: +44 20 3582 4068
USA: +1 312 205 6431 


iTree Group

The iTree Group family of companies deliver enterprise technology solutions for the insurance, financial services, utilities, energy, oil & gas, and, the public sector.

Solutions include data security, data privacy, Oracle ERP and core P&C insurance system implementation, custom development on Oracle DB and Java, system support and maintenance, and, productivity engineering.

iTree is a Platinum level Worldwide Oracle partner with 16 Oracle-awarded specialisations and we serve our customers through a wide network of offices.

iTree Lietuva, JSC
Konstitucijos Ave. 7
Europa Business Centre, 25th Floor
LT-09308 Vilnius LITHUANIA

LT: +370 52 487 506

Sales Channels

The EUgrc GDPR Compliance Suite is available directly through this website, on the Oracle Cloud Marketplace, or through one of our resellers, value added resellers or distributors.


If you wish to become a reseller or value-added reseller in the Baltic States, please contact our exclusive distributor TD Baltic.

TD Baltic AS
Paldiski mnt 29, Tallinn, 10612, Estonia
+372 6712900

TD Baltic Latvia SIA
TD Baltic Latvia, Duntes iela 23a, Riga, LV-1005, Latvia
+371 7 303050

TD Baltic UAB
Šeimyniškių g. 21, Vilnius, LT-09236, Lithuania
+370 52780610


Some of our resellers in other countries include:

iTree Poland

iTree Sweden representative office

iTree Norway representative office

VORAS Consulting Ltd.
+44 20 3582 4068

VORAS Consulting Ltd.
+1 312 205 6431

Become a Reseller or
Value Added Reseller

If you wish to become our reseller or value-added reseller outside of the Baltic States, please contact us.

Value added resellers are typically information security or data privacy consulting organisations who use our products to provide services to their customers.

Special pricing levels, on-boarding support, marketing materials and local service packages are available.

Contact us

Oracle Cloud Marketplace

The EUgrc GDPR Compliance Suite is available for direct purchase through the
Oracle Cloud Marketplace
for all Oracle software and hardware users.

You can access the Oracle Cloud Marketplace by clicking here:

Oracle Cloud Marketplace

Contact Us

Send us an email to or use the contact form below.  We'll be happy to give you more information or a quote.

Compatibility and System Requirements

EUgrc GDPR Compliance Suite is a Software-as-a-Service application. Access to the software is via our cloud servers and requires no local installation of software.

You must use a currently supported version of Microsoft® Windows®, MacOS® or Linux.   While it is possible to access EUgrc GDPR Compliance Suite with mobile devices, screens are optimised for full screen use on desktop and notebook computers.  A tablet and smartphone optimised version may be released at some point in the future.

Please note that no versions of Microsoft® Internet Explorer are supported by EUgrc.

We recommend using current versions of Google Chrome™, Safari™ or Firefox® as your web browser.

If you choose to use two factor authentication with Google Authenticator to protect your account, you'll need a mobile phone with a supported version of Android or iOS.

EUgrc GDPR Compliance Suite is also available on the Oracle Cloud Marketplace and is Oracle Database Cloud, Oracle Cloud Infrastructure, and Oracle Compute Classic Cloud Ready.


iTree Group and the iTree logo is a registered trademark of iTree Group JSC

EUgrc and EUgrc logo are registered trademarks of iTree Group on behalf of the consortium of iTree Group and VORAS consulting Ltd.

Microsoft®, Windows®, Windows NT®, Windows Server® and Windows VistaTM are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Apple®, Macintosh®, Mac OS®, SafariTM, iOS, and ColorSync® are either registered trademarks or trademarks of Apple Computer, Inc. in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Google, Android and Google Chrome are registered trademarks of Google.

Firefox is a registered trademark of the Mozilla Foundation.

Other trademarks and registered trademarks are the property of their respective owners.

EUgrc Privacy Policy

About this Policy
This text explains how and why we collect information, the types of information collected and how we use and share that information. This text also explains how we process and safeguard the information you choose to place in our software-as-a-service product(s). In this text we also tell you about your choices in terms of the use of your personal information and how you can access, update and request deletion of that personal information. From time to time we may update this policy. If we do, you’ll be able to tell by checking the date at the top of this policy. Also, in some cases, you may receive an email notification that the privacy policy has been updated.

This policy applies to information we obtain through your use of our public website(s) or when you use our software-as-a-service product(s). This policy does not apply to any third party products or services, which may or may not be linked to from our website(s) or software-as-a-service product(s). We’ll always let you know when a link will re-direct you to a third party product or service and you should always be sure to read the privacy policy provided by that third party.

Minimum Requirements for Users
Our websites and Software-as-a-Service product(s) are intended to be used only by persons of legal majority age. No use by children or persons under 18 years of age is allowed. If we become aware that a person under the age of majority is using our Software-as-a-Service product(s), we will take all reasonable steps to revoke access and safely delete any personal data that may have been entered by that person.

When you purchase (subscribe) to use our software-as-a-service product(s) or choose to enter your personal information into a contact form on our website(s), you consent to us collecting, transferring, processing, storing, disclosing and doing other things with your data, as described below.  If you disagree with any part of this privacy policy, you’ll have to stop accessing our public website(s) and/or using our software-as-a-service product(s) or contact us for more information.

Data: all of the various forms of information collected by us as described in this policy.
Content: anything that you enter into, upload, submit, post, transmit, store or otherwise input into our website(s) or software-as-a-service product(s).
Personal data:
all of the information that can be used to identify you or your organization. Examples of this include your name, contact information and any other data defined as “personal” under REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Software-as-a-service product(s): software that we host on servers owned or controlled by us. All of these product(s) display a link to this policy in the footer of all screens.
Website(s): any public website(s) we maintain, own or control. All of these website(s) will also have a link to this policy. If there is a link to another policy on that website(s), then the linked policy will supersede this one.

Data you provide to us
We collect and process the following data:
Personal Data
We collect information about you and your organization needed to set up account(s) on our software-as-a-service product(s). This can and usually does include:
- Information about your name(s), your organisation’s name(s)
- Contact details, including user names, email addresses, physical addresses, billing addresses, telephone numbers and instant messaging contacts, job titles
- Financial information, such as payment service provider account numbers, bank details, PayPal account details, credit card details or information about other forms of payment
- Any other or optional information you choose to fill out in your profile

Depending on your company or organisation’s specifics, you may provide this information to us yourself, or it may be provided by someone else in your organisation when your account is set up. We have no control over who in your organisation provides us with this data, when your organisation enters into an agreement with us to use (purchase or subscribe to) our software-as-a-service product(s).
If you did not provide us with your data yourself, but that data was provided to us by your organisation, you’ll need to work through internal processes at your organisation to have this data removed from our systems.

If you provide us with any data about another natural person or legal entity, you must be sure that you have a legitimate business purpose and legal authority to provide us with that data.

We use the word “content” to mean anything you yourself enter into or upload into or generate in our Software-as-a-Service product(s). If you so choose, this content may contain personal data about yourself or your partners or your customers or third parties. You yourself are responsible for making sure that you have a legitimate business purpose and legal basis for processing that data. We take no responsibility for any content that you generate or enter or upload into our Software-as-a-Service product(s).

Analytics Data
We do not collect analytics data from your use of our Software-as-a-Service Products. However, analytics data about the use of our public websites are collected and we use Google Analytics. You can review Google’s Privacy and other policies on their website and you can also find information about how to opt-out of Google Analytics on their website, too.

Our Software-as-a-Service product(s) do not use cookies. Our public website(s) may use cookies for Google Analytics as described above.

Just like any other Software-as-a-Service provider or webmaster, we collect certain types of data to make sure that our websites and product(s) are working properly and are being accessed in a legitimate and legal manner. This data could include things like:
- The IP addresses our website(s) and product(s) are accessed from;
- Information about the type and version of web browser you are using;
- Technical information like the type of operating system, device (including associated ID numbers and configuration information, if applicable), your local language and country locale settings, a list of URLs that you accessed;
- Usernames and passwords that you enter, search criteria that you enter in our website(s) and product(s);
- Usage data, for example, about how much server resources are associated with a particular user session, to allow us to better tune our servers and associated resources;
- Error messages and warnings may include some elements of your Content.

Data collected from third parties
We do not collect or use data from third parties in our Software-as-a-Service product(s). Our website(s) may receive information from social networks and other providers like Facebook, LinkedIn, Google, if you use those services to log into non-public parts of the website. If so, there will be additional information in that particular website’s specific privacy policy. We are not responsible for the privacy settings of these third party services. You should check their privacy policies and your privacy settings on that particular service provider’s website.

Data Use
We use the data we collect (including personal data as needed) for these reasons:
- Processing your subscriptions and purchases of our Software-as-a-Service product(s) and handling related financial and billing processes;
- Operating, maintaining and improving our website(s) and Software-as-a-Service product(s);
- Processing and granting your requests for access to our website(s) and Software-as-a-Service product(s) and allowing you to use them, enter, upload, and generate your Content;
- Sending and receiving messages needed for the operation of our website(s) and Software-as-a-Service product(s), including things like notifying you about changes in your account(s) or security matters;
With your specific consent: sending promotional messages about new or improved services;
- Detection, prevention, investigation and remediation of security threats, fraud or other illegal activities; and
- For other reasons for which we ask your specific consent.

Data disclosure and sharing
We do not share your personal data or any of your content with third parties, nor do we sell that data or content to anyone.

Multi-User Accounts
If you have a multi-user account, some of the personal data and content that you enter into our Software-as-a-Service product(s) may be shared with your organisation’s system administrator(s) or other person(s) designated by your employer when that employer purchases (subscribes to) our Software-as-a-Service product(s). You should work together with the responsible persons in your organisation to find out more about how they handle that data and your organisation’s privacy policy. We are not responsible for internal practices in your organisation and that kind of thing is outside the scope of this policy.
Law enforcement requests and related things to protect you and us

In the course of actions by or an investigation by a competent legal authority, where we believe that data disclosure (including Personal Data) is needed to comply with laws or requests by a competent government authority, or to protect the security and integrity of our product(s), or to protect our customers and us from harm, we will disclose data as legally permissible.

Our Partners and Service Providers
Third parties provide some technical infrastructure, expertise, and services required to develop, improve, and operate our website(s) and Software-as-a-Service product(s). These third parties may have access to your personal data and content. All third parties are contractually bound to adhere to the principles of this Privacy Policy.

Data Sharing with your consent
We may share and transfer your personal data and content with others for any other purpose that you give your specific consent to on a case-by-case basis.

Changes of Ownership
Should our business or a specific website or specific Software-as-a-Service product be sold to another party or ownership of that website or product is transferred to another party for any other reason, we will inform you of that change in writing and about your choices regarding your content and personal data in that situation.

Data Security and Geolocation
Cross Border Transfers
We host our data with service providers solely within the European Union. All servers on which your personal data and content is stored are kept secure both by us and those service providers. If you are accessing our website(s) or Software-as-a-Service product(s) from within the European Union, no data is transferred outside of the EU. If you are accessing our website(s) or product(s) from outside the EU, the data you view, enter, upload, generate or otherwise access will be transferred from your location to the European Union and from the European Union to your location. You are responsible for obeying any local laws and regulations relating to cross-border data transfer, if applicable.
We take all reasonable steps to make sure that our systems and your data and content is safe, but no systems are 100% safe from hacking.
You may have specific obligations to your partners and customers and third parties in terms of the specific security measures taken to protect their data, which may form part of your Content in our Software-as-a-Service products. We are not responsible nor guarantee that the security measures taken to protect your Content will meet the requirements placed upon you by any other party.
In the event of a data breach, we will inform you in writing in accordance with the provisions of European Union and local laws.
All data transfers over the internet between the device you use to access our website(s) or Software-as-a-Service product(s) are encrypted using SSL (HTTPS).
Data Retention
We retain data and content entered into our Software-as-a-Service product(s) for as long as you have an active subscription and as needed to comply with our legal obligations. Encrypted backup data may be maintained for a period of 90 days after termination of your account.

If you’ve subscribed to receive mailings or newsletters from us via our website(s), you can choose to opt out by simply clicking the UNSUBSCRIBE link within those emails. You will be unsubscribed right away or maximum within 2 business days from the day we receive your request.

If you’ve entered personal data or Content into or Software-as-a-Service products, you may access, edit, or remove that personal data in your account profile. If you wish to completely delete your data, you may contact us at the email indicated in our Terms and Conditions for Software-as-a-Service product(s) and we will respond to your request within 20 days.
If your account is managed by your organisation or your employer, you must contact them regarding the removal of your account and associated personal data and content.

Contact Us
Address queries to:
VORAS Consulting Ltd.
Juozo Balcikonio 9
LT08247 Vilnius, Lithuania
LT: +370 5 2071 002
UK: +44 20 3582 4068
USA: +1 312 205 6431