The regulatory basics, handled.
Swiss nLPD, GDPR, accessibility, cookies, SEO and Core Web Vitals. Done once, properly, and documented well enough that your counsel can read it without picking up the phone.
A site you can defend in front of your DPO, your auditors and a regulator — shipped to the same standard as the rest of the brand.
Compliance is design, just with paperwork.
Most studios bolt a cookie banner and a privacy template on at the end and call it done. Most law firms send you a 30-page memo and leave the implementation to your overstretched dev team. Estorya sits in between: we ship the regulatory layer the way we ship the rest of the site — written, designed, built, tested, documented.
The result is a site that holds up to scrutiny without slowing the brand down. We won't replace your counsel; we will make their job a single review pass instead of months of back-and-forth on what you actually shipped.
The Compliance pillar, in detail.
Each can run standalone or bundled. Most clients take privacy + cookies + accessibility together as a single audit-and-fix engagement.
- 01
Privacy — Swiss nLPD + GDPR
Notices, records and processes that match what the site actually does — not a template lifted from another business.
We map every data flow on the site and the back-office, write a privacy notice in plain language that matches reality, and produce a register of processing activities (ROPA / RAT) ready for your counsel to sign off. Where you operate cross-border we document the transfer mechanism; where you collect sensitive data we add the relevant DPIA-lite.
If you don't have a DPO yet we'll tell you whether you need one, what the role looks like, and which controls remove the obligation. The deliverable is something a regulator can read in twenty minutes — not a 60-page slide deck nobody opens.
- Data-flow map (site + back-office)
- Plain-language privacy notice (EN + FR)
- Register of processing (ROPA / RAT)
- Subject-access + erasure runbook
- Cross-border transfer documentation
2 – 4 weeks · privacy lead + senior engineer
- 02
Accessibility — WCAG 2.2 AA
An audit, a fix list, and an accessibility statement people can actually live with.
We audit the site against WCAG 2.2 AA with a real screen reader, a real keyboard, and an automated checker — all three. We give you a prioritised fix list (what's a legal risk, what's a quick win, what's nice-to-have), then we ship the fixes inside the design system so they hold up after the next redesign.
You walk away with an accessibility statement that's honest about what's covered and a small ongoing playbook: what every new page or component needs to clear before it ships. We treat this as a design quality problem first, a legal exposure problem second.
- WCAG 2.2 AA audit (manual + automated)
- Prioritised remediation plan
- Component-level fixes inside the design system
- Public accessibility statement (EN + FR)
- Authoring + QA playbook for new pages
3 – 6 weeks · senior designer + senior engineer
- 03
Cookies + consent management
A consent banner that's honest, scoped to what you actually use, and stored where you can prove it.
We replace the generic banner with a consent layer designed to your brand, scoped to the cookies and SDKs you actually load, and recording proof of consent so you can answer the question "who consented to what, when?" months later. The cookie policy is written, not generated, and stays in sync with the banner.
Where the law tightens — granular categories, no-tracking-before-consent, geo-aware behaviour for Swiss vs. EU vs. UK visitors — we wire it up. Where it doesn't apply we keep the UX out of the way of conversion.
- Custom consent banner + preferences UI
- Cookie policy (EN + FR)
- Audit of currently loaded scripts + SDKs
- Consent log + proof-of-consent storage
- Geo-aware variant (CH / EU / UK / US)
1 – 3 weeks · senior engineer + designer
- 04
SEO baseline + Core Web Vitals
The technical hygiene Google rewards: clean markup, structured data, performance budget, no broken meta.
Not content marketing. The technical layer underneath — semantic HTML, clean canonical and hreflang for bilingual sites, schema.org markup where it earns rich results, sitemaps and robots that match reality, image and font budgets that keep Lighthouse green. We baseline what's there, fix the breakage, and put a budget in place so it stays fixed.
On bilingual sites this matters more than people think — most SEO problems we inherit are hreflang and canonical mistakes the studio shipped without realising. Two days of careful work usually moves the needle further than a quarter of content.
- Technical SEO audit + fix list
- Hreflang + canonical map (EN + FR)
- Schema.org markup where it pays
- Sitemap + robots reset
- Performance budget + Core Web Vitals baseline
1 – 3 weeks · senior engineer · runs alongside any build
- 05
Security baseline + incident readiness
The boring layer: HTTPS done right, security headers, dependency hygiene, a one-page incident plan.
We harden the deploy: HSTS, CSP scoped to what the site actually loads, X-Frame-Options, Referrer-Policy, secret rotation runbook, dependency-update cadence, and a backup + restore drill so we know it actually works. Nothing exotic — just the controls a Tier-2 auditor expects to find.
On the people side we leave you with a one-page incident plan: who calls who, what gets shut down, what's the legal clock for notification under nLPD and GDPR, where the runbook lives. Most clients never use it. The ones who do are very glad it existed.
- Security headers (CSP, HSTS, etc.) tuned to your stack
- Dependency-update + secret-rotation cadence
- Backup + restore drill
- One-page incident response plan
- Audit-ready summary for procurement
1 – 2 weeks · senior engineer
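As an added example (not Estorya's tooling or part of the original page), here is a small Python checker that compares a captured set of response headers against the baseline this section names: HSTS, a CSP scoped to the site's own origins, a framing restriction and a Referrer-Policy. The two header sets, the one-year HSTS minimum, the `cdn.example.test` hostname and the severity labels are constructed assumptions chosen for illustration; the page states no specific directive values.

```python
"""Security-header baseline check.

Added example, not Estorya's own tooling. It encodes the baseline the page
names (HSTS, a CSP scoped to what the site loads, X-Frame-Options,
Referrer-Policy); thresholds and directive values are assumptions.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message); severity is "high" or "medium"

# Assumed minimum HSTS max-age: one year, the value preload lists expect.
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample captures (not real sites): a typical "default" deploy
# and the same deploy after hardening.
WEAK_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}

HARDENED_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.test; "
        "object-src 'none'; frame-ancestors 'none'"
    ),
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}; directive names are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS header, or -1 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_headers(headers: Dict[str, str]) -> List[Finding]:
    """Compare response headers to the baseline; return findings, highest severity first."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[Finding] = []

    # HSTS: present, long enough, and covering subdomains
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "HSTS missing: browsers may retry over plain HTTP"))
    else:
        if parse_hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
            findings.append(("high", f"HSTS max-age below {MIN_HSTS_MAX_AGE}s"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("medium", "HSTS lacks includeSubDomains"))

    # CSP: must exist and must not be a wildcard or inline-script policy
    csp_raw = h.get("content-security-policy")
    csp = parse_csp(csp_raw) if csp_raw else {}
    if not csp:
        findings.append(("high", "CSP missing: no restriction on what the page may load"))
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "*" in scripts or "'unsafe-inline'" in scripts:
            findings.append(("high", "CSP allows arbitrary or inline scripts"))
        if csp.get("object-src") != ["'none'"]:
            findings.append(("medium", "CSP lacks object-src 'none'"))

    # Clickjacking: X-Frame-Options or CSP frame-ancestors must restrict framing
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append(("high", "No framing restriction (X-Frame-Options or frame-ancestors)"))

    # Referrer leakage: missing or permissive policies leak full URLs cross-origin
    rp = h.get("referrer-policy", "").lower()
    if rp in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append(("medium", "Referrer-Policy missing or leaks full URLs cross-origin"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options: nosniff missing"))

    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        result = audit_headers(hdrs)
        print(f"{label}: {len(result)} finding(s)")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Run against a real capture by feeding `audit_headers` the headers dict from an HTTP client; the weak sample produces seven findings (three high), the hardened one none. The check reads framing protection from either header, because a CSP `frame-ancestors` directive supersedes `X-Frame-Options` in current browsers, and it treats a wildcard `default-src` as a script-src failure when no explicit `script-src` is set.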
Four phases. Audit first, fix once, document well.
- Phase 01
Audit
1 – 2 weeks
We crawl the site and the supporting tools, interview whoever owns data, and produce a written gap report. What's broken, what's missing, what's a risk vs. a nice-to-have, and how each item ranks under nLPD + GDPR + WCAG.
- Phase 02
Remediate
2 – 6 weeks
We fix what's high-risk first and ship inside the existing design system so changes survive the next redesign. Privacy notices, consent layer, accessibility fixes, technical SEO and security headers all land in the same release window.
- Phase 03
Document
1 – 2 weeks
We leave a paper trail your counsel and your CTO can both read: ROPA, accessibility statement, cookie policy, security baseline, incident plan, authoring playbook. Plain language, kept in the repo, versioned with the site.
- Phase 04
Maintain
Ongoing (optional)
Quarterly check-in: re-run the accessibility audit, review the cookie inventory, refresh the dependency manifest, top up the privacy notice if processing changed. Cheap insurance against drift.
What clients usually ask.
- Are you a law firm?
- No. We work alongside your counsel — Swiss or EU — and produce documentation in a form they can sign off on. Where you don't have counsel yet, we'll point you at firms we've worked well with.
- Will accessibility work hurt the design?
- Almost always the opposite. The constraints WCAG imposes — clear hierarchy, real focus states, generous spacing, honest contrast — read as good design to sighted users too. We ship accessibility inside the design system, not on top of it.
- What about the EU AI Act and the new Swiss data revisions?
- In scope. We map the obligations against what your product actually does, mark which controls you already have, and build the missing ones. Where the regulation is still moving (AI Act is the obvious one) we say so explicitly and re-check on a quarterly cadence.
- Can you do a one-shot audit without the build?
- Yes — most clients start there. Two weeks, fixed price, written report. You can run the fixes in-house from the report, or come back to us to ship them. We won't push you onto a retainer.
- Is there an ongoing retainer for this?
- Yes, optional. Quarterly compliance check-in, monthly dependency + accessibility sanity pass, on-call for the next regulator question. Sized to the surface area of your product, not a bundle of hours.
Book a compliance audit.
Two weeks, fixed price, written report. You leave with a prioritised fix list and a clear view of where you stand — whether or not we then ship the fixes.