Completions

Done-for-you offer · Fractional CMO with AI Swarm · adapter 4-skill bundle · adapter agent

Per-location custom system adapters for multi-location retail, multi-unit franchise, multi-location service brand, multi-location healthcare, DTC ecommerce, and PE-sponsored portfolio operators — Connect + Normalize + Reconcile + Attest 4-skill bundle on the adapter agent, under a 5-anchor compliance overlay anchored on PCI DSS v4.0 (effective March 31, 2025) + tokenization + EMV when POS-and-payments, per-vendor SaaS DPA + sub-processor + international-transfer + data-residency + exit/transition, SOC 2 Type II + ISO 27001 + 27017 + 27018 + 27701 + FedRAMP + HITRUST, CCPA Sensitive + GDPR + HIPAA + GLBA + FCRA + state-comprehensive-privacy when per-system adapter touches regulated data, and NIST AI RMF + EU AI Act Article 50 + per-vendor LLM zero-retention

You connect per-location operational systems (POS, payments, inventory, ERP, scheduling, CRM, field-service, per-vertical legacy) to operator marketing swarm + warehouse + CDP. PCI DSS v4.0 (effective March 31, 2025) + PA-DSS + PCI 3DS + per-merchant tokenization (Square + Stripe + Adyen + Worldpay + Fiserv) + per-vendor card-data sub-processor + per-card-network EMV (Visa + Mastercard + American Express + Discover + JCB + UnionPay) apply when POS-and-payments adapter touches cardholder data. Per-vendor SaaS DPA + per-vendor sub-processor under GDPR Article 28 + per-vendor international-transfer (EU Standard Contractual Clauses + UK IDTA + Data Privacy Framework) + per-vendor confidentiality + per-vendor reverse-engineering prohibition + per-vendor data-residency + per-vendor data-portability + per-vendor exit/transition apply. SOC 2 Type II + ISO 27001 information security + ISO 27017 cloud-security + ISO 27018 cloud-PII + ISO 27701 privacy + FedRAMP when government-data + HITRUST when healthcare apply. CCPA Section 1798.140(ae) + CPRA Sensitive Personal Information Section 1798.121 + Washington MHMDA + Colorado CPA Sensitive + Connecticut CTDPA + Texas TDPSA + Oregon OCPA + state-comprehensive-privacy + GDPR + UK GDPR + HIPAA + HITECH + GLBA Safeguards + FCRA + COPPA + AADC apply when per-system adapter touches regulated data. NIST AI RMF + ISO 42001 + EU AI Act (Regulation 2024/1689) Article 13 + Article 14 + Article 50 + per-vendor LLM zero-retention apply when AI-normalized. The iPaaS, ETL, reverse-ETL, CDC, per-system, ERP, CRM, and MDM vendors below ship strong primitives. The orchestration above them is operator-side architecture. You keep all subscriptions, posture libraries, registers, and audit trail. You keep the ability to in-house at any time.

Published October 6, 2026

The real ecosystem this sits above

iPaaS + ETL + reverse-ETL + CDC

iPaaS: Workato, Tray.io, Boomi, MuleSoft, Celigo, Zapier, n8n. ETL: Fivetran, Stitch, Airbyte, Hevo, Matillion, Estuary Flow, Singer. Reverse-ETL: Hightouch, Census, Polytomic, RudderStack Reverse-ETL. CDC: Debezium, Maxwell, AWS DMS, Striim, Qlik Replicate, Oracle GoldenGate. Each ships strong primitives. Per-vendor SaaS DPA + sub-processor + international-transfer + data-residency + exit/transition register above them is operator-side architecture.

POS + ERP + CRM + field-service + MDM

POS: Square, Toast, Lightspeed, NCR Aloha, Shopify POS, Clover, Revel, Oracle MICROS. ERP + inventory: Manhattan, Blue Yonder, Oracle NetSuite, SAP S/4HANA, Microsoft Dynamics 365, Microsoft Business Central. CRM + field-service: ServiceTitan, Jobber, Housecall Pro, Salesforce, HubSpot, Microsoft Dynamics CRM. MDM: Profisee, Reltio, Tibco EBX, Informatica MDM, Stibo STEP MDM. Each ships strong primitives. PCI DSS v4.0 + tokenization + per-card-network EMV + per-system data-classification + per-class handling + HIPAA + GLBA + FCRA + state-comprehensive-privacy posture above them is operator-side architecture.

Policy-as-code + WORM + legal research

Policy-as-code: OPA Rego, AWS Cedar, Casbin, Cerbos, Oso. WORM: AWS S3 Object Lock, GCS retention, Azure Blob immutable, Snowflake Time Travel. Legal: Westlaw, Lexis+, Bloomberg Law, Practical Law. Each ships strong primitives. The 5-anchor compliance gate is operator-side architecture.

Frequently asked

What does per-location custom system adapters deliver, and how does the 4-skill bundle decompose?

An orchestration layer above the operator iPaaS + ETL + reverse-ETL + CDC + per-system custom-adapter + ERP + CRM + master-data-management + policy-as-code + WORM-storage stack that connects per-location operational systems (POS + payments + inventory + ERP + scheduling + CRM + field-service + per-vertical legacy) to operator marketing swarm + warehouse + CDP under operator-counsel-and-CISO-and-privacy-officer-and-engineering-team-and-AI-governance-team-approved PCI DSS + per-vendor SaaS DPA + SOC 2 + ISO + FedRAMP + HITRUST + CCPA + GDPR + HIPAA + GLBA + FCRA + NIST AI RMF + EU AI Act Article 50 + per-vendor LLM zero-retention gates. Skill 1 — Connect: connect to per-location systems through operator iPaaS (Workato + Tray.io + Boomi + MuleSoft + Celigo + Zapier + n8n — operator chooses) + ETL (Fivetran + Stitch + Airbyte + Hevo + Matillion + Estuary Flow + Singer — operator chooses) + change data capture (Debezium + Maxwell + AWS DMS + Striim + Qlik Replicate + Oracle GoldenGate — operator chooses). Per-system endpoints include POS (Square + Toast + Lightspeed + NCR Aloha + Shopify POS + Clover + Revel + Oracle MICROS POS — operator chooses), ERP + inventory (Manhattan + Blue Yonder + Oracle NetSuite + SAP S/4HANA + Microsoft Dynamics 365 + Microsoft Business Central — operator chooses), CRM + field-service (ServiceTitan + Jobber + Housecall Pro + Salesforce + HubSpot + Microsoft Dynamics CRM — operator chooses). Connect respects operator-counsel-and-CISO-approved per-vendor SaaS DPA + per-vendor sub-processor + per-vendor international-transfer (EU Standard Contractual Clauses + UK IDTA + Data Privacy Framework) + per-vendor confidentiality + per-vendor reverse-engineering prohibition + per-vendor data-residency + per-vendor data-portability + per-vendor exit/transition + per-vendor SOC 2 Type II + ISO 27001 + ISO 27017 + ISO 27018 + ISO 27701 + FedRAMP when government-data + HITRUST when healthcare. 
Skill 2 — Normalize: normalize per-system schema to operator master-data-management (Profisee + Reltio + Tibco EBX + Informatica MDM + Stibo STEP MDM — operator chooses) under operator-engineering-team-and-counsel-approved per-system entity-resolution + per-system field-mapping + per-system master-record golden-record. Normalize references operator-counsel-approved per-system data-classification (PCI Cardholder Data + PHI when healthcare + Sensitive Personal Information per CCPA Section 1798.121 + GLBA non-public personal information + FCRA consumer report data) so each field gets per-class handling at normalize-time. Skill 3 — Reconcile: reconcile per-system master-record against per-location source systems via reverse-ETL (Hightouch + Census + Polytomic + RudderStack Reverse-ETL — operator chooses) — change to master-record propagates back to source-of-truth systems under operator-counsel-approved write-back policy. Reconcile enforces PCI DSS v4.0 (effective March 31, 2025) + PA-DSS + PCI 3DS + per-merchant tokenization + per-vendor card-data sub-processor + per-card-network EMV when POS-and-payments adapter touches cardholder data. Skill 4 — Attest: emit per-system per-record per-field attestation (per-vendor SaaS DPA + per-vendor sub-processor + per-vendor international-transfer + per-vendor data-residency + per-vendor data-portability + per-vendor exit/transition + per-vendor SOC 2 + per-vendor ISO + per-vendor FedRAMP + per-vendor HITRUST + per-system data-classification + per-class handling + PCI DSS v4.0 compliance when POS-and-payments + HIPAA + HITECH + GLBA Safeguards + FCRA + CCPA + GDPR + state-comprehensive-privacy compliance + EU AI Act Article 50 marking when AI-normalized + per-vendor LLM zero-retention + counsel-policy-version + CISO-policy-version + engineering-team-policy-version) to the operator WORM audit trail.

Where does single-vendor iPaaS or ETL tooling stop compounding for per-location custom system adapters at multi-location-retail scale?

Single-vendor iPaaS is solved. Workato + Tray.io + Boomi + MuleSoft + Celigo + Zapier + n8n ship strong managed iPaaS. Single-vendor ETL is solved. Fivetran + Stitch + Airbyte + Hevo + Matillion + Estuary Flow + Singer ship strong managed ETL. Reverse-ETL: Hightouch + Census + Polytomic + RudderStack Reverse-ETL. CDC: Debezium + Maxwell + AWS DMS + Striim + Qlik Replicate + Oracle GoldenGate. POS: Square + Toast + Lightspeed + NCR Aloha + Shopify POS + Clover + Revel + Oracle MICROS. ERP + inventory: Manhattan + Blue Yonder + Oracle NetSuite + SAP S/4HANA + Microsoft Dynamics 365 + Microsoft Business Central. CRM + field-service: ServiceTitan + Jobber + Housecall Pro + Salesforce + HubSpot + Microsoft Dynamics CRM. MDM: Profisee + Reltio + Tibco EBX + Informatica MDM + Stibo STEP MDM.

The compound case the adapter agent has to handle is the one where (a) operator runs 50-1,500 locations × per-system (POS + payments + inventory + ERP + scheduling + CRM + field-service + per-vertical legacy) × per-vendor SaaS contract, (b) PCI DSS v4.0 (effective March 31, 2025) + PA-DSS + PCI 3DS + per-merchant tokenization + per-vendor card-data sub-processor + per-card-network EMV apply when POS-and-payments adapter touches cardholder data, (c) per-vendor SaaS DPA + per-vendor sub-processor under GDPR Article 28 + per-vendor international-transfer (EU Standard Contractual Clauses + UK IDTA + Data Privacy Framework) + per-vendor confidentiality + per-vendor reverse-engineering prohibition + per-vendor data-residency + per-vendor data-portability + per-vendor exit/transition apply, (d) SOC 2 Type II + ISO 27001 + ISO 27017 + ISO 27018 + ISO 27701 + FedRAMP when government-data + HITRUST when healthcare apply, (e) CCPA Section 1798.140(ae) + CPRA Sensitive Personal Information Section 1798.121 + Washington MHMDA + Colorado CPA Sensitive + Connecticut CTDPA + Texas TDPSA + Oregon OCPA + state-comprehensive-privacy + GDPR + UK GDPR + HIPAA + HITECH + GLBA Safeguards + FCRA + COPPA + AADC apply when per-system adapter touches regulated data, (f) NIST AI RMF + ISO 42001 + EU AI Act (Regulation 2024/1689) Article 13 + Article 14 + Article 26 + Article 50 + per-vendor LLM zero-retention apply when AI normalizes per-system fields.

Without an orchestration layer above the vendors, per-vendor SaaS DPA + per-vendor sub-processor + per-vendor international-transfer posture fragments, per-system data-classification fragments under PCI + PHI + Sensitive Personal Information + GLBA + FCRA, PCI DSS v4.0 compliance when POS-and-payments fragments, HIPAA + HITECH + GLBA Safeguards + FCRA posture fragments when per-system adapter touches regulated data, EU AI Act Article 50 marking fragments when AI-normalized, per-vendor LLM zero-retention fragments. The orchestration above the vendors is what holds the cross-system + cross-vendor + cross-class invariants.

How does Skill 1 Connect handle PCI DSS v4.0 + per-merchant tokenization + per-vendor card-data sub-processor when POS-and-payments adapter touches cardholder data?

PCI posture is operator-counsel-and-CISO-approved per-system. PCI DSS v4.0 (effective March 31, 2025) requires operator to maintain documented cardholder data environment scope; per-merchant tokenization (Square + Stripe + Adyen + Worldpay + Fiserv tokenization) shrinks the cardholder-data-environment by replacing PAN with non-sensitive tokens at the operator boundary. PA-DSS (payment-application validation) and PCI 3DS apply per-application and per-3DS-flow. Per-vendor card-data sub-processor (each iPaaS + ETL + CDC + reverse-ETL vendor that touches tokens or cardholder data must be operator-counsel-and-CISO-approved as a PCI-validated sub-processor). Per-card-network EMV (Visa + Mastercard + American Express + Discover + JCB + UnionPay) governs in-store payment-acceptance posture. Connect refuses to attach to POS endpoints (Square + Toast + Lightspeed + NCR Aloha + Shopify POS + Clover + Revel + Oracle MICROS) that route unmasked cardholder data through the iPaaS or ETL path unless every downstream vendor in the data-path is operator-counsel-and-CISO-approved as PCI-validated sub-processor. Per-system PCI DSS v4.0 attestation writes to WORM audit trail with rule-citation evidence + per-merchant-tokenization-status + per-vendor-PCI-sub-processor-status + per-card-network-EMV-status + counsel-policy-version + CISO-policy-version.

What compliance does the orchestration enforce, and how does it map to PCI DSS v4.0 + per-vendor SaaS DPA + SOC 2 + ISO + HIPAA + CCPA + NIST AI RMF + EU AI Act Article 50?

Five anchors. Anchor 1 — PCI DSS v4.0 + PA-DSS + PCI 3DS + tokenization + EMV when POS-and-payments. PCI DSS v4.0 (effective March 31, 2025) + PA-DSS + PCI 3DS + per-merchant tokenization (Square + Stripe + Adyen + Worldpay + Fiserv) + per-vendor card-data sub-processor + per-card-network EMV (Visa + Mastercard + American Express + Discover + JCB + UnionPay). Anchor 2 — Per-vendor SaaS DPA + sub-processor + international-transfer + confidentiality + reverse-engineering + data-residency + portability + exit/transition. Per-vendor SaaS DPA + per-vendor sub-processor under GDPR Article 28 + per-vendor international-transfer (EU Standard Contractual Clauses + UK IDTA + Data Privacy Framework) + per-vendor confidentiality + per-vendor reverse-engineering prohibition + per-vendor data-residency + per-vendor data-portability + per-vendor exit/transition. Anchor 3 — SOC 2 Type II + ISO 27001 + ISO 27017 + ISO 27018 + ISO 27701 + FedRAMP + HITRUST. SOC 2 Type II + ISO 27001 information security + ISO 27017 cloud-security + ISO 27018 cloud-PII + ISO 27701 privacy + FedRAMP when government-data adapter + HITRUST when healthcare adapter. Anchor 4 — CCPA Sensitive + MHMDA + Colorado Sensitive + GDPR + per-state-comprehensive-privacy + HIPAA + HITECH + GLBA + FCRA + COPPA + AADC when per-system adapter touches regulated data. CCPA Section 1798.140(ae) + CPRA Sensitive Personal Information Section 1798.121 + Washington MHMDA + Colorado CPA Sensitive + Connecticut CTDPA + Texas TDPSA + Oregon OCPA + state-comprehensive-privacy + GDPR Articles 5 + 6 + 9 + 25 + 26 + 28 + 30 + 32 + 35 DPIA + ePrivacy + UK GDPR + per-state-comprehensive-privacy + HIPAA + HITECH + GLBA Safeguards + FCRA + COPPA + AADC when per-system adapter touches regulated data. Anchor 5 — NIST AI RMF + ISO 42001 + EU AI Act Article 50 + per-vendor LLM zero-retention. 
NIST AI RMF (NIST AI 100-1) + ISO/IEC 42001 Clause 8 + EU AI Act (Regulation 2024/1689) Article 13 + Article 14 + Article 26 + Article 50 generative-content marking when AI-normalized + per-vendor LLM zero-retention attestation chain (OpenAI Enterprise + Anthropic + Google Vertex + Azure OpenAI + AWS Bedrock zero-retention). Broader gate enforced via policy-as-code. WORM audit trail with per-statute retention per operator counsel policy.

What does the engagement look like across Tier 1 → Tier 2 → Tier 3, and what does the Tier 3 reporting cycle commit to?

Tier 1 AI Readiness Assessment (2-3 weeks): audits the operator current per-location custom system adapter posture; gap-pack identifies which per-system adapters lack per-vendor SaaS DPA + sub-processor + international-transfer + confidentiality + reverse-engineering + data-residency + portability + exit/transition posture, which lack SOC 2 Type II + ISO 27001 + 27017 + 27018 + 27701 + FedRAMP + HITRUST attestation, which lack PCI DSS v4.0 + per-merchant tokenization + per-vendor card-data sub-processor + EMV posture when POS-and-payments, which lack per-system data-classification + per-class handling under PCI + PHI + Sensitive Personal Information + GLBA + FCRA, which lack HIPAA + HITECH + GLBA Safeguards + FCRA + state-comprehensive-privacy posture when per-system adapter touches regulated data, whether NIST AI RMF + ISO 42001 + EU AI Act Article 13/14/50 is wired, whether per-vendor LLM zero-retention attestation chain is maintained. Tier 2 AI Swarm Setup Sprint (4-8 weeks): builds the 4-skill bundle on the adapter agent, wires iPaaS + ETL + reverse-ETL + CDC + per-system custom-adapter + ERP + CRM + MDM + policy-as-code + WORM-storage (operator-chosen subset), configures the operator-counsel-and-CISO-and-privacy-officer-and-engineering-team-and-AI-governance-team-approved per-vendor SaaS DPA register + per-vendor sub-processor register + per-vendor international-transfer register + per-vendor data-residency register + per-vendor exit/transition register + per-vendor SOC 2 + ISO + FedRAMP + HITRUST attestation + PCI DSS v4.0 + tokenization + EMV posture when POS-and-payments + per-system data-classification register + per-class handling flow + HIPAA + HITECH + GLBA Safeguards + FCRA + state-comprehensive-privacy posture + NIST AI RMF + ISO 42001 + EU AI Act Article 13/14/50 + per-vendor LLM zero-retention attestation chain, runs 30-day shadow + canary with Normalize in audit-only before flipping to enforce-mode.
Tier 3 Fractional CMO with AI Swarm (6-month minimum): continues with continuous Connect + Normalize + Reconcile + Attest. Tier 3 reporting is a 6-workstream pre-engagement-baseline reporting cycle (per-vendor SaaS DPA + sub-processor + international-transfer posture freshness + per-vendor SOC 2 + ISO + FedRAMP + HITRUST attestation freshness + PCI DSS v4.0 + tokenization + EMV posture freshness when POS-and-payments + per-system data-classification + per-class handling posture freshness + HIPAA + HITECH + GLBA Safeguards + FCRA + state-comprehensive-privacy posture freshness + EU AI Act Article 50 marking + per-vendor LLM zero-retention attestation + WORM audit-trail completeness) measured against the operator pre-engagement baseline. Reporting carries explicit caveats for factors that sit outside Completions control + attorney-client privilege preservation.

Who owns the iPaaS + ETL + reverse-ETL + per-system adapters, the MDM, the per-vendor SaaS DPA register, and the audit trail?

Operator owns every artifact. iPaaS (Workato + Tray.io + Boomi + MuleSoft + Celigo + Zapier + n8n — operator chooses) runs under operator billing with operator-counsel-and-CISO-approved DPAs. ETL (Fivetran + Stitch + Airbyte + Hevo + Matillion + Estuary Flow + Singer — operator chooses) runs under operator billing. Reverse-ETL (Hightouch + Census + Polytomic + RudderStack Reverse-ETL — operator chooses) runs under operator billing. CDC (Debezium + Maxwell + AWS DMS + Striim + Qlik Replicate + Oracle GoldenGate — operator chooses) runs under operator cloud account. POS (Square + Toast + Lightspeed + NCR Aloha + Shopify POS + Clover + Revel + Oracle MICROS — operator chooses) runs under operator-controlled merchant accounts with per-merchant tokenization. ERP + inventory (Manhattan + Blue Yonder + Oracle NetSuite + SAP S/4HANA + Microsoft Dynamics 365 + Microsoft Business Central — operator chooses) runs under operator billing. CRM + field-service (ServiceTitan + Jobber + Housecall Pro + Salesforce + HubSpot + Microsoft Dynamics CRM — operator chooses) runs under operator billing. MDM (Profisee + Reltio + Tibco EBX + Informatica MDM + Stibo STEP MDM — operator chooses) runs under operator account. LLM provider contracts (OpenAI Enterprise + Anthropic API + Google Vertex AI + Microsoft Azure OpenAI Service + AWS Bedrock — operator chooses) run under operator account with operator-counsel-approved DPAs + zero-retention attestation. 
The operator-counsel-and-CISO-and-privacy-officer-and-engineering-team-and-AI-governance-team-approved per-vendor SaaS DPA register + per-vendor sub-processor register + per-vendor international-transfer register + per-vendor data-residency register + per-vendor exit/transition register + per-vendor SOC 2 + ISO + FedRAMP + HITRUST attestation + PCI DSS v4.0 + per-merchant tokenization + per-vendor card-data sub-processor + per-card-network EMV register when POS-and-payments + per-system data-classification register + per-class handling flow + HIPAA + HITECH + GLBA Safeguards + FCRA + state-comprehensive-privacy posture + NIST AI RMF + ISO 42001 + EU AI Act Article 13/14/50 + Article 50 marking flow + per-vendor LLM zero-retention attestation chain records all live in operator counsel + CISO + privacy + engineering + AI-governance repo. The Connect + Normalize + Reconcile + Attest skill code lives in operator code repo. The policy-as-code policies live in operator code repo, counsel-aligned. The WORM audit trail lives on operator-controlled cloud storage. Completions owns the orchestration knowledge and transfers it under the Tier 3 transition path (30-60 days at engagement end). Completions credentials revoke on engagement-end.

Engage Completions

Start with the AI Readiness Assessment (Tier 1, 2-3 weeks). Hand off to Tier 2 AI Swarm Setup Sprint (4-8 weeks). Continue under Tier 3 Fractional CMO with AI Swarm (6-month minimum, 1-2 days/wk embedded).