Privacy Policy

Last updated: March 2026  ·  Toba Group LLC d/b/a TobaSec

1. Who We Are

Toba Group LLC, operating as TobaSec, is a cybersecurity and AI governance consulting firm based in Centennial, Colorado, USA. Contact: hello@tobasec.io

2. Data We Collect

When you submit our contact form, we collect your name, email, company name, and any message content — solely to respond to your inquiry. We do not collect sensitive personal data or data from children under 16.

3. Cookies

We use three categories of cookies:

You may withdraw or change consent at any time via the Cookie Preferences link in the footer.

4. Legal Basis (GDPR)

For EU/EEA visitors: (a) consent for non-essential cookies; (b) legitimate interest for responding to business inquiries; (c) legal obligation where applicable.

5. Data Retention

Contact form data is retained for up to 24 months for business purposes, then securely deleted.

6. Your Rights (GDPR)

EU/EEA residents have the right to access, correct, delete, restrict, or port their data, and to withdraw consent at any time. Contact: hello@tobasec.io

7. International Transfers

Data may be processed in the United States. We apply appropriate safeguards as required by applicable law.

8. Third Parties

We use Formspree for contact form processing. We do not sell or share personal data for marketing purposes.

9. Contact & Complaints

hello@tobasec.io  ·  Toba Group LLC  ·  7173 S Havana St, Ste 600, Centennial, CO 80112, USA. EU residents may also lodge complaints with their local data protection authority.

Protocol Zero — Cybersecurity & AI Governance

Start from zero. Build it right.

ISO 27001 · ISO 42001 · EU AI Act · NIST AI RMF
Audit readiness and AI governance consulting for organizations that take security seriously.

Centennial, Colorado
Toba Group LLC
hello@tobasec.io

Services

01 · Information Security
ISO 27001:2022 Audit Readiness

Advisory on the internal controls required by ISO 27001: gap assessments, control mapping, evidence requirements, and internal audit guidance. Your team implements. We advise on exactly what needs to be in place and make sure it holds up. We are not a certification body. We get you ready for the accredited auditor who is.

02 · AI Governance
ISO 42001:2023 AI Management

Advisory on building a credible AI Management System: governance frameworks, risk assessments, Annex A controls guidance, and AI Impact Assessment support. Your team implements. We advise on what the standard requires and how to satisfy it. Certification is issued by accredited bodies, not us.

03 · Regulatory Compliance
EU AI Act Compliance Advisory

Navigate the world's first comprehensive AI regulation. Risk classification, obligations mapping, and technical documentation support.

04 · Risk Management
NIST AI RMF Implementation

Operationalize the NIST AI Risk Management Framework. From GOVERN to MANAGE, practical implementation tailored to your environment.

Different
by design.

You don't need a big firm and a team of generalists.
You need one expert, fully accountable, who does this and only this.

Advisory, not implementation: We advise your team on what controls are required, what evidence auditors expect, and what needs to change. Your organization owns the implementation. Certificates come from accredited bodies; we make sure you're ready for them.
Specialized focus: ISO 27001, ISO 42001, EU AI Act, and NIST AI RMF are not add-ons. They are our entire practice.
Senior attention, always: You work directly with the principal consultant. No handoffs. No surprises.
Built to act on: Deliverables your team can execute, not reports that sit in a drawer.
Fixed fees, no surprises: Scoped engagements with clear deliverables. Out-of-scope work requires a signed change order.
4+ core frameworks mastered
1× point of contact. Always.
0% generic checklists. Zero.

Joshua Sitompul

Founder & Principal Consultant · TobaSec

Most consultants study frameworks. I've implemented them.

I spent years as the internal GRC person at a B2B SaaS company, building the ISO 27001 and SOC 2 Type II programs, going through the audits, and fielding security questionnaires from federal agencies, defense contractors, healthcare organizations, universities, and Fortune 500 teams who needed to trust us before signing a contract. I know what enterprise security teams look for because I've spent years answering to them.

Along the way I implemented an ISO 42001 AI Management System, led a TPRM program, and did my time in blue team work: incident response, IAM, and identity governance. CISSP. ISO 27001 Lead Auditor. ISO 42001 Lead Auditor.

TobaSec is built on that experience. You get someone who has been where you are.

Based in Centennial, Colorado. Serving clients across the United States.

ISO 27001 · ISO 42001 · EU AI Act · NIST AI RMF · NIST CSF · CISSP

Ready to get started?

Tell us about your organization and what you're trying to achieve. We'll schedule a no-obligation discovery call and go from there.

Email: hello@tobasec.io
Website: tobasec.io
Location: Centennial, Colorado · Remote First