§ Privacy Engineering · Manila · PH · NPC Advisory 2025-02 Ready

Is Data Privacy
your weakest
link?

Navigating the Philippine Data Privacy Act (RA 10173) is complex. We make it simple, operational, and future‑proof — through engineering, not paperwork.

Penalty Ceiling
₱5M + 7 yrs
Breach SLA
72 hours
VitrifAI Retainer
₱25–40k / mo
Privacy is not a legal checkbox.
It is an engineering discipline.
§ 01 — Primer
Republic Act 10173

The business owner's
guide to data privacy.

RA 10173 mandates that any business processing personal data — from employee files to customer lists — must secure that information. If you hold personal data, you are a Personal Information Controller (PIC), accountable for its safety.

Why this matters to you:

  • Criminal liability. Up to 7 yrs prison + ₱5M fines.
  • Brand reputation. One leak can destroy decades of trust.
  • Global access. International partners require compliance.
The Five Pillars of Compliance (NPC)
Pillar 01

Appoint a DPO

Assign accountability. A senior‑level officer who can speak law, ops, and IT.

Pillar 02

Privacy Impact Assessment

Health‑check your data flows. Find where information is at risk.

Pillar 03

Management Program

Document manuals, policies, and consent architecture end‑to‑end.

Pillar 04

Security Measures

Encrypt files, lock physical media, train the human firewall.

Pillar 05

Breach Readiness

72‑hour SOP drilled, NPC report template ready, customer comms drafted.

§ 02 — Stakes
What happens if you look away

Trust is your most
valuable currency.

In today's digital economy, protecting that trust is no longer optional. It's the law. Data mishandling is not a mere mistake, but a crime.

Minimum Penalty
₱500k

Administrative fines begin at half a million pesos for processing personal data without proper authority or safeguards.

Maximum Penalty
₱5M

Top‑tier fines apply for malicious disclosure or unauthorized processing of sensitive personal information at scale.

Imprisonment
7 yrs

Criminal liability attaches directly to officers and responsible persons: no corporate veil between you and the sentence.

Breach Report Window
72 h

You have three days to file a Mandatory Breach Report with the NPC. Miss the window and fines compound with Gross Negligence.

§ 03 — Self-Assessment
A 2-minute diagnostic

Are you minimally
compliant?

Data Defense · Self-Audit
Q01

Registration. Do you have a valid NPC Seal of Registration Certificate displayed in your office?

If you process data for 250+ people or handle sensitive info, this is mandatory. No certificate = immediate red flag.

Q02

Front Door. Does your website and office have a visible, up-to-date Privacy Notice?

You must tell people why you are collecting their data before they give it to you. "We just need it" is not a legal defense.

Q03

Vendor. Do you have signed Data Sharing Agreements with your payroll, cloud, or marketing providers?

If they leak your data, you go to jail unless you have this contract in place.

Q04

Employees. If an employee lost their work device today, is there a written SOP for the first 2 hours?

You have 72 hours to report a breach. Without a practiced SOP, you will miss that deadline.

Q05

Consent. Can you prove exactly when and how customers agreed to receive your marketing emails?

If you cannot produce the timestamped consent record, you are spamming illegally.

If any answer is No or Unsure

Your business is legally vulnerable under RA 10173. A Single Point of Failure — one employee, one vendor, one unpatched tool — can trigger fines from ₱500k to ₱5M.

But panic is not a strategy. A competent Data Protection Officer engineers your systems so failure becomes statistically unlikely, and legally defensible when it does happen.

The Litmus Test

Before you hire anyone (including us): ask them to explain "data privacy" without using legal jargon. If they can't, your staff won't understand the rules, and compliance will fail.

§ 04 — The VitrifAI Advantage
Operational rigor meets holistic expertise

Most DPOs are lawyers
who don't get the business,
or officers who don't
get the law.

You need someone who understands the whole picture.

01
Fractional Expertise

Renting executive talent is smarter than owning a junior employee.

  • 💎 Senior expertise, junior cost. Output of a specialist with 13+ years, for a retainer often lower than a fresh grad's salary.
  • 🤝 Zero office politics. As an external partner, we audit processes objectively. Our only loyalty is your compliance.
  • 🏢 Cross-industry intelligence. Battle-tested solutions from multiple industries applied to your business.
02
Strategic Synthesis

  • ⚖️ Juris Doctor roots. We interpret RA 10173 and NPC Circulars with academic precision, not guesswork.
  • 🌏 Global ops expertise. A decade of transnational enterprise operations. Efficient, audit-proof, survives staff turnover.
  • 🤖 Tech-native approach. We speak the language of your engineers. Privacy by Design goes straight into your tech stack.
03
TRIZ Innovation Engine

With us, growth and safety go hand-in-hand.

  • 🧪 No half-compromises. We apply TRIZ to isolate the technical contradiction and engineer it away.
  • ⚙️ Pre-approved patterns. Developers get code blocks that clear privacy review instantly.
  • 📐 Engineering-grade rigor. FMEA risk scoring. Root-cause analysis. Red-team stress tests.
04
Future-Proof Systems

We champion data integrity in the AI revolution.

  • 🖥️ Algorithmic auditing. We assess AI tools so they don't inadvertently learn from (and leak) sensitive data.
  • 📊 Clean data pipelines. Automation runs on pre-vetted datasets. Liabilities stay outside the model.
  • 🛡️ NPC 2025-02 ready. Privacy Engineering Life Cycle documented, Gross Negligence defense built in.
§ 05 — TRIZ Engineering
Theory of Inventive Problem Solving

Stop mitigating risk.
Eliminate it.

Most businesses believe safety and speed are a zero-sum trade. TRIZ, the Soviet-era engineering methodology used by NASA and Samsung, lets us isolate the contradiction and resolve it without compromise.

Contradiction #1

Marketing

"You need deep customer analytics to grow — but holding customer data creates massive liability."
↓ VitrifAI's TRIZ Fix ↓

Principle of Extraction

Old way: A spreadsheet that says "Juan dela Cruz bought a TV."
VitrifAI: A tokenized data lake. Marketing sees "User #4261 bought a TV." Name is air-gapped. 100% utility, zero risk.
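The Principle of Extraction above, as an added example that is not VitrifAI's own code: each purchase row is split so the marketing lake only ever receives a keyed pseudonym plus the analytics columns, while the name-to-token link lives in a separate vault. The vault secret, the sample rows and the column names are constructed for illustration; the keyed HMAC and the separate vault are the assumed design, not something the page specifies.

```python
import hashlib
import hmac

IDENTIFYING = ("name", "email")  # columns that never reach the marketing lake

# Constructed sample rows, as they would sit in the "old way" spreadsheet.
RAW_PURCHASES = [
    {"name": "Juan dela Cruz", "email": "juan@example.com", "item": "TV", "amount": 18999},
    {"name": "Juan dela Cruz", "email": "JUAN@example.com", "item": "Soundbar", "amount": 4500},
    {"name": "Maria Santos", "email": "maria@example.com", "item": "TV", "amount": 18999},
]


class TokenVault:
    """The only place where a token maps back to a person. In production this
    is assumed to live in a separate store with its own access control."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._identities: dict[str, dict] = {}

    def tokenize(self, record: dict) -> str:
        # Keyed, deterministic pseudonym: one customer -> one token, so marketing
        # can still count repeat buyers, but without the key nobody can derive
        # the token from a name or e-mail, or reverse it.
        canonical = record["email"].strip().lower().encode()
        digest = hmac.new(self._secret, canonical, hashlib.sha256).hexdigest()
        token = f"User #{digest[:12]}"
        self._identities.setdefault(token, {k: record[k] for k in IDENTIFYING})
        return token

    def resolve(self, token: str) -> dict:
        # Re-identification is an explicit vault operation (log it in practice).
        return self._identities[token]


def build_marketing_view(rows: list[dict], vault: TokenVault) -> list[dict]:
    """Split each row: identity goes to the vault, everything else to the lake."""
    view = []
    for row in rows:
        token = vault.tokenize(row)
        analytics = {k: v for k, v in row.items() if k not in IDENTIFYING}
        view.append({"user": token, **analytics})
    # Hard stop: an identifying column leaking into the lake is a bug, not a warning.
    assert not any(k in IDENTIFYING for rec in view for k in rec)
    return view


if __name__ == "__main__":
    vault = TokenVault(secret=b"demo-key-keep-this-in-a-kms")  # constructed key
    for rec in build_marketing_view(RAW_PURCHASES, vault):
        print(rec)
```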
Contradiction #2

Surveillance

"You need to track assets for efficiency — but tracking employees 24/7 is a privacy violation."
↓ VitrifAI's TRIZ Fix ↓

Principle of Local Quality

Old way: Tracking an employee's personal phone via an always-on app.
VitrifAI: Geofenced telemetry activates only when assets cross a location boundary or during shift hours. Off-shift → off-grid.
Contradiction #3

Speed

"Your dev team needs to ship code — but the privacy office needs time to review."
↓ VitrifAI's TRIZ Fix ↓

Principle of Prior Action

Old way: DPO reviews each project from scratch. Bottlenecks everywhere.
VitrifAI: Developers use pre-approved code blocks for login, storage, and consent. Compliance happens before the code is written.
§ 06 — Service Tiers
Retainer packages

Services that fit
your risk profile.

No hidden hourly fees. No surprise charges. Just results.

Compliance Shield

Regulatory Guardian

Monthly retainer
₱25k
  • Role. Regulatory Guardian
  • NPC Registration. Included
  • Privacy Manual. Standard Template
  • Breach Management. Incident Reporting
  • Support Channel. Email (Asynchronous)
  • Response SLA. 48 Business Hours
  • Team Sync Availability. Add-On
Ideal for

"I want to be safe."

Choose Shield if…
  • You collect minimal data (employee records, simple customer lists).
  • You rarely launch new software or digital products.
  • You want a set-and-forget solution to satisfy the law.
Choose Operations if…
  • You're building an app, website, or loyalty program.
  • You share data with third-parties (including AI models) frequently.
  • Your clients ask for proof of compliance (B2B vendor).
§ 07 — On-Demand
Tactical interventions

Focused, high-impact
solutions. No retainers.
Just execution.

Tactical · Audit

Deep Scan (Gap Analysis)

Best for: Companies preparing for an NPC visit or investor due diligence.

A forensic review of your data flows, IT systems, and physical premises to identify "Regulatory Debt" before it becomes a liability.

  • Red/Amber/Green Scorecard across all data streams
  • Remediation Roadmap prioritized by TRIZ principles
  • 1-hour Executive Briefing to your Board
Quote on scope
● Emergency Intake · 72h

Incident Command

Best for: Companies currently experiencing a hack, leak, or ransomware attack.

Panic is not a strategy. You have 72 hours to report to the NPC. We step in as your interim Incident Commander and manage the fallout.

  • Immediate containment strategy
  • NPC Breach Report drafted and filed on deadline
  • Customer notification templates — no unnecessary liability admissions
Priority engagement
Training

Privacy Engineering Workshop

Best for: Dev teams, HR, and marketing staff.

Most privacy trainings are boring lectures. Ours is operational. We teach teams how to build privacy into daily workflows so compliance happens automatically.

  • 3-hour interactive workshop, industry-customized
  • Data Hygiene Protocols — practical checklists
  • Certificate of Completion for NPC compliance
₱25,000 / session
Procurement

Third-Party Risk Assessment

Best for: Procurement teams buying software or hiring BPOs.

You are liable for your vendors' mistakes. Before you sign with a new payroll, cloud, or BPO provider, we audit their security so you don't inherit their risks.

  • Data Processing Agreement redlines
  • Security validation (ISO 27001, SOC 2)
  • Go/No-Go risk memo for procurement
₱15,000 / contract
§ 08 — AI Readiness
The AI in VitrifAI is not a gimmick

Is AI truly your
superpower — or your
single most expensive mistake?

If your employees are pasting live client data into an AI chat, you have a massive leak. If you're building custom models without a PIA, you're inviting a cease-and-desist from the NPC.

The Risk

Where AI exposure typically hides

  • Shadow AI. Employees pasting trade secrets into public LLMs.
  • Model Bias. Automated systems perpetuating discriminatory patterns.
  • Training Data Liability. Scraped data that violates RA 10173.

The Fix

What we engineer in response

  • Enterprise Guardrails. Secure, private API endpoints and "zero-retention" workflows.
  • Algorithmic Auditing. Technical stress-testing of training data for PII and bias.
  • Synthetic Data Generation. Real PII replaced with statistically identical fake data for training.

The Shield

Your audit-ready governance layer

  • AI Acceptable Use Policy. Clear, enforceable contracts for your staff.
  • ADMAS Compliance. NPC requirements for Automated Decision-Making.
  • Data Provenance Logs. Audit-ready trails proving ethical data sourcing.

VitrifAI specializes in the intersection of LLM deployment and RA 10173 compliance. We bridge the gap between technical AI development and the NPC's guidelines on Privacy Engineering (Advisory 2025-02).

NPC Advisory 2025-02 · Effective Aug 2025

The death of
"paper compliance."

The NPC stopped asking for privacy policies. Now, they treat privacy as an engineering question. Launch an app without documenting the Privacy Engineering Life Cycle, and you face Gross Negligence charges — worse than non-compliance.

The shift

Before:
  01 Build the app
  02 Hire a lawyer
  03 Write Terms of Service

After:
  01 Run a Privacy Impact Assessment
  02 Architect Privacy Controls
  03 Then build the app
§ 09 — Founder
Who you're working with

Legal insight.
Operational grit.
Future-ready defense.

VitrifAI

Charlemagne R. Dumaya

Founder · Chief Privacy Engineer

Education: Juris Doctor, University of the Philippines (Class of 2024)
Experience: 13+ yrs transnational ops · AI Annotation and Governance · Creative Industry
Focus: RA 10173 · NPC 2024-04 · NPC 2025-02 · TRIZ
Based: Marikina City, Philippines

I am Charlemagne Dumaya, your fractional Data Protection Officer. My goal is to bring legal insight, operational grit, and future-ready defense to your company.

My approach is built on a rare intersection of disciplines. With the academic foundation of a Juris Doctor from the top law college in the country, I interpret the nuances of the Data Privacy Act and NPC Circulars to ensure your contracts are legally sound. Most others quote the law; I set myself apart by creating workflows that help you apply it.

Drawing on over a decade of operational experience in transnational businesses, I understand the rigor required to manage data at scale from local to global. I have audited workflows for highly regulated international accounts, ensuring efficiency never compromises security.

I also understand that compliance should never paralyze growth. My experience in the creative industry means I know how to navigate lead generation and consent without killing your marketing campaigns. My background in AI data annotation lets me audit your data pipelines for privacy leaks. I know how datasets are built and labeled, and I can identify where sensitive information might be accidentally exposed to AI models, a risk traditional DPOs often overlook.

I offer what most consultants cannot: the ability to speak the languages of your legal, operations, and IT teams fluently.

Let's protect your business together

Your data
deserves
an engineer.