UK · EU — Regulated fintech & energy

Certifications delivered: ISO 27001 · PCI DSS v4 · DORA

About

Salvador Cloud

Board-level security advisory for regulated fintech. Founded by Giovanni Salvador in 2018. UK Ltd, Companies House 11311496.

Why Salvador Cloud exists

Boards in regulated fintech are being asked to make security decisions faster than ever — about AI, about payments innovation, about ICT third-party risk. The advisors most boards have are either too generalist to be useful in a regulated payments stack, or too engineering-only to translate the answer into board language.

Salvador Cloud sits in that gap. We bring senior practitioners who have delivered the work — not just diagrammed it — and we translate it into the language a CFO or audit committee can act on the same week.

Founder & CISO

I'm Giovanni Salvador, Founder & CISO of Salvador Cloud. For the last twelve-plus years I've worked at the seam between security architecture, cloud engineering, and the boardroom. The engagements span regulated fintech, consumer finance, national energy infrastructure, digital-asset custody, e-commerce, and edutech — most of it under NDA, all of it anonymised on this site by default.

My job isn't to slow the business down. It's to make sure the trust customers place in you survives contact with the next AI rollout, the next regulator, the next incident. That means translating cyber and AI risk into decisions a board can act on — and then standing behind the engineering work that makes those decisions stick. At one recent engagement I authored roughly 80% of the security team's internal tooling myself.

12+ yrs

At the seam between architecture and the boardroom

Across regulated fintech, energy, consumer finance, and crypto custody

~£7M

FAIR-modelled risk reduced and value delivered

Across regulated-fintech and energy-market engagements

~25%

Cut in security incidents

After the first year of vCISO + DevSecOps engagements

What that looks like in practice:

  • FAIR-modelled risk quantification — turning "we might lose this" into a number on a slide
  • ISO 27001 and PCI DSS v4 programmes delivered end-to-end (scoping → controls → external audit)
  • AI/LLM security policies mapped to OWASP LLM Top 10 and the EU AI Act
  • AI security guardrails for production agent platforms
  • DORA programme design for in-scope EU operators
  • SOC build-outs that pay back in measured incident reduction

How we work

Salvador Cloud operates as a small senior team plus a curated network of associates we partner with on engagements that need depth in a specific regulator or technology. We deliberately stay small to keep every engagement led by someone who's done the work before.

We work in 8-week initial scopes, with monthly retainers from there. We will tell you up front when the right answer is "you don't need us for this" — and we'll point you to who can help instead.

Our clients have included

We are bound by NDA with every client; the descriptions of work on this site are anonymised by design. The fact that these organisations have been our clients is itself permitted under each NDA; what specific work we did for whom is not.

Speaking

I speak on AI security guardrails, vCISO operating models, DORA readiness, and "what boards need to know about cloud security risk" at industry events and inside organisations. See the speaking page for upcoming and past talks.

Next step

Ready to scope an engagement?

We'll diagnose the shape of your problem in a 30-minute call. No proposals, no pitching.