The Fourths
Confidential Document
Viseven
Pre-Engagement Risk Audit — May 2026

Viseven — Pre-Engagement Risk Audit

Vendor due-diligence assessment · pharma / life-sciences MarTech (eWizard) · 29 May 2026

TF-REF:VISEVEN-DD-001
Point-in-time: 29 May 2026
⚠ ENGAGEABLE WITH CONDITIONS: 1 High flag (HIPAA / BAA liability shift) · 9 Medium · 5 Low · Sanctions clean · No litigation found · Live errors on vendor's own website

  • 1 High-severity flag
  • 9 Medium findings
  • 5 Low findings
  • Founded (Ukraine): 2009
  • Sanctions screen: Clean

Verdict

Engageable, but close one High flag before any health data is involved, and note the website-quality concern. No fatal red flags — the profile is "do normal vendor diligence", not "walk away".

The two things that matter: (1) the HIPAA / BAA liability-shift clause in their privacy policy protects them, not you — don't sign anything touching health data until it's renegotiated; (2) a content vendor has lorem ipsum placeholder and unfinished copy live on its own homepage, which is a direct signal on their quality governance. Treat ownership and revenue as unconfirmed until they hand over documents.

Company Snapshot

  • Founded: 2009, Zhytomyr, Ukraine
  • EU legal anchor: Viseven Europe OÜ, Estonia (active, no insolvency or tax debt)
  • US entity: Viseven USA LLC, Bridgewater, New Jersey
  • Ownership: Founder-led; Horizon Capital (Kyiv PE, EIB-backed) minority stake Jan 2024; AVentures Capital early backer
  • Scale: ~650–700 staff (their own figures disagree — see Website Audit); delivery across Ukraine, Poland, Estonia, India, Argentina, North America
  • Clients: AbbVie, Amgen, Abbott, Bayer, Lilly, Novo Nordisk
  • Founders: Nataliya Andreychuk (CEO), Viacheslav Vasylenko (COO), Roman Vasylenko (CTO) — all in seat since founding, no churn
  • Product: eWizard — modular content authoring & omnichannel platform for pharma

Risk Register (ranked)

| # | Severity | Finding | Confidence |
|---|----------|---------|------------|
| 1 | HIGH | HIPAA / BAA gap. Not HIPAA-certified (only the underlying AWS service is "HIPAA-eligible"). No BAA mentioned anywhere. Their privacy policy discourages PHI submission but contains a clause deeming the client to have consented to processing if PHI is sent — shifting liability onto you. | Verified |
| 2 | MED | Website quality. Live errors on their own marketing site, including lorem ipsum placeholder in five homepage service cards (see Website Audit tab). For a content vendor, this is a quality signal. | Verified |
| 3 | MED | Ukraine war operational continuity. HQ and a core dev hub remain near Kyiv (Zhytomyr, ~140km, missile range). Their own wartime blog documents staff in shelters and evacuating. Mitigated by distributed delivery and revenue tripling through the war, but real. | Verified |
| 4 | MED | No public BCP / SLA-failure documentation for the Ukraine dependency. Absence of evidence, not evidence of absence — but must be requested. | Inferred |
| 5 | MED | Opaque holding structure. Equity domicile across Estonia, Ukraine and US is unconfirmed. A Cyprus entity existed in the 2022 group with current status unknown (Cyprus is a known Russian-capital structuring jurisdiction, though no adverse link was found). | Inferred |
| 6 | MED | SOC 2 absent. Not claimed, not found. ISO 27001 substitutes for EU buyers; US pharma procurement often wants both. | Verified absence |
| 7 | MED | GDPR breach-notification procedure undefined in the privacy policy (no Article 33 72-hour process stated), despite otherwise sound GDPR posture (SCCs, EU data residency via AWS EMEA and Hetzner). | Verified |
| 8 | MED | Financials unverifiable. All private. Revenue estimates ($50m–$147m) are scraped / aggregator; the only credible signal is the investor-stated "tripled revenue since 2019". | Single-source |
| 9 | MED | No analyst recognition (Gartner / Forrester). Consistent with a mid-market vendor, but pharma buyers often use it as a maturity proxy. | Inferred |
| 10 | MED | Beneficial-owner flag. The Estonian register lists Olena Matviienko as a beneficial owner beyond the named founders; relationship unclarified. | Single-source |
| 11 | LOW | Litigation: none found across US, EU and UK courts. | Verified |
| 12 | LOW | Sanctions: clean. No OFAC, EU or UK match for the company or its principals. Russian subsidiary liquidated Oct 2022; all Russia / Belarus contracts terminated 24 Feb 2022. | Verified |
| 13 | LOW | ISO/IEC 27001 certified May 2023 (PECB, IAF-accredited), passed first surveillance audit. | Verified |
| 14 | LOW | Employee sentiment: Glassdoor 4.0/5 across 57 reviews, 79% would recommend. Recurring gripes: low pay, overtime, senior-management soft skills. | Verified |
| 15 | LOW | Client reviews / breaches: near-zero independent review coverage (one positive Clutch review, Capterra zero); no data breaches or negative press found. | Verified / Inferred |

Watch-Outs Before Engaging

Website Quality Check — viseven.com

The site has live errors that should not be on an enterprise pharma-facing site. Not catastrophic (navigation works, content is substantive), but careless for a company selling content expertise.

| Severity | Issue |
|----------|-------|
| CRITICAL | Lorem ipsum placeholder ("Lorem ipsum dolor sit amet, vero ipsum ne ius") live in all five "What We Do" service cards on the homepage. |
| HIGH | Headcount contradicts itself — "700+ team members" on the homepage vs "650+ professionals" on About Us and Careers. |
| HIGH | Unfinished sentence on About Us — "…streamline workflows and accelerate" (cuts off mid-thought). |
| HIGH | Backtick used instead of an apostrophe in a client testimonial ("we`ve been enjoying") — a site-wide component appearing on multiple pages. |
| HIGH | Four service URLs return 404 — /services/, /omnichannel-services/, /omnichannel-marketing/, /professional-services/. |
| MED | Spelling error "Prsentations" on the Content Strategy page; "scrupulous" misused for "meticulous" in their own blog. |
| MED | A blog post redirects from /blog/ via HTTP (not HTTPS) — mixed-protocol redirect; dead href="#" links on several CTAs. |
| LOW | Visible honeypot field ("Please leave this field empty") on the About Us form; client-logo carousel loops the same logos to look broader; uncited performance stats (340% ROI etc.). |

Why it matters: for a vendor whose core product is content quality and governance, placeholder copy and an unfinished sentence on its own homepage is the most telling soft signal in this audit. Use it as leverage and as a direct test of their QA process.

Due-Diligence Questions to Put to Viseven

Written so they can be forwarded as-is or used on a call. Ordered by what matters most.

1. Data protection & health data (close before signing)

  • Will you sign a Business Associate Agreement (BAA)? If not, why not?
  • Is eWizard HIPAA-certified end-to-end, or only "HIPAA-eligible" via the underlying AWS service (Comprehend Medical)? Be specific.
  • Your privacy policy contains a clause deeming the client to have consented to processing if PHI is sent. Will you remove or renegotiate that for our engagement?
  • What is your GDPR breach-notification process? Your policy states no Article 33 (72-hour) timeline — please confirm in writing.
  • Where does our data reside at rest, and which sub-processors touch it?

2. Security & certification

  • Please share your current ISO/IEC 27001 certificate, scope statement and latest surveillance-audit result.
  • Do you hold SOC 2 (Type I or II)? If not, is one on the roadmap and by when?
  • Can you provide a recent penetration-test summary or completed security questionnaire (SIG / CAIQ)?
  • What is your incident-response and client-notification process in the event of a breach?

3. Business continuity (Ukraine delivery)

  • Please provide your formal Business Continuity Plan covering a Ukraine delivery-centre failure.
  • If the Zhytomyr hub goes offline, which sites absorb the work and what is the SLA impact?
  • What proportion of delivery for our account would sit in Ukraine versus other hubs?
  • Have you had any war-related service disruptions since 2022, and how were they handled?

4. Corporate structure & ownership

  • Please provide a current group-structure chart (which entity contracts with us, and what sits above/below it).
  • A Cyprus entity appeared in your 2022 group filings — is it still active, and is it sanctions-clean?
  • Confirm the beneficial-ownership chain. The Estonian register identifies Olena Matviienko as a beneficial owner alongside the founders — please clarify her role.
  • Confirm the terms of Horizon Capital's stake and any control or change-of-control rights affecting service continuity.

5. Financial health

  • Please provide audited accounts for the last two years, or a solvency confirmation / banker's reference.
  • Confirm there are no material undisclosed liabilities, defaults, or going-concern issues.
  • What is current headcount, and how has it moved over the last 24 months? (Your site states both 700+ and 650+.)

6. Legal & compliance

  • Are there any active or threatened lawsuits, IP disputes, or client disputes?
  • Any regulatory enquiries or data-protection enforcement actions in any jurisdiction?
  • Confirm no entity or principal appears on any sanctions list and that all Russia / Belarus operations were wound down.

7. Delivery, quality & references

  • Please provide two or three referenceable pharma clients of comparable scope to ours.
  • What is your delivery model, team structure and escalation path for an account our size?
  • Sample SLAs and your standard remedies for missed milestones.
  • What content-QA and governance process do you run? (We noted live errors on your own website, including placeholder copy — how is that controlled on client work?)

Method & Confidence

This is an open-source, pre-engagement risk assessment. It draws on the company's own published materials, business registries, sanctions screens, employee- and client-review platforms, press, and a direct technical sweep of viseven.com. No non-public or privileged data was accessed.

Confidence labels

Sources consulted

Limitations