Protect your customers' data. Prove that you do.

Identifies every cookie — tracking, analytics, advertising. Classifies against a tracker database of 1000+ vendors and checks Secure/HttpOnly/SameSite flags. Detects cookies set before consent. Legal basis: ePrivacy Art 5(3), LEK ch. 9 §28.

Clicks 'Reject' and checks whether tracking cookies are set anyway. Detects dark patterns, pre-checked boxes and non-functional buttons. Includes zombie-cookie detection (cookies that respawn after deletion). Legal basis: EDPB Cookie Banner Taskforce 2023, GDPR Art 7.

Checks every mandatory section: legal basis, retention period, third parties, data-subject rights, DPO contact. Each gap is tied to the article it sits under. Legal basis: GDPR Art 13.

Compares what your privacy policy promises against what the site does. Catches things like 'We use no third-party cookies' while tracking still runs. Legal basis: GDPR Art 5(1)(a) transparency, Art 13 information duty.

Detects canvas, WebGL and audio fingerprinting. Catches session-replay tools that record visitor behaviour without consent. Legal basis: ePrivacy Art 5(3) device access.

Maps third-country transfers. Flags US recipients without DPF certification. Checks that adequate safeguards are in place (SCC, adequacy decisions). Legal basis: GDPR Art 44–49.

Checks security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy, COOP/COEP). Analyses TLS configuration, certificate validity and cipher strength. Legal basis: GDPR Art 32, NIS2 Art 21(2)(h) cryptography policy.

Active scanning with continuously updated templates. Tests SQL injection, Cross-Site Scripting, CSRF, exposed admin panels, vulnerable JavaScript libraries. Legal basis: NIS2 Art 21(2)(e) system acquisition and vulnerability handling.

Scans open ports and exposed services. Catches admin panels reachable from the internet and subdomain-takeover risk against known cloud providers. Legal basis: GDPR Art 32(1)(b), NIS2 Art 21(2)(e) vulnerability handling and Art 21(2)(i) access control.

API keys, cloud credentials, payment-provider keys and private keys that ended up in frontend code are caught via a vendor rule library and issuer-prefix detection. Legal basis: GDPR Art 32, NIS2 Art 21(2)(e) vulnerability handling.

Contrast, alt text, form labels, keyboard navigation and ARIA attributes get reviewed automatically. You get a remediation suggestion per finding. Legal basis: European Accessibility Act (in force 28 June 2025), Discrimination Act, WCAG 2.1 AA.

Scan frequency follows your plan — monthly, weekly or change-triggered. You get a notification on new findings. Compliance status stays up to date in your dashboard. Legal basis: GDPR Art 5(2) burden of proof.

Lower-confidence findings go to a review queue and an analyst reviews them before publication. High-confidence findings have machine-checkable proof and publish directly. Confidence level (CERTAIN/FIRM/TENTATIVE) is shown on every finding.

Compliance reports with the legal basis on every finding. Executive summary for the board, detailed technical report for IT, and a DPIA-ready package your DPO can use. Each gap ties back to the GDPR, NIS2 or Swedish Cybersecurity Act article it sits under.

Certificate number (VKT-XXXX-XXXXXX) is issued after a passing scan. Trust badge embedded via JS widget or SVG. Anti-theft: badge renders only on the certified domain. Publicly verifiable via /verify/[cert-no]. Valid 90 days, automatically renewed at every passing scan. Legal basis: GDPR Art 5(2) burden of proof.

Browser recording, network log and timeline of cookie behaviour before and after consent. Downloadable zip with an integrity check so you can show the material has not been altered.