Compliance that reads your code, so it never lies about your product.
Automated, engineer-built compliance that syncs directly with your codebase.
No credit card required · 14-day free trial on paid plans · Cancel anytime
- OpenAI · gpt-4o · High
- Anthropic · claude-3.5 · High
- OpenAI · text-embedding-3 · Limited
Lawyers draft your docs once. Engineers ship code daily.
Within a week your published privacy policy is wrong. Your DPA lists subprocessors you no longer use. Your AI usage isn't disclosed at all. Enterprise procurement sends you a 40-question security questionnaire, and you spend 10+ hours per deal answering it manually.
Stale by design
A PDF written 6 months ago can't reflect what your code did this morning.
Per-jurisdiction rules
EU AI Act, GDPR, CPRA, CO/CT/VA/TX state laws — each demands different disclosures.
No PR-aware tooling
Your scanner stops at SOC 2 controls. Nothing watches the code paths that touch user data.
How it works
From repo to published trust center in 10 minutes.
Connect your repo
Read-only GitHub OAuth. Pick the repos that matter. Five-minute interview captures legal-entity facts we can't see in code.
Attestly scans
Static analysis finds every AI SDK call, every third-party subprocessor, every personal-data field, every OSS license — with file & line citations.
Generate, you approve
Schema-locked LLM produces the five documents. You review the diff. One click publishes to your trust center.
Stay live
On every PR, we re-scan and surface drift. New subprocessor? Customers are auto-notified per Art. 28(2) of GDPR.
What it generates
Five living documents. One source of truth: your code.
Every document is regenerated from the same scan that produced the last one, so your trust center never falls behind your release.
AI Trust Center
Hosted page with AI inventory, data flows, risk class per system, and documentation to instantly satisfy enterprise security reviews.
Privacy Policy
Accurate to detected data collection. Per-jurisdiction sections appear automatically when a state law applies.
DPA + Subprocessor list
Up-to-date subprocessor list. New vendor SDK detected? Customers are emailed automatically.
OSS Attributions
Full NOTICE file generated from your dependency graph. Per-release, beautifully formatted, linkable.
SOC 2 Readiness
Translate SOC 2 work from months to minutes.
Forcing function
EU AI Act high-risk obligations apply August 2, 2027.
If you ship a SaaS product to EU customers and any feature uses AI for decisions about people — hiring, credit, biometrics, education, employment, essential services — you owe a conformity assessment, an AI system inventory, and continuous post-market monitoring.
- AI system inventory mapped to your repo
- Annex IV conformity draft, ready for legal review
- AIBOM JSON exportable for enterprise customers
- Re-runs on every PR — no PDF goes stale
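As an added example (not Attestly's code), here is the kind of drift gate a PR re-run implies over the AIBOM JSON export shown below: it diffs the current export against the previously published one and flags a new model provider (a new subprocessor to notify customers about), new inputs feeding an existing system, and any newly detected high-risk system. The previous export and the blocking rule are assumptions constructed for the demo.

```python
"""Drift gate over an AIBOM export, re-run on every PR. Added example, not
Attestly's code; assumes the AIBOM JSON shape shown on this page. Both
documents below are constructed for the demo."""
import json

# Constructed: the AIBOM published with the previous release.
PREVIOUS = json.loads('''{"tenant": "acme", "generated_at": "2026-04-28T10:00:00Z",
  "ai_systems": [{"id": "summarizer", "purpose": "summarize customer notes",
    "model": {"provider": "openai", "name": "gpt-4o"}, "inputs": ["customer.notes"],
    "risk_class": "limited", "source": "src/agents/summarizer.ts:42"}]}''')

# Constructed: the export from the scan of the current PR (as on the page).
CURRENT = json.loads('''{"tenant": "acme", "generated_at": "2026-05-06T09:14:22Z",
  "ai_systems": [
    {"id": "summarizer", "purpose": "summarize customer notes",
     "model": {"provider": "openai", "name": "gpt-4o"}, "risk_class": "limited",
     "inputs": ["customer.notes", "user.email"], "source": "src/agents/summarizer.ts:42"},
    {"id": "credit-screener", "purpose": "pre-qualify loan applicants",
     "model": {"provider": "anthropic", "name": "claude-3.5"}, "risk_class": "high",
     "inputs": ["application.income", "application.dob"], "source": "src/lending/screener.ts:118"}]}''')


def providers(aibom):
    """Model providers are the subprocessors the DPA must list."""
    return {s["model"]["provider"] for s in aibom["ai_systems"]}


def aibom_drift(previous, current):
    """Diff two exports into the findings a reviewer has to approve."""
    prev = {s["id"]: s for s in previous["ai_systems"]}
    findings = [{"kind": "new_subprocessor", "provider": p}
                for p in sorted(providers(current) - providers(previous))]
    for s in current["ai_systems"]:
        old = prev.get(s["id"])
        if old is None:
            findings.append({"kind": "new_ai_system", "id": s["id"],
                             "risk_class": s["risk_class"], "source": s["source"]})
            continue
        new_inputs = sorted(set(s["inputs"]) - set(old["inputs"]))
        if new_inputs:  # a field (possibly personal data) now reaches the model
            findings.append({"kind": "new_inputs", "id": s["id"], "inputs": new_inputs})
        if s["risk_class"] != old["risk_class"]:
            findings.append({"kind": "risk_class_changed", "id": s["id"],
                             "from": old["risk_class"], "to": s["risk_class"]})
    return findings


def blocks_merge(findings):
    """Hold the PR for sign-off: new subprocessor (customer notice due) or new high-risk system."""
    return any(f["kind"] == "new_subprocessor" or
               (f["kind"] == "new_ai_system" and f["risk_class"] == "high") for f in findings)
```

Running `aibom_drift(PREVIOUS, CURRENT)` on the constructed pair reports the new Anthropic subprocessor, the `user.email` input added to the summarizer, and the new high-risk credit screener, so `blocks_merge` holds the PR.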
```json
{
  "tenant": "acme",
  "generated_at": "2026-05-06T09:14:22Z",
  "ai_systems": [
    {
      "id": "summarizer",
      "purpose": "summarize customer notes",
      "model": { "provider": "openai", "name": "gpt-4o" },
      "inputs": ["customer.notes", "user.email"],
      "risk_class": "limited",
      "source": "src/agents/summarizer.ts:42"
    },
    {
      "id": "credit-screener",
      "purpose": "pre-qualify loan applicants",
      "model": { "provider": "anthropic", "name": "claude-3.5" },
      "inputs": ["application.income", "application.dob"],
      "risk_class": "high",
      "source": "src/lending/screener.ts:118"
    }
  ]
}
```

Compliance copilot
An assistant that answers from your code, your docs, and the frameworks that bind you.
Press Cmd/Ctrl+J from any dashboard page. Toggle expert mode for article-by-article reasoning across eleven privacy and AI frameworks. Every turn is grounded in a per-tenant retrieval pass, redacts PII before any LLM call, and lands in the same tamper-evident audit log as the rest of Attestly.
- PII redaction — emails, phones, SSNs, cards, tokens, keys, IPs — before the LLM ever sees a prompt
- BYO-LLM end-to-end: copilot, Trust Q&A, and document generation honor your endpoint
- Mutating actions require a click and respect role gating — you can't accidentally publish
- Per-tenant monthly budgets + per-user rate limits keep the bill bounded
Cited from your code and your docs
Every claim links back to a scan finding, a published doc section, or a specific framework article. No paraphrasing, no hallucinated citations.
Eleven frameworks in expert mode
GDPR, EU AI Act, SOC 2, CCPA/CPRA, HIPAA, ISO 27001, NIST AI RMF, US state privacy laws, DORA, NIS 2, EU DSA — article-level references, on demand.
Tools, not just talk
Resolve drift, request review, export the audit log — proposed by the assistant, confirmed by you, recorded in the audit chain.
Public Trust Center Q&A
Optional widget on /trust/<you> that answers prospects from your published docs only. The questions you get back are your fastest FAQ feedback loop.
Why not Vanta, Termly, SafeBase, or FOSSA?
Each solves a slice. None reads your code, and none ships all five documents under one roof.
| Capability | Attestly | Termly / iubenda | SafeBase / Conveyor | FOSSA |
|---|---|---|---|---|
| Code-aware updates | Yes | — | — | — |
| AI Act module | Yes | — | — | — |
| Privacy + DPA + OSS + SOC 2 | All five | Privacy only | SOC 2 only | Licenses only |
| Auto subprocessor notify | Yes | — | — | — |
| Hosted trust center | Yes | — | Manual fill | — |
| Cited compliance copilot + public Trust Q&A | Yes | — | Light Q&A | — |
| Pricing | From $99/mo | From $10/mo | Enterprise | Enterprise |
100+ built-in detectors
If your code uses it, Attestly finds it.
Plus custom detectors via .attestly/detectors.json
Frequently asked questions
Can't find what you're looking for? Reach out and we'll get back to you within a business day.