About
Compliance that reads your code, so it never lies about your product.
Attestly was started by engineers who'd spent too many quarters answering security questionnaires with documents written by lawyers who had never opened the repo. We think your privacy policy should be a build artifact, not a liability waiting to drift.
Why now
EU AI Act high-risk obligations apply August 2, 2026. CPRA, state-level US laws, GDPR re-audits, and SOC 2 keep stacking. Manual compliance does not scale with monthly product changes.
What we build
A scanner that turns your repository into structured findings, document generators that output typed compliance artifacts, and a public trust center that re-publishes on every merge.
What we won't do
We won't write fictional findings. We won't put free-form LLM prose into a legal document. We won't sell what we scan. The customer code never leaves an ephemeral worker.
Our principles
The four hard rules in our codebase. Engineers can quote them from memory.
1. Citations are not optional. Every fact published in a customer document points back to a file path and a line number.
2. Read-only against customer code. The scanner never writes to the customer repo. GitHub OAuth scopes are read-only.
3. Schema-locked output. Documents are generated through validated structured schemas, then rendered to deterministic Markdown.
4. If a fact is unknown, say so. Generators emit “Customer-defined” rather than guess at jurisdictions, retention periods, or legal entities.
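As an added illustration of rules 1, 3 and 4 together (this is example code written for this page, not Attestly's generator; the section name, field keys, `Citation`/`Fact` types and sample findings are all assumptions), here is a minimal schema-locked renderer: the set of fields is closed, a stated value is rejected unless it cites a path and line, an unknown value is emitted as "Customer-defined", and the Markdown output does not depend on the order the findings arrived in.

```python
"""Schema-locked document generation: every stated fact carries a citation,
unknowns are emitted as "Customer-defined", and rendering is deterministic."""
from dataclasses import dataclass
from typing import Optional, Sequence

CUSTOMER_DEFINED = "Customer-defined"

# Hypothetical schema for one section of a privacy document. The set of
# keys is closed, so a generator cannot smuggle free-form prose into it.
PRIVACY_SECTION_KEYS = (
    "data_categories",
    "jurisdiction",
    "legal_entity",
    "retention_period",
)


@dataclass(frozen=True)
class Citation:
    path: str   # repo-relative file path the fact was read from
    line: int   # 1-based line number


@dataclass(frozen=True)
class Fact:
    key: str
    value: Optional[str]            # None means "the scanner did not find it"
    citation: Optional[Citation]    # mandatory whenever value is not None


def validate(facts: Sequence[Fact]) -> None:
    """Raise ValueError unless every fact fits the schema and every stated
    value points back to a file path and a line number."""
    seen = set()
    for f in facts:
        if f.key not in PRIVACY_SECTION_KEYS:
            raise ValueError(f"unknown field {f.key!r}")
        if f.key in seen:
            raise ValueError(f"duplicate field {f.key!r}")
        seen.add(f.key)
        if f.value is not None:
            if f.citation is None:
                raise ValueError(f"{f.key!r} has a value but no citation")
            if not f.citation.path or f.citation.line < 1:
                raise ValueError(f"{f.key!r} has a malformed citation")
        elif f.citation is not None:
            raise ValueError(f"{f.key!r} cites evidence for an unknown value")


def render_markdown(facts: Sequence[Fact]) -> str:
    """Render the section as a Markdown table. Rows follow the fixed schema
    order, so the output depends only on the facts' content, never on the
    order they were supplied; absent or unknown keys become Customer-defined."""
    validate(facts)
    by_key = {f.key: f for f in facts}
    lines = ["| Field | Value | Source |", "|---|---|---|"]
    for key in PRIVACY_SECTION_KEYS:
        f = by_key.get(key)
        if f is None or f.value is None:
            lines.append(f"| {key} | {CUSTOMER_DEFINED} | (none) |")
        else:
            lines.append(
                f"| {key} | {f.value} | `{f.citation.path}:{f.citation.line}` |"
            )
    return "\n".join(lines) + "\n"


# Constructed sample findings, shaped the way a scanner might emit them.
SAMPLE_FACTS = (
    Fact("retention_period", "90 days", Citation("config/retention.yaml", 12)),
    Fact("data_categories", "email, ip_address", Citation("app/models/user.py", 4)),
    Fact("jurisdiction", None, None),   # unknown: never guessed
)


if __name__ == "__main__":
    print(render_markdown(SAMPLE_FACTS))
```

The check that matters for rule 1 is in `validate`: a finding with a value but no citation is a hard error, not a row with an empty source column, so a generator cannot publish an unsupported statement by accident. Rule 4 falls out of the schema itself: a key the scanner could not resolve is still a row, just one that says so.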