Attestly turns your codebase into a continuously-updated set of legal documents. These guides explain what gets detected, how documents are generated, and how to keep them honest under the EU AI Act and GDPR.
Connect a repo and ship your first trust center.
What Attestly does, who it's for, and why we built it the way we did.
Why we ask for your legal profile before scanning code.
From sign-up to a published trust center in five minutes.
What runs where: scanner, generators, hosted trust center.
How Attestly reads your code.
AST traversal, lockfile inspection, and the detector pipeline that turns code into findings.
What Attestly recognizes out of the box.
Every fact in your documents links back to a file:line at a specific commit.
Add detectors for internal services or vendor SDKs we don't ship with.
The five documents Attestly produces.
AIBOM + EU AI Act-aligned disclosures, oversight, evaluation, and incident-response.
GDPR + UK GDPR + CCPA + state-level US laws + sector overlays (HIPAA / COPPA / GLBA / FCRA).
Customer-signable DPA with full Article 28 obligations, Annex II TOMs, and live subprocessor list.
License inventory with tier classification, copyleft warnings, and reproducible output.
AICPA Trust Services control matrix, evidence index, and gap analysis (Growth and above).
Hosted, public-facing compliance pages.
Canonical /trust/{slug} on the app host; optional *.trust root when DNS is configured.
Bring your own (trust.yourcompany.com) on Growth and above.
Public JSON manifest of every AI model and subprocessor in your stack.
Logo, colors, and theme overrides for your hosted trust center.
EU AI Act, GDPR, and SOC 2 mappings.
How Attestly maps your code to Annex III risk classes.
Article 28 obligations, change notifications, and audit logs.
How Attestly artefacts line up with the AICPA Trust Services Criteria.
Generated control matrix, evidence index, and gap analysis grounded in your code.
Drift detection, approvals, and webhooks.
What to do when scans fail, drift is rejected, or findings are incorrect.
How findings roll up across repos, plan-based repo caps, and what happens when you downgrade.
Every PR is scanned. New AI vendor or new data field → blocking review.
Reviewers sign off on doc changes via email magic link.
Get notified of new versions, drift alerts, and subprocessor changes.
Append-only, tamper-evident record of every action in your tenant.
In-product assistant, framework expert mode, and the public Trust Center Q&A widget.
The in-product assistant: what it knows, how it cites, and how it stays grounded in your workspace.
Eleven compliance frameworks the copilot can cite article-by-article. What each module covers and when it triggers.
What the copilot can do, not just what it can say. Read-only lookups, mutating actions, and how confirmation works.
An optional public chatbot on /trust/<slug> that answers questions from your published documents — and tells you what prospects are asking.
PII redaction guarantees, monthly message budgets per plan, and how every assistant turn lands in the tamper-evident audit log.
BYO-LLM, white-label, and the public REST API.
Remove the 'Powered by Attestly' badge and ship the trust center fully under your brand.
Use your own API key (OpenAI or Gemini) for the copilot, Trust Q&A, and document generation.
When a drift alert is approved, open a pull request that re-renders the affected document into your repo.
Programmatic access to scans, findings, documents, and subprocessors via personal access tokens.
Issue and revoke personal access tokens; one-time secret reveal pattern.
Track new features and improvements to Attestly.
Learn more about our open-source packages.
Connect a repo, run a scan, publish a trust center. Free tier includes one project — no card required.