Attestly turns your codebase into a continuously updated set of legal documents. These guides explain what gets detected, how documents are generated, and how to keep them honest under the EU AI Act and GDPR.
Connect a repo and ship your first trust center.
How Attestly reads your code.
AST traversal, lockfile inspection, and the detector pipeline that turns code into findings.
What Attestly recognizes out of the box.
Every fact in your documents links back to a file:line at a specific commit.
Add detectors for internal services or vendor SDKs we don't ship with.
The five documents Attestly produces.
AIBOM + EU AI Act-aligned disclosures, oversight, evaluation, and incident response.
GDPR + UK GDPR + CCPA + state-level US laws + sector overlays (HIPAA / COPPA / GLBA / FCRA).
Customer-signable DPA with full Article 28 obligations, Annex II TOMs, and live subprocessor list.
License inventory with tier classification, copyleft warnings, and reproducible output.
AICPA Trust Services control matrix, evidence index, and gap analysis (Growth and above).
Hosted, public-facing compliance pages.
Canonical /trust/{slug} on the app host; optional *.trust root when DNS is configured.
Bring your own (trust.yourcompany.com) on Growth and above.
Public JSON manifest of every AI model and subprocessor in your stack.
Logo, colors, and theme overrides for your hosted trust center.
EU AI Act, GDPR, and SOC 2 mappings.
How Attestly maps your code to Annex III risk classes.
Article 28 obligations, change notifications, and audit logs.
How Attestly artefacts line up with the AICPA Trust Services Criteria.
Generated control matrix, evidence index, and gap analysis grounded in your code.
Drift detection, approvals, and webhooks.
Every PR is scanned. New AI vendor or new data field → blocking review.
Reviewers sign off on doc changes via email magic link.
Get notified of new versions, drift alerts, and subprocessor changes.
Append-only, tamper-evident record of every action in your tenant.
BYO-LLM, white-label, and the public REST API.
Remove the 'Powered by Attestly' badge and ship the trust center fully under your brand.
Use your own OpenAI-compatible API key for the assistant and document generation.
When a drift alert is approved, open a pull request that re-renders the affected document into your repo.
Programmatic access to scans, findings, documents, and subprocessors via personal access tokens.
Issue and revoke personal access tokens; one-time secret reveal pattern.
Connect a repo, run a scan, publish a trust center. Free tier includes one project — no card required.