Feature

Compliance Analysis

We analyze what's externally observable and compare it against what your trust page, privacy policy, and security page claim. The result is a gap analysis that supplements (but does not replace) formal compliance processes.

GDPR

  • Pre-consent tracking detection: what fires before any user interaction (using real Chromium, not just HTML parsing)
  • Cookie consent implementation: banner present, reject option available, which CMP is used
  • Privacy policy vs observed third-party services: are all data processors disclosed?
  • Data residency indicators: where is the server, does it match claims?
  • Sub-processor disclosure gaps

SOC 2

We map every security finding to the relevant Trust Services Criteria (CC1 through CC8). This turns a security report into a SOC 2 gap analysis.

  • CC6.1 (Logical Access): CORS policies, API access controls, session management
  • CC6.5 (Email Protection): SPF, DKIM, DMARC enforcement
  • CC6.7 (Encryption): TLS configuration, HSTS, certificate management
  • CC7.1 (Monitoring): security.txt, bug bounty program, error handling
  • CC8.1 (Change Management): source maps in production, debug mode, staging exposure

ISO 27001

Findings are mapped to the relevant Annex A controls, focusing on the ones that are externally verifiable.

  • A.8.4 (Source code access): source maps, exposed git repos
  • A.8.8 (Vulnerability management): known vulnerable JS libraries
  • A.8.20 (Network security): security headers, CORS, TLS
  • A.8.24 (Cryptography): cipher suites, certificate management
  • A.8.25 (Secure development): SRI, CSP, secure coding indicators

Claims vs reality

If your trust page says "SOC 2 Type II certified" but your DMARC policy is set to "none" and deprecated TLS versions are still enabled, we document that gap. We don't say you're non-compliant. We say there's a discrepancy between your stated posture and your observable posture.
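As an added example (not the product's own code), this is the kind of check that produces the DMARC discrepancy above and the CC6.5 mapping in the SOC 2 list: it parses a published DMARC record, works out whether p=, sp= and pct= add up to actual enforcement, and phrases a weak result as a CC6.5 gap. The domains and records are constructed.

```python
# Added example (not the product's code): DMARC enforcement -> SOC 2 CC6.5 gap.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcement(txt):
    """Policy a receiver would apply to failing mail: {valid, policy, sp, pct}.
    sp= defaults to p=; pct=0 or an unrecognised p= is treated as 'none' here."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "policy": "none", "sp": "none", "pct": 0}
    policy = tags.get("p", "none").lower()
    if policy not in VALID_POLICIES:
        policy = "none"
    sub = tags.get("sp", policy).lower()
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100
    if pct == 0:
        policy, sub = "none", "none"
    return {"valid": True, "policy": policy, "sp": sub, "pct": pct}

def cc6_5_finding(domain, txt):
    """Describe the CC6.5 gap in a record, or None when it fully enforces."""
    r = dmarc_enforcement(txt)
    if not r["valid"]:
        return f"{domain}: no valid DMARC record [CC6.5]"
    if r["policy"] == "none":
        return f"{domain}: DMARC policy is effectively none (monitor only) [CC6.5]"
    if r["pct"] < 100:
        return f"{domain}: DMARC enforced for only {r['pct']}% of mail [CC6.5]"
    if r["sp"] == "none":
        return f"{domain}: subdomains unprotected by sp=none [CC6.5]"
    return None

SAMPLES = {  # constructed records, not real domains
    "claims.test": "v=DMARC1; p=none; rua=mailto:dmarc@claims.test",
    "partial.test": "v=DMARC1; p=quarantine; pct=25",
    "strict.test": "v=DMARC1; p=reject; sp=reject",
}
for _dom, _rec in SAMPLES.items():
    print(cc6_5_finding(_dom, _rec) or f"{_dom}: DMARC enforcing")
```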

What this is not

This is not a compliance audit. It does not replace a SOC 2 examination by a CPA firm, an ISO 27001 certification audit, or legal advice on GDPR. It is a continuous external check that identifies gaps your auditor will also find, before they do.