Code Compliance

Compliance for your codebase

Connect your GitHub or GitLab. We scan against the regulations you operate under — GDPR, DORA, MiCA, PSD2, AML/CFT — and surface gaps with the rulebook citation, not just the line number. Your code never leaves the ephemeral analysis sandbox.

Security model

Your code never leaves the sandbox.

We lead with the security model because for any serious team it IS the product. Four operational guarantees, enforced at the infrastructure layer — not a marketing claim.

Zero-access architecture

ComplyBridge staff never read your scanned source. The analysis sandbox runs scoped to a single repo at a time; results are persisted, the source isn't.

Ephemeral analysis sandbox

Code lands in an isolated sandbox per scan, gets analysed in-memory, and is destroyed at completion. Repeat scans pull fresh — nothing is kept warm.

Read-only OAuth scopes

We request the minimum read scopes that let the scanner work. No write permissions, no commit access, no PR-creation rights without an explicit opt-in.

Per-tenant encryption keys

Keys never leave your tenant. SOC 2, ISO 27001, and per-jurisdiction data-residency available for design-partner deployments.

What we actually check for.

Frameworks the regulated-finance buyer already operates under, mapped to the patterns we can detect in source. Findings carry the rulebook citation — not a generic CWE — so the engineer reading the report knows exactly what obligation is at stake.

GDPR

Personal-data flow tracing, DSAR handlers, retention-policy presence, hardcoded PII in logs, lawful-basis annotations on processing surfaces.

DORA

Incident-logging hooks, change-management evidence on production-impacting paths, deployment audit trail, ICT third-party call inventory.

MiCA / EMD2

Custody segregation patterns, omnibus-account logic, redemption-rights surfaces, fee disclosure rendering, white-paper-stated-claim consistency.

PSD2 / PSD3

Strong customer authentication implementation, SCA fallback paths, payment-data scope discipline, PSP outsourcing boundary checks.

AML / Sanctions

Transaction-monitoring hooks, sanctions-list call points, KYC trigger placement, travel-rule data completeness on transfer endpoints.

Cross-cutting

Secrets in source, dependency CVEs with regulatory implication, encryption-at-rest correctness, third-party data egress surfaces.

Findings come with confidence tiers

Trust survives when the scanner is occasionally wrong.

Compliance is rarely binary. Every finding is tagged by how confident the scanner is — so a CTO can triage in seconds and a compliance officer knows which findings need legal review.

Deterministic

Hard checks the scanner is certain about.

  • No personal data written to application logs.
  • Sanctions-list lookup present on transfer endpoints.
  • SCA primitive called on payment-initiation surfaces.

Heuristic

Likely gaps worth review.

  • Custody endpoint may need omnibus-segregation marker.
  • Processing surface that could require a DPIA.
  • Outsourcing call without clear contract reference.

Human review

Looks regulatory-adjacent — your call.

  • This appears to be a financial calculation — confirm treasury is the source of truth.
  • Logic that may need legal-team sign-off on framing.
  • Pattern that resembles a regulated activity not yet in your licence scope.
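To make the tiers concrete, here is an added illustration (not ComplyBridge's scanner or any code from this page) of how a deterministic check and a heuristic check differ in what they can assert. It parses Python source with the standard `ast` module and emits findings that carry a tier, a line number and a citation, in the shape the report above describes. The PII field names, the `@lawful_basis` decorator convention, the sample source and the citation strings are all assumptions constructed for this example; a real mapping to rulebook articles would come from the regulation, not from this list.

```python
import ast
from dataclasses import dataclass

# Constructed list of identifier names treated as personal data for this example.
PII_NAMES = {"email", "iban", "passport", "phone", "ssn", "date_of_birth"}
# Method names on a logger object that count as writing to application logs.
LOG_FUNCS = {"debug", "info", "warning", "error", "critical", "exception"}
# Hypothetical annotation a team might use to mark the lawful basis of a processing surface.
LAWFUL_BASIS_DECORATOR = "lawful_basis"


@dataclass
class Finding:
    tier: str        # "deterministic" or "heuristic" (human-review is omitted here)
    citation: str    # rulebook reference; illustrative text in this example
    line: int
    message: str


def _names_in(node):
    """Yield every identifier, attribute name and keyword-argument name under a node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name):
            yield sub.id
        elif isinstance(sub, ast.Attribute):
            yield sub.attr
        elif isinstance(sub, ast.keyword) and sub.arg:
            yield sub.arg


def _is_log_call(call):
    """True for calls shaped like logger.info(...), log.error(...), etc."""
    return isinstance(call.func, ast.Attribute) and call.func.attr in LOG_FUNCS


def _decorator_name(dec):
    """Name of a decorator, whether written as @name or @name(args)."""
    if isinstance(dec, ast.Call):
        dec = dec.func
    return getattr(dec, "id", None) or getattr(dec, "attr", None)


def scan_source(src):
    """Return findings sorted by line: deterministic PII-in-log hits and heuristic DPIA candidates."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        # Deterministic: a PII-named value is passed straight into a logging call.
        if isinstance(node, ast.Call) and _is_log_call(node):
            leaked = PII_NAMES & set(_names_in(node))
            if leaked:
                findings.append(Finding(
                    "deterministic",
                    "GDPR Art. 5(1)(c) data minimisation (illustrative citation)",
                    node.lineno,
                    f"personal data {sorted(leaked)} written to application log",
                ))
        # Heuristic: a function takes PII parameters but carries no lawful-basis annotation.
        elif isinstance(node, ast.FunctionDef):
            pii_params = PII_NAMES & {a.arg for a in node.args.args}
            annotated = any(_decorator_name(d) == LAWFUL_BASIS_DECORATOR for d in node.decorator_list)
            if pii_params and not annotated:
                findings.append(Finding(
                    "heuristic",
                    "GDPR Art. 6 / Art. 35 DPIA trigger (illustrative citation)",
                    node.lineno,
                    f"processing surface '{node.name}' handles {sorted(pii_params)} with no lawful-basis annotation",
                ))
    return sorted(findings, key=lambda f: f.line)


def triage(findings):
    """Count findings per tier so a reader can see at a glance what needs legal review."""
    counts = {"deterministic": 0, "heuristic": 0}
    for f in findings:
        counts[f.tier] = counts.get(f.tier, 0) + 1
    return counts


# Constructed sample source: parsed, never executed.
SAMPLE = '''
import logging
log = logging.getLogger(__name__)

@lawful_basis("contract")
def open_account(email, iban):
    log.info("opening account for %s", email)
    return create(email, iban)

def export_statement(customer_id, date_of_birth):
    log.debug("export requested by %s", customer_id)
    return render(customer_id)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"[{f.tier}] line {f.line}: {f.message}  ({f.citation})")
    print(triage(scan_source(SAMPLE)))
```

On the sample, the `log.info` call in `open_account` is a deterministic hit because the identifier `email` flows into the log statement, while `export_statement` is only a heuristic candidate: it receives `date_of_birth` without an annotation, which may or may not require a DPIA once someone looks at what it actually does. A scanner that kept both at the same tier would force the reader to re-triage every finding by hand.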

From connect to cited findings in one cycle.

Same loop on every connect — repeatable, audit-trailed, and scoped tightly enough that the engineer and the compliance officer read the same report.

01

Connect

OAuth into your GitHub or GitLab. Read-only scopes only. We list the repos we have access to — you scope the scan further from there.

02

Scan

Source clones into an ephemeral sandbox. Pattern matching + LLM-grounded reasoning against the rulebook. Sandbox destroyed at completion.

03

Review

Findings ranked by confidence tier, cited to the regulation, linked to the file and line. Same report a compliance officer and a senior engineer can read.

04

Remediate

Suggested fixes — pattern-level for deterministic findings, framework-level for heuristic ones. Re-scan to verify. Audit trail on every cycle.

Code Compliance — common questions.

  • No. The analysis sandbox runs scoped to a single repo per scan; results are persisted, the source itself isn't. Engineering staff have read access to the scan logs (for product debugging) but not to the cloned source. Per-tenant encryption keys mean even infrastructure breach scenarios don't expose your code in plaintext.

  • Those tools check generic security and code-quality patterns — CWEs, OWASP categories, lint rules. Code Compliance checks against named regulatory obligations: 'this transfer endpoint is missing a TFR-aligned originator/beneficiary field' is a different finding from 'CWE-200 information exposure'. Each finding carries the rulebook citation, so an engineer doesn't need to translate from CWE-speak to compliance-speak.

  • Both. GitHub Cloud and Enterprise Server, GitLab SaaS and self-hosted via API integration. Bitbucket is on the roadmap.

  • Optimised for codebases up to ~1M LOC, single language or polyglot. Larger codebases get a custom-sizing conversation so we can right-size the sandbox infrastructure for your scan profile. Mono-repos are supported — you'll likely want to scope scans per service.

  • Three things, in order of how technically strict they are: (1) scanner runs in an ephemeral sandbox destroyed at scan completion — no persisted source; (2) ComplyBridge staff don't have read access to scanned source (separation enforced at the IAM layer); (3) per-tenant encryption keys mean the source is encrypted with keys our infrastructure can't unilaterally use. We don't make literal zero-knowledge cryptographic claims (no SNARKs / no formal ZK proofs) — 'zero-access' refers to the operational guarantee.

  • Per repo + per scan-month + per remediation-cycle, with a base platform fee. Volume discounts kick in at the team-plan tier. Full pricing in the demo — we keep it off the page because the right structure depends on your scan cadence and codebase shape.

Ready to Transform Your Compliance?

Measure the Impact from Day One

Talk to Sales