We scan SaaS codebases against 10 custom Semgrep rules across 6 GDPR articles. Each article below maps to the specific code-level checks we run.
The foundational principles — data minimization, purpose limitation, accuracy, and integrity — that govern all lawful personal-data processing.
Requires a valid lawful basis (consent, contract, legitimate interest, etc.) before any personal data is processed.
Defines what constitutes valid consent — freely given, specific, informed, unambiguous — and that pre-ticked boxes do not count.
Data subjects can request deletion of their personal data. A SaaS without a working deletion path is a compliance defect.
When a SaaS shares user data with third-party processors (analytics, email, payments), a written Data Processing Agreement is required.
Mandates appropriate technical and organizational measures — encryption, access control, secrets management — proportional to risk.
See all 10 rules evaluated against your actual code in 3 minutes.
Try the demo scan