ComplicerAUDIT GRADE
MethodologyUse casesEU AI ActPricingBlogDocsSign inSTART FREE AUDIT
AUDIT-GRADE EU COMPLIANCE

Compliance you can prove.
To a regulator.

Complicer audits your site the way an enforcement team would: it clicks Reject and Accept on your real banner, proves what happened with observable signals, scores 70 rules across five dimensions, and seals the evidence — SHA-256 hashed, Ed25519 signed, optional RFC 3161 timestamping.

NO CREDIT CARD·70 RULES / 5 MIN·EU-SEALED EVIDENCE
AUDIT RECORD — AUTO-DEMOEU-W1
01
Load page—
runner=eu-w1 · playwright
02
Locate consent banner—
cmp detected · candidates scored
03
Click Reject — watch for signals—
first-level reject_all
04
Click Accept — watch for signals—
accept_all · both paths required
05
Score 70 rules—
complytest engine · 5 dimensions
06
Seal evidence—
sha256 → ed25519 → rfc3161 tsa
VERDICT
VERIFIED
sha256:9af3…2c41
demo · sample data
ONE PLATFORMConsentCookiesSecurityAccessibilityRisk+ EU AI Act
03 — SEE THE DIFFERENCE

Other tools check that a banner exists. We check that "No" means no.

The same shop, audited twice. Watch what each tool actually does — and what ends up in the report.

https://example-shop.eu
We use cookies to improve your experience.Reject allAccept all
TRACKERS ON THIS PAGEanalytics.js · firingad-pixel · firingsession-rec · firing
STEP 1
Finds the banner — and identifies its real Reject button.
STEP 2
Presses Reject, exactly like a visitor would.
STEP 3
Watches every tracker. Two stop. Analytics keeps tracking.
FINDING · CRITICAL
Analytics continues after Reject — recorded with screenshots and sealed as evidence.
COMPLICER’S REPORT
Non-compliant — with proof.
Fix the tracker, re-run, and pass for real.
HOW WE PROVE IT →
REJECT + ACCEPT — BOTH CLICKED, BOTH CONFIRMED◆SHA-256 CONTENT HASH◆ED25519 SIGNATURE◆RFC 3161 TRUSTED TIMESTAMP◆70-RULE COMPLYTEST ENGINE◆GDPR · ePRIVACY · DSA · EU AI ACT◆7-YEAR EU-REGION RETENTION◆REJECT + ACCEPT — BOTH CLICKED, BOTH CONFIRMED◆SHA-256 CONTENT HASH◆ED25519 SIGNATURE◆RFC 3161 TRUSTED TIMESTAMP◆70-RULE COMPLYTEST ENGINE◆GDPR · ePRIVACY · DSA · EU AI ACT◆7-YEAR EU-REGION RETENTION◆
01 — THE FLAGSHIP TEST

"Banner exists" is a screenshot. "Banner works" is evidence.

WHAT MOST TOOLS CHECK
The banner exists.
—A banner element is present in the DOM
—A cookie policy page is linked
—A screenshot is stored
—Nothing was clicked. Nothing was proven.
Analytics may still fire after Reject. You wouldn't know.
WHAT COMPLICER VERIFIES
The banner works.
✓Reject clicked on your real, live banner
✓Accept clicked — both paths, every audit
✓Each click confirmed by an observable signal
✓Evidence hashed, signed, and timestamped
If we can't prove it, we say "cannot verify" — and name the reason.
02 — THE FOUR SIGNALS

Proof is observable, or it isn't proof.

READ THE FULL METHODOLOGY →
1
Banner disappeared

After the click, the banner is gone. The site acted on the choice instead of re-prompting.

banner_disappeared
2
Consent storage changed

A consent cookie or local-storage key was written, removed, or flipped — the choice was recorded.

consent_storage_changed
3
tcString delta

The IAB TCF consent string via __tcfapi changed — the CMP itself confirms the new state.

cmp_api_changed
4
Success message

A known confirmation appeared — "Your preferences have been saved" — in a language we recognise.

success_message
THE RULE

Verification is granted only when Reject and Accept were both clicked and each is confirmed by at least one signal. Silence is not consent. The rule is enforced in code — the same evidence always produces the same verdict.

04 — YOUR COMPLIANCE POSTURE

One grade. Five dimensions. Zero hand-waving.

Security, consent, cookies, risk and accessibility roll into a single weighted grade — with every finding traceable back to the rule, the click, and the sealed artefact behind it.

COMPLIANCE POSTURE — LIVE · ATTESTEDCHAIN 0x9af3…2c41
87.4 / 100
Grade A−▲ 3.2 · 30d
Reject + Accept verified · 4/4 signals
61%Verified22%In review11%High risk6%Critical
RULES
70
ComplyTest engine
REGULATIONS
12
GDPR · ePrivacy · DSA
EVIDENCE ITEMS
1,284
Ed25519 sealed
DPAs TRACKED
18
2 expiring in 30 days
Illustrative dashboard with sample data.
EVIDENCE PACK — AUDIT #1284PDF · 12 PAGES
COMPLIANCE AUDIT REPORT
example-shop.eu
2026-07-10 · runner eu-w1 · complytest 1.1.0
Executive summary
one page, board-ready
p. 2
Consent verification
Reject ✓ · Accept ✓ · confirmed by 4/4 signals
p. 3
Findings
1 critical · 2 high · 4 low — each with sealed evidence
p. 5
CONSENT88
SECURITY92
RISK78
COOKIES81
ACCESSIBILITY85
WEIGHTED GRADE
A−87.4 / 100
sha256:9af3…2c41ed25519 ✓ · rfc3161 ✓ · retained to 2033
Illustrative report with sample data.
THE DELIVERABLE

Every audit ends as a document you can defend.

One click exports the full audit — findings, screenshots, the signal log and the five-dimension grade — as a PDF that is hashed, signed and timestamped the moment it is generated. When a regulator, client or board asks you to prove it, you attach the file instead of scheduling a meeting.

✓Board one-pager or the full technical annex
✓SHA-256 + Ed25519 + RFC 3161 — verifiable offline, by anyone
✓Retained 7 years, in EU region — nobody can edit it, including us
GET YOUR FIRST REPORT →
05 — INDUSTRY REALITY CHECK

Compliance tools don't pass their own compliance checks.

We ran ComplyTest's 70-rule audit against four leading compliance platforms. Tested May 2026, against publicly accessible features.

Cookiebot
Consent management leader
B
75/100
“CSP uses unsafe-inline and unsafe-eval”
Deque
Accessibility tooling leader
C+
62/100
“Analytics continue after Reject”
OneTrust
Enterprise privacy platform
C+
60/100
“Still on Consent Mode v1”
Monsido
Web governance platform
C+
60/100
“No Reject button at all”
READ THE FULL ANALYSIS →Try it yourself — scan any website free, no signup.
06 — THE MISSING MIDDLE

Cookie consent is not compliance. Full GRC is overkill.

Most companies are stuck between tools that do too little and platforms that cost too much.

TOO LITTLE
Cookie banners
from €8/mo
— Consent popup only
— No audit capability
— No risk assessment
— No evidence for regulators
JUST RIGHT
Complicer
€99–799/mo
✓Automated website audits
✓AI cookie classification + deterministic guardrails
✓Risk scoring & sealed evidence chain
✓EU AI Act assessment
✓PDF reports ready for regulators
SEE PRICING →
TOO MUCH
Enterprise GRC
€10k+/yr
— 6-month implementation
— Requires a dedicated team
— Full GRC platform weight
— Overkill for most companies
07 — REGULATION (EU) 2024/1689

The EU AI Act, made answerable.

An interactive guide for non-lawyers: risk tiers, provider vs. deployer roles, the eight prohibitions, the Article 6 classification engine, the staged timeline, and every national supervisor — plus a structured assessment in your audit workspace.

OPEN THE GUIDE →RUN AN ASSESSMENT
Unacceptable — prohibited
Eight banned practices, live since Feb 2025
€35M / 7%
High-risk
Annex I & III — the full obligation set
Art. 6–29
GPAI models
Tiered duties · systemic risk ≥ 10²⁵ FLOP
Art. 51–55
Limited / minimal — transparency
Tell people it's AI; label synthetic content
Art. 50
01
Add your URL

No code changes, no SDK, no tag-manager setup. The scan starts immediately.

02
We click and verify

A Playwright EU-region runner visits every page, clicks Reject and Accept, and verifies behaviour with four independent signals.

03
Sealed evidence + grade

A 5-dimension grade, prioritised findings, and Ed25519-signed PDF evidence ready for regulators.

Run an audit in 90 seconds. See what your banner actually does.

No credit card. EU-region runner. Evidence sealed under EU jurisdiction.
Free plan: 1 website · 5 audits/month · basic evidence reports.

START FREE AUDIT →
ComplicerAUDIT GRADE

Outcome-driven GDPR compliance — banners that actually work, evidence you can show your auditor.

GDPR-ALIGNED · SHA-256 · Ed25519 · EU-W1
PRODUCT
Free scanMethodologyUse casesEU AI ActPricingDocsBlog
COMPANY
SecurityContact
LEGAL
PrivacyTermsComplaint
EVIDENCE CHAIN INTACT · SHA-256 · Ed25519 · RFC 3161 TSA© 2026 COMPLICER