Secureless analyses what is externally observable and compares it against what your trust page, privacy policy, and security page claim. The result is a gap analysis that shows where claims and reality do not match.
You claim SOC 2 Type II on your trust page. Your DMARC policy is set to "none." You claim GDPR compliance. Google Analytics fires 1.2 seconds before your cookie consent banner renders. You claim ISO 27001. Your source maps expose 847 application files.
These are not hypotheticals. These are real findings from production scans. The compliance analysis catches the gap between what you say and what is observable.
Every tracking script that fires before your consent banner loads is recorded with timestamps. The scan captures the exact load order, showing which services set cookies and send data before any user interaction.
3 services load before consent:
0.4s google-analytics.com/ga.js
0.6s static.hotjar.com/c/hotjar.js
2.3s cookie consent banner renders
Your privacy policy lists certain data processors. Your site loads others. If a third-party service is running on your pages but not disclosed in your privacy policy, the scan flags the gap.
Privacy policy lists: Google Analytics, Stripe, Intercom
Observed but not disclosed: HotJar, Segment, Sentry
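The two checks described above, consent-order timing and processor disclosure, as an added example that is not Secureless's own code. It assumes a captured list of third-party requests with their load times relative to navigation start, the time at which the consent banner rendered, and a small hand-built host-to-vendor catalogue; the sample requests are constructed to mirror the findings shown on this page.

```python
from urllib.parse import urlparse

# Constructed sample capture: (seconds after navigation start, request URL).
OBSERVED_REQUESTS = [
    (0.4, "https://www.google-analytics.com/ga.js"),
    (0.6, "https://static.hotjar.com/c/hotjar.js"),
    (0.9, "https://cdn.segment.com/analytics.js/v1/x/analytics.min.js"),
    (2.5, "https://js.stripe.com/v3/"),
    (3.1, "https://browser.sentry-cdn.com/7.0.0/bundle.min.js"),
]
CONSENT_BANNER_RENDERED_AT = 2.3          # constructed: seconds after navigation start
DISCLOSED_PROCESSORS = {"Google Analytics", "Stripe", "Intercom"}

# Assumption: a minimal catalogue mapping registrable host suffixes to vendor names.
VENDOR_BY_HOST = {
    "google-analytics.com": "Google Analytics",
    "hotjar.com": "HotJar",
    "segment.com": "Segment",
    "stripe.com": "Stripe",
    "sentry-cdn.com": "Sentry",
    "intercom.io": "Intercom",
}


def vendor_for(url: str) -> str:
    """Resolve a request URL to a vendor name; unknown hosts are reported as-is."""
    host = (urlparse(url).hostname or "").lower()
    for suffix, vendor in VENDOR_BY_HOST.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return host


def loads_before_consent(requests, banner_at):
    """Third-party loads that fired before the consent banner rendered, in load order."""
    early = [(t, vendor_for(u), u) for t, u in requests if t < banner_at]
    return sorted(early, key=lambda r: r[0])


def undisclosed_processors(requests, disclosed):
    """Vendors observed on the page that the privacy policy does not list."""
    observed = {vendor_for(u) for _, u in requests}
    return sorted(observed - disclosed)


if __name__ == "__main__":
    early = loads_before_consent(OBSERVED_REQUESTS, CONSENT_BANNER_RENDERED_AT)
    print(f"{len(early)} services load before consent:")
    for t, vendor, url in early:
        print(f"  {t:.1f}s {vendor} ({url})")
    print("Observed but not disclosed:", ", ".join(undisclosed_processors(OBSERVED_REQUESTS, DISCLOSED_PROCESSORS)))
```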
Banner present? Reject option available? Does the banner actually block tracking, or does it just look like it does? Which CMP is used (Cookiebot, OneTrust, Osano, etc.)? TCF compliance?
Every security finding is mapped to the relevant Trust Services Criteria. This turns a security report into a SOC 2 gap analysis your auditor can use.
Logical Access: CORS policies, API access controls, session management
Email Protection: SPF, DKIM, DMARC enforcement
Encryption: TLS configuration, HSTS, certificate management
Monitoring: security.txt, bug bounty program, error handling
Change Management: source maps in production, debug mode, staging exposure
Findings mapped to Annex A controls, focusing on what is externally verifiable.
Source code access: source maps, exposed git repos, package manifests
Vulnerability management: known vulnerable JS libraries detected in production
Network security: security headers, CORS, TLS configuration
Cryptography: cipher suites, certificate management, HSTS
Secure development: SRI on external scripts, CSP, secure coding indicators
If your trust page says "SOC 2 Type II certified" but your DMARC policy is set to "none" and deprecated TLS versions are still enabled, Secureless documents that gap. It does not say you are non-compliant. It documents the discrepancy between your stated posture and your observable posture.
Compliance discrepancy detected
Claim: SOC 2 Type II (trust page, last updated Jan 2026)
Observable:
DMARC policy: none (CC6.5 gap)
Source maps accessible (CC8.1 gap)
TLS 1.0 still enabled (CC6.7 gap)
3 Trust Services Criteria gaps between claimed compliance and observable posture.
Secureless does not replace a SOC 2 examination by a CPA firm, an ISO 27001 certification audit, or legal guidance on GDPR. It is a continuous external check that identifies gaps your auditor will also find, before they do. Think of it as preparation, not certification.
The free scan detects compliance claims. The full assessment checks them against evidence.