
How Vakteye's Compliance Scanner Works

Vakteye Team · Mar 3, 2026 · 5 min read

Vakteye checks cookies, consent, security, DNS, and data transfers automatically. Each finding comes with technical evidence. A human reviewer checks the results before anything reaches your report.

What we check

A full scan covers the same ground a data protection authority would during an audit.

  • Cookie inventory and classification, checked against 400,000+ known tracker domains
  • Consent banner testing: does your reject button actually stop cookies?
  • Privacy policy analysis: does your site do what your policy promises?
  • Security headers (HSTS, CSP, X-Frame-Options, and others)
  • TLS/SSL configuration, certificate validity, and cipher strength
  • Cross-border data transfers: which third parties receive data, and where are their servers?
  • DNS security: DNSSEC, SPF, DKIM, DMARC
  • CNAME cloaking: trackers disguised as first-party domains
  • Vulnerability scanning: CVEs, misconfigurations, exposed endpoints
  • Accessibility: WCAG 2.1 AA automated testing

Each check runs independently. If one fails, the others still complete. Results are consolidated before your report is generated.

Multi-layered consent testing

Consent is where most websites fail, so we test it thoroughly.

Vakteye supports thousands of consent management platforms, from major providers like Cookiebot and OneTrust to custom-built solutions. No matter how your consent banner is implemented, we find it and test it.

The key question is not whether a reject button exists, but whether it actually works. Vakteye clicks reject, then checks whether tracking cookies actually stop. Many sites have a reject button that does nothing. We catch that.

A reject button that doesn't stop tracking is worse than no button at all, because visitors believe they have opted out when they have not. We verify the behavior after rejection, not just that the button is clickable.

Contradiction detection

Most cookie scanners stop at inventory. Vakteye also reads your privacy policy, extracts each claim, and compares it against what your site actually does.

Example: Your privacy policy says "We do not use third-party tracking cookies." The scan finds Google Analytics, Meta Pixel, and LinkedIn Insight Tag, all setting cookies before consent. Three contradictions, each a potential Article 5(1)(a) transparency violation.

This runs after all automated checks finish. Vakteye extracts claims from your policy, then each claim is checked against the technical evidence. The output is a straightforward list: what you say vs. what you do.
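As an added illustration of the two checks described above (the behavioral reject test and the policy-versus-evidence comparison), here is a small Python example. It is not Vakteye's code. The cookie snapshots, the three-entry tracker list, the first-party cookie names, the `example.com` site, the `ESSENTIAL` set and the two policy claims are all constructed for the example; a real scan would record the cookie jars from a browser and extract the claims from the actual policy text.

```python
"""Reject-button check and policy contradiction check (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

SITE = "example.com"  # constructed: the scanned site's own domain

# Constructed three-entry stand-in for a tracker database (the real one is far larger).
TRACKER_DOMAINS = {
    "google-analytics.com": "Google Analytics",
    "facebook.com": "Meta Pixel",
    "linkedin.com": "LinkedIn Insight Tag",
}
# Tag scripts often set first-party cookies on the site's own domain, so a
# domain match alone would miss them; match well-known names too (constructed list).
TRACKER_COOKIE_NAMES = {"_ga": "Google Analytics", "_fbp": "Meta Pixel"}

ESSENTIAL = {"session_id"}  # constructed: strictly necessary, allowed before consent


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str  # as recorded from the browser; may carry a leading dot


def tracker_for(cookie: Cookie) -> str | None:
    """Name the tracker a cookie belongs to, or None.

    Checks the cookie's domain and every parent domain against TRACKER_DOMAINS,
    then falls back to the cookie name.
    """
    labels = cookie.domain.lstrip(".").split(".")
    for i in range(len(labels) - 1):
        hit = TRACKER_DOMAINS.get(".".join(labels[i:]))
        if hit:
            return hit
    return TRACKER_COOKIE_NAMES.get(cookie.name)


def reject_button_check(pre_consent: set[Cookie], after_reject: set[Cookie]) -> dict:
    """Behavioral test: compare the cookie jar before any interaction with the
    jar after the reject button was clicked.

    'persisted'        tracker cookies set before consent that survived the click
    'set_after_reject' tracker cookies that appeared only after rejection
    Either list being non-empty means the reject button does not work.
    """
    persisted = sorted(c.name for c in after_reject & pre_consent if tracker_for(c))
    new = sorted(c.name for c in after_reject - pre_consent if tracker_for(c))
    return {"effective": not (persisted or new),
            "persisted": persisted, "set_after_reject": new}


# A policy claim: the sentence extracted from the policy, plus a predicate that
# returns the cookies contradicting it.
Claim = tuple[str, Callable[[set[Cookie]], list[Cookie]]]

CLAIMS: list[Claim] = [
    ("We do not use third-party tracking cookies.",
     lambda cookies: [c for c in cookies if tracker_for(c)]),
    ("No non-essential cookies are set before you give consent.",
     lambda cookies: [c for c in cookies if c.name not in ESSENTIAL]),
]


def contradictions(claims: list[Claim], pre_consent: set[Cookie]) -> list[dict]:
    """'What you say vs. what you do': one entry per claim/cookie pair, built
    from the cookies observed before any consent interaction."""
    out = []
    for text, predicate in claims:
        for c in sorted(predicate(pre_consent), key=lambda k: k.name):
            out.append({"claim": text,
                        "cookie": f"{c.name}@{c.domain.lstrip('.')}",
                        "tracker": tracker_for(c)})
    return out


# Constructed cookie snapshots from a hypothetical scan of example.com.
PRE_CONSENT = {
    Cookie("session_id", "example.com"),
    Cookie("_ga", "example.com"),
    Cookie("_fbp", "example.com"),
    Cookie("bcookie", ".linkedin.com"),
}
AFTER_REJECT = {
    Cookie("session_id", "example.com"),
    Cookie("_ga", "example.com"),                 # survived the reject click
    Cookie("bcookie", ".linkedin.com"),           # survived the reject click
    Cookie("UserMatchHistory", ".linkedin.com"),  # set only after rejection
}

if __name__ == "__main__":
    print(reject_button_check(PRE_CONSENT, AFTER_REJECT))
    for entry in contradictions(CLAIMS, PRE_CONSENT):
        print(entry)
```

Two design points matter here. The reject check is behavioral: it compares what is in the browser before and after the click, which is what separates a working button from a decorative one. And `tracker_for` matches on cookie name as well as domain, because analytics and pixel scripts typically set their cookies on the site's own domain, where a third-party-domain check alone would never see them.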

The confidence system

A scanner that flags everything at the same severity wastes your time. Vakteye assigns confidence based on how a finding was validated, not on how suspicious it looks.

  • CERTAIN: behavioral proof exists (cookie persists after reject, SQL injection time delay confirmed)
  • FIRM: multiple corroborating signals (DNS record + known tracker domain)
  • TENTATIVE: single pattern match (cookie name matches tracker database)
  • UNVERIFIED: detected but could not reproduce

A cookie that respawns after deletion is CERTAIN. A cookie name that matches a tracker database but shows no tracking behavior is TENTATIVE. The distinction matters when you're deciding what to fix first, and when you need to defend your compliance posture.

Human review

Before a finding reaches your report, a compliance analyst reviews the technical evidence, applies the relevant legal framework, and decides: genuine violation or false positive?

Reviewers regularly downgrade or dismiss findings. A cookie flagged as a tracker might be essential for login. A missing security header might be compensated by other controls. The scanner catches the signals; humans interpret them.

Continuous improvement

Every review decision improves future accuracy. When a reviewer marks a finding as a false positive, that correction is remembered. Next time a similar pattern appears, the system adjusts confidence automatically.

After thousands of reviews, the false positive rate drops measurably. Real violations get flagged with higher confidence because the system has seen similar patterns before.

  • Reviewer marks finding as false positive, stored as a correction
  • Next scan hits same pattern, confidence lowered automatically
  • Two or more confirmations required before auto-adjustment kicks in
  • Corrections apply globally, so one review improves results for all customers
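An added example of how the confidence levels and the correction loop described above could fit together in code; it is not Vakteye's implementation. The `Finding` shape, the pattern keys, the sample findings, the `triage` helper and the rule that reviewer confirmations raise a finding at most to FIRM (so CERTAIN keeps meaning behavioral proof) are assumptions made for this example.

```python
"""Confidence levels and the reviewer-correction loop (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from enum import IntEnum


class Confidence(IntEnum):
    UNVERIFIED = 0  # detected, but the scanner could not reproduce it
    TENTATIVE = 1   # a single pattern match
    FIRM = 2        # two or more independent corroborating signals
    CERTAIN = 3     # behavioral proof the scanner reproduced itself


@dataclass
class Finding:
    # Stable key for "this kind of finding", e.g. check + cookie name. Reviewer
    # corrections are remembered per pattern, not per site (assumed shape).
    pattern: str
    behavioral: bool = False  # reproduced behavior (cookie respawned, reject ignored)
    signals: list[str] = field(default_factory=list)  # corroborating indicators


def base_confidence(f: Finding) -> Confidence:
    """Rate by how the finding was validated, not by how suspicious it looks."""
    if f.behavioral:
        return Confidence.CERTAIN
    if len(f.signals) >= 2:
        return Confidence.FIRM
    if len(f.signals) == 1:
        return Confidence.TENTATIVE
    return Confidence.UNVERIFIED


class CorrectionStore:
    """Remembers reviewer verdicts per pattern. One store serves every scan,
    so a single review improves results globally, but a level only moves once
    THRESHOLD reviewers have agreed on the same pattern."""

    THRESHOLD = 2

    def __init__(self) -> None:
        self.false_positives: Counter[str] = Counter()
        self.confirmed: Counter[str] = Counter()

    def record(self, pattern: str, verdict: str) -> None:
        """verdict is 'false_positive' or 'genuine' (the reviewer's decision)."""
        if verdict == "false_positive":
            self.false_positives[pattern] += 1
        elif verdict == "genuine":
            self.confirmed[pattern] += 1
        else:
            raise ValueError(f"unknown verdict {verdict!r}")

    def adjusted_confidence(self, f: Finding) -> Confidence:
        """Base confidence, moved one level by the stored corrections.
        Assumption for this example: confirmations raise a finding at most to
        FIRM, so CERTAIN stays reserved for behavioral proof."""
        conf = base_confidence(f)
        fp, ok = self.false_positives[f.pattern], self.confirmed[f.pattern]
        if fp >= self.THRESHOLD and fp > ok:
            return Confidence(max(conf - 1, Confidence.UNVERIFIED))
        if ok >= self.THRESHOLD and ok > fp and conf < Confidence.FIRM:
            return Confidence(conf + 1)
        return conf


def triage(store: CorrectionStore, findings: list[Finding]) -> dict[str, str]:
    """Pattern -> confidence name, highest first: what a reviewer would see."""
    rated = sorted(findings, key=store.adjusted_confidence, reverse=True)
    return {f.pattern: store.adjusted_confidence(f).name for f in rated}


# Constructed sample findings.
RESPAWN = Finding("cookie:_ga:persists_after_reject", behavioral=True, signals=["tracker_db"])
LOGIN_NAME_MATCH = Finding("cookie:login_token:tracker_name_match", signals=["tracker_db"])
FB_NAME_MATCH = Finding("cookie:_fbp:tracker_name_match", signals=["tracker_db"])
CNAME = Finding("cname:metrics.example.com", signals=["cname_to_tracker_domain", "tracker_db"])
UNREPRODUCED = Finding("endpoint:/debug:exposed")  # seen once, not reproduced

if __name__ == "__main__":
    store = CorrectionStore()
    # Two reviewers decide login_token is a session cookie, not a tracker.
    store.record(LOGIN_NAME_MATCH.pattern, "false_positive")
    store.record(LOGIN_NAME_MATCH.pattern, "false_positive")
    for pattern, level in triage(store, [UNREPRODUCED, LOGIN_NAME_MATCH, RESPAWN,
                                          CNAME, FB_NAME_MATCH]).items():
        print(f"{level:10} {pattern}")
```

The threshold is the safeguard against a single mistaken review silently changing every customer's results: one verdict is stored, but nothing moves until a second reviewer reaches the same conclusion on the same pattern.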

What you get

The final report documents each finding with the relevant GDPR article, confidence level, and supporting evidence: screenshots, cookie recordings, HAR files, consent banner analysis.

See it in action

Run a scan on your website. Full report, evidence for every finding.
