How Vakteye's Compliance Scanner Works

Mar 3, 2026 / 5 min read
By Vakteye Team

Vakteye checks cookies, consent, security, DNS, and data transfers automatically. Each finding comes with technical evidence. A human reviewer checks the results before anything reaches your report.

What we check

A full scan covers the same ground a data protection authority would during an audit.

  • Cookie inventory and classification, checked against 400,000+ known tracker domains
  • Consent banner testing: does your reject button actually stop cookies?
  • Privacy policy analysis: does your site do what your policy promises?
  • Security headers (HSTS, CSP, X-Frame-Options, and others)
  • TLS/SSL configuration, certificate validity, and cipher strength
  • Cross-border data transfers: which third parties receive data, and where are their servers?
  • DNS security: DNSSEC, SPF, DKIM, DMARC
  • CNAME cloaking: trackers disguised as first-party domains
  • Vulnerability scanning: CVEs, misconfigurations, exposed endpoints
  • Accessibility: WCAG 2.1 AA automated testing

Each check runs independently. If one fails, the others still complete. Results are consolidated before your report is generated.

Multi-layered consent testing

Consent is where most websites fail, so we test it thoroughly.

Vakteye supports thousands of consent management platforms, from major providers like Cookiebot and OneTrust to custom-built solutions. No matter how your consent banner is implemented, we find it and test it.

The key question is not whether a reject button exists, but whether it actually works. Vakteye clicks reject, then checks whether tracking cookies actually stop. Many sites have a reject button that does nothing. We catch that.

A reject button that doesn't stop tracking is worse than no button at all. We verify that cookies actually stop after rejection, not just that a button is clickable.
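The check described above, sketched as an added example (not Vakteye's code): compare the cookie jar captured before any consent choice with the jar captured after clicking reject. The tracker list, domains and cookie names are constructed sample data, and the function names are hypothetical.

```python
# Constructed stand-in for a real tracker-domain database.
TRACKER_DOMAINS = {"tracker.example", "ads.example"}


def is_tracker(cookie_domain, trackers=TRACKER_DOMAINS):
    """True if the domain equals, or is a subdomain of, a listed tracker."""
    host = cookie_domain.lstrip(".").lower()
    return any(host == t or host.endswith("." + t) for t in trackers)


def cookie_key(cookie):
    """Identify a cookie by (name, normalized domain)."""
    return (cookie["name"], cookie["domain"].lstrip(".").lower())


def audit_reject(before_choice, after_reject, trackers=TRACKER_DOMAINS):
    """Return (cookie, issue) pairs for tracker cookies seen in either jar."""
    pre = {cookie_key(c) for c in before_choice if is_tracker(c["domain"], trackers)}
    post = {cookie_key(c) for c in after_reject if is_tracker(c["domain"], trackers)}
    findings = [(k, "set_before_consent") for k in sorted(pre)]
    for k in sorted(post):
        # A tracker cookie still present after reject means the button did not work.
        findings.append((k, "persists_after_reject" if k in pre else "set_after_reject"))
    return findings


def reject_is_effective(findings):
    """The reject button works only if no tracker cookie exists after the click."""
    return all(issue == "set_before_consent" for _, issue in findings)


# Constructed cookie jars: page load with no interaction, then after the reject click.
BEFORE = [
    {"name": "session", "domain": "shop.example"},
    {"name": "uid", "domain": ".tracker.example"},
]
AFTER = [
    {"name": "session", "domain": "shop.example"},
    {"name": "consent", "domain": "shop.example"},
    {"name": "uid", "domain": ".tracker.example"},
    {"name": "px", "domain": "sync.ads.example"},
]

if __name__ == "__main__":
    for cookie, issue in audit_reject(BEFORE, AFTER):
        print(issue, cookie)
```
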

Contradiction detection

Most cookie scanners stop at inventory. Vakteye also reads your privacy policy, extracts each claim, and compares it against what your site actually does.

Example: Your privacy policy says "We do not use third-party tracking cookies." The scan finds Google Analytics, Meta Pixel, and LinkedIn Insight Tag, all setting cookies before consent. Three contradictions, each a potential Article 5(1)(a) transparency violation.

This runs after all automated checks finish. Vakteye extracts claims from your policy, then each claim is checked against the technical evidence. The output is a straightforward list: what you say vs. what you do.

The confidence system

A scanner that flags everything at the same severity wastes your time. Vakteye assigns confidence based on how a finding was validated, not on how suspicious it looks.

  • CERTAIN: behavioral proof exists (cookie persists after reject, SQL injection time delay confirmed)
  • FIRM: multiple corroborating signals (DNS record + known tracker domain)
  • TENTATIVE: single pattern match (cookie name matches tracker database)
  • UNVERIFIED: detected but could not reproduce

A cookie that respawns after deletion is CERTAIN. A cookie name that matches a tracker database but shows no tracking behavior is TENTATIVE. The distinction matters when you're deciding what to fix first, and when you need to defend your compliance posture.

Human review

Before a finding reaches your report, a compliance analyst reviews the technical evidence, applies the relevant legal framework, and decides: genuine violation or false positive?

Reviewers regularly downgrade or dismiss findings. A cookie flagged as a tracker might be essential for login. A missing security header might be compensated by other controls. The scanner catches the signals; humans interpret them.

Continuous improvement

Every review decision improves future accuracy. When a reviewer marks a finding as a false positive, that correction is remembered. Next time a similar pattern appears, the system adjusts confidence automatically.

After thousands of reviews, the false positive rate drops measurably. Real violations get flagged with higher confidence because the system has seen similar patterns before.

  • Reviewer marks finding as false positive, stored as a correction
  • Next scan hits same pattern, confidence lowered automatically
  • Two or more confirmations required before auto-adjustment kicks in
  • Corrections apply globally, so one review improves results for all customers
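The confidence levels and the correction steps above, combined in one added sketch (not Vakteye's code). Assumptions: the levels are ordered with UNVERIFIED lowest, an adjustment lowers confidence by one level, confirmations are counted per distinct reviewer, and the pattern key and signal names are hypothetical.

```python
from enum import IntEnum


class Confidence(IntEnum):
    UNVERIFIED = 0   # detected but could not reproduce
    TENTATIVE = 1    # single pattern match
    FIRM = 2         # multiple corroborating signals
    CERTAIN = 3      # behavioral proof


def base_confidence(signals, behavioral_proof=False, reproduced=True):
    """Grade a finding by how it was validated, not by how suspicious it looks."""
    if not reproduced:
        return Confidence.UNVERIFIED
    if behavioral_proof:
        return Confidence.CERTAIN
    return Confidence.FIRM if len(set(signals)) >= 2 else Confidence.TENTATIVE


class CorrectionStore:
    MIN_CONFIRMATIONS = 2  # "two or more confirmations" before auto-adjustment

    def __init__(self):
        self._false_positives = {}  # pattern -> set of reviewer ids

    def record_false_positive(self, pattern, reviewer_id):
        # A set means a repeated mark by the same reviewer is not a new
        # confirmation (assumption).
        self._false_positives.setdefault(pattern, set()).add(reviewer_id)

    def adjust(self, pattern, confidence):
        """Lower confidence one level once the pattern has enough confirmations."""
        confirmations = len(self._false_positives.get(pattern, ()))
        if confirmations < self.MIN_CONFIRMATIONS:
            return confidence
        return Confidence(max(confidence - 1, Confidence.UNVERIFIED))


if __name__ == "__main__":
    store = CorrectionStore()
    pattern = ("cookie", "uid@tracker.example")  # constructed pattern key
    found = base_confidence(["dns_record", "known_tracker_domain"])
    store.record_false_positive(pattern, "reviewer-a")
    print(store.adjust(pattern, found).name)  # one confirmation: unchanged
    store.record_false_positive(pattern, "reviewer-b")
    print(store.adjust(pattern, found).name)  # two confirmations: lowered
```
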

What you get

The final report documents each finding with the relevant GDPR article, confidence level, and supporting evidence: screenshots, cookie recordings, HAR files, consent banner analysis.
