GDPR · NIS2 · ePrivacy
Protect your customers' data. Prove that you do. Commercial plans for ongoing website compliance monitoring, legal evidence, and security review across the EU.
Commercial scope
Scoped for the footprint you need watched
Coverage Apex domains, subdomains, consent flows, trackers and exposed services.
Cadence Monthly, weekly or daily monitoring depending on risk and operating model.
Evidence Signed reports, finding-level proof, public verification and remediation history.
Legal basis GDPR, ePrivacy and NIS2 mapped to EU guidance and relevant local implementation.
Plans
Choose the operating model, not just a package
Each tier keeps the same evidence-first foundation. Scope, cadence, review depth and response model scale with the risk profile.
Monthly monitoring · core
Essentials
Ongoing GDPR coverage on your site. For companies that need evidence, not a project.
Evidence Signed evidence pack
Governance Guided remediation
Monthly automated scan of 1 apex domain
Cookies, consent, security headers and accessibility (WCAG)
Privacy policy compared against actual site behavior
Data transfers outside the EU tracked and flagged
Compliance report with remediation guidance
Privacy Verified badge displayed on your site — publicly verifiable
Email support within 24 hours
When the board asks "are we GDPR-compliant?"
Most popular
Weekly monitoring · deep
Professional
Weekly checks plus security depth. For companies where one missed finding costs more than the year.
Evidence Signed evidence pack
Governance Guided remediation
Weekly automated scan of 1 apex domain
Everything in Essentials, plus deeper security and tracking analysis
11 compliance checks active: deep security and tracking analysis
Hardcoded passwords and keys in your site code detected
New subdomains discovered and risk-ranked
NIS2 mapped to relevant EU and national implementation requirements
Manual expert verification of low-confidence findings
Real-time alerts on regression after remediation
GDPR + NIS2 readiness, not just a paper trail
Weekly monitoring · custom
Enterprise
Weekly scans, wider footprint, named compliance lead.
Evidence Signed evidence pack
Governance Named compliance lead
Weekly automated monitoring for up to 5 apex domains
Compliance checks active: cookies, consent, policies, security headers and accessibility
Deep technical checks: forms, fingerprinting, data residency, network exposure and CNAME tracking
Subdomain discovery and risk ranking for assets under your control
Quarterly manual penetration test plus manual expert verification of low-confidence findings
Dedicated customer success contact with 4-hour critical-finding response target
Custom compliance roadmap and scan configuration support
When regulator visits could come any week
No list prices. The price is set by how much you need watched and for how long. Demo and quote take 30 minutes.
Enterprise readiness
Built for legal, security and procurement review
Pricing is scoped because the risk surface differs by footprint, cadence, legal exposure and required assurance. The buying package is designed to be reviewed by more than one team.
DPA-ready Data processing terms, sub-processor categories and retention expectations are available during commercial review.
EU/EEA processing posture Customer scan-result processing is positioned for EU and EEA regulatory expectations.
Evidence chain Findings are backed by browser behavior, network observations, timestamps and source references.
Security review support Security teams can review scan scope, evidence handling and operational controls before activation.
Named operating model Enterprise scope can include named contacts, critical-finding SLAs and review cadence.
EU-wide legal mapping Findings are grounded in GDPR, ePrivacy, EDPB guidance, NIS2 and relevant national implementation.
What you don't get from CMP vendors
OneTrust, CookieBot and Cookiebanner.com manage consent. We check it works — the reject button gets tested for real, cookies before consent are caught and the Meta Pixel gets reviewed. Vakteye is a complement, not a replacement.
What's included
What we test
The commercial tiers scale the same core evidence model: observed browser behavior, legal mapping, remediation context and repeat monitoring.
Consent & privacy GDPR · ePrivacy · LEK ch. 9
Cookie consent and tracker detection Identifies every cookie — tracking, analytics, advertising. Classifies against a tracker database of 1000+ vendors and checks Secure/HttpOnly/SameSite flags. Detects cookies set before consent. Legal basis: ePrivacy Art 5(3), LEK ch. 9 §28.
Reject button is actually tested Clicks 'Reject' and checks whether tracking cookies are set anyway. Detects dark patterns, pre-checked boxes and non-functional buttons. Includes zombie-cookie detection (cookies that respawn after deletion). Legal basis: EDPB Cookie Banner Taskforce 2023, GDPR Art 7.
Privacy policy against GDPR Art 13 Checks every mandatory section: legal basis, retention period, third parties, data-subject rights, DPO contact. Each gap is tied to the article it sits under. Legal basis: GDPR Art 13.
Policy vs practice — contradictions Compares what your privacy policy promises against what the site does. Catches things like 'We use no third-party cookies' while tracking still runs. Legal basis: GDPR Art 5(1)(a) transparency, Art 13 information duty.
Hidden tracking and session replay Detects canvas, WebGL and audio fingerprinting. Catches session-replay tools that record visitor behaviour without consent. Legal basis: ePrivacy Art 5(3) device access.
US transfers (Schrems II / DPF) Maps third-country transfers. Flags US recipients without DPF certification. Checks that adequate safeguards are in place (SCC, adequacy decisions). Legal basis: GDPR Art 44–49.
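As an added example that is not Vakteye's own code, the Python below audits a constructed capture of Set-Cookie headers taken in three phases of a consent test (before any interaction, after clicking Reject, and after deleting all cookies), flagging trackers set without consent, cookies that respawn after deletion, and missing Secure/HttpOnly/SameSite attributes, with the legal basis quoted from the cookie-consent and reject-button checks above. TRACKER_COOKIES, the phase names and the captured headers are constructed stand-ins for the vendor database and browser capture the page describes.

```python
# Added example (not Vakteye's code). TRACKER_COOKIES is a constructed stand-in for the tracker database.
TRACKER_COOKIES = {"_ga": "Google Analytics", "_fbp": "Meta Pixel"}

LEGAL_BASIS = {  # legal mapping per kind of finding, as stated on the page
    "tracker_pre_consent": "ePrivacy Art 5(3), LEK ch. 9 §28",
    "tracker_after_reject": "EDPB Cookie Banner Taskforce 2023, GDPR Art 7",
    "zombie_cookie": "EDPB Cookie Banner Taskforce 2023, GDPR Art 7",
    "weak_attributes": "GDPR Art 32",
}

def parse_set_cookie(header):
    """Return (name, {attribute: value}) for one Set-Cookie header; bare flags map to True."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return first.partition("=")[0].strip(), attrs

def audit_consent_flow(capture):
    """capture maps a phase (pre_consent, after_reject, after_delete) to the headers seen there."""
    findings, seen = [], set()
    for phase in ("pre_consent", "after_reject", "after_delete"):
        for header in capture.get(phase, []):
            name, attrs = parse_set_cookie(header)
            vendor = TRACKER_COOKIES.get(name)
            kind = None
            if phase == "after_delete" and name in seen:
                kind = "zombie_cookie"  # respawned after the test deleted all cookies
            elif vendor and phase != "after_delete":
                kind = f"tracker_{phase}"  # tracker set before consent or after Reject
            if kind:
                findings.append(dict(kind=kind, cookie=name, vendor=vendor, phase=phase,
                                     legal_basis=LEGAL_BASIS[kind]))
            missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
            if missing:
                findings.append(dict(kind="weak_attributes", cookie=name, phase=phase,
                                     missing=missing, legal_basis=LEGAL_BASIS["weak_attributes"]))
            seen.add(name)
    return findings

# Constructed capture: tracker before consent, another after Reject, the first respawning after
# deletion, and a first-party session cookie without SameSite.
CAPTURE = {
    "pre_consent": ["_ga=GA1.2.111; Path=/; Secure; SameSite=Lax", "sid=abc123; Path=/; Secure; HttpOnly"],
    "after_reject": ["_fbp=fb.1.222; Path=/; Secure; SameSite=Lax"],
    "after_delete": ["_ga=GA1.2.111; Path=/; Secure; SameSite=Lax"],
}

if __name__ == "__main__":
    print(*audit_consent_flow(CAPTURE), sep="\n")
```

Each finding carries the phase in which the browser received the cookie, which is the observation a reviewer needs to decide whether the banner's Reject path actually stopped the tracker.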
Security NIS2 and GDPR Art 32
Security headers and TLS configuration Checks security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy, COOP/COEP). Analyses TLS configuration, certificate validity and cipher strength. Legal basis: GDPR Art 32, NIS2 Art 21(2)(h) cryptography policy.
Known vulnerabilities (CVE, SQLi, XSS) Active scanning with continuously updated templates. Tests SQL injection, Cross-Site Scripting, CSRF, exposed admin panels, vulnerable JavaScript libraries. Legal basis: NIS2 Art 21(2)(e) system acquisition and vulnerability handling.
Services exposed on the internet Scans open ports and exposed services. Catches admin panels reachable from the internet and subdomain-takeover risk against known cloud providers. Legal basis: GDPR Art 32(1)(b), NIS2 Art 21(2)(e) vulnerability handling and Art 21(2)(i) access control.
Hardcoded secrets in client-side JavaScript API keys, cloud credentials, payment-provider keys and private keys that ended up in frontend code are caught via a vendor rule library and issuer-prefix detection. Legal basis: GDPR Art 32, NIS2 Art 21(2)(e) vulnerability handling.
Accessibility per WCAG 2.1 AA Contrast, alt text, form labels, keyboard navigation and ARIA attributes get reviewed automatically. You get a remediation suggestion per finding. Mapping: European Accessibility Act obligations where applicable, national accessibility law, and WCAG 2.1 AA as a practical testing baseline.
Evidence and reporting GDPR Art 5(2) burden of proof
Continuous monitoring, not one-off audit Scan frequency follows your plan — monthly, weekly or change-triggered. You get a notification on new findings. Compliance status stays up to date in your dashboard. Legal basis: GDPR Art 5(2) burden of proof.
Human verification of every finding Lower-confidence findings go to a review queue and an analyst reviews them before publication. High-confidence findings have machine-checkable proof and publish directly. Confidence level (CERTAIN/FIRM/TENTATIVE) is shown on every finding.
Reports for board, IT and DPIA evidence Compliance reports with the legal basis on every finding. Executive summary for the board, detailed technical report for IT, and a DPIA-ready package your DPO can use. Each gap ties back to GDPR, ePrivacy, NIS2 or relevant national implementation.
Privacy Verified badge with public verification A VKT record number (VKT-XXXX-XXXXXX) is issued after a passing scan. Trust badge embedded via JS widget or SVG. Anti-theft: badge renders only on the verified monitored domain. Publicly verifiable via /verify/[record-no]. Valid 90 days, automatically renewed at every passing scan. Maps to GDPR Art. 5(2) accountability evidence.
Forensic evidence package Browser recording, network log and timeline of cookie behaviour before and after consent. Downloadable zip with an integrity check so you can show the material has not been altered.
Buying process
From scope review to evidence pack
A serious buying path without turning the first call into a sales deck.
Scope review We map domains, monitoring cadence, legal exposure and the teams that need the evidence.
Live evidence scan We scan live pages during the call and show what the browser actually sends.
Quote and DPA You receive a scoped plan, commercial proposal and procurement material.
Activation Domain verification, first production scan, evidence pack and verified badge.
Ready when you are. We scan your site live during the call. You leave with a risk report and a quote. No list prices, no sales pitch.
Vakteye holds VKT-2026-000001. Verify it live.
Vakteye: website compliance checks for consent, policy, tracking and security. Vakteye shows what happened, what needs fixing and the evidence behind it.
© 2026 Vakteye AB. All rights reserved.