Compliance you can defend to a regulator.
A compliance claim is only worth what its honesty can survive. Assay's model is built on the one truth most compliance tools won't say out loud: a tool can disprove a control, but it can never prove conformance. So we measure what can be measured, gate what we caught failing, and leave the declaration where the law puts it — with a named person. We measure; you declare; we never certify.
The honest truth most compliance tools won't tell you.
Disprove, never prove
A check that fires reports a real failure — a live CVE, a leaked secret, a missing label. But no automated pass proves the absence of all failures. A clean result is necessary, not sufficient.
Most regimes are organizational
NIS2, DORA, GDPR and their peers regulate the organization — governance, incident handling, resilience. Tooling touches only a slice; the rest is judgement and process.
No tool is accepted as proof
Under none of these laws is a scanner's badge accepted as proof of conformance — none. Anyone selling a "compliant" stamp from a crawl is selling snake oil.
The integrity keystone.
We won't let you pass what we caught failing.
A caught failure pre-sets the control to Fail and locks it. Marking it Pass requires a written justification, reproduced in full in an Integrity section of the artifact. A thermometer you can hide readings from is rigged; this one can't be.
Who stands behind each claim is always visible.
Every verdict states how it was reached: tool-verified · evidence-assisted · AI-drafted-and-reviewed · human attestation — so a buyer, an auditor or a competent authority sees which claims a machine stands behind and which a person does.
Declare it honestly — and make it stick.
We measure; you declare; we never certify.