For buyers of bespoke software
You can't read the code. Now you don't have to trust blindly.
You commission software you can't inspect, from a supplier whose incentives aren't yours. Assay gives you an independent, reproducible measurement — criteria in the tender, verification at delivery, ongoing oversight through the maintenance term — from a measurer with no stake in the outcome.
The buyer owns the subscription. Who pays for the thermometer decides whether the stamp means anything.
What you get, phase by phase
Measurement at every milestone.
In the tender
A bar bidders commit to
Measurable criteria in the RFP — every bidder graded by the same ruler. A bidder's hesitation to accept the clause is also information.
During delivery
A trend, not a surprise
Scheduled scans converging on the agreed thresholds — a falling trend is a conversation in week 6, not a dispute at acceptance.
In hypercare
Watched daily
A daily security watch and regression flags — new CVEs, leaked secrets, score drops — plus a changelog per scan.
After hypercare
Oversight for years
Quarterly readings through the maintenance term: trend lines, the changelog, a CycloneDX SBOM and CWE-tagged findings on file.
The risk that isn't in the code
What you inherit when the people leave.
Assay reads the supplier's git history into two deterministic figures inside the CAI.
Off-boarding risk
Which modules depend on one person — whose exit orphans the most significant code you'd be left owning.
Knowledge freshness
The code everyone who understood it has gone quiet on — where your supplier can no longer safely make the change you'll ask for.
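Added illustration, not Assay's method and not code from this page: one plausible way to turn `git log --numstat` output into the two figures described above. It parses a constructed log (in the shape of `git log --format='%H|%an|%ad' --date=short --numstat`), attributes changed lines to the top-level module, and reports per module how concentrated ownership is (off-boarding risk) and how long ago an author who is still active last touched it (knowledge freshness). The 80% concentration threshold and the 90-day "still active" window are assumptions chosen for the example.

```python
"""Bus-factor and knowledge-staleness figures from git history (illustrative)."""
from collections import defaultdict
from datetime import date

# Constructed sample in the shape of:
#   git log --format='%H|%an|%ad' --date=short --numstat
SAMPLE_LOG = """\
c1|alice|2024-01-10
12\t3\tauth/login.py
5\t0\tauth/session.py

c2|bob|2024-03-02
60\t10\tbilling/invoice.py

c3|alice|2024-04-15
4\t1\tbilling/invoice.py

c4|carol|2024-08-20
30\t0\tapi/routes.py
10\t2\tbilling/tax.py

c5|bob|2024-08-28
6\t6\tapi/routes.py
"""


def parse_log(text):
    """Yield (author, commit_date, path, lines_changed) for every numstat row."""
    author = when = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if "\t" not in line:                      # commit header line
            _sha, author, day = line.split("|")
            when = date.fromisoformat(day)
            continue
        added, deleted, path = line.split("\t")
        # numstat prints "-" for binary files; count those as zero lines
        n = (0 if added == "-" else int(added)) + (0 if deleted == "-" else int(deleted))
        yield author, when, path, n


def module_of(path):
    """Top-level directory stands in for 'module' (assumption for the example)."""
    return path.split("/", 1)[0]


def assess(text, as_of, active_days=90, concentration=0.8):
    """Per module: who dominates the code, and when an active author last touched it."""
    lines_by = defaultdict(lambda: defaultdict(int))   # module -> author -> lines
    last_seen = {}                                     # author -> last commit anywhere
    last_touch = defaultdict(dict)                     # module -> author -> last commit
    for author, when, path, n in parse_log(text):
        mod = module_of(path)
        lines_by[mod][author] += n
        last_seen[author] = max(last_seen.get(author, when), when)
        last_touch[mod][author] = max(last_touch[mod].get(author, when), when)

    # An author is "active" if they committed within the window before as_of.
    active = {a for a, d in last_seen.items() if (as_of - d).days <= active_days}

    report = {}
    for mod, per_author in lines_by.items():
        total = sum(per_author.values())
        top_author, top_lines = max(per_author.items(), key=lambda kv: kv[1])
        share = top_lines / total if total else 0.0
        recent = [d for a, d in last_touch[mod].items() if a in active]
        report[mod] = {
            "top_author": top_author,
            "top_share": share,
            "single_owner": share >= concentration,        # off-boarding risk
            "top_author_active": top_author in active,
            # knowledge freshness: None means nobody still active has touched it
            "active_touch_days": (as_of - max(recent)).days if recent else None,
        }
    return report


def flagged(report):
    """Modules worth a conversation: concentrated ownership, or no active author at all."""
    single = sorted(m for m, r in report.items() if r["single_owner"])
    orphaned = sorted(m for m, r in report.items() if r["active_touch_days"] is None)
    return single, orphaned


if __name__ == "__main__":
    rep = assess(SAMPLE_LOG, date(2024, 9, 1))
    for mod, r in sorted(rep.items()):
        print(f"{mod:8} top={r['top_author']} ({r['top_share']:.0%}) "
              f"active_touch_days={r['active_touch_days']}")
    print("single-owner:", flagged(rep)[0], "orphaned:", flagged(rep)[1])
```

In the constructed sample, `auth` is owned entirely by an author who has not committed in months, so it is both concentrated and orphaned; `billing` is concentrated on an active author but was last touched by someone else; `api` is shared and fresh. A real run would feed the live `git log` output into `assess` with today's date.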
SAMPLE · ANNEX D — CODE-QUALITY REQUIREMENTS
The annex you put in the RFP
- CAI at acceptance — ≥ 80
- Security & compliance lens — ≥ 75 · zero critical CVEs
- Measured by — independent scan · rubric frozen at award
Illustrative, not legal advice. The full sample lives on the tender & delivery verification report.
Regulatory oversight
Demonstrate ICT-supplier oversight for DORA & NIS2.
The audit is the artifact
Scheduled scans are the compliance evidence.
DORA and NIS2 expect demonstrated, ongoing oversight of ICT suppliers. A standing, independent, reproducible measurement — dated, signed, on file — is that demonstration.
Structural rule
The buyer owns the subscription.
Never the supplier. The generated contract language states it explicitly — because who pays for the thermometer decides whether the stamp means anything.
Independent — and you don't have to trust us
Structural independence, and an open method you can check.
Never a delivering party
We never develop or consult on a codebase we also score — never on both ends of one contract.
No success fees
Revenue is the engagement, identical whether a delivery passes or fails. We're paid to measure, never to make the number move.
Identical rubric, whoever pays
The report doesn't know who holds the subscription — and you can verify any number against the open standard yourself.
Stop trusting blindly. Measure instead.
Sales-led · priced per engagement · the evidence copy a supplier shares is free.