For buyers of bespoke software

You can't read the code. Now you don't have to trust blindly.

You commission software you can't inspect, from a supplier whose incentives aren't yours. Assay gives you an independent, reproducible measurement — criteria in the tender, verification at delivery, ongoing oversight through the maintenance term — from a measurer with no stake in the outcome.

The buyer owns the subscription. Who pays for the thermometer decides whether the stamp means anything.

What you get, phase by phase

Measurement at every milestone.

In the tender

A bar bidders commit to

Measurable criteria in the RFP — every bidder graded by the same ruler. A bidder's hesitation to accept the clause is also information.

During delivery

A trend, not a surprise

Scheduled scans converging on the agreed thresholds — a falling trend is a conversation in week 6, not a dispute at acceptance.

In hypercare

Watched daily

A daily security watch and regression flags — new CVEs, leaked secrets, score drops — plus a changelog per scan.

After hypercare

Oversight for years

Quarterly readings through the maintenance term: trend lines, the changelog, a CycloneDX SBOM and CWE-tagged findings on file.

The risk that isn't in the code

What you inherit when the people leave.

Assay reads the supplier's git history into two deterministic figures inside the CAI.

Off-boarding risk

Which modules depend on one person — whose exit orphans the most significant code you'd be left owning.

Knowledge freshness

The code everyone who understood it has gone quiet on — where your supplier can no longer safely make the change you'll ask for.
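The two figures above can be derived from nothing more than the commit log. The script below is an added illustration of that idea and is not Assay's own algorithm or code: it reads the output of `git log --format='%H|%an|%at' --name-only` (a constructed sample is embedded so it runs offline), treats the top-level directory as the module, and computes an off-boarding figure (share of a module's commits held by its single busiest author) and a knowledge-freshness figure (days since the most recently active person who ever touched the module last committed anywhere). The module boundary, the 80 % sole-owner share and the 90-day staleness threshold are assumptions chosen for the example; the `as_of` timestamp is passed in rather than read from the clock so that the figures are reproducible across runs.

```python
"""Off-boarding risk and knowledge freshness from git history (added example).

Input format: `git log --format='%H|%an|%at' --name-only`, i.e. one
"sha|author|unix-timestamp" line per commit followed by the paths it
touched. SAMPLE_LOG is a constructed sample, not a real repository.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
a1|alice|1700000000

billing/invoice.py
billing/tax.py

a2|alice|1702000000

billing/invoice.py

a3|bob|1703000000

auth/login.py

a4|carol|1703500000

auth/login.py
auth/session.py

a5|alice|1704000000

billing/tax.py

a6|dave|1709000000

reports/export.py
"""

DAY = 86400


def parse_git_log(text):
    """Return a list of commits: {"sha", "author", "ts", "paths"}."""
    commits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split("|")
        # A header line has exactly three fields and a numeric timestamp;
        # anything else is a path belonging to the current commit.
        if len(parts) == 3 and parts[2].isdigit():
            current = {"sha": parts[0], "author": parts[1],
                       "ts": int(parts[2]), "paths": []}
            commits.append(current)
        elif current is not None:
            current["paths"].append(line)
    return commits


def module_of(path):
    """Assumed module boundary: the top-level directory of the path."""
    return path.split("/", 1)[0] if "/" in path else "(root)"


def offboarding_risk(commits, sole_owner_share=0.8):
    """Per module: busiest author, their share of commits, author count."""
    per_module = defaultdict(Counter)
    for c in commits:
        for mod in {module_of(p) for p in c["paths"]}:  # one count per commit
            per_module[mod][c["author"]] += 1
    out = {}
    for mod, counts in per_module.items():
        author, n = counts.most_common(1)[0]
        share = n / sum(counts.values())
        out[mod] = {"top_author": author, "share": round(share, 2),
                    "authors": len(counts),
                    "sole_owner": share >= sole_owner_share}
    return out


def knowledge_freshness(commits, as_of_ts):
    """Per module: days since anyone who ever touched it last committed."""
    last_active, module_authors = {}, defaultdict(set)
    for c in commits:
        last_active[c["author"]] = max(last_active.get(c["author"], 0), c["ts"])
        for mod in {module_of(p) for p in c["paths"]}:
            module_authors[mod].add(c["author"])
    return {mod: (as_of_ts - max(last_active[a] for a in authors)) // DAY
            for mod, authors in module_authors.items()}


def flag_modules(commits, as_of_ts, stale_days=90):
    """Combine both figures into a sorted list of (module, reasons)."""
    risk = offboarding_risk(commits)
    fresh = knowledge_freshness(commits, as_of_ts)
    flags = []
    for mod in sorted(risk):
        reasons = []
        if risk[mod]["sole_owner"]:
            reasons.append(f"sole owner {risk[mod]['top_author']}")
        if fresh[mod] >= stale_days:
            reasons.append(f"knowledge quiet for {fresh[mod]} days")
        if reasons:
            flags.append((mod, reasons))
    return flags


if __name__ == "__main__":
    AS_OF = 1712000000  # fixed reference time keeps the figures deterministic
    for mod, reasons in flag_modules(parse_git_log(SAMPLE_LOG), AS_OF):
        print(f"{mod}: {'; '.join(reasons)}")
```

In the sample, `billing` is flagged on both counts (a single author, last seen over 90 days ago), `auth` only for staleness, and `reports` only for sole ownership; a real run would replace `SAMPLE_LOG` with the captured log and weight modules by size rather than treating every module as equally significant.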

SAMPLE · ANNEX D — CODE-QUALITY REQUIREMENTS

The annex you put in the RFP

CAI at acceptance: ≥ 80
Security & compliance lens: ≥ 75 · zero critical CVEs
Measured by: independent scan · rubric frozen at award

Illustrative, not legal advice. The full sample lives on the tender & delivery verification report.

Regulatory oversight

Demonstrate ICT-supplier oversight for DORA & NIS2.

The audit is the artifact

Scheduled scans are the compliance evidence.

DORA and NIS2 expect demonstrated, ongoing oversight of ICT suppliers. A standing, independent, reproducible measurement — dated, signed, on file — is that demonstration.

Structural rule

The buyer owns the subscription.

Never the supplier. The generated contract language states it explicitly — because who pays for the thermometer decides whether the stamp means anything.

Independent — and you don't have to trust us

Structural independence, and an open method you can check.

Never a delivering party

We never develop or consult on a codebase we also score — never on both ends of one contract.

No success fees

Revenue is the engagement, identical whether a delivery passes or fails. We're paid to measure, never to make the number move.

Identical rubric, whoever pays

The report doesn't know who holds the subscription — and you can verify any number against the open standard yourself.

Verify a survey →

Stop trusting blindly. Measure instead.

Sales-led · priced per engagement · the evidence copy a supplier shares is free.