You can't read the code. Now you don't have to trust blindly.
You commission software you can't inspect, from a supplier whose incentives aren't yours. Assay gives you an independent, reproducible measurement — criteria in the tender, verification at delivery, ongoing oversight through the maintenance term — from a measurer with no stake in the outcome.
The buyer owns the subscription. Who pays for the thermometer decides whether the stamp means anything.
Measurement at every milestone.
A bar bidders commit to
Measurable criteria in the RFP — every bidder graded by the same ruler. A bidder's hesitation to accept the clause is also information.
A trend, not a surprise
Scheduled scans converging on the agreed thresholds — a falling trend is a conversation in week 6, not a dispute at acceptance.
Watched daily
A daily security watch and regression flags — new CVEs, leaked secrets, score drops — plus a changelog per scan.
Oversight for years
Quarterly readings through the maintenance term: trend lines, the changelog, a CycloneDX SBOM and CWE-tagged findings on file.
What you inherit when the people leave.
Assay reads the supplier's git history into two deterministic figures inside the CAI.
Off-boarding risk
Which modules depend on one person — whose exit orphans the most significant code you'd be left owning.
Knowledge freshness
The code everyone who understood it has gone quiet on — where your supplier can no longer safely make the change you'll ask for.
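An added illustration of the two kinds of figure this section describes, written for this page rather than taken from Assay's own code or published method: it parses a constructed `git log --numstat` extract, then computes per module (a) the largest single author's share of changed lines, as a proxy for off-boarding risk, and (b) days since the last commit by an author who has not left, as a proxy for knowledge freshness. Both metric definitions, the sample log, the author addresses and the "top-level directory is the module" rule are assumptions made here.

```python
from collections import defaultdict

# Constructed sample log (not a real repository) in the shape produced by
#   git log --format='commit %H%nauthor %ae%ndate %at' --numstat
SAMPLE_LOG = """\
commit 1111
author alice@example.com
date 1700000000

12\t3\tbilling/invoice.py
4\t0\tbilling/tax.py

commit 2222
author bob@example.com
date 1701000000

30\t2\tapi/routes.py

commit 4444
author bob@example.com
date 1701500000

2\t0\tbilling/tax.py

commit 3333
author alice@example.com
date 1702000000

8\t1\tbilling/invoice.py
"""

def parse_log(text):
    """Return (author, unix_time, module, lines_changed) rows from the log text.
    The module is the top-level directory of the path (assumed granularity)."""
    rows = []
    author = ts = None
    for line in text.splitlines():
        if line.startswith("author "):
            author = line.split(" ", 1)[1]
        elif line.startswith("date "):
            ts = int(line.split(" ", 1)[1])
        elif "\t" in line:
            added, deleted, path = line.split("\t", 2)
            if not (added.isdigit() and deleted.isdigit()):
                continue                      # binary files show "-\t-\tpath"; skip them
            module = path.split("/", 1)[0]
            rows.append((author, ts, module, int(added) + int(deleted)))
    return rows

def offboarding_risk(rows):
    """Per module: the author with the largest share of changed lines, and that share.
    A share near 1.0 means one person's exit orphans the module (assumed metric)."""
    per_module = defaultdict(lambda: defaultdict(int))
    for author, _, module, n in rows:
        per_module[module][author] += n
    result = {}
    for module, counts in per_module.items():
        total = sum(counts.values())
        top_author, top_n = max(counts.items(), key=lambda kv: kv[1])
        result[module] = (top_author, round(top_n / total, 2))
    return result

def knowledge_freshness(rows, departed, now_ts):
    """Per module: days since the last commit by an author still on the team.
    None means every committer to that module has left (assumed metric)."""
    last_seen = {}
    for author, ts, module, _ in rows:
        if author in departed:
            continue
        last_seen[module] = max(last_seen.get(module, 0), ts)
    modules = {module for _, _, module, _ in rows}
    return {m: (None if m not in last_seen else (now_ts - last_seen[m]) // 86400)
            for m in modules}

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(offboarding_risk(rows))
    print(knowledge_freshness(rows, departed={"alice@example.com"}, now_ts=1704592000))
```

On the constructed log, `billing` is 93% one author and `api` is 100% one author; with alice marked as departed, `billing` was last touched by a remaining author 35 days before the chosen reference time, and marking bob as departed too leaves both modules with no remaining knowledge. The same functions run unchanged on real `git log` output in that format.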
The annex you put in the RFP
Illustrative, not legal advice. The full sample lives on the tender & delivery verification report.
Demonstrate ICT-supplier oversight for DORA & NIS2.
Scheduled scans are the compliance evidence.
DORA and NIS2 expect demonstrated, ongoing oversight of ICT suppliers. A standing, independent, reproducible measurement — dated, signed, on file — is that demonstration.
The buyer owns the subscription.
Never the supplier. The generated contract language states it explicitly — because who pays for the thermometer decides whether the stamp means anything.
Structural independence, and an open method you can check.
Never a delivering party
We never develop or consult on a codebase we also score — never on both ends of one contract.
No success fees
Revenue is the engagement, identical whether a delivery passes or fails. We're paid to measure, never to make the number move.
Identical rubric, whoever pays
The report doesn't know who holds the subscription — and you can verify any number against the open standard yourself.
Verify a survey →
Stop trusting blindly. Measure instead.
Sales-led · priced per engagement · the evidence copy a supplier shares is free.