WeScan checks your codebase for AI compliance gaps and generates the docs you need to close enterprise deals.
Free to try · 60 second scan · No credit card
How it works
No consultants. No legal bills. No 50-page questionnaires.
Paste a public GitHub URL, connect a private repo with your access token, or upload a ZIP under 4 MB. No agent to install, no credentials stored.
See every model in use, which ones handle customer data, which regulations are breached, and exactly how to fix each issue.
One click generates an AI Usage Policy, DPA Checklist, and Data Flow Map — built from your actual scan results, ready to share.
What we find
These are the most common findings — and the ones that stall procurement reviews.
Customer emails, names, and IDs flowing into a model without a signed Data Processing Agreement. GDPR Article 28 violation.
Conversation logs stored indefinitely. CCPA gives customers the right to deletion — you need a documented process to honour it.
Every model call needs a structured log entry for SOC 2 CC7.2. Without it you cannot demonstrate what ran or when.
Sending customer documents to a model requires explicit consent clauses in your Terms of Service.
Any team member can query any customer's data. SOC 2 CC6.3 requires role-based access scoped to the requesting user.
Calling gpt-4 instead of a dated version means your output can change silently when the provider updates the model.
Security & Privacy
You provide a GitHub URL. We clone your repository temporarily inside a serverless function, run the scan entirely in memory, then explicitly delete the cloned files immediately after — with a try/finally block that guarantees deletion even if the scan fails. Your source code never touches a database.
Only scan findings — severity levels, file paths, issue types, and regulation references. Never your source code, never your git history, never your secrets.
Every table in our database has Row Level Security enforced at the database level. One user cannot read another user's scan results: this is not just an application policy, it is enforced by Postgres itself.
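How a per-user Row Level Security policy of the kind described above is expressed in Postgres. This is an added illustration, not WeScan's actual schema: the table, column, role and session-variable names are assumptions, and the policy stores only findings, never source.

```sql
-- Illustrative findings table (assumed schema): only scan findings are stored.
CREATE TABLE scan_findings (
    id          bigserial   PRIMARY KEY,
    owner_id    uuid        NOT NULL,  -- the account that ran the scan
    severity    text        NOT NULL,
    file_path   text        NOT NULL,
    issue_type  text        NOT NULL,
    regulation  text        NOT NULL,  -- e.g. 'GDPR Art. 28', 'SOC 2 CC6.3'
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- Turn RLS on and FORCE it so the table owner is also subject to the policy.
-- Without FORCE the owning role bypasses RLS; superusers always bypass it,
-- so the application must not connect as either.
ALTER TABLE scan_findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE scan_findings FORCE ROW LEVEL SECURITY;

-- Least-privilege application role (assumed name): can read/insert rows only.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON scan_findings TO app_user;
GRANT USAGE, SELECT ON SEQUENCE scan_findings_id_seq TO app_user;

-- USING filters rows already in the table (SELECT/UPDATE/DELETE);
-- WITH CHECK constrains rows being written (INSERT/UPDATE).
-- current_setting(..., true) returns NULL when the variable is unset, so a
-- request that forgot to set the caller id sees zero rows rather than all.
CREATE POLICY findings_owner_only ON scan_findings
    FOR ALL TO app_user
    USING      (owner_id = current_setting('app.current_user_id', true)::uuid)
    WITH CHECK (owner_id = current_setting('app.current_user_id', true)::uuid);

-- Per request, inside the transaction (SET LOCAL is discarded at commit or
-- rollback, so the id cannot leak into a pooled connection's next request):
-- SET LOCAL app.current_user_id = '00000000-0000-0000-0000-000000000001'; -- placeholder
-- SELECT severity, file_path, regulation FROM scan_findings;  -- only that account's rows
```

A useful check is to run the same SELECT as app_user with no app.current_user_id set and confirm it returns no rows; if it returns everything, RLS is not actually in force for that role.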
Yes. You can provide a GitHub Personal Access Token for private repos. It is used only for the clone request and is never logged or stored anywhere.
Yes. Rate limiting is enforced server-side — 5 scans per user per hour, 3 policy generations per hour. This protects both your data and our infrastructure.
Only you. We maintain a full audit log of every scan and policy generation tied to your account. No third party, no Anthropic, no one else has access.
The Anthropic Claude API. Only your scan findings are sent — never your source code. Anthropic's enterprise privacy terms apply.
Scan findings are retained for 90 days then automatically deleted. You can request immediate deletion by contacting us.
Pricing
Vanta costs £40,000 and assumes a dedicated security team. A compliance lawyer charges £300/hour. WeScan starts free.
Try it out
For founders getting compliance-ready
Everything you need to close the enterprise deal
FAQ
No. Your code is scanned in memory and immediately discarded. We never persist source files to disk or any database — only the findings (file paths, line numbers, issue descriptions) are stored.
Scan findings are automatically deleted after 90 days. You can export your compliance documents at any time before then.
No. Your token is used only to download the repository zip during the scan request and is never written to logs or our database.
Each finding is mapped to the relevant regulation — GDPR Article 28, CCPA, SOC 2 CC6, and common AI-specific requirements. The generated policy documents reference the exact regulations that apply to your stack.
Yes. Cancel any time from your Stripe billing portal — no questions asked. Your plan stays active until the end of the billing period.
Free scan. 60 seconds. No credit card.