Acompli CodeScan

Turn live codebases into reviewable privacy and AI-governance evidence

Acompli helps organisations convert technical reality into governed compliance outputs. CodeScan examines live repositories for evidence of personal-data handling, third-party dependencies, transfer indicators, and AI-related components, then routes those findings into a reviewable workflow that supports assessments, risk records, data mapping, and downstream governance follow-up.

Technical evidence. Human review. Governed outputs.

00Connect01Scope02Detect03Review04Record05Activate

Get started Book a walkthrough

View Brochure

Overview

From live codebase to reviewable governance evidence

CodeScan is designed for organisations that need more than a technical scan report. It helps teams examine live repositories for evidence of personal-data handling, vendor and transfer signals, and AI-related components, then routes those findings into a governed review process that supports the wider privacy and AI-governance operating model.

StartConnect

Connect technical evidence without breaking governance boundaries

CodeScan is built to inspect repository content in a controlled and reviewable way. The objective is to establish technical context, understand what the system is doing, and bring that evidence into the compliance workflow without turning the exercise into an unmanaged copy of the engineering estate.

The first step is to connect real technical evidence to the governance process, so review starts from what the codebase is doing in practice rather than from narrative descriptions alone.

Repository context

Files, structure, dependencies, and implementation signals are used to establish technical context.

Implementation signals

The codebase is examined as it exists in practice, helping reviewers assess actual implementation.

Connected workflow

Technical context sits alongside the wider governance workflow rather than being separated from privacy review.

01Scope

Define the right governance scope before findings are produced

A useful scan starts with scope. CodeScan can be framed around the governance question that matters: visibility over personal-data processing, vendor and transfer signals, AI-related components, or a combination of these.

The scan should be driven by governance purpose, not just technical curiosity. A review point before execution helps ensure the work supports the business question rather than producing noise.

Scope

Privacy reviewFocus on personal-data handling, processors, transfers, and wider privacy relevance.

AI-governance reviewFocus on AI-related components, model integrations, and follow-up that may be needed.

Pre-execution reviewAlign the scan to the repository context and compliance objective before results are produced.

02Detect

Detect personal-data handling, vendors, transfer signals, and AI components from the codebase itself

CodeScan should be presented as a multi-surface evidence workflow rather than a basic keyword scan. It can analyse source code together with surrounding technical signals such as dependencies, schemas, configuration, and implementation patterns.

The strongest story is not scanning text. It is detecting compliance-relevant evidence across the technical estate in a form that is more useful for DPO, legal, security, and engineering teams.

CodeScan - Evidence signals

Personal-data handling signals across code and schema layersPrivacy

Third-party tools and SDK usage that may indicate processor relationshipsVendor

Transfer-relevant implementation signals that may need follow-upTransfer

AI-related components and model integrations for governance reviewAI

Cross-surface context from dependencies, config, and implementation patternsContext

Multi-surface ->Detect compliance-relevant evidence across the technical estate, not just isolated text matches.

03Review

Review findings with provenance that privacy and engineering teams can inspect

Findings should not appear as unsupported alerts. They should arrive with provenance that allows reviewers to understand what was found, where it was found, and why it matters.

Evidence becomes useful when people can inspect it, challenge it, and approve it with confidence. Human reviewers can confirm, reject, annotate, and refine findings before anything is treated as an official output.

Inspectable provenance

Findings are reviewed against the underlying repository evidence and surrounding technical context.

Human decisions

Reviewers can confirm, reject, annotate, and refine findings before they become official outputs.

Shared review workflow

The review layer supports collaboration between privacy, legal, security, and engineering stakeholders.

Principle ->Discover from code, decide with people, and preserve the reasoning behind every approval.

04Record

Turn approved technical evidence into durable governance records

The real value emerges when approved findings are no longer trapped in a scan report. Once reviewed, technical evidence can support the organisation's wider operating record across assessments, risk, records, data mapping, and related documentation.

A strong compliance workflow does not end with findings. It creates an accountable record that different audiences can use without losing the link back to reviewed technical evidence.

Data Mapping

Support connected records

Approved findings can support documentation of systems, suppliers, processing context, and broader data-mapping work.

Risk & review

Curate evidence for different reviewers

Technical evidence can be shaped into outputs suitable for operational teams, privacy reviewers, and governance stakeholders.

Leadership

Preserve a durable record

The point is not only to generate a report, but to preserve reviewed evidence in a usable governance record.

Connected platform

Feed the wider operating model

Approved work products feed connected compliance records rather than sitting in isolation from the rest of the platform.

05Activate

Use approved findings to trigger downstream privacy and AI-governance action

CodeScan should end with action. Once evidence has been reviewed, it can support the next stage of governance work instead of forcing teams to start again from a blank page.

The objective is not merely to detect issues. It is to turn technical evidence into governed action, while later scans can revisit changes in the codebase and preserve earlier review history.

Activate

DPIA

AI Review

Records

History

Outcome ->Reviewed evidence can support follow-up action now and remain useful as the codebase changes over time.

Connected platform

Governed evidence from the code itself

CodeScan is best understood as part of Acompli's wider governance platform. It helps organisations inspect live technical evidence, review findings with human oversight, and carry approved outputs into the broader compliance workflow.

Technical evidence connected to governance workflows

Repository findings do not sit in isolation. They support the wider operating model across reviews, records, and follow-up work.

Privacy and AI-governance review in one operating model

The same technical evidence can support privacy review, AI-governance review, or both together without splitting the workflow apart.

Human-reviewed findings with inspectable provenance

Findings become credible when teams can inspect the evidence, challenge the interpretation, and approve outputs with confidence.

Approved outputs that feed records, assessments, and follow-up action

Once reviewed, technical evidence can support records, assessments, downstream action, and later rescans without starting from zero.

From live codebase to reviewable governance evidence

Inspect live technical evidence, review findings with human oversight, and carry approved outputs into assessments, risk review, data mapping, and AI-governance work. CodeScan belongs inside the wider Acompli platform story, not beside it.

Get started →Book a walkthrough

Frequently Asked Questions

Is CodeScan a standalone scanner?

No. CodeScan is best understood as part of Acompli's connected governance platform. The point is not to produce an isolated scan report, but to bring technical evidence into a workflow where privacy, legal, security, and engineering teams can review it, preserve it with provenance, and use approved outputs in wider governance work.

What is decided before findings are produced?

What kinds of evidence can CodeScan surface?

How are findings reviewed?

How does this support privacy and AI-governance together?

What happens after a finding is approved?

Can later scans preserve the earlier review history?