
GDPR Article 32 evidence
without the consultant invoice.

Article 32 demands 'appropriate technical and organizational measures' — vague on purpose, so regulators can argue you didn't do enough after a breach. AuditCore produces the technical evidence: encryption in transit, regular testing of effectiveness, breach-readiness signals. Pair with a DPO for the org half.

TL;DR

GDPR doesn't list specific technical controls — it requires controls 'appropriate to the risk'. In practice, regulators (CNIL, ICO, Garante) expect: TLS everywhere, security headers, no SQL injection, no broken access control, regular pentesting, prompt patching. After a breach, your DPA will ask for your scan history.

AuditCore covers the testing-effectiveness side (Art 32(1)(d)). You still need: DPO appointment, ROPA, DPIA for high-risk processing, breach notification process, sub-processor agreements. Those are paperwork. The pentest evidence isn't — and that's the gap we fill.

Requirement → AuditCore scanner coverage

Each requirement of the standard is mapped to the AuditCore scanners that contribute evidence. Coverage levels: full = automated end-to-end; partial = covers part, with manual review for the rest; manual = AuditCore doesn't automate it (process, paperwork or org-only controls).

ID: Art 32(1)(a)
Requirement: Pseudonymisation and encryption of personal data
Coverage: partial
Scanners: SSLyzeScanner, HeaderAnalyzer, GitleaksScanner, SensitiveFilesScanner
Notes: TLS in transit checks, sensitive data exposure detection, hardcoded secrets in source. Encryption at rest verification requires infrastructure access we don't have.

ID: Art 32(1)(b)
Requirement: Ongoing confidentiality, integrity, availability
Coverage: full
Scanners: AuthReplay, JwtAnalyzer, SessionTester, SqlmapScanner, XxeScanner, BusinessLogicScanner
Notes: Authorization testing (BOLA/BFLA), injection scanning, session security.

ID: Art 32(1)(c)
Requirement: Ability to restore availability after incident
Coverage: partial
Scanners: RaceConditionTester, SmugglingScanner
Notes: Resilience testing — race conditions, DoS-amplification vectors. Backup verification is outside scanner scope.

ID: Art 32(1)(d)
Requirement: Regular testing of effectiveness of technical measures
Coverage: full
Scanners: ZapScanner, NucleiScanner, NiktoScanner, SemgrepScanner, TrivyScanner
Notes: This is what AuditCore IS. Scheduled scans + change-driven re-scans + per-finding remediation tracking.

ID: Art 32(2)
Requirement: Risk-based selection of measures
Coverage: full
Scanners: AiContextScanner
Notes: Risk scoring of findings (CVSS), severity-aware reporting, false-positive rate disclosed.

ID: Art 25
Requirement: Data protection by design and by default
Coverage: full
Scanners: HeaderAnalyzer, CorsChecker, SensitiveFilesScanner, AiAgentScanner, PromptInjectionTester
Notes: Header misconfigurations, default-permissive CORS, debug endpoints leaking data, JS-rendered content blocking AI/bot indexing of PII pages.

ID: Art 33
Requirement: Breach notification readiness
Coverage: partial
Scanners: GitleaksScanner, SubdomainTakeoverScanner, SensitiveFilesScanner
Notes: Detecting exposed credentials, leaked tokens, public S3-style endpoints — the typical breach vectors that trigger 72h notification. Detection of exposure is automated; the 72h notification workflow is a process you still own.

Sample findings AuditCore surfaces for this standard

Real finding types our scanners produce. Each maps to one or more of the requirements above.

Critical: Personal data leaked via misconfigured CORS (Art 25, Art 32)

Wildcard CORS + credentials on an API returning user PII means any malicious site can exfiltrate your users' data. Multiple supervisory authorities have fined this exact pattern.

Critical: /api/users endpoint returns full user list without auth (Art 32(1)(b))

Classic BOLA / IDOR. Single endpoint exposure of personal data triggers Art 33 breach notification + likely fine.

High: Hardcoded API key in JavaScript bundle (Art 32(1)(a))

Credential exposure = pseudonymisation failure. Often a Stripe/Sendgrid/AWS key with PII-access scope.

High: TLS 1.0/1.1 still accepted on PII-handling endpoint

Encryption in transit failure (Art 32(1)(a)). Triggers automatic non-conformity at any GDPR audit.

Medium: Debug stack trace leaks file paths + DB schema

Privacy-by-design failure. Even if no PII shown, attackers map your data model from the trace.

Recommended tier

Pro ($299)

Pro covers full Article 32 technical scope: deep DAST + injection scanning + auth/session testing + dependency CVEs + secrets detection. Business tier adds credentialed scans (for testing internal/staff portals) and white-label PDFs for handing to your DPA.

What AuditCore doesn't cover

Honest scope — these items are part of the standard but require process, paperwork, or org-level controls outside what a web scanner can verify. Use a manual auditor / compliance consultant for these.

  • Records of Processing Activities (ROPA / Art 30) — paperwork
  • Data Protection Impact Assessments (DPIA / Art 35)
  • Data Protection Officer appointment + registration (Art 37)
  • Sub-processor due diligence + DPA agreements (Art 28)
  • Data Subject Access Request (DSAR) workflow (Art 15)
  • International data transfer safeguards (Chapter V / SCCs)
  • Lawful basis documentation (Art 6)
  • Privacy policy and consent UI text

FAQ

Is AuditCore enough for GDPR compliance on its own?

No — and anyone selling you a tool that 'makes you GDPR compliant' is lying. GDPR is roughly 30% technical + 70% organizational (DPO, ROPA, DPIAs, consent, lawful basis, contracts). AuditCore handles the technical 30% well. For the rest, you need a DPO and/or a privacy consultant. We make sure the technical evidence is rock-solid so the org-side work is the only thing your DPO has to argue about.

Will AuditCore findings hold up if a supervisory authority asks for technical evidence after a breach?

Yes. The PDF report includes scan dates, scope, methodology, per-finding CVSS + remediation, and false-positive rate. CNIL and ICO have both stated they expect 'regular testing of effectiveness' (Art 32(1)(d)) — a scheduled scan history with documented remediation is exactly that. We're not a substitute for the breach-response process, but we're concrete evidence that you took 'appropriate' technical measures.

Does AuditCore handle data minimization checks?

Partially. We detect endpoints returning more PII than the request needs (e.g., /api/orders/123 returning entire user object instead of just order fields) via the SmartApiScanner + business logic checks. Full minimization audit requires reading your schema + intent — that's a manual review. We surface red flags.

What about consent + cookie banner compliance?

AuditCore checks cookie technical properties (Secure / HttpOnly / SameSite / Max-Age) but does NOT audit your consent banner UI or lawful basis. Use a dedicated CMP (Cookiebot, Iubenda, OneTrust) for banner compliance — they handle the legal-text side that we don't.
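The two response-header checks described on this page (the misconfigured-CORS sample finding above and the cookie Secure / HttpOnly / SameSite properties in this answer) as an added, self-contained example. This is illustrative code, not AuditCore's CorsChecker or HeaderAnalyzer; the response block, origin and cookie names are constructed.

```python
# Added example (not AuditCore's code): CORS and cookie-attribute checks of the
# kind the findings above describe, run over a constructed HTTP response.
from dataclasses import dataclass

@dataclass
class Finding:
    severity: str
    title: str
    article: str

# Constructed sample: reflected Origin with credentials, session cookie without flags.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: https://third-party.example
Access-Control-Allow-Credentials: true
Set-Cookie: sessionid=abc123; Path=/
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""
SESSION_HINTS = ("sess", "token", "auth", "sid")  # cookie names likely to carry a login

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Parse a raw response header block into lower-cased (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_cors(pairs: list[tuple[str, str]], request_origin: str) -> list[Finding]:
    """Flag CORS policies that let any site read PII with the victim's cookies."""
    h = dict(pairs)
    acao = h.get("access-control-allow-origin", "")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:  # browsers reject this pair, but it signals a permissive policy
        return [Finding("critical", "Wildcard CORS with credentials", "Art 25, Art 32")]
    if creds and acao == request_origin:  # reflected arbitrary Origin: the exploitable form
        return [Finding("critical", "Origin reflection with credentials", "Art 25, Art 32")]
    return []

def check_cookies(pairs: list[tuple[str, str]]) -> list[Finding]:
    """Flag Set-Cookie headers missing Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in pairs:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            sev = "high" if any(k in cookie_name.lower() for k in SESSION_HINTS) else "medium"
            findings.append(Finding(sev, f"Cookie {cookie_name} missing {', '.join(missing)}", "Art 32(1)(b)"))
    return findings
```

Call `check_cors(parse_headers(SAMPLE_RESPONSE), "https://third-party.example")` and `check_cookies(parse_headers(SAMPLE_RESPONSE))` to see one critical CORS finding and one high cookie finding for `sessionid`.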

We're a US company with EU customers. Does GDPR still apply?

If you offer goods/services to people in the EU or monitor their behavior (Art 3), yes — extraterritorial scope. Same Art 32 technical requirements apply. AuditCore findings are equally valid evidence regardless of where your servers are hosted (though hosting location matters for international transfer compliance, which is a separate Art 44+ topic).

How does AuditCore handle Schrems II / international transfers?

Not directly — Schrems II is about contractual/legal protections for data leaving the EEA (SCCs + Transfer Impact Assessment). What we DO surface: hardcoded endpoints pointing to non-EU services (you can spot transfers happening before procurement signed off), exposed cloud metadata leaking infrastructure location.

Start the audit in 60 seconds

Free 1-page audit, no credit card. Upgrade to Pro ($299) when you need the full standard coverage.