About
Compliance that scales with your codebase, not with your meetings.
ComplianceLint is built for the moment EU AI Act high-risk enforcement begins on August 2, 2026 — and for every AI team that wants their compliance posture to be a deterministic property of their git repository, not a quarterly meeting.
Why we built it
Every existing compliance tool we tried did one of three things wrong:
- Cloud upload. Asked us to push our entire source tree to a third party for analysis. That breaks every IP and ITAR conversation before it starts.
- Vague checks. Reported “you may need logging” without a specific obligation reference. A finding that cannot be traced to the legal text cannot be defended in a courtroom.
- Throw-it-over-the-wall consulting. Treated compliance as a quarterly review. Reality: it's a property of every commit.
We built ComplianceLint because the team who ships the code should be the team who knows whether it's compliant — and they should know it before the scan, not after.
What's distinctive
Deterministic obligation engine
247 atomic obligations decomposed from 44 EU AI Act articles. Each obligation traces to verbatim EUR-Lex source text. Same code in, same findings out — no LLM improvisation, no hallucinated article numbers.
Privacy-first by architecture
The scanner runs in your local AI IDE. Your AI assistant reads the code and answers the scanner's questions about it; the obligation engine maps those answers to legal verdicts. Only findings and citations cross the network. The dashboard volume is LUKS2-encrypted, the cookie banner is ePrivacy-compliant, and GDPR Articles 15-21 are covered by self-service endpoints.
Git-native audit trail
Your repository is the primary evidence store — not our SaaS. We never execute git on your behalf, never lock you into a host, and your audit trail survives history rewrites via the integrity ledger and force-push acknowledge gate.
Source-available + open obligations
Scanner code, MCP server, and obligation JSONs ship under BSL 1.1. The Deontic Decomposition engine that produces those obligation atoms is private (it's how we keep the obligation set legally rigorous), but every obligation we ship is auditable and forkable.
Who builds it
ComplianceLint is built by Kisum GmbH, a Germany-based software company. We're a small, engineering-led team focused exclusively on EU AI Act compliance tooling and the broader compliance-as-code problem space (GDPR, CRA, NIS2, DORA on the roadmap).
Company information & legal contact: Impressum. Privacy posture: /legal/privacy.
Roadmap (transparent)
Our public commitment is the EU AI Act today. The architecture is regulation-agnostic (obligation atoms + deterministic engine), so the next four pillars layer onto the same scanner:
Architecture reuse drops onboarding from 6 weeks for the first regulation to 3-4 weeks for each subsequent one. Public roadmap with rationale lives in the GitHub README.
Source-available, community-shaped
Scanner + MCP server + 247 obligation JSONs are public on GitHub under BSL 1.1 (Source Available). Open issues, propose obligation refinements, fork freely — the licence reverts to Apache 2.0 four years after each release.
ComplianceLint provides AI-assisted compliance assessments, not legal advice. All findings require review by qualified legal counsel.