Point it at a vendor. Bandit finds the privacy policy, reads the DPA, checks the SOC 2, and scores everything across 8 GDPR/CCPA dimensions — calibrated to your industry, your tech stack, and what that vendor actually does for you.
GRC scores the policy. Legal negotiates without the findings. IT provisions without knowing what data flows where. No team gets what they need to act on the same assessment.
AI training clauses buried in DPAs. Breach timelines absent from contracts. Sub-processors unlisted in annexes. Buried in plain sight in documents nobody has time to read.
A healthcare vendor and a marketing tool get the same generic assessment. What the vendor actually does for you — which systems they access, what data flows — changes everything about the risk picture.
One assessment, one spreadsheet, forgotten. No history. No trend. No record of what changed between reviews. Every reassessment starts from scratch as if the last one never happened.
Most vendor risk tools treat every assessment the same way. Bandit builds context before it looks — and that context flows forward into every decision.
Industry, locations, regulatory frameworks, and your actual internal tools. Set once. Informs every assessment after.
12 questions per vendor. What data they access, which of your systems they touch, whether they use AI, how critical they are. Stored permanently.
Privacy Bandit, Legal Bandit, and the rubric engine each know what to look for because context from steps 1 and 2 is already loaded before they start.
Every result writes to the vendor's permanent record. Risk tiers, open findings, renewal dates. The tool gets more useful the more you run it.
The LLM extracts evidence signals — present or absent. The rubric converts them to scores using fixed, published rules. Same policy, same score, regardless of which model you use.
What matters isn't just your sector — it's what the vendor does for you. A tech company using NetSuite for finance needs different scrutiny than one using it for CRM. Bandit knows the difference.
Every dimension, every scoring threshold, every enforcement precedent is documented in RUBRIC.md and versioned independently of the application. Changes are attributable. Scores are auditable. Nothing is proprietary.
Modular agents. Each one knows its domain, picks its own tools, and adapts to what it finds. Use one or run the whole crew.
Policy Scout (LIVE). Privacy policy scoring across 8 GDPR/CCPA dimensions with evidence extraction and contract redlines.
Contract Cracker (LIVE). GDPR Art. 28(3) DPA checklist, verbatim clause extraction, policy/contract conflict detection, redline briefs.
Model Mole (COMING SOON). AI training risk, model usage terms, EU AI Act compliance, training data opt-out assessment.
SOC Stalker (COMING SOON). SOC 2 Type II gap analysis, ISO 27001/27701 certification review, attestation completeness check.
Flow Tracer (COMING SOON). Data flow mapping, transfer analysis, sub-processor chain tracing.
Every bandit assess run saves an HTML report alongside the terminal output.
Each dimension shows what was confirmed and what's missing — with the specific signal that would close the gap.
Enforcement-backed phrases that cap the score. Shown with matched text so you can verify them directly.
For scores ≤ 3, specific DPA and MSA language to request from the vendor — ready for Legal to paste into negotiations.
A standalone redline brief for your legal team. Current contract language verbatim, gaps identified, replacement clauses provided.
Upload DPAs, MSAs, SOC 2 reports from a local folder or Google Drive. Bandit auto-detects document types and merges findings across all sources.
Run bandit vendor add once per vendor. Assessment history, risk trends, renewal dates, and IT notification queue — all stored permanently.
A consolidated follow-up email with all gap questions, formatted and ready to send to the vendor's privacy or legal team.
The AI extracts evidence. Bandit scores it. A published, enforcement-grounded rubric — built from GDPR enforcement actions, FTC settlements, and EDPB guidelines — means GPT-4o and Claude produce the same score from the same policy.
Best overall quality for nuanced policy analysis (API key required)
Excellent quality, widely used in enterprise environments (API key required)
Strong quality at lower cost per assessment (API key required)
Fully local. No API key. Data never leaves your machine. (Fully local, free)
Good quality, European-hosted option for data residency (API key required)
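As an added illustration of the split described above between model-dependent evidence extraction and model-independent scoring (example code written for this page, not Bandit's own code or its RUBRIC.md): the extractor's present/absent signals feed fixed rules, and matched enforcement-backed phrases cap the score. The dimension names, signals, thresholds and cap phrases are assumptions for the example.

```python
from dataclasses import dataclass, field

# Hypothetical rubric (assumption, not Bandit's RUBRIC.md): per dimension, the evidence
# signals an extractor reports present/absent, plus phrases that cap the score when matched.
RUBRIC = {
    "breach_notification": {
        "signals": ["notifies_without_undue_delay", "states_72h_window",
                    "covers_subprocessor_breaches"],
        "caps": {"at our sole discretion": 2},  # phrase -> maximum score
    },
    "ai_training": {
        "signals": ["no_training_on_customer_data", "opt_out_mechanism",
                    "covers_subprocessors"],
        "caps": {"to improve our services": 3},
    },
}

@dataclass
class DimensionScore:
    score: int               # 0..5
    confirmed: list[str]
    missing: list[str]       # the signals that would close the gap
    cap_hits: list[str] = field(default_factory=list)  # matched cap phrases

def score_dimension(name: str, evidence: dict[str, bool], policy_text: str) -> DimensionScore:
    """Fixed rules only: identical evidence yields an identical score, whichever model produced it."""
    rule = RUBRIC[name]
    confirmed = [s for s in rule["signals"] if evidence.get(s) is True]
    missing = [s for s in rule["signals"] if s not in confirmed]
    total = len(rule["signals"])
    score = (10 * len(confirmed) + total) // (2 * total)  # 0..5, rounded half up
    lowered = policy_text.lower()
    cap_hits = [p for p in rule["caps"] if p in lowered]
    for p in cap_hits:  # a matched phrase caps the score; the text is kept for verification
        score = min(score, rule["caps"][p])
    return DimensionScore(score, confirmed, missing, cap_hits)

def score_vendor(evidence: dict[str, dict[str, bool]], policy_text: str) -> dict[str, DimensionScore]:
    """Score every rubric dimension for one vendor from one extractor run."""
    return {d: score_dimension(d, evidence.get(d, {}), policy_text) for d in RUBRIC}

# Constructed sample: what an extractor might report for one vendor policy.
SAMPLE_EVIDENCE = {
    "breach_notification": {"notifies_without_undue_delay": True, "states_72h_window": True,
                            "covers_subprocessor_breaches": True},
    "ai_training": {"no_training_on_customer_data": False, "opt_out_mechanism": True,
                    "covers_subprocessors": True},
}
SAMPLE_POLICY = ("We notify you of a personal data breach without undue delay and within "
                 "72 hours. The timing of any notification is at our sole discretion.")
```

Running `score_vendor(SAMPLE_EVIDENCE, SAMPLE_POLICY)` shows the cap in action: all three breach signals are confirmed, yet the matched phrase holds the score at 2, and the `missing` list names the exact signal a vendor would need to supply to raise the AI-training score.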
Privacy Bandit is live today. The rest of the crew ships as each agent is ready.
Bandit finds it first. Free, open source, forever.
Get Started on GitHub ↗