Ship AI
without the lawyers.
Upload your codebase or connect GitHub. Conformis scans every AI feature, classifies its risk under the EU AI Act, and generates audit-ready documentation — in minutes, not months.
Report
Compliance is strangling your roadmap.
Manual audits cost €15,000 — and take six weeks.
By the time the consultant emails you the PDF, your AI feature has shipped twice and the doc is stale.
Enterprise procurement is a wall.
Every B2B deal now demands AI Act documentation. We've seen €200k contracts die over a missing checklist.
Regulations don't sit still.
AI Act, GDPR, NIS-2, DSA. One-shot compliance is obsolete the day you sign it. You need a system, not a document.
Four steps. From codebase to regulator-ready.
Upload or connect
Zip your codebase and upload, or connect GitHub directly. Conformis runs inside an isolated EU-based container. No code leaves the EU.
Detection layer scans every line
AST parsing identifies every call to OpenAI, Anthropic, Google, HuggingFace, or your own ML models.
AI classifies the risk
Each detected feature is mapped against EU AI Act Annex III categories with plain-English rationale.
Documents generate themselves
Article 11 technical documentation with obligations, evidence, and next steps. Exportable as PDF.
Your code never leaves your machine.
Would rather not upload a zip or grant repo access? conformis is a lightweight CLI that scans locally and transmits only the findings — never your source. Perfect for CI pipelines, regulated environments, or founders who'd rather keep everything on disk.
Install the CLI
One dependency, no config. Works anywhere Python 3.9+ runs — laptop, CI runner, air-gapped box.
pip install conformisSet your user id
Find your user id in the dashboard (top-right, under your name). Set it once as an environment variable.
export CONFORMIS_USER_ID=user_xxxxxxxxScan your codebase
conformis walks your project locally with the same AST-based detector the platform uses — Python, JS/TS, package.json.
conformis scan .View results at your dashboard
The CLI prints a link straight to your readiness dashboard — same risk classification and gap analysis as a ZIP upload.
- File path (relative to scan root)
- Line number and library name
- A one-line code snippet and short description
- Full source files or file contents
- .env files or secrets
- Git history or metadata, absolute paths
--privacy-mode strips every code snippet client-side before anything is sent. --dry-run prints the exact JSON payload that would be sent — nothing transmitted — so you can verify before you trust it.
Built for founders who'd rather be shipping.
Automated scanning
AST-level analysis of Python and JS/TS detects AI/ML imports, inference calls, and risk patterns automatically.
EU AI Act classification
Prohibited, High Risk, Limited Risk, or Minimal Risk — per Annex III. With evidence and rationale.
Article 11 PDF
Technical documentation with obligations, evidence snippets, and next steps. Audit-ready in seconds.
EU-resident infrastructure
Your code never leaves the EU. Scanned in isolated infrastructure, retained only with your scan, gone the moment you delete it.
GitHub integration
Connect your repos directly. Scan without downloading. Supports public and private repositories.
API-first
Embed compliance checks in your CI/CD. Block risky merges before they hit main.
What Conformis finds
in a real codebase.
Scan the public openai/openai-quickstart-node repo yourself — deterministic classification means you get exactly this result.
15 files scanned, all containing AI. The vision feature is flagged as a prohibited-practice risk under Article 5 (biometric / emotion processing); transparency and oversight gaps follow across the chat, assistants, and fine-tuning features.
Less than your last legal invoice.
- Compliance score only
- 3 scans/month
- ZIP upload & GitHub integration
- No gap details or guidance
- Full gap analysis per article
- Unlimited scans
- PDF compliance report
- GitHub integration
- Remediation guidance
- Compliance checklist & executive summary
- Priority support
The jump over Pro buys the AI Compliance Copilot — a reasoning advisor over your specific gaps, not just more scans.
- Everything in Pro
- Compliance Copilot (AI advisor)
- Annex IV doc generation
- Developer / Legal / Executive modes
- Conversation history per scan
- Early access to new features
We've thought about it.
Does my code leave my infrastructure?+
No. Conformis runs read-only scans inside an isolated EU-based container, deletes the working copy after each scan, and stores only the analysis output. No model training on your code. Ever.
Does it work with JavaScript and TypeScript?+
Yes. Conformis scans Python, JavaScript, TypeScript, JSX, and TSX. It detects AI libraries like OpenAI, Anthropic, LangChain, Vercel AI SDK, and HuggingFace — including package.json dependencies, React hooks, and API route patterns.
How long does a scan take?+
Under 60 seconds for most codebases. Upload a ZIP or connect GitHub — Conformis scans your files, classifies risk tiers, and generates a PDF report with gap analysis and remediation steps in one shot.
Will this replace our legal counsel?+
No — and that's the point. Conformis handles the 80% of repetitive documentation work. Your legal team focuses on the 20% that actually needs judgment.
What if the AI Act changes?+
It will — it already has: the EU's 2026 Digital Omnibus pushed the main high-risk deadline from Aug 2026 to Dec 2027. We track EUR-Lex and the AI Office for changes like this and update our classification logic and this page when the rules move. Article 5's prohibited-practice bans weren't part of that delay and have applied since Feb 2025.
How accurate is the risk classification?+
Our classifier uses Claude AI benchmarked against published EU Commission guidance. We show you the reasoning and evidence behind every classification — including which exact function or line of code triggered the finding. It's a starting point for your compliance work, not a legal opinion — see our next answer.
Is GitHub integration secure?+
We request read-only access to your repositories. Your code is cloned into an isolated container to run the scan. For ZIP and GitHub scans, we keep the uploaded code alongside the scan record — that's what powers features like Auto-Fix, which needs your real source to generate a patch. Delete a scan and its source is permanently deleted with it. If you'd rather your code never touch our servers at all, use the conformis CLI: it scans locally and only ever transmits findings (file path, line, library, one-line snippet) — never source.
What is the EU AI Act deadline?+
High-risk AI systems must comply by August 2, 2026. Prohibited practices were banned from February 2, 2025. Fines for non-compliance can reach €35 million or 7% of global annual turnover — whichever is higher.