Open-source · Rust-native CLI · MCP server for AI agents

Privacy Engineering for AI Agents & Developers

Audit code, scan websites, detect 111k+ trackers, map data flows, and generate GDPR policies — in one command.

Install via Cargo

$ etalon audit ./
 
● Scanning 247 files across 3 languages…
● Running 6 scanners: code, schema, config, server, cname, custom
 
CODE ⚠️ MEDIUM tracker-without-consent
src/tracking.ts:12 — Plausible script loaded before consent check
→ GDPR Art. 6(1)(a)
 
CNAME ⚠️ MEDIUM cname-cloaking
vercel.json:8 — CNAME rewrite to analytics subdomain
→ GDPR Art. 5(1)(a)
 
CONFIG ℹ️ LOW cookie-samesite
src/auth/session.ts:45 — SameSite=Lax recommended over None
 
────────────────────────────────────────────────────
ETALON SCORE: A- (92/100)
3 findings · 0 critical · 0 high · 2 medium · 1 low · 0.8s
The Trust Heartbeat

Not a linter. A 6-scanner intelligence engine.

Every finding is enriched with GDPR references, git blame, and context-aware severity scoring.

🔍

6-Point Static Audit

Parallel scanners analyze every layer of your stack

📦 Code Scanner

Tracker SDKs in npm, pip, cargo. Import patterns, API calls, env vars.

🗄️ Schema Scanner

PII in Prisma, SQL, Django, SQLAlchemy, TypeORM, Diesel schemas.

⚙️ Config Scanner

Cookie settings, CORS, CSP headers, security misconfigurations.

🖥️ Server Tracker

Server-side tracking patterns that bypass ad blockers.

🔗 CNAME Cloaking

DNS-based tracking cloaked behind first-party CNAME records.

🔧 Custom Rules

Your own detection rules via .etalon/rules/ plugin system.

$ etalon audit ./ --include-blame
6 scanners · 3 languages · 6 ORM formats · Context-aware scoring
📜

Policy Generator

Code-aware GDPR policies

Scans your actual codebase and generates a complete 8-section GDPR privacy policy that matches what your code really does. No more lawyer guesswork.

✓ Data Controller & DPO Contact

✓ Third-Party Services (auto-detected)

✓ Cookies & Tracking Technologies

✓ International Data Transfers

✓ Your Rights (Art. 15–22)

$ etalon generate-policy ./ --company "Acme"
✓ Generated privacy-policy.md (8 sections)

Tech Framework Scanner

Blazing fast async fingerprinting

Live website tracking via headless Chromium. Detects framework technologies, intercepts network requests, and verifies if third-party trackers are actually respecting cookie consent banners.

React, Next.js, Vue, Nuxt, Angular detection
Consent banner bypass validation
Headless JS execution & network interception
$ etalon scan https://example.com
Stack: Next.js, Tailwind · Found 4 trackers (2 without consent)
🤖

AI Agent Native

Model Context Protocol Server

Give your AI coding assistants (Claude Desktop, Cursor, Cline) native access to the ETALON intelligence engine. They can autonomously audit PRs and fix privacy violations.

etalon_lookup_vendor
etalon_search_vendors
Claude Code (via MCP):
> "I found a call to mixpanel in auth.ts. Mixpanel is an analytics tracker (High Risk) that requires consent. Shall I wrap it in a consent check?"
🌐

111k+ Domain Registry

The live intelligence moat

26,886 Vendor Profiles
111,603 Tracked Domains
23 Categories
138 Detection Patterns

$ etalon lookup analytics.google.com
Google Analytics · analytics · risk: high · GDPR: consent required · DPA: available