Frequently Asked Questions
Clear answers for security teams, compliance leaders, and enterprise decision-makers.
40T performs a controlled, read-only analysis of a public website, evaluating observable behavior such as tracking activity and third-party interactions without impacting the system.
Yes. The scan is non-intrusive and does not modify, access, or interfere with your site in any way.
A limited number per session. Full access requires a subscription. Discovery scans are designed to give you a preview of potential exposure, not a full assessment.
The discovery scan is limited to surface-level exposure signals. Full validated findings, evidence chains, and remediation guidance are available within the platform after sign-up.
Tracking behavior, third-party activity, and AI-driven systems operating outside expected privacy controls — evaluated against widely recognized compliance frameworks.
When data collection occurs before consent or outside expected controls, it may constitute a violation. Under major privacy frameworks, non-essential services must not load until the user has given consent.
Evaluation against widely recognized international and regional privacy and security frameworks. Coverage spans major global jurisdictions.
CMPs manage consent configuration — they help you ask for permission. 40T verifies real-world execution — whether your site actually complies with what users were promised.
40T verifies compliance behavior, not just consent configuration. We detect what actually loads on your site, identify risk signals CMPs cannot see, and generate forensic evidence chains that hold up in regulatory proceedings.
No. 40T acts as an independent verification layer above your CMP — confirming that what your CMP claims is actually happening in practice.
Scalable visibility across multiple domains, audit-ready reporting, continuous monitoring, and evidence packages designed for legal and regulatory defense.
Yes, for integration and automation. API access is available on Professional plans and above.
Validated findings with supporting context, severity rankings, jurisdiction-specific citations, and remediation guidance structured for legal and audit use.
Available within the platform after full assessment. Reports are formatted for direct submission to legal teams, auditors, and regulatory bodies.
Structured, defensible insights supported by cryptographic integrity verification, precise timestamps, and traceable evidence chains for audits and regulatory reviews.
Yes. The platform uses controlled analysis and minimal data handling. Backend intelligence is never exposed to the frontend. Scan results are sanitized before display.
40T monitors actual runtime behavior of every service detected on your site. If a script or service begins behaving differently — new outbound connections, altered payloads, unauthorized data collection — 40T flags it with exact evidence. Your CMP will never catch that.
Ensuring automated systems interact within privacy and security expectations — verifying that AI-driven actions on data comply with applicable regulations before they execute.
40T provides visibility into AI-related service behavior and associated risk signals, helping organizations understand what AI services are active on their properties and whether they operate within expected compliance boundaries.
Yes. Agency and enterprise plans include centralized visibility across multiple domains from a single dashboard.
Yes. Governance tools manage policy documentation. 40T validates real-world behavior — confirming that what your policies say is actually happening in practice.