FAQ Page Copy — ComplianceLayer
Goal: Answer objections before they become blockers. SEO-friendly for long-tail queries.
Structure: Grouped by category for scannability.
Product
What does ComplianceLayer scan?
ComplianceLayer performs external security scans across four categories:
- DNS/Email: SPF, DMARC, DKIM, CAA records, DNSSEC, MX configuration
- SSL/TLS: Certificate validity, chain issues, expiration, protocol versions, cipher strength
- Open Ports: TCP scan of common ports (SSH, RDP, SMB, HTTP/S, FTP, databases, etc.)
- HTTP Headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CORS
Each category receives a score (0-100) and grade (A-F), with specific findings and remediation steps.
How long does a scan take?
A full scan typically completes in 8-15 seconds. DNS and SSL checks are fast; port scanning is the bottleneck. We scan approximately 100 common TCP ports.
Can I scan any domain?
You can scan any publicly accessible domain. We only check externally visible services — the same information any internet-connected system can observe. You don't need to own the domain to scan it, but our Terms of Service prohibit scanning for malicious purposes.
What's the difference between ComplianceLayer and a vulnerability scanner?
Vulnerability scanners (like Nessus, Qualys, or OpenVAS) typically run from inside your network and look for known CVEs on specific hosts. ComplianceLayer scans from the outside — the attacker's perspective — and focuses on configuration issues: exposed services, missing security headers, email authentication gaps, SSL problems. They're complementary, not replacements.
Do you detect actual vulnerabilities?
We detect misconfigurations and exposures that make you vulnerable — open RDP, missing DMARC, expired SSL certificates, missing or weak HTTP security headers. We don't probe for specific CVEs or attempt exploitation. Think of us as "attack surface visibility" rather than "penetration testing."
Pricing & Billing
How much does ComplianceLayer cost?
- Free: $0/month — 10 scans/day, 1 domain
- Starter: $99/month — 250 scans/month, 10 domains
- Pro: $249/month — 1,000 scans/month, 50 domains
- Business: $599/month — 5,000 scans/month, 200 domains
- Enterprise: Custom pricing for unlimited usage
All paid plans include API access, scan history, and email support.
Is the free tier really free?
Yes. No credit card required, no expiration, no feature crippling. The free tier is permanent. We want you to try the product before paying.
Do you offer annual billing?
Yes — pay annually and get 2 months free (17% discount). You can switch to annual billing at any time from your dashboard.
What happens if I exceed my scan limit?
You'll receive a warning email at 80% of your limit. If you hit 100%, additional scans will return a 429 (rate limit) error until your next billing cycle. You can upgrade mid-cycle to get more scans immediately — we'll prorate the charge.
Can I cancel anytime?
Yes. All plans are month-to-month with no contract. Cancel with one click from your dashboard. You'll retain access until the end of your current billing period.
Do you offer refunds?
We don't offer refunds, but we do offer a generous free tier so you can evaluate before paying. If you're unhappy after paying, reach out — we'll work something out.
API & Technical
How do I authenticate API requests?
All API requests use Bearer token authentication. Your API key is available in your dashboard after signup. Include it in the Authorization header:
Authorization: Bearer sk_your_api_key
What's the API rate limit?
Rate limits vary by plan:
- Free: 1 request/second
- Starter: 10 requests/second
- Pro: 25 requests/second
- Business: 50 requests/second
If you exceed the rate limit, you'll receive a 429 response with a Retry-After header.
Do you have webhooks?
Yes, on Pro and Business plans. You can configure webhooks to receive scan results automatically when they complete. Useful for async/batch scanning workflows.
Is there an SDK?
We have official SDKs for Python and JavaScript/Node.js. Community SDKs exist for Go and Ruby. All SDKs are open-source on GitHub.
Can I white-label reports?
Yes, on Pro and Business plans. You can generate PDF reports with your own logo and branding. Business plans also support custom API domains.
Do you support bulk/batch scanning?
Yes. The /v1/batch/scan endpoint accepts up to 100 domains per request. Results are returned asynchronously via webhook or polling.
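An added example (not the official SDK or ComplianceLayer's own code) showing how a client would combine the three API conventions the FAQ states: the Bearer Authorization header, the 429 response with Retry-After, and the 100-domain cap on /v1/batch/scan. The base URL, the {"domains": [...]} request body and a JSON reply are assumptions; the transport is injectable so the logic can be exercised offline.

```python
"""Batch-scan client sketch (added example, not the official SDK). From the FAQ: Bearer
header, 100-domain batch cap, 429 + Retry-After. Assumed: base URL, body and reply shape."""
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://api.compliancelayer.net"  # assumption, not stated on the page
BATCH_CAP = 100                                # FAQ: max domains per batch request
MAX_RETRIES = 5                                # constructed limit on 429 retries

def chunk_domains(domains, cap=BATCH_CAP):
    """Dedupe (order-preserving) and split into batches of at most `cap` domains."""
    unique = list(dict.fromkeys(domains))
    return [unique[i:i + cap] for i in range(0, len(unique), cap)]

def retry_delay(retry_after, attempt, max_wait=60.0):
    """Honour Retry-After (seconds) if parseable, else exponential backoff; cap the wait."""
    try:
        return min(float(retry_after), max_wait)
    except (TypeError, ValueError):
        return min(2.0 ** attempt, max_wait)

def submit_batch(batch, api_key, send=None, sleep=time.sleep):
    """POST one batch to /v1/batch/scan, resending after a 429 once Retry-After elapses.
    `send(req)` returns (status, headers, body) so tests can substitute a fake transport."""
    if len(batch) > BATCH_CAP:
        raise ValueError(f"{len(batch)} domains exceeds the cap of {BATCH_CAP}")
    send = send or _http_send
    req = urllib.request.Request(
        BASE_URL + "/v1/batch/scan",
        data=json.dumps({"domains": batch}).encode(),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST")
    for attempt in range(MAX_RETRIES):
        status, headers, body = send(req)
        if status == 429:  # rate limited: wait as instructed, then retry the same request
            sleep(retry_delay(headers.get("Retry-After"), attempt))
            continue
        if status >= 400:
            raise RuntimeError(f"batch scan failed: HTTP {status}")
        return json.loads(body)
    raise RuntimeError(f"gave up after {MAX_RETRIES} rate-limited attempts")

def _http_send(req):  # real transport: return error responses instead of raising
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()
```

Results still arrive asynchronously, so the caller must persist the returned batch identifier and either wait for the webhook or poll as the API documents.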
Security & Compliance
Is scanning domains I don't own legal?
Yes. We only scan publicly accessible services — the same information any internet-connected system can observe. We don't attempt exploitation, access private data, or perform any intrusive testing. This is equivalent to checking if a website uses HTTPS or what DNS records are published.
That said, our Terms of Service prohibit using ComplianceLayer for malicious purposes, harassment, or competitive intelligence gathering without consent.
How do you handle my data?
Scan results are stored encrypted at rest. We retain scan history according to your plan (7 days for Free, 90 days for Starter, 1 year for Pro, unlimited for Business). You can delete your scan history at any time. We never sell your data.
Are you SOC 2 compliant?
We're working toward SOC 2 Type II certification (expected Q3 2026). In the meantime, we follow SOC 2 controls: encrypted data at rest and in transit, role-based access control, audit logging, and regular security reviews.
Where is my data stored?
All data is stored in the EU (Hetzner data centers in Germany). We can discuss US-only data residency for Enterprise customers.
MSP-Specific
Can I manage multiple clients?
Yes. All paid plans support multiple domains. Starter gives you 10 domains, Pro gives 50, Business gives 200. Each domain can represent a different client.
Can I white-label reports for my clients?
Yes, on Pro and Business plans. Upload your logo, customize the header, and generate client-facing PDF reports that look like they came from your firm.
Does ComplianceLayer integrate with my PSA/RMM?
We're API-first, so you can integrate with anything that accepts webhooks or REST API calls. We don't have native ConnectWise or Datto integrations yet — those are on the roadmap. For now, many MSPs use Zapier or custom scripts.
How do other MSPs use ComplianceLayer?
Common use cases:
- QBR security slides: Pull a scan before each quarterly review, show clients their score and trend
- New client onboarding: Scan prospect domains to scope security posture before signing
- Automated monitoring: Weekly scans via API, alerts when scores drop
- Compliance evidence: Export scan history for audits and client documentation
Support
How do I get help?
Email support@compliancelayer.net. Free tier gets email support (24-48 hour response). Paid plans get priority support (same-day response). Business and Enterprise get dedicated support channels.
Do you have documentation?
Yes — compliancelayer.net/docs. Includes API reference, SDKs, tutorials, and example code.
Can I request a feature?
Absolutely. Email us or use the feedback form in your dashboard. We read everything and prioritize based on customer demand.
Last updated: 2026-03-07
Built by ComplianceLayer — scan any domain for security compliance in seconds. Get your free API key.