probo· 20 findings · 3 confirmed high · MODERATE RISK
Compliance Risk Analysis
probo
https://github.com/getprobo/probo
Scanned 2026-03-23 · OpenDocket V1 · Primary: Claude Sonnet · Review: Gemini 2.5 Flash
Important Limitations of This Report
This report is not legal advice and is not defensible in court. It provides directional guidance only. To obtain a defensible compliance assessment, engage a licensed attorney and certified auditor.

Scope limitations: Only public repository content was analyzed. Infrastructure configuration, deployment settings, operational policies, vendor contracts, and staff training are outside scope.

A true compliance audit would also review: vendor contracts and BAAs, staff training records, incident response procedures, physical security controls, and system audit logs — none of which are visible in source code.
Risk Assessment

This analysis identified 20 compliance patterns across SOC2, GDPR. After independent verification by Gemini 2.5 Flash, 3 high-severity findings were confirmed and 1 were identified as possible false positives — likely pattern matches in documentation or configuration files rather than application source code. The 3 confirmed findings represent the primary areas requiring attention.

MODERATE RISK
3 confirmed high-severity findings
3 total patterns identified · 1 flagged as possible false positives by independent review
What This Means If Unaddressed
FrameworkRegulatory BodyMax PenaltyEnforcement Trend
SOC2 (2 high)AICPALoss of enterprise contractsMandatory for enterprise SaaS sales
GDPR (1 high)EU DPAsUp to EUR 20M or 4% turnoverCross-border enforcement rising
Top Findings
High RiskSOC2SOC2-006cmd/probo/main.go:45 · Review: CONFIRMED
Build an incident response infrastructure and operational framework:
High RiskGDPRGDPR-006cmd/probo/main.go:45 · Review: CONFIRMED
Implement a comprehensive breach detection and notification capability:
High RiskSOC2SOC2-008internal/config/config.go:18 · Review: CONFIRMED
Implement a comprehensive backup and disaster recovery strategy:
Gemini Verification Layer
How to read this: The confirmed count is your action list. The false positive count shows where the scanner found keyword patterns in documentation rather than application source code. Click any finding to see exactly what evidence was found and why Gemini made its determination.
18Confirmed
0Context dependent
1Possible false positives
1Additional risk
Primary: Claude Sonnet (Anthropic). Verification: Gemini 2.5 Flash (Google). Neither constitutes legal advice.
Recommended Actions
High
The existing `log.Printf` in `internal/server/middleware.go` effectively logs unauthorized access attempts, serving as an incident detection mechanism. To meet SOC2-006, establish a formal, documented incident response plan that defines comprehensive procedures for responding to, escalating, recovering from incidents, and regularly testing these procedures, ensuring full compliance with incident management standards.
SOC2 · SOC2-006 · Confirmed
High
Given that `internal/config/config.go` and `internal/postgres/migrations/001_initial.up.sql` demonstrate the use of a PostgreSQL database for critical system data, establish and document a comprehensive backup and disaster recovery strategy for this database, including regular testing of restoration procedures. Failure to address this directly impacts the availability and recoverability of system data, risking non-compliance with SOC2-008.
SOC2 · SOC2-008 · Confirmed
High
Enhance `internal/server/middleware.go` by expanding security event logging to capture all data necessary for personal data breach assessment. Integrate this with a dedicated breach detection system to identify reportable incidents and implement mechanisms for notification procedures as per GDPR Articles 33 and 34, to avoid severe penalties.
GDPR · GDPR-006 · Confirmed
Medium
Refactor the `log.Printf` statements in `cmd/probo/main.go`, `internal/server/auth.go`, `internal/graph/resolver.go`, and `internal/server/middleware.go` to utilize a structured logging library (e.g., `uber-go/zap` or `rs/zerolog`). This will embed critical context and metadata into security-relevant events, enhancing their utility for forensic investigations and meeting SOC2-004 audit logging requirements.
SOC2 · SOC2-004 · Confirmed
Medium
Based on `go.mod` and `go.sum`, formalize a vendor risk management process for all third-party dependencies, including vulnerability monitoring and security assessments. This is critical to address the SOC2-007 Vendor Risk Management requirements.
SOC2 · SOC2-007 · Confirmed
+ 4 more recommendations in the Findings tab
Risk Scorecard
FrameworkHigh RiskConfirmedFalse Pos.MediumConcernNo Issue
SOC2291332
GDPR190351
Domains Detected
Saas
67.8%
Framework:
Severity:
SOC2
AICPA · Loss of enterprise contracts
10 findings · 1 possible FP
SOC2-006
High Risk
Regulatory Standard
Gemini Verification
CONFIRMED
The code evidence only demonstrates a technical capability for incident detection (logging unauthorized access), but it provides no insight into the organization's documented procedures for responding, escalating, recovering, testing, or updating a comprehensive incident response plan, which are key requirements of SOC2-006.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] cmd/probo/main.go:45 srv := &http.Server{ Addr: cfg.ListenAddr, Handler: router } [SOURCE] internal/server/middleware.go:38 log.Printf("unauthorized access attempt from IP: %s", r.RemoteAddr) [SOURCE] internal/config/config.go:18 type Config struct { ListenAddr string; DatabaseURL string; JWTSecret string; ... }
Finding
Does the organization maintain an incident response plan with defined procedures for detecting, responding to, escalating, and recovering from security incidents, and are these procedures tested and updated regularly?
Remediation
The existing `log.Printf` in `internal/server/middleware.go` effectively logs unauthorized access attempts, serving as an incident detection mechanism. To meet SOC2-006, establish a formal, documented incident response plan that defines comprehensive procedures for responding to, escalating, recovering from incidents, and regularly testing these procedures, ensuring full compliance with incident management standards.
Remediation refined by Gemini review
SOC2-008
High Risk
Regulatory Standard
Gemini Verification
CONFIRMED
The evidence from `internal/config/config.go`, `internal/postgres/migrations/001_initial.up.sql`, and `internal/server/server.go` confirms the application utilizes a PostgreSQL database to store critical organizational data, and the absence of any backup or recovery procedures within the scope of the provided source code directly implicates a high risk for SOC2-008 compliance regarding data availability and recoverability.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] internal/config/config.go:18 type Config struct { ListenAddr string; DatabaseURL string; JWTSecret string; ... } [CONFIG] internal/postgres/migrations/001_initial.up.sql:1 CREATE TABLE organizations ( id UUID PRIMARY KEY DEFAULT gen_random_uuid(), name TEXT NOT NULL, ... [SOURCE] internal/server/server.go:29 func New(cfg *config.Config) *Server { ... db, err := sql.Open("postgres", cfg.DatabaseURL) ... }
Finding
Does the organization implement and test backup procedures and disaster recovery plans that ensure the availability and recoverability of system data, including compliance artifacts and organizational records?
Remediation
Given that `internal/config/config.go` and `internal/postgres/migrations/001_initial.up.sql` demonstrate the use of a PostgreSQL database for critical system data, establish and document a comprehensive backup and disaster recovery strategy for this database, including regular testing of restoration procedures. Failure to address this directly impacts the availability and recoverability of system data, risking non-compliance with SOC2-008.
Remediation refined by Gemini review
SOC2-004
Medium Risk
Regulatory Standard
Gemini Verification
CONFIRMED
The evidence directly shows unstructured `log.Printf` statements used for security-relevant events within application source code, which typically fails to meet SOC2-004 requirements for comprehensive and detailed audit logs suitable for forensic investigation.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] cmd/probo/main.go:71 log.Printf("Server starting on %s", cfg.ListenAddr) [SOURCE] internal/server/auth.go:58 log.Printf("login attempt for user: %s", req.Email) [SOURCE] internal/graph/resolver.go:67 log.Printf("error creating control: %v", err) [SOURCE] internal/server/middleware.go:38 log.Printf("unauthorized access attempt from IP: %s", r.RemoteAddr)
Finding
Does the system maintain comprehensive audit logs that capture security-relevant events, user actions, and system changes with sufficient detail for forensic investigation and compliance review?
Remediation
Refactor the `log.Printf` statements in `cmd/probo/main.go`, `internal/server/auth.go`, `internal/graph/resolver.go`, and `internal/server/middleware.go` to utilize a structured logging library (e.g., `uber-go/zap` or `rs/zerolog`). This will embed critical context and metadata into security-relevant events, enhancing their utility for forensic investigations and meeting SOC2-004 audit logging requirements.
Remediation refined by Gemini review
SOC2-007
Medium Risk
Regulatory Standard
Gemini Verification
CONFIRMED
The repository explicitly lists third-party dependencies in `go.mod` and `go.sum`, and `generated.go` confirms their active use, directly triggering the need for a vendor risk management program under SOC2.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[CONFIG] go.mod:3 require ( github.com/99designs/gqlgen v0.17.x; github.com/lib/pq v1.10.x; github.com/golang-jwt/jwt/ [CONFIG] go.sum:1 [dependency checksums present for all modules] [SOURCE] internal/graph/generated.go:1 // Code generated by github.com/99designs/gqlgen, DO NOT EDIT.
Finding
Does the organization assess and manage risks associated with third-party dependencies and vendor software, including monitoring for known vulnerabilities and ensuring timely patching?
Remediation
Based on `go.mod` and `go.sum`, formalize a vendor risk management process for all third-party dependencies, including vulnerability monitoring and security assessments. This is critical to address the SOC2-007 Vendor Risk Management requirements.
Remediation refined by Gemini review
SOC2-009
Medium Risk
Regulatory Standard
Gemini Verification
CONFIRMED
The evidence directly shows a user model lacking multi-factor authentication (MFA) specific fields and a login flow that only handles email and password, indicating a clear absence of MFA support at the application layer as required by SOC2-009.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] internal/server/auth.go:34 func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) { ... hashedPassword, err := bc [SOURCE] internal/model/user.go:15 type User struct { ID string; Email string; PasswordHash string; OrganizationID string; Role string; [SOURCE] internal/server/jwt.go:22 func GenerateToken(userID string, orgID string, role string) (string, error) { ... } [CONFIG] internal/graph/schema.graphqls:8 type Mutation { login(email: String!, password: String!): AuthPayload! ... }
Finding
Does the system support and enforce multi-factor authentication for user access, particularly for administrative and privileged operations?
Remediation
In `internal/model/user.go`, add fields such as `TOTPSecret string`, `MFAEnabled bool`, and `RecoveryCodes []string` to the `User` struct. Modify `internal/server/auth.go`'s `handleLogin` function and `internal/graph/schema.graphqls`'s `login` mutation to incorporate and enforce a second factor for user authentication, mitigating the SOC2-009 Multi-Factor Authentication deficiency.
Remediation refined by Gemini review
SOC2-003
Pattern of Concern
Regulatory Standard
Gemini Verification
CONFIRMED
The application code explicitly uses `srv.ListenAndServe()` in `cmd/probo/main.go`, which initiates an HTTP server without enforcing TLS, indicating a lack of encryption for client-server communication.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] cmd/probo/main.go:45 srv := &http.Server{ Addr: cfg.ListenAddr, Handler: router } [SOURCE] cmd/probo/main.go:71 log.Printf("Server starting on %s", cfg.ListenAddr); if err := srv.ListenAndServe(); err != nil { lo [SOURCE] internal/config/config.go:18 type Config struct { ListenAddr string; DatabaseURL string; JWTSecret string; ... } [SOURCE] internal/server/server.go:29 func New(cfg *config.Config) *Server { ... db, err := sql.Open("postgres", cfg.DatabaseURL) ... }
Finding
Does the system enforce encryption of data in transit using industry-standard TLS protocols for all client-server and service-to-service communications?
Remediation
In `cmd/probo/main.go`, replace the `srv.ListenAndServe()` call on line 71 with `srv.ListenAndServeTLS(certFile, keyFile)` and integrate TLS certificate and key path configurations into `internal/config/config.go`. Alternatively, ensure robust deployment documentation specifies a mandatory external TLS termination proxy (e.g., nginx, Caddy, cloud load balancer) for the service listening on `cfg.ListenAddr`, as the current setup risks non-compliance with SOC2 encryption in transit requirements.
Remediation refined by Gemini review
SOC2-010
Pattern of Concern
Regulatory Standard
Gemini Verification
CONFIRMED
The primary analysis correctly identifies that the cited documentation and configuration files (README.md, LICENSE, go.mod) do not contain or link to the organization's published security policies, vulnerability disclosure procedures, or codes of conduct, which are explicit SOC2 requirements for demonstrating information security governance.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[DOCS] README.md:1 # Probo - Open Source SOC2 Compliance Platform [CONFIG] LICENSE:1 [License file present] [CONFIG] go.mod:1 module github.com/getprobo/probo
Finding
Does the organization maintain and publish security policies, vulnerability disclosure procedures, and codes of conduct that demonstrate a commitment to information security governance?
Remediation
Update the README.md file to explicitly include or link to the organization's published security policies, vulnerability disclosure procedures, and codes of conduct. This direct inclusion or clear referencing of governance documents in a visible repository file is essential for demonstrating commitment to information security governance, as required for SOC2-010 compliance.
Remediation refined by Gemini review
SOC2-001
No Issue Found
Regulatory Standard
Gemini Verification
CONFIRMED
The evidence clearly demonstrates the implementation of secure authentication mechanisms, including bcrypt for password hashing, JWT for token generation, and middleware for verification, which supports the primary analysis's conclusion of 'No Issue Found' for SOC2-001 concerning secure logical access controls.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] internal/server/auth.go:34 func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) { ... hashedPassword, err := bc [SOURCE] internal/server/middleware.go:18 func AuthMiddleware(next http.Handler) http.Handler { token := r.Header.Get("Authorization"); claims [SOURCE] internal/server/jwt.go:22 func GenerateToken(userID string, orgID string, role string) (string, error) { claims := Claims{User [SOURCE] internal/model/user.go:15 type User struct { ID string; Email string; PasswordHash string; OrganizationID string; Role string; [SOURCE] cmd/probo/main.go:67 router.Handle("/api/login", server.handleLogin).Methods("POST")
Finding
Does the system implement secure authentication mechanisms that verify user identity before granting access to the platform, consistent with SOC2 Trust Services Criteria for logical access controls?
Remediation
While `internal/server/jwt.go` handles token generation and `internal/server/middleware.go` performs authentication, ensure robust validation of JWT claims (e.g., audience, issuer, expiration, and signature verification) within the middleware. This proactive measure strengthens user identity verification, consistent with SOC2 Trust Services Criteria for logical access controls.
Remediation refined by Gemini review
SOC2-002
No Issue Found
Regulatory Standard
Gemini Verification
CONFIRMED
The provided source code evidence, specifically the `RequireRole` middleware in `internal/server/middleware.go` and the `orgID` scope validation in `internal/graph/schema.resolvers.go`, explicitly demonstrates the implementation of mechanisms for role-based access control and multi-tenancy, supporting the primary analysis's finding of 'No Issue Found'.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] internal/graph/resolver.go:41 func (r *mutationResolver) CreateControl(ctx context.Context, input model.CreateControlInput) (*mode [SOURCE] internal/server/middleware.go:45 func RequireRole(role string) func(http.Handler) http.Handler { return func(next http.Handler) http. [SOURCE] internal/model/organization.go:12 type Organization struct { ID string; Name string; Plan string; CreatedAt time.Time; UpdatedAt time. [SOURCE] internal/graph/schema.resolvers.go:89 func (r *queryResolver) Controls(ctx context.Context) ([]*model.Control, error) { orgID := auth.OrgI [SOURCE] internal/graph/schema.resolvers.go:112 func (r *queryResolver) Evidence(ctx context.Context, controlID string) ([]*model.Evidence, error) {
Finding
Does the system enforce role-based access control that restricts user capabilities according to the principle of least privilege, ensuring users can only access resources within their authorized scope?
Remediation
Leveraging the `RequireRole` middleware in `internal/server/middleware.go` and `orgID` extraction in resolvers like `internal/graph/schema.resolvers.go`, verify consistent application of these access controls across all sensitive GraphQL mutations and queries. Inconsistent or insufficient application of RBAC could lead to unauthorized access, violating SOC2 principles of least privilege.
Remediation refined by Gemini review
Possible False Positives (1)Gemini flagged these as likely pattern matches in non-source-code files. Review before acting.
GDPR
EU DPAs · Up to EUR 20M or 4% turnover
10 findings
GDPR-006
High Risk
Regulatory Standard
Gemini Verification
CONFIRMED
The evidence indicates an application processing sensitive data (DatabaseURL, JWTSecret) and includes a basic security log for 'unauthorized access', but provides no technical capability for comprehensive breach detection or notification procedures as required by GDPR.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] cmd/probo/main.go:45 srv := &http.Server{ Addr: cfg.ListenAddr, Handler: router } [SOURCE] internal/server/middleware.go:38 log.Printf("unauthorized access attempt from IP: %s", r.RemoteAddr) [SOURCE] internal/config/config.go:18 type Config struct { ListenAddr string; DatabaseURL string; JWTSecret string; ... }
Finding
Does the organization have the technical capability and operational procedures to detect personal data breaches and notify the supervisory authority within 72 hours and affected data subjects without undue delay?
Remediation
Enhance `internal/server/middleware.go` by expanding security event logging to capture all data necessary for personal data breach assessment. Integrate this with a dedicated breach detection system to identify reportable incidents and implement mechanisms for notification procedures as per GDPR Articles 33 and 34, to avoid severe penalties.
Remediation refined by Gemini review
GDPR-001
Medium Risk
Regulatory Standard
Gemini Verification
CONFIRMED
The application code clearly defines and processes personal data (user email, password hash), but the provided evidence does not demonstrate the identification, documentation, or communication of a lawful basis for this processing, which is a core GDPR requirement.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] internal/model/user.go:15 type User struct { ID string; Email string; PasswordHash string; OrganizationID string; Role string; [SOURCE] internal/model/organization.go:12 type Organization struct { ID string; Name string; Plan string; CreatedAt time.Time; UpdatedAt time. [SOURCE] internal/graph/schema.resolvers.go:23 func (r *mutationResolver) CreateUser(ctx context.Context, input model.CreateUserInput) (*model.User [SOURCE] internal/postgres/user_store.go:34 func (s *UserStore) Create(ctx context.Context, user *model.User) error { _, err := s.db.ExecContext
Finding
Does the system identify and document a lawful basis under Article 6 of the GDPR for each category of personal data processing, and is this basis communicated to data subjects?
Remediation
Establish and document the lawful basis under GDPR Article 6 for processing user personal data, as defined in `internal/model/user.go` and handled by `internal/graph/schema.resolvers.go` and `internal/postgres/user_store.go`. Communicate this basis to data subjects, e.g., via privacy policy or terms of service linked during user creation, to ensure compliance with GDPR Articles 6 and 13/14.
Remediation refined by Gemini review
GDPR-003
Medium Risk
Regulatory Standard
Gemini Verification
CONFIRMED
The evidence demonstrates the creation and storage of personal user data (Email, PasswordHash, ID) in application source code without any corresponding mechanisms or API endpoints for data erasure, indicating a clear gap in supporting the GDPR Right to Erasure.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[CONFIG] internal/graph/schema.graphqls:5 type Mutation { createUser(input: CreateUserInput!): User! login(email: String!, password: String!): [SOURCE] internal/postgres/user_store.go:34 func (s *UserStore) Create(ctx context.Context, user *model.User) error { ... } [SOURCE] internal/model/user.go:15 type User struct { ID string; Email string; PasswordHash string; OrganizationID string; Role string; [CONFIG] internal/postgres/migrations/001_initial.up.sql:1 CREATE TABLE organizations ( id UUID PRIMARY KEY DEFAULT gen_random_uuid(), name TEXT NOT NULL, ...
Finding
Does the system provide data subjects with the ability to request and obtain the erasure of their personal data, and does the system process such requests completely and within the required timeframe?
Remediation
Extend `internal/graph/schema.graphqls` to include a `deleteUser` mutation and add its associated data removal logic in `internal/postgres/user_store.go`, ensuring all personal data linked to `internal/model/user.go` is completely expunged. This is crucial for upholding GDPR Article 17, the Right to Erasure.
Remediation refined by Gemini review
GDPR-007
Medium Risk
Regulatory Standard
Gemini Verification
CONFIRMED
The evidence clearly shows personal user data (email, password hash) stored in the database via the `User` model and `user_store.go`, with no indication of automated data retention or cleanup policies, which is a direct GDPR Article 5(1)(e) storage limitation risk.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[CONFIG] internal/postgres/migrations/001_initial.up.sql:1 CREATE TABLE organizations ( id UUID PRIMARY KEY DEFAULT gen_random_uuid(), name TEXT NOT NULL, crea [SOURCE] internal/model/user.go:15 type User struct { ID string; Email string; PasswordHash string; OrganizationID string; Role string; [SOURCE] internal/postgres/user_store.go:34 func (s *UserStore) Create(ctx context.Context, user *model.User) error { ... } [SOURCE] internal/model/evidence.go:10 type Evidence struct { ID string; ControlID string; Title string; Description string; FileURL string
Finding
Does the system implement data retention policies that ensure personal data is not kept longer than necessary for its processing purpose, with automated mechanisms for data cleanup or archival?
Remediation
Add `created_at` and `deleted_at` fields to `organizations` and `users` tables in `internal/postgres/migrations/001_initial.up.sql`, updating `internal/model/user.go` accordingly. Implement logic within `internal/postgres/user_store.go` to enforce data retention periods for this personal data, preventing indefinite storage contrary to GDPR Article 5(1)(e).
Remediation refined by Gemini review
GDPR-002
Pattern of Concern
Regulatory Standard
Gemini Verification
CONFIRMED
The application creates user accounts and stores personal data (email, password hash) without any evidence of obtaining, recording, or managing explicit user consent within the provided source code snippets.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[CONFIG] internal/graph/schema.graphqls:5 type Mutation { createUser(input: CreateUserInput!): User! login(email: String!, password: String!): [SOURCE] internal/model/user.go:15 type User struct { ID string; Email string; PasswordHash string; OrganizationID string; Role string; [SOURCE] internal/graph/schema.resolvers.go:23 func (r *mutationResolver) CreateUser(ctx context.Context, input model.CreateUserInput) (*model.User
Finding
Does the system obtain, record, and manage user consent in a manner that is freely given, specific, informed, and unambiguous, with the ability for users to withdraw consent at any time?
Remediation
Modify `internal/model/user.go` to include fields for consent status, timestamp, and specific purpose, and update `internal/graph/schema.graphqls` and `internal/graph/schema.resolvers.go` to capture and record explicit, granular user consent during the `createUser` process, thereby complying with GDPR's requirement for freely given, specific, informed, and unambiguous consent.
Remediation refined by Gemini review
GDPR-004
Pattern of Concern
Regulatory Standard
Gemini Verification
CONFIRMED
The application's Go resolvers and GraphQL schema indicate personal data handling (e.g., `me: User!`) but lack explicit functionality to export this data in a structured, machine-readable format as required by GDPR Article 20.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] internal/graph/schema.resolvers.go:89 func (r *queryResolver) Controls(ctx context.Context) ([]*model.Control, error) { orgID := auth.OrgI [SOURCE] internal/graph/schema.resolvers.go:112 func (r *queryResolver) Evidence(ctx context.Context, controlID string) ([]*model.Evidence, error) { [CONFIG] internal/graph/schema.graphqls:12 type Query { controls: [Control!]! evidence(controlID: ID!): [Evidence!]! me: User! ... }
Finding
Does the system provide data subjects with the ability to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller?
Remediation
Modify `internal/graph/schema.graphqls` to include a new query (e.g., `exportMyData`) and add corresponding Go resolver logic in `internal/graph/schema.resolvers.go` to provide a data subject's personal data (e.g., from the `User` type) in a structured, commonly used, and machine-readable format, fulfilling GDPR Article 20 data portability obligations.
Remediation refined by Gemini review
GDPR-005
Pattern of Concern
Regulatory Standard
Gemini Verification
CONFIRMED
The evidence directly shows the User struct containing sensitive PII (Email, PasswordHash) and functions retrieving this data, indicating potential violations of data minimization and purpose limitation principles.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] internal/model/user.go:15 type User struct { ID string; Email string; PasswordHash string; OrganizationID string; Role string; [SOURCE] internal/graph/resolver.go:41 func (r *mutationResolver) CreateControl(ctx context.Context, input model.CreateControlInput) (*mode [SOURCE] internal/server/middleware.go:18 func AuthMiddleware(next http.Handler) http.Handler { ... } [SOURCE] internal/postgres/user_store.go:56 func (s *UserStore) GetByID(ctx context.Context, id string) (*model.User, error) { row := s.db.Query
Finding
Does the system architecture incorporate data protection principles by design and by default, including data minimization, purpose limitation, storage limitation, and appropriate technical safeguards?
Remediation
Modify `internal/postgres/user_store.go` to ensure `PasswordHash` is only retrieved by dedicated authentication functions, not by general user retrieval methods like `GetByID`. Implement granular field-level authorization within `internal/graph/resolver.go` to restrict access to sensitive fields like `Email` and `PasswordHash` based on the requesting user's authorization, thereby enforcing GDPR's data minimization and purpose limitation principles.
Remediation refined by Gemini review
GDPR-008
Pattern of Concern
Regulatory Standard
Gemini Verification
CONFIRMED
The source code defines how the database connection is configured, and while it doesn't directly perform a cross-border transfer, the absence of explicit data residency controls for storing personal data through the `DatabaseURL` presents a clear compliance risk under GDPR Chapter V.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] internal/config/config.go:18 type Config struct { ListenAddr string; DatabaseURL string; JWTSecret string; ... } [SOURCE] internal/server/server.go:29 func New(cfg *config.Config) *Server { ... db, err := sql.Open("postgres", cfg.DatabaseURL) ... } [CONFIG] internal/postgres/migrations/001_initial.up.sql:1 CREATE TABLE organizations ( id UUID PRIMARY KEY DEFAULT gen_random_uuid(), name TEXT NOT NULL, ...
Finding
Does the system implement appropriate safeguards for the transfer of personal data to third countries or international organizations, consistent with GDPR Chapter V requirements?
Remediation
Modify `internal/config/config.go` to include explicit `DataResidencyRegion` or `DatabaseLocation` fields in the `Config` struct and leverage this in `internal/server/server.go` to enforce data storage jurisdiction based on tenant requirements, mitigating the risk of non-compliant cross-border personal data transfers under GDPR Chapter V.
Remediation refined by Gemini review
GDPR-009
Pattern of Concern
Regulatory Standard
Gemini Verification
CONFIRMED
The evidence cites application source code files defining core data models (`Control`, `Evidence`, `Policy`) in a SAAS domain, which likely handle data warranting a Data Protection Impact Assessment (DPIA) due to potential high-risk processing, and the architecture must support ongoing risk assessment as per GDPR Art. 35.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[SOURCE] internal/model/control.go:10 type Control struct { ID string; OrganizationID string; Title string; Description string; Status str [SOURCE] internal/model/evidence.go:10 type Evidence struct { ID string; ControlID string; Title string; Description string; FileURL string [SOURCE] internal/model/policy.go:10 type Policy struct { ID string; OrganizationID string; Title string; Content string; Version int; Cr
Finding
Has a Data Protection Impact Assessment been conducted for high-risk processing activities, and does the system architecture support the ongoing assessment and mitigation of data protection risks?
Remediation
Update the `Evidence` struct in `internal/model/evidence.go` and the `Policy` struct in `internal/model/policy.go` to include explicit fields for data sensitivity classification or DPIA status, thereby enabling the system architecture to better support ongoing assessment and mitigation of data protection risks, as required by GDPR Art. 35.
Remediation refined by Gemini review
GDPR-010
No Issue Found
Regulatory Standard
Gemini Verification
ADDITIONAL RISK
The primary analysis correctly identified user data collection points via `createUser` and `login` and questioned the existence of privacy notices, but incorrectly concluded 'No Issue Found,' thereby understating a clear GDPR Article 13 requirement.
Gemini 2.5 Flash · Confidence: HIGH
Evidence
[CONFIG] internal/graph/schema.graphqls:5 type Mutation { createUser(input: CreateUserInput!): User! login(email: String!, password: String!): [SOURCE] internal/graph/schema.resolvers.go:23 func (r *mutationResolver) CreateUser(ctx context.Context, input model.CreateUserInput) (*model.User [SOURCE] cmd/probo/main.go:67 router.Handle("/api/login", server.handleLogin).Methods("POST") [DOCS] README.md:1 # Probo - Open Source SOC2 Compliance Platform
Finding
Does the system present users with clear, accessible, and comprehensive privacy notices at the point of data collection, and does the organization maintain a privacy policy that meets GDPR transparency requirements?
Remediation
Modify the user registration and login flows, as handled by `createUser` in `internal/graph/schema.graphqls` and `internal/graph/schema.resolvers.go`, to prominently display a clear, accessible link to a comprehensive privacy policy. This action is necessary to meet GDPR Article 13 requirements for informing data subjects at the point of data collection, avoiding potential non-compliance and penalties.
Remediation refined by Gemini review
What This Analysis Covers

OpenDocket scans source code patterns — specifically whether code handles regulated data in compliance-aware ways. It searches for evidence of encryption, access controls, consent mechanisms, audit logging, and other patterns that regulators look for.

What It Does Not Cover
  • Only public repository content is analyzed
  • Files in .gitignore are not scanned
  • Infrastructure, deployment, and cloud configuration are outside scope
  • Operational policies and procedures are outside scope
  • This analysis covers code at time of scan — changes after scan date are not reflected
Legal Limitations
  • This report is not defensible in court
  • It does not constitute legal advice
  • It does not satisfy regulatory audit requirements
  • To obtain a defensible compliance assessment, engage a licensed compliance attorney and certified auditor
  • OpenDocket provides directional guidance only
How Findings Are Generated
  • Primary analysis by Claude Sonnet (Anthropic)
  • Verification by Gemini 2.5 Flash (Google)
  • Question libraries are open source and community-maintained
  • All questions cite regulatory source text
  • Questions have not been validated by a licensed attorney
Why Two Models?

Claude Sonnet scans broadly — it finds every pattern that could indicate a compliance risk. This produces a comprehensive set of findings but includes noise from documentation files, config references, and test data.

Gemini 2.5 Flash then challenges each finding independently. It asks: is this evidence from actual application code? Would a regulator actually find this concerning? Is the severity appropriate?

The result is a tiered output:

  • CONFIRMED — Gemini agrees this is a real risk
  • CONTEXT DEPENDENT — Risk depends on deployment/infrastructure
  • POSSIBLE FALSE POSITIVE — Likely noise, review before acting

The confirmed count is the number you should act on. The total count shows the full scope of what was examined.

Evidence Tiers

Evidence is classified into three tiers based on file type:

  • [SOURCE] — Application source code (.ts, .py, .go, .rs, etc.) — strongest evidence
  • [CONFIG] — Configuration files (.yml, .json, .toml, Dockerfile) — moderate evidence
  • [DOCS] — Documentation (.md, .txt, .html) — context only, cannot produce High Risk findings

A finding is only classified as High Risk if supported by at least two source code files with matching evidence. Documentation references alone produce Pattern of Concern at most.

How to Use This Report
  • Share with your engineering lead for remediation planning
  • Share with your attorney as a starting point for compliance review
  • Re-scan after remediation to track progress
  • Do not present this as proof of compliance
Findings based on OpenDocket's open source question libraries. View and contribute