Skip to main content
News & Insights

The Update for
Digital Health.

Technical depth, regulatory updates, and insights into the future of health identities.

5 min read

Compliance Analysis Without Code Upload: Why azuma nori Never Sees Your Source Code

azuma Team
Core Team

For most digital health companies, source code is the most valuable asset – and also the most sensitive one. That's exactly why it's a problem that many compliance and code-analysis tools require you to upload your code to a third-party cloud for analysis. You trade compliance for losing control over your own IP.

azuma nori takes the opposite approach: the analysis runs locally on the developer's machine, and the source code never leaves the device. This article explains why that makes a real difference, both architecturally and legally.

The dilemma of cloud-based code analysis

Tools that check code for security or compliance properties need access to the code. The convenient path for vendors is to upload the code and analyze it server-side. For the customer, this creates several problems at once:

  • IP exposure: The entire source code – the company's core asset – ends up with a third party. Even with careful vendors, residual risk remains, and every additional location where the code is stored expands the attack surface.
  • Privacy and secrets: Codebases often contain more than logic – configuration, comments, occasionally accidentally committed secrets. An upload turns all of that into a transfer and storage problem.
  • Contractual and regulatory hurdles: Especially in healthcare, strict requirements apply to data processing agreements, data locality, and confidentiality. Uploading code to an external cloud can trigger approval processes or simply be contractually excluded.

The result: the teams with the highest security and compliance requirements – digital health companies – are precisely the ones who find it hardest to adopt cloud-based analysis tools.

azuma nori's approach: local instead of cloud

nori is designed as a standalone client that runs locally on the developer's machine. Compliance analysis happens right where the code already lives. There is no code upload to azuma; the source code never leaves the device.

azuma nori: local compliance analysis without uploading code to the cloud

This flips the control relationship: the customer retains full control over their IP. There's no new location where the code is stored, no additional transfer path, no external processor with access to the core asset.

For digital health companies, this has several practical consequences:

  • IP protection by design: The most valuable asset stays in-house. This isn't a contractual assurance you have to take a vendor's word for – it's a property of the architecture.
  • Simpler approvals: If no code leaves the company, many of the privacy and data-processing questions raised by a cloud upload simply don't apply. That significantly shortens internal approval processes.
  • Consistent with your own compliance story: If you're already operating under BSI TR-03161, GDPR, and – depending on the product – the CRA, it's hard to justify using a compliance tool that itself creates a privacy and confidentiality risk. A local tool is consistent here, rather than contradictory.

To the best of our knowledge, this consistently local approach – compliance analysis without any code upload – isn't a given in the digital health compliance tooling market, but rather the exception.

"Full control" – what that means in practice

The phrase "the customer retains full control" is easy to say. In nori, it's architecturally anchored:

  • The code is not transmitted to azuma.
  • The analysis runs on the customer's machine, not on the vendor's servers.
  • No external copy of the codebase is created as a byproduct of the analysis.

That doesn't mean security is a solved problem – responsibility for your own environment still lies with you. But it eliminates an entire category of risk that never fully disappears with cloud-based tools, structurally.

Frequently asked questions

Is my source code transmitted to azuma?

No. nori runs locally on the developer's machine. The source code never leaves the device and is not transmitted to azuma.

How can nori check my code, then?

The analysis happens locally – right where the code already lives. No upload is needed for the check to run against a policy's requirements.

Does this reduce my own privacy and approval effort?

Usually, yes. If no code leaves the company, many of the data-processing-agreement and data-locality questions a cloud upload would raise simply don't apply. The legal assessment in your specific case, however, remains your own.

Is the local approach less capable than a cloud solution?

Running locally affects where the analysis happens – not what gets checked. nori covers several regulations (including BSI TR-03161, BSI TR-02102, and the EU CRA in beta); more on that in the article "How nori translates between regulation and code" (coming soon).


Want to check compliance without handing over your code? Sign up for the free trial (three selected controls included) or get in touch.

As of: July 2026. Please verify architecture and feature details for azuma nori on the product page before making a purchasing decision.