GateTest for Aotearoa New Zealand
GateTest is built in Aotearoa. The Privacy Act 2020 and the NZISM together set the technical baseline for any product holding NZ personal information. We catch the technical findings the OPC and NZISM assessors care about — and our home-market customers get the closest support loop.
What devs in Aotearoa New Zealand build with
Stack and host shapes we see across the Aotearoa New Zealand dev market — GateTest is tuned for all of them.
The 3 modules most relevant in Aotearoa New Zealand
Every Aotearoa New Zealand scan runs all 91 modules — these three are the highest-signal for Privacy Act 2020 + NZISM.
- secrets (Security): AWS keys, GitHub tokens, Stripe keys, passwords, private keys, DB strings — caught before commit.
- logPii (Security): Credentials, tokens, request bodies and sensitive identifiers logged in plaintext.
- webHeaders (Security): CSP / HSTS / XFO / CORS misconfig across Next.js, Vercel, Netlify, Express, Fastify, nginx.
Privacy Act 2020 + NZISM — what GateTest catches
Each bullet ties a real GateTest module to a specific clause in the Aotearoa New Zealand compliance landscape.
- secrets: The secrets module catches hardcoded credentials before commit — the most common IPP 5 failure cited in OPC compliance notices.
- logPii: logPii flags PII written to console / logger / structlog / pino calls — including JSON.stringify(req.body) and template-string interpolation of password/token/jwt.
- webHeaders: webHeaders flags CSP unsafe-eval / unsafe-inline, missing HSTS, wildcard CORS with credentials, and missing X-Content-Type-Options — the headers the NZISM web-application-security control explicitly lists.
- errorSwallow: errorSwallow catches empty catch blocks, .catch(() => {}) on Promise chains, and Node-callback (err, ...) handlers that ignore err — the silent-failure path that turns a breach into a silent breach.
- dependencies: dependencies flags out-of-date pins, deprecated packages and missing lockfiles. The NZISM patching control treats outdated runtime dependencies as a finding.
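
The header conditions named in the webHeaders bullet can be expressed as a check over one response's headers. This is an added example, not GateTest's own code; the function name `auditHeaders`, the finding labels and both sample header sets are constructed for illustration.

```javascript
// Added example, not GateTest code. auditHeaders and the finding labels are
// hypothetical names; both sample header sets below are constructed.
function auditHeaders(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  // CSP: report each directive that allows 'unsafe-eval' or 'unsafe-inline'.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (sources.includes("'unsafe-eval'")) findings.push(`csp-unsafe-eval:${name}`);
    if (sources.includes("'unsafe-inline'")) findings.push(`csp-unsafe-inline:${name}`);
  }

  // HSTS: absent, or present with max-age=0 (which clears the browser's HSTS entry).
  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /max-age\s*=\s*"?(\d+)/i.exec(hsts);
  if (!hsts) findings.push('hsts-missing');
  else if (!maxAge || Number(maxAge[1]) === 0) findings.push('hsts-no-effective-max-age');

  // CORS: browsers refuse credentialed responses with a wildcard origin, so
  // this pair is always a misconfiguration.
  if (h['access-control-allow-origin'] === '*' &&
      (h['access-control-allow-credentials'] || '').toLowerCase() === 'true') {
    findings.push('cors-wildcard-with-credentials');
  }

  // X-Content-Type-Options has a single valid value: nosniff.
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('xcto-missing');
  }
  return findings;
}

const weak = {                       // constructed sample: weak settings
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
};
const hardened = {                   // constructed sample: corrected settings
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'X-Content-Type-Options': 'nosniff',
};
console.log(auditHeaders(weak), auditHeaders(hardened));
```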
Honest limitations
GateTest is a code-quality + security scanner — not a SOC 2 / HIPAA / ISO auditor. We catch the technical findings auditors look for, but the audit itself needs a qualified human assessor.
- GateTest is not an NZISM-certified assessor — we surface the technical findings; GCSB-recognised assessors run the certification.
- Privacy Act 2020 has extraterritorial reach; if you hold NZ personal information from offshore, you still need the same controls.
Who hires GateTest in Aotearoa New Zealand
Pricing
Starting at $29 USD — paid via Stripe in your local currency.
Try it on your own repo
$29 Quick scan, no signup. Pay only when results land.