If it rises an alarm seeing any 3rd party domain that would be trivial and not enough.
It would than have to dig for a data processing agreement in the terms+conditions. This can only happen once domain and company name have been correlated.
It gives a good CMS/JS security overview (much better compared to other services I previously used), scans for cookies and HTTP/S headers, locates privacy policy and bunch of other non-intrusive checks. Subdomain discovery is awesome. Full GDPR compliance (e.g. legal + human + physical) obviously requires many days of manwork and will likely cost a bunch of money =)
If it rises an alarm seeing any 3rd party domain that would be trivial and not enough.
It would than have to dig for a data processing agreement in the terms+conditions. This can only happen once domain and company name have been correlated.
What else could it check?