Compliance docs, drafted in minutes, not months
Generate AI-drafted GDPR & CCPA compliance documents tailored to your SaaS in minutes — a starting point for your lawyer to review, not a replacement for one.
⚠️ AI-generated drafts. Not legal advice. ComplyKit is not a law firm — have outputs reviewed by qualified counsel before publishing.
A faster first draft, not a substitute for counsel
Built for early-stage SaaS founders who need a structured starting point for their compliance docs — and the budget to spend on review, not drafting.
Minutes, Not Months
Answer a short questionnaire about your SaaS. We generate a customised privacy policy draft in seconds — ready to hand to your lawyer.
Framework-Aware
Each output maps directly to current GDPR Articles 13–14 and CCPA §1798.100 disclosure requirements — so the structural pieces aren't missed.
Draft Templates
Outputs are AI-generated draft templates — a starting point. ComplyKit is not a law firm and the drafts are not legal advice. Always have a qualified lawyer review before publishing.
Multi-Jurisdiction Awareness
Tell us where you operate (EU/EEA, UK, US, global) and we tailor the lawful-basis and rights sections to the regimes you mention.
Clean, Exportable Output
Markdown + browser print-to-PDF. Drop into your trust centre, security questionnaire, or hand to counsel for redlining.
Cheaper Than Starting From Zero
Ballpark¹: full external GDPR + CCPA documentation drafting from a privacy lawyer runs $4k–$15k. Use ComplyKit to get a structured first draft, then pay your lawyer to review — not to type.
¹ Indicative range based on common privacy-counsel hourly rates of $250–$500 × an estimated 15–30 hours of drafting work for a multi-framework policy. Your actual costs will vary.
Generate your compliance docs
Fifty-four free AI-drafting tools live now. Answer a few questions, get a starting-point document your lawyer can finalize.
Privacy Policy
GDPR & CCPA compliant privacy policy drafted from your actual data practices — subprocessors, retention, lawful bases, and user rights.
Terms of Service
Plain-English ToS covering acceptable use, payment, subscriptions, UGC, liability cap, and governing law — adapted to your business model.
Cookie Policy
Cookie-category table with provider disclosures, opt-out links, and ePrivacy Directive notes — matched to your actual analytics and ad stack.
Refund Policy
Refund & cancellation policy for SaaS subscriptions. Covers pro-rata refunds, free trial terms, EU 14-day cooling-off rights, and governing law.
Acceptable Use Policy
Define prohibited uses, enforcement actions, and user obligations for your platform. Covers spam, scraping, UGC, IP infringement, and enforcement procedures.
GDPR Data Processing Agreement (DPA)
Article 28 DPA ready to send to B2B customers. Sub-processor list, TOMs, breach notification, international transfer clauses, and audit rights included.
HIPAA Business Associate Agreement (BAA)
HIPAA BAA for US healthcare SaaS. Covers ePHI safeguards, breach notification, permitted uses, sub-contractor BAA chain, and state-specific addenda.
NDA Generator
Mutual or one-way NDAs for contractors, investors, and partnerships. Optional non-compete, non-solicitation, and liquidated damages clauses. Jurisdiction-specific.
Information Security Policy
SOC 2–aligned InfoSec policy covering access control, encryption, vulnerability management, incident response, and vendor risk. Tailored to your stack.
Incident Response Plan
Generate a NIST-structured Incident Response Plan. Covers severity classification, CSIRT roles, containment playbooks, GDPR 72-hour breach notification, and post-incident review.
DPIA Template Generator
Generate a GDPR Article 35 Data Protection Impact Assessment. Covers necessity & proportionality test, risk assessment table with residual risk ratings, safeguards map, and Art. 36 DPA consultation check.
Data Retention Policy
Generate a GDPR-compliant Data Retention Policy with per-category retention schedules, deletion procedures, legal basis table, backup retention, and legal hold process.
CCPA / CPRA Compliance Pack
Generate your CCPA/CPRA compliance pack: Notice at Collection, Do Not Sell or Share opt-out page, and California Consumer Privacy Rights summary.
Sub-Processor List
Generate a GDPR Art. 28(4) public sub-processor list with 40+ pre-loaded vendors, transfer mechanisms, processing countries, and DPA links.
BCP / DRP Plan
Generate a Business Continuity & Disaster Recovery Plan with RTO/RPO objectives, recovery playbooks, and SOC 2 A1 / GDPR Art. 32 alignment.
Vendor Risk Assessment
Generate a security questionnaire to send to new SaaS vendors before onboarding. Covers data handling, access controls, SOC 2, GDPR, and sub-processor obligations.
DSR Response Template
Generate GDPR-compliant response letters for Data Subject Requests — access, erasure, portability, rectification, restriction, and objection. Covers all 8 rights under Art. 15–22.
Employee Privacy Notice
GDPR Article 13/14 compliant privacy notice for employees, contractors, and job applicants. Covers HR data, lawful bases, monitoring, retention, and data subject rights.
GDPR Article 30 RoPA
Form-based Records of Processing Activities builder. Document each processing activity with data subjects, lawful basis, retention periods, recipients, and international transfers.
SOC 2 Gap Assessment
Evaluate your current security controls against SOC 2 Trust Service Criteria. Get a gap report with prioritised remediation roadmap and policy document checklist.
ISO 27001 Gap Assessment
Assess readiness for ISO/IEC 27001:2022 certification across 28 Annex A controls in 14 domains. Gap report with phased remediation roadmap.
EU AI Act Declaration
Generate Art. 50 transparency notices and provider/deployer compliance documentation for your AI system under Regulation (EU) 2024/1689.
NIS2 Compliance Checklist
Assess your organisation against all 10 NIS2 Art. 21 cybersecurity requirements. Get a scored gap report with prioritised remediation roadmap for EU digital service providers.
HIPAA Security Risk Assessment
Generate a HIPAA SRA covering all Administrative, Technical, and Physical Safeguards (45 CFR Part 164). Required for all covered entities and business associates.
GDPR Transfer Impact Assessment (TIA)
Generate a Schrems II-compliant TIA for all international data transfers. Covers SCCs, EU-US DPF, UK IDTA, BCRs, country risk analysis, and supplementary measures.
PCI DSS SAQ Generator
Generate a PCI DSS v4.0 Self-Assessment Questionnaire. Covers SAQ A, SAQ A-EP, SAQ C, and SAQ D for merchants and service providers.
LGPD (Brazil) Compliance Pack
Generate a LGPD-compliant Aviso de Coleta, Data Subject Rights Summary, and Privacy Policy addendum for Brazil's Lei Geral de Proteção de Dados.
TPRM Policy Generator
Generate a complete Third-Party Risk Management policy with vendor tiers, due diligence matrix, contract requirements, and monitoring controls.
Cookie Consent Audit
Audit your CMP configuration, consent banner, consent records, and Google Consent Mode v2 against GDPR, ePrivacy, and CCPA requirements.
GDPR LIA Generator
Generate a documented Legitimate Interests Assessment (LIA) for GDPR Art. 6(1)(f). 3-step balancing test with conclusion and privacy notice guidance.
AI/ML Model Card Generator
Generate an EU AI Act–compliant Model Card for your AI system. Covers GPAI Art. 53 technical documentation, risk classification, bias evaluation, training data governance, and safety measures.
Whistleblower Policy Generator
Generate a Whistleblower (Speak Up) Policy compliant with EU Directive 2019/1937 and UK PIDA. Covers reporting channels, protected disclosures, anti-retaliation protections, and GDPR-compliant data handling.
AI Acceptable Use Policy
Generate an AI Acceptable Use Policy for your SaaS product. Covers EU AI Act obligations, prohibited AI inputs and outputs, bias and accuracy disclosures, human oversight levels, data training transparency, and enforcement mechanisms.
Children's Privacy Policy
Generate a COPPA-compliant and GDPR Article 8 Children's Privacy Notice. Covers parental consent verification, age thresholds by jurisdiction, data minimisation for children, UK Children's Code obligations, and parental rights.
GDPR Breach Notification Template
Generate a GDPR Article 33 supervisory authority breach notification form, Article 34 individual notification letter, and Art. 33(5) breach register entry — with 72-hour deadline guidance and DPA-specific filing instructions.
SOC 2 Evidence Pack Generator
Get a personalised SOC 2 evidence collection checklist by Trust Service Criteria control area — with exact evidence items, auditor expectations, collection steps for AWS/GitHub/GCP, and PBC folder organisation guide.
Trust Centre Page Generator
Generate a complete security & compliance Trust Centre page for your SaaS website. Covers certifications, infrastructure, encryption, pen testing, bug bounty, sub-processors, privacy & a security FAQ for enterprise prospects.
AI Privacy Impact Assessment (AI-PIA)
Generate a GDPR Article 35 DPIA specifically for AI systems. Covers EU AI Act risk classification, Annex III use cases, automated decision-making (Art. 22), bias assessment, human oversight documentation, and DPA consultation analysis.
ISO 27701 PIMS Gap Assessment
Assess your readiness for ISO/IEC 27701:2019 PIMS certification — the privacy extension to ISO 27001. 26 controls across 8 domains. Annex A (controllers) + Annex B (processors). Includes ISO 27701 ↔ GDPR alignment map and certification roadmap.
Security Awareness Training Policy
Generate a complete Security Awareness Training Policy for your SaaS. Training schedule, curriculum, phishing simulation programme, completion tracking, and graduated consequences. Mapped to SOC 2 CC1.4, ISO 27001 A.6.3, HIPAA §164.308(a)(5), NIS2 Art. 21(2)(g), PCI DSS Req 12.6, GDPR Art. 32.
DSAR Policy & Procedure
Generate an internal GDPR data subject access request (DSAR) policy covering all 8 rights, identity verification, per-right procedures, timelines, refusal grounds, DSR register template, and escalation paths.
AI Risk Register
Generate a comprehensive AI risk register covering EU AI Act compliance, GDPR Art. 22 ADM risks, algorithmic bias, prompt injection, model drift, and ISO 42001 — with inherent risk scores and mitigation plans.
GDPR Processor Security Policy
Generate Art. 28(3)(c) TOMs documentation — encryption, access control, incident response, audit rights, and sub-processor obligations.
Internal IT & BYOD Policy
Generate an employee IT acceptable use and BYOD policy covering device controls, network access, cloud apps, remote work, and monitoring disclosure.
Access Control Policy
Generate a complete Access Control Policy covering RBAC, least privilege, MFA, privileged access management, user provisioning, access reviews, and remote access controls.
Data Classification Policy
Generate a Data Classification Policy with tiered classification levels (Public/Internal/Confidential/Restricted), handling standards, storage controls, labelling, and disposal procedures.
Vulnerability Management Policy
Generate a Vulnerability Management & Patch Management Policy with scanning cadence, CVSS severity classification, remediation timelines, exception handling, and compliance mappings.
Cryptography & Encryption Policy
Generate a Cryptography & Encryption Policy with approved algorithms, at-rest and in-transit encryption requirements, key management lifecycle, TLS standards, and compliance mappings.
More frameworks on the roadmap
Join the waitlist to get notified when these ship. No promises on timelines.
SOC 2 Type II Policy Pack
🌐 Global Enterprise
Pre-written SOC 2 Type II policy bundle — access control, change management, incident response, vendor management, and more.
ISO 27001 ISMS Documentation Pack
🌐 Global
Full ISMS documentation pack: Statement of Applicability, Risk Register template, internal audit checklist, management review agenda.
How it works
From zero to compliance package in an afternoon — not a quarter.
Describe your SaaS
Answer a plain-English questionnaire about what your product does, what data you collect, where you operate, and which subprocessors you use.
AI drafts your privacy policy
ComplyKit sends your answers to OpenAI and gets back a structured Privacy Policy draft mapped to GDPR Articles 13–14 and CCPA disclosure requirements. It’s a draft, not legal advice.
Copy, export, hand to counsel
Copy to clipboard, download as Markdown, or print to PDF. Hand the draft to a qualified privacy lawyer for review before publishing.
Re-generate as you grow
Add a subprocessor? Open a new market? Re-run the generator and get an updated draft. Each generation is a fresh draft — always have it reviewed.
Be first in line
Join the waitlist and we'll let you know when more frameworks (Terms, DPA, Cookie Policy) ship. Founding members will get an early discount when paid plans launch.