CMMC 2.013 min read17 July 2026
Complete guide to CMMC 2.0 Level 2 compliance: 110 NIST 800-171 practices, C3PAO assessments, SPRS scoring, SSP, POAM, DFARS 252.204-7012 obligations, and cyber incident reporting for US defense contractors.
Read the guide→Digital Markets Act14 min read17 July 2026
Complete guide to DMA compliance: gatekeeper designation thresholds, Art. 5 absolute obligations, Art. 6 fair conduct, Art. 7 messaging interoperability, transparency requirements, and Commission enforcement proceedings against Apple, Google, Meta.
Read the guide→Product4 min read17 July 2026
ComplyKit has added two new free compliance generators: CMMC 2.0 Level 2 Gap Assessment (109th) and Digital Markets Act Compliance Checklist (110th). Now 110 free generators, no account required.
Read the guide→ePrivacy15 min read16 July 2026
Complete guide to the EU ePrivacy Regulation draft — what changes from ePrivacy Directive 2002/58/EC, cookie consent rules under Art. 5(3), direct marketing obligations, M2M communications, and DPA enforcement in 2026.
Read the guide→EU AI Act15 min read16 July 2026
Complete guide to algorithmic fairness testing — demographic parity, equalised odds, intersectional bias testing, EU AI Act Art. 10 training data governance, and building a practical bias audit programme.
Read the guide→Product4 min read16 July 2026
ComplyKit has added two new free compliance generators: EU ePrivacy Regulation Readiness Assessment (107th) and AI Fairness & Bias Audit Checklist (108th). Now 108 free generators, no account required.
Read the guide→ISO 2770112 min read15 July 2026
ISO/IEC 27701 is the international standard for privacy information management systems (PIMS). It extends ISO 27001 with dedicated PII controller and processor controls, maps to GDPR, and provides a certification path. Here's the complete implementation guide.
Read the guide→NIST CSF13 min read15 July 2026
NIST released CSF 2.0 in February 2024 — the biggest update since the framework launched in 2014. The new GOVERN function, expanded supply chain risk, and updated Tier definitions change how organisations approach cybersecurity maturity. Here's the complete guide.
Read the guide→Product4 min read15 July 2026
ComplyKit has added two new free compliance generators: ISO 27701 PIMS Gap Assessment (105th) and NIST CSF 2.0 Tier Assessment (106th). Now 106 free generators, no account required.
Read the guide→EU AI Act9 min read14 July 2026
COM(2022) 496 — the proposed EU AI Liability Directive — introduces two liability tracks for AI: strict liability for high-risk AI systems and fault-based liability with a rebuttable presumption for all other AI. With EU AI Act reaching full applicability in August 2026, here's what AI companies need to know.
Read the guide→DORA10 min read14 July 2026
DORA Article 28 requires all financial entities to maintain a comprehensive ICT third-party provider register and submit it to their NCA. This guide covers the mandatory fields, criticality assessment methodology, Art. 30 contractual provisions, and what's being flagged in NCA examinations.
Read the guide→Product Updates4 min read14 July 2026
ComplyKit adds two new free generators: EU AI Liability Directive Gap Assessment (COM(2022) 496) and DORA ICT Third-Party Register (Art. 28). Now 104 generators covering the full compliance stack for SaaS founders and financial services compliance teams.
Read the guide→FCA / UK Regulation11 min read13 July 2026
Everything UK-regulated firms need to know about FCA Consumer Duty (PS22/9): the four outcomes, fair value assessments, consumer understanding standard, vulnerable customers, SM&CR accountability, and annual board attestation.
Read the guide→SOC 210 min read13 July 2026
How to prepare for your first or renewal SOC 2 Type II audit — evidence collection plans, sampling windows, access review cadence, penetration testing timing, sub-service organisation reports, and what auditors actually look for.
Read the guide→Product5 min read13 July 2026
ComplyKit hits 102 free compliance generators with two new additions: an FCA Consumer Duty Compliance Checklist (42 items, PRIN 2A / PS22/9) and a SOC 2 Type II Readiness Assessment (42 items, evidence collection, audit period monitoring).
Read the guide→Payment Regulation12 min read12 July 2026
Everything payment service providers, fintechs, and open banking platforms need to know about PSD2 Strong Customer Authentication, EBA RTS Art. 5 dynamic linking, SCA exemptions, PSD3/PSR transition, and eIDAS API obligations.
Read the guide→NIS211 min read12 July 2026
Complete guide to NIS2 Directive (EU) 2022/2555 Art. 23 incident reporting obligations for essential and important entities: significant incident classification, 24h early warning, 72h intermediate notification, CSIRT coordination, 1-month final report, and GDPR Art. 33 parallel obligations.
Read the guide→Product5 min read12 July 2026
ComplyKit reaches 100 free compliance generators — a major milestone. Today's additions: PSD2/PSD3 SCA Compliance Checklist (40 items, Strong Customer Authentication + open banking + PSD3 readiness) and NIS2 Incident Reporting Playbook (42 items, Art. 23 24h/72h/1-month reporting). No account required.
Read the guide→EU Data Act12 min read11 July 2026
The EU Data Act applies from 12 September 2025. It gives users the right to access IoT-generated data, forces cloud providers to enable switching within 30 days, and creates mandatory B2G data-sharing obligations. Here's the plain-English breakdown for SaaS founders, IoT manufacturers, and cloud providers.
Read the guide→AI Governance14 min read11 July 2026
The NIST AI RMF 1.0 (January 2023) is the most widely referenced AI governance framework globally. It's voluntary but increasingly required by regulators, procurement officers, and enterprise customers. Here's how to actually implement it — from writing an AI risk policy to running pre-deployment red-teaming.
Read the guide→Product4 min read11 July 2026
ComplyKit now has 98 free compliance generators — 2 away from the milestone 100. Today: EU Data Act Compliance Checklist (Regulation (EU) 2023/2854, applicable September 2025) and NIST AI RMF Gap Assessment (GOVERN/MAP/MEASURE/MANAGE, 48 items).
Read the guide→ISO 2700114 min read10 July 2026
ISO 27001:2022 restructured Annex A from 114 controls across 14 domains to 93 controls across 4 themes, adding 11 new controls. Here's what changed, what auditors look for, and how to run a proper gap assessment before your Stage 1 audit.
Read the guide→DORA13 min read10 July 2026
DORA Regulation (EU) 2022/2554 has applied since January 2025. When your ICT system fails, you have hours to classify the incident and potentially notify your regulator. Here's how Art. 19 major incident classification works, what the RTS thresholds are, and what to do in the first 72 hours.
Read the guide→Product4 min read10 July 2026
ComplyKit now has 96 free compliance generators — 4 from the milestone 100. Today we launched the ISO 27001:2022 Annex A Controls Gap Assessment (covering all 93 controls and the 11 new 2022 controls) and the DORA Major ICT Incident Classification Matrix (Art. 19 criteria, RTS thresholds, 72h reporting).
Read the guide→CRA11 min read9 July 2026
Regulation (EU) 2024/2847 (CRA) applies from December 2027. Manufacturers of products with digital elements must meet strict security-by-design, vulnerability handling, SBOM, CVD policy, and CE marking requirements. Here's what to do and when.
Read the guide→Employment Law10 min read9 July 2026
EU Directive 2019/1937 requires companies with 50+ employees to establish internal whistleblowing channels with 7-day acknowledgment, 3-month follow-up, and anti-retaliation protection. Here's what's required and how GDPR applies.
Read the guide→Product Updates5 min read9 July 2026
ComplyKit has reached 94 free compliance generators with two major new additions: the EU Cyber Resilience Act (CRA) Compliance Checklist for manufacturers of connected products, and the EU Whistleblowing Directive Compliance Checker for organisations with 50+ employees.
Read the guide→EU AI Act13 min read8 July 2026
Complete guide to EU AI Act high-risk AI system conformity assessment requirements. Art. 9 risk management, Art. 10 data governance, Art. 11 technical documentation, Art. 14 human oversight, Art. 15 accuracy, and post-market monitoring obligations for providers.
Read the guide→CSRD14 min read8 July 2026
Complete guide to CSRD gap assessment for European companies. Double materiality assessment methodology, ESRS 1/2 general disclosures, ESRS E1 climate reporting (Scope 1/2/3, transition plan), ESRS S1 workforce metrics, gender pay gap, and limited assurance requirements.
Read the guide→ComplyKit5 min read8 July 2026
ComplyKit now covers 92 frameworks with the launch of the EU AI Act High-Risk System Conformity Assessment (Art. 9–15) and CSRD Gap Assessment (ESRS 1/2/E1–E5/S1–S4/G1). Free, no account required.
Read the guide→Supply Chain Compliance11 min read7 July 2026
What a legally robust supplier code of conduct must cover under the EU Corporate Sustainability Due Diligence Directive (CSDDD), German Supply Chain Act (LkSG), and UK Modern Slavery Act. With practical implementation guide.
Read the guide→MiFID II12 min read7 July 2026
A practical MiFID II compliance guide covering the 8 key pillars: client suitability and ESG preferences, costs disclosure, best execution, transaction reporting, product governance, conflicts of interest, MAR surveillance, and algorithmic trading.
Read the guide→ComplyKit7 min read7 July 2026
ComplyKit has reached 90 free compliance generators covering GDPR, SOC 2, HIPAA, ISO 27001, MiFID II, DORA, CSDDD, FedRAMP, EU AI Act, and 15+ more frameworks.
Read the guide→Australian Financial Services11 min read6 July 2026
Complete guide to APRA Prudential Standard CPS 234 Information Security — covering all 8 requirement areas, APRA notification timelines, third-party ICT risk, and the CPG 234 annual self-assessment.
Read the guide→EU Financial Services12 min read6 July 2026
Complete guide to the DORA Regulatory Technical Standards (RTS) that became effective January 17, 2025 — covering ICT risk management, major incident reporting timelines, third-party ICT risk, and the TLPT programme.
Read the guide→EU Financial Services9 min read6 July 2026
Practical guide to the DORA major ICT incident reporting regime — how to classify major incidents under Commission Delegated Regulation (EU) 2024/1772, and how to manage the 4-hour, 72-hour, and 1-month NCA notification timelines.
Read the guide→ISO 270019 min read5 July 2026
ISO 27001:2022 Clause 9.3 requires top management to review the ISMS at planned intervals. Here's exactly what the 7 mandatory inputs and 3 mandatory outputs are, and what BSI or DNV will look for.
Read the guide→GDPR10 min read5 July 2026
GDPR Article 25 requires privacy by design and by default — but what does that mean in practice? A technical and legal breakdown for SaaS founders and engineers, covering all 7 PbD principles and common enforcement actions.
Read the guide→ISO 270018 min read5 July 2026
ISO 27001 requires both a management review (Cl. 9.3) and an internal audit programme (Cl. 9.2). They serve different purposes but feed each other. Here's how to run both effectively.
Read the guide→FedRAMP12 min read4 July 2026
A practical guide to FedRAMP authorization for cloud service providers — covering Low/Moderate/High impact levels, Agency vs JAB paths, SSP requirements, 3PAO selection, and continuous monitoring obligations.
Read the guide→HITRUST11 min read4 July 2026
A practical guide to HITRUST CSF certification for healthcare SaaS founders — covering the e1, i1, and r2 levels, what enterprise buyers require, the assessment process, and how HITRUST maps to HIPAA.
Read the guide→HITRUST9 min read4 July 2026
A direct comparison of SOC 2 Type II and HITRUST CSF for healthcare SaaS companies — covering what enterprise buyers require, control overlap, cost, timeline, and when to pursue each.
Read the guide→Penetration Testing9 min read3 July 2026
Pen testing is required by SOC 2, ISO 27001, PCI DSS, and NIS2 — but the requirements differ. Here's what each framework actually mandates, what auditors sample as evidence, and how to structure your penetration testing programme.
Read the guide→Cyber Insurance10 min read3 July 2026
Cyber insurance has become a SaaS sales enabler, investor requirement, and financial safety net. Here's exactly what underwriters ask about MFA, EDR, backup, incident response, and patching — and how to improve your security posture before applying.
Read the guide→GDPR8 min read3 July 2026
The EU-US Data Privacy Framework replaced Privacy Shield in July 2023. Here's what it covers, who can use it, how it compares to SCCs and BCRs, and what happens if it's challenged again.
Read the guide→CCPA11 min read2 July 2026
The CPRA overhauled California's privacy law in 2023. Sensitive PI controls, GPC signal obligations, the right to correction, data minimisation, and a new enforcement agency changed what compliance requires. Here's the full picture.
Read the guide→NIST12 min read2 July 2026
CMMC 2.0 is now embedded in DoD contracts. Any contractor handling Controlled Unclassified Information needs to meet NIST SP 800-171's 110 requirements and maintain a SPRS score. Here's what the requirements actually mean.
Read the guide→CCPA10 min read2 July 2026
A practical CCPA/CPRA compliance checklist for SaaS companies. Covers privacy notices, Do Not Sell or Share link, GPC signal, deletion and correction rights, sensitive PI controls, and service provider contracts.
Read the guide→SOC 211 min read1 July 2026
A practical guide to SOC 2 remediation — how to prioritise control gaps, assign owners, collect evidence, and get audit-ready within 90 days of completing your gap assessment.
Read the guide→Privacy13 min read1 July 2026
A practical guide to FERPA compliance for EdTech SaaS companies. Covers the school official exception, student data restrictions, required DPA provisions, COPPA overlap, and state student privacy laws (SOPIPA, NY §2-d).
Read the guide→SOC 212 min read1 July 2026
A practical guide to SOC 2 audit evidence collection. Covers what the PBC list is, how auditors sample evidence for each Trust Service Criterion, what format works, and how to avoid the common evidence failures.
Read the guide→PCI DSS12 min read30 June 2026
PCI DSS v4.0 became mandatory in March 2025. This guide covers all 12 requirement groups, the four key changes from v3.2.1, how to conduct a gap assessment, and what Qualified Security Assessors look for in a RoC or SAQ submission.
Read the guide→HIPAA13 min read30 June 2026
The HIPAA Security Risk Assessment is the most-cited missing document in OCR enforcement actions. This guide covers exactly what §164.308(a)(1) requires, all three safeguard categories, HHS/NIST methodology, and how to create an SRA that satisfies OCR audit scrutiny.
Read the guide→PCI DSS10 min read30 June 2026
Four key requirements are new or significantly expanded in PCI DSS v4.0, all mandatory since March 2025. This guide explains what Req 6.4.3 (payment page scripts), 11.6.1 (tamper detection), 8.4 (MFA expansion), and 5.4 (phishing) require and how to implement them.
Read the guide→ISO 4200114 min read27 June 2026
A deep dive into ISO/IEC 42001:2023 — the first international AI Management System standard. What AIMS requires, how it differs from ISO 27001 and the EU AI Act, and how to get certified.
Read the guide→Privacy Law13 min read27 June 2026
A practical guide to PIPEDA compliance and Bill C-27 (CPPA) preparation for SaaS companies with Canadian customers. Covers all 10 Fair Information Principles, breach notification, and upcoming automated decision-making obligations.
Read the guide→EU AI Act11 min read27 June 2026
How ISO/IEC 42001:2023 AI Management System certification supports EU AI Act compliance for high-risk AI providers and deployers — clause-by-article mapping, gaps, and what you still need to do.
Read the guide→ISO 2700110 min read26 June 2026
A practical guide to conducting ISO 27001:2022 Clause 9.2 internal audits. Covers mandatory requirements, what auditors check, common nonconformities, and how to prepare for Stage 1 and Stage 2 certification.
Read the guide→NIS212 min read26 June 2026
A complete guide to NIS2 Article 21 cybersecurity risk assessments. Covers entity classification, all 10 mandatory measure categories, management body accountability under Art. 20, and how to document your risk assessment for your national competent authority.
Read the guide→ISO 270019 min read26 June 2026
Understand the key differences between ISO 27001 Clause 9.2 internal audits and Stage 1/Stage 2 certification audits. What each covers, who conducts them, what findings look like, and how a good internal audit prepares you to pass certification.
Read the guide→ISO 2700111 min read25 June 2026
The Risk Treatment Plan (Clause 6.1.3) is where ISO 27001 gets real — it turns your risk register into a control implementation roadmap and provides the traceability chain auditors follow from risk to SoA. Here's what it must contain and the mistakes that sink audits.
Read the guide→GDPR12 min read25 June 2026
GDPR Art. 7 consent is one of the most misused lawful bases in SaaS. Pre-ticked boxes, bundled consent, and using consent where legitimate interests would be cleaner — all common mistakes. Here's exactly what valid consent requires and how to manage it correctly.
Read the guide→ISO 2700110 min read25 June 2026
ISO 27001 Clause 6 contains three mandatory outputs — risk assessment, risk treatment plan, and Statement of Applicability — that must form a consistent, traceable chain. Here's how they work together, what auditors check, and the correct order of operations.
Read the guide→EU AI Act11 min read24 June 2026
The EU AI Act imposes different obligations depending on whether you're a provider or deployer, and which risk tier your AI system falls into. Here's the full obligations map — from prohibited practices and transparency to technical documentation, conformity assessment, and GPAI requirements.
Read the guide→GDPR12 min read24 June 2026
A comprehensive GDPR compliance audit checklist covering all major obligations — lawful basis, transparency, data subject rights, processor agreements, security, breach notification, DPIAs, international transfers, and accountability. With article references and common failures for each.
Read the guide→EU AI Act10 min read24 June 2026
If your AI system falls into an Annex III use case — employment, credit scoring, biometrics, education, or law enforcement — you face the full set of EU AI Act provider obligations. Here's what each requirement means in practice, with timelines and common mistakes.
Read the guide→ISO 2700111 min read23 June 2026
ISO 27001 clause 6.1.2 requires a systematic information security risk assessment before certification. Here's exactly what it must contain, how to build a risk register, and how it connects to your Statement of Applicability.
Read the guide→Security Frameworks10 min read23 June 2026
CIS Controls v8 reorganised 153 sub-controls into 153 Safeguards across 18 Controls and three Implementation Groups. Here's what SaaS SMBs actually need to do for IG1 and IG2, and how it maps to SOC 2 and ISO 27001.
Read the guide→ISO 270018 min read23 June 2026
The ISO 27001 risk assessment (clause 6.1.2) and Statement of Applicability (clause 6.1.3(d)) are two separate mandatory documents — but they must be consistent. Here's exactly how they relate and what auditors check.
Read the guide→ISO 2700111 min read22 June 2026
The Statement of Applicability (SoA) is a mandatory ISO 27001 document covering all 93 Annex A controls. Learn what must be in it, how to justify exclusions, and what auditors check.
Read the guide→SOC 210 min read22 June 2026
Enterprise customers send Vendor Security Questionnaires (VSQs) before signing any SaaS contract. Learn what they ask, why SaaS companies fail them, and how to prepare a complete response that unblocks deals.
Read the guide→Privacy9 min read22 June 2026
Canada's PIPEDA applies to private-sector organisations handling personal information in the course of commercial activity. Here's what SaaS companies need to do to comply, and what Bill C-27 (CPPA) changes.
Read the guide→SOC 212 min21 June 2026
The SOC 2 System Description is the longest part of the report. Here's exactly what AICPA DC Section 200 requires — and how to write one auditors won't push back on.
Read the guide→NIST11 min21 June 2026
NIST released CSF 2.0 in February 2024 with a new GOVERN function and broader scope. Here's how to use it as a SaaS company — and how it maps to SOC 2, ISO 27001, and NIS2.
Read the guide→SOC 28 min21 June 2026
These are two different documents with different audiences. Here's what each covers, who reads them, and why you need both for a complete SOC 2 audit.
Read the guide→SOC 210 min read20 June 2026
The management assertion letter is required before every SOC 2 audit. Learn what AICPA AT-C §205 requires, the three assertions management must make, what goes wrong, and how to draft a solid assertion for Type I and Type II audits.
Read the guide→UK Cyber Essentials11 min read20 June 2026
UK Cyber Essentials covers 5 technical control areas and is increasingly required for UK government contracts and enterprise procurement. This guide covers CE vs CE+, the 5 control areas, what fails assessments, and how to prepare.
Read the guide→SOC 29 min read20 June 2026
Type I and Type II SOC 2 reports differ in more than just the audit period. Learn what changes in the management assertion, what evidence each requires, which one to pursue first, and how to plan your audit timeline.
Read the guide→Security Policies10 min read19 June 2026
SOC 2 CC8.1 is one of the most-tested criteria in Type II audits — and where SaaS companies most often fail on evidence, not practice. This guide covers what auditors sample, how to configure GitHub branch protection, CI/CD log retention, emergency change documentation, and the PR-as-change-record model.
Read the guide→Risk & Compliance11 min read19 June 2026
Supply chain attacks are now a top compliance risk for SaaS companies. This guide covers ISO 27001 A.5.19-A.5.22 supplier relationship requirements, SOC 2 CC9.2 vendor risk management, NIS2 Art. 21(d) supply chain security obligations, and how to build a supplier security programme that satisfies auditors.
Read the guide→Security Policies10 min read19 June 2026
Security awareness training is required by ISO 27001 A.6.3, SOC 2 CC1.4, HIPAA §164.308(a)(5), and NIS2 Art. 21(2)(g). This guide covers what a compliant training programme looks like, what evidence auditors sample, how to run phishing simulations, and how to achieve 95%+ completion rates with evidence ready for audit.
Read the guide→Security Policies10 min read10 June 2026
ISO 27001 A.8.20–8.23 are required network security controls. SOC 2 CC6.6 is tested. PCI DSS Req 1 mandates a documented firewall policy. Here’s what your network security policy must cover for cloud-native SaaS in 2026 — firewall architecture, segmentation, ZTNA, DDoS, and what auditors actually look for.
Read the guide→Security Policies10 min read10 June 2026
You can’t protect what you can’t see. ISO 27001 A.5.9 requires asset inventory. CIS Controls 1 and 2 are the most foundational controls in the v8 framework. Yet cloud auto-scaling, SaaS sprawl, and forgotten secrets make traditional asset management broken for modern SaaS. Here’s how to fix it.
Read the guide→Security Policies10 min read10 June 2026
Zero Trust isn’t a product — it’s a posture. For cloud-native SaaS, the perimeter is identity, not network. This guide covers ZTNA vs VPN, what Zero Trust actually means under NIST SP 800-207, and a practical maturity model with the controls you can ship in 6 months.
Read the guide→Security Policies9 min read9 June 2026
SOC 2 CC6.3, ISO 27001 A.8.5, and PCI DSS Req 8 all require documented password and authentication policies. Here's what your policy must cover, including MFA requirements, password length standards, service account controls, and the NIST guidance most companies misapply.
Read the guide→Security Policies9 min read9 June 2026
ISO 27001 A.6.7 requires documented teleworking security measures. SOC 2 CC6.6 covers network protections. GDPR Art. 32 applies to all remote processing of personal data. Here's what your remote work security policy must cover in 2026.
Read the guide→ISO 2700111 min read9 June 2026
ISO 27001:2022 Annex A has 93 controls across 4 domains. SaaS companies frequently over-complicate implementation. Here's what each control means in practice, which ones are most commonly selected, and how to document applicability for your Statement of Applicability.
Read the guide→Security Policy9 min read8 June 2026
SOC 2 CC7.2 and ISO 27001 A.8.15/A.8.16 require documented log management and monitoring controls. Here's what your policy must cover, how to configure SIEM alerting, and the evidence auditors need.
Read the guide→Security Policy10 min read8 June 2026
Email is the #1 attack vector for SaaS businesses. Here's how to build an email security policy covering DMARC enforcement, anti-phishing controls, DLP, and compliance with ISO 27001 A.8.23, SOC 2, and NIS2.
Read the guide→Compliance11 min read8 June 2026
NIST CSF 2.0 added a new Govern function and became the global cybersecurity reference framework. Here's how SaaS founders can use it to structure their security programme alongside SOC 2 and ISO 27001.
Read the guide→DORA Compliance11 min read7 June 2026
DORA Art. 5–16 requires EU financial entities and ICT third-party service providers to maintain a documented ICT risk management framework. This guide covers the five DORA pillars, Art. 30 contractual requirements, and what SaaS vendors selling to financial institutions must prepare.
Read the guide→Security Policies10 min read7 June 2026
HR security is one of the most-overlooked compliance requirements for SaaS companies. This guide covers ISO 27001 A.6.1/A.6.2/A.6.3/A.6.5 controls, SOC 2 CC1.1/CC6.2 background checks and training, pre-employment screening, offboarding checklists, and security awareness obligations.
Read the guide→Security Testing11 min read7 June 2026
Penetration testing is required by SOC 2, ISO 27001, DORA, and PCI DSS — but how often, what scope, and what evidence do auditors need? This guide covers frequency requirements by framework, scoping decisions, vendor selection, and how to use pen test results to fix gaps before your audit.
Read the guide→Security Policies10 min read6 June 2026
How to build a vulnerability management programme that satisfies SOC 2 CC7.1 and ISO 27001 A.8.8. Covers scanning cadence, CVSS severity classification, remediation timelines, patch management, and exception handling.
Read the guide→Security Policies11 min read6 June 2026
How to build a cryptography and encryption policy that satisfies ISO 27001 A.10/A.8.24, SOC 2 CC6.7, GDPR Art. 32, HIPAA, and PCI DSS. Covers approved algorithms, encryption at rest and in transit, key management, and the GDPR breach notification safe harbour.
Read the guide→Security Policies10 min read6 June 2026
How to implement a Secure Software Development Lifecycle (SDLC) that satisfies SOC 2 CC8 and ISO 27001 A.8.25 without a dedicated AppSec team. Covers code review requirements, branch protection, CI/CD security controls, SAST/DAST, and audit evidence.
Read the guide→Security Policies10 min read5 June 2026
How to build a complete access control policy for a SaaS company. Covers RBAC, least privilege, MFA, privileged access management, user provisioning, access reviews, and compliance mapping for SOC 2, ISO 27001, HIPAA, and PCI DSS.
Read the guide→Security Policies9 min read5 June 2026
A practical guide to building a data classification policy for SaaS companies. Covers tier structures, handling standards, storage controls, labelling, and compliance mapping for ISO 27001 Annex A.8, SOC 2, GDPR, HIPAA, and PCI DSS.
Read the guide→Security Policies9 min read5 June 2026
How to build a change management policy that satisfies SOC 2 CC8, ISO 27001 Annex A.8.32, and HIPAA change control requirements. Covers code review, deployment gates, change approval workflows, emergency changes, and evidence collection.
Read the guide→GDPR10 min read4 June 2026
GDPR Article 28(3)(c) requires processors to implement and document technical and organisational measures. Here's exactly what your processor security policy needs to cover — and how to structure it for enterprise due diligence.
Read the guide→Security9 min read4 June 2026
An Internal IT and BYOD policy is required for SOC 2, ISO 27001, and GDPR Art. 32. Here's what it needs to cover, how to handle personal devices without alienating your team, and how to map it to every major compliance framework.
Read the guide→Financial Regulation11 min read4 June 2026
The EU Digital Operational Resilience Act (DORA) applies to financial entities and their critical ICT providers. If your SaaS serves banks, insurers, or investment firms — or if you're a Critical Third-Party Provider — here's what you need to comply with.
Read the guide→GDPR Compliance12 min read2 June 2026
A complete guide to building a GDPR-compliant DSAR handling policy for SaaS companies — intake channels, identity verification, response timelines, per-right procedures, refusal grounds, and audit logging.
Read the guide→AI Governance13 min read2 June 2026
A practical guide to building an AI risk register for SaaS products covering EU AI Act risk categories, GDPR Art. 22 automated decision-making, algorithmic bias risks, prompt injection, and ISO 42001 alignment.
Read the guide→AI Governance11 min read2 June 2026
A practical guide to ISO 42001 — the AI Management System standard — for SaaS founders. Covers scope, key requirements, how it relates to ISO 27001 and the EU AI Act, and whether you need certification.
Read the guide→Privacy11 min read1 June 2026
ISO 27701:2019 is the privacy extension to ISO 27001 — and the most underrated lever for enterprise privacy assurance. Here's what it is, who needs it, how it maps to GDPR, and how to assess your readiness.
Read the guide→Security11 min read1 June 2026
74% of breaches involve a human element. Here's how to build a security awareness training programme that satisfies SOC 2 CC1.4, ISO 27001 A.6.3, HIPAA, NIS2, and PCI DSS — without boring your team into compliance theatre.
Read the guide→GDPR10 min read1 June 2026
GDPR Article 32 requires 'appropriate' technical and organisational measures — a standard that has been the basis of most major GDPR fines. Here's what TOMs actually mean for SaaS, with a 22-item checklist mapped to SOC 2 and ISO 27001.
Read the guide→Enterprise Sales10 min read31 May 2026
A Trust Centre is your enterprise security sales page. Here's what every SaaS company needs to include — certifications, infrastructure, encryption, pen testing, privacy compliance, and a security FAQ that answers what procurement teams actually ask.
Read the guide→GDPR11 min read31 May 2026
When must you conduct a DPIA for your AI system? How does GDPR Art. 35 intersect with the EU AI Act? This guide covers AI-specific risks, automated decision-making (Art. 22), bias obligations, and the 9 steps to conduct an AI-PIA.
Read the guide→Enterprise Sales9 min read31 May 2026
Enterprise buyers send VSAQs, SIG Lites, and custom security questionnaires before signing. Here's how to build a repeatable process, what each section covers, and how a Trust Centre can answer 70% of questions before they're asked.
Read the guide→GDPR Compliance10 min read30 May 2026
A practical guide to GDPR Article 33 supervisory authority notification and Article 34 individual notification — including mandatory content, 72-hour timeline, and ready-to-submit templates.
Read the guide→SOC 212 min read30 May 2026
A practical guide to collecting and organising SOC 2 evidence for Type I and Type II audits — by control area, with exact evidence items, naming conventions, and collection steps for AWS, GitHub, and common SaaS tools.
Read the guide→GDPR Compliance11 min read30 May 2026
What counts as special category data under GDPR Article 9, when SaaS products trigger its strict requirements, and exactly what you must do differently — from legal basis to DPIAs to security measures.
Read the guide→AI Governance9 min read29 May 2026
A practical guide to writing an AI Acceptable Use Policy for your SaaS product. Covers EU AI Act Art. 26 obligations, prohibited AI uses, bias disclosures, human oversight levels, and enforcement mechanisms.
Read the guide→Privacy11 min read29 May 2026
What SaaS founders need to know about COPPA (under-13 in the US), GDPR Article 8 (age of digital consent in the EU), and the UK Children's Code. Who needs to comply, what parental consent requires, and the highest-risk mistakes.
Read the guide→GDPR8 min read29 May 2026
What GDPR Article 5(1)(c) data minimisation requires in practice: schema design, analytics, logs, backups, and AI training data. Includes a data minimisation audit checklist for SaaS founders.
Read the guide→EU AI Act11 min read28 May 2026
The EU AI Act's GPAI obligations (Art. 53) are live. Here's what a model card needs to include — training data summaries, capability documentation, safety testing results, and more — and how to generate one for free.
Read the guide→Employment & Ethics10 min read28 May 2026
EU Directive 2019/1937 requires organisations with 50+ employees to establish internal reporting channels. Here's what your whistleblower policy must cover, what penalties apply, and how to generate one for free.
Read the guide→EU AI Act12 min read28 May 2026
The EU AI Act is in force, GDPR Art. 22 applies to automated decisions, and enterprise customers are asking about AI governance policies. Here's the complete documentation stack for AI-powered SaaS in 2026.
Read the guide→GDPR9 min read27 May 2026
18-control audit checklist for your cookie consent setup. Check banner design, consent validity, GCM v2, consent records, and CMP configuration against GDPR, ePrivacy, and ICO requirements.
Read the guide→GDPR10 min read27 May 2026
A complete guide to GDPR legitimate interests for SaaS founders. 3-step LIA process (purpose test, necessity test, balancing test), when LI works and when it doesn't, and common enforcement mistakes.
Read the guide→GDPR11 min read27 May 2026
A complete guide to UK GDPR for SaaS companies. Key differences from EU GDPR, ICO registration, PECR, adequacy decisions, international transfers, and the Data (Use and Access) Act 2025.
Read the guide→Compliance9 min read26 May 2026
LGPD (Lei Geral de Proteção de Dados) enforcement is ramping up. Here's what SaaS founders need to know: ANPD fines, 10 lawful bases, data subject rights, and a practical compliance checklist.
Read the guide→Compliance10 min read26 May 2026
A third-party risk management (TPRM) policy is now required by ISO 27001, SOC 2, GDPR, and NIS2. Here's what to include, how to tier your vendors, and a free template generator.
Read the guide→Compliance8 min read26 May 2026
Australia's Privacy and Other Legislation Amendment Act 2024 introduces a statutory tort for serious privacy invasions, enhanced breach notification, and new children's privacy rules. Here's what changes for SaaS.
Read the guide→Security11 min25 May 2026
A practical guide to PCI DSS v4.0 for SaaS companies that take payments. Covers SAQ types, CDE scoping, the 12 requirements, and how hosted payment pages reduce your compliance burden.
Read the guide→GDPR12 min25 May 2026
A complete guide to GDPR Chapter V international data transfer mechanisms. Covers the EU-US Data Privacy Framework, Standard Contractual Clauses (2021), UK IDTA, BCRs, and when a Transfer Impact Assessment is required post-Schrems II.
Read the guide→Privacy10 min25 May 2026
Asia-Pacific privacy law guide for SaaS founders. Covers Thailand's PDPA and Singapore's PDPA: applicability, consent requirements, data subject rights, breach notification, and practical compliance steps for global SaaS.
Read the guide→Compliance8 min read24 May 2026
The NIS2 Directive went live in October 2024. Cloud services, SaaS platforms, and managed service providers are explicitly in scope. Here's what you must do to comply with the 10 Art. 21 cybersecurity requirements.
Read the guide→HIPAA8 min read24 May 2026
The HIPAA Security Risk Assessment is legally required for every covered entity and business associate — and it's one of OCR's most cited violations. Here's how to conduct, document, and maintain your SRA.
Read the guide→GDPR7 min read24 May 2026
Every SaaS company that processes personal data on behalf of customers is a data processor under GDPR Art. 28. Here's exactly what that means: mandatory DPA terms, sub-processor rules, TOMs, audit rights, and breach notification.
Read the guide→ISO 270018 min read23 May 2026
A practical guide to conducting an ISO 27001 gap assessment across all 14 Annex A domains. Understand what a certification body will look for, how to score your controls, and what to fix before engaging an auditor.
Read the guide→EU AI Act9 min read23 May 2026
The EU AI Act is in phased application. Article 5 prohibitions are already in force. GPAI obligations hit in August 2025. High-risk system requirements apply from August 2026. Here's your practical checklist.
Read the guide→Security7 min read23 May 2026
ISO 27001 and SOC 2 serve different markets and have different processes. This guide helps you decide which to pursue first based on your customers, geography, and resources — and whether you can do both efficiently.
Read the guide→GDPR10 min read22 May 2026
Your Records of Processing Activities is more than a box-ticking exercise. Here's how to build and maintain a RoPA that actually holds up under DPA scrutiny — and helps you sell to enterprise customers.
Read the guide→SOC 211 min read22 May 2026
Hiring a SOC 2 auditor before you're ready costs time and money. Here's how to conduct a thorough gap analysis yourself, identify what's missing, and know when you're actually ready for a Type II audit.
Read the guide→HIPAA10 min read22 May 2026
HIPAA's Security Rule requires covered entities and business associates to conduct a formal Security Risk Assessment. Here's what it involves, what it must include, and how SaaS companies should approach it.
Read the guide→GDPR10 min read21 May 2026
Understand all 8 GDPR data subject rights, your obligations as a SaaS company, response timelines, valid grounds for refusal, and how to build a scalable DSR process.
Read the guide→GDPR9 min read21 May 2026
A practical guide to handling GDPR Subject Access Requests (SARs) in SaaS — what to include, how to verify identity, when to extend, and how to respond when you can't provide everything.
Read the guide→GDPR8 min read21 May 2026
When is a DPO mandatory under GDPR, what do they do, and what are the risks of getting this wrong? A practical guide for SaaS founders on DPO requirements, appointment, and alternatives.
Read the guide→Vendor Risk8 min read20 May 2026
A practical guide to vendor risk management for SaaS founders — how to tier vendors, what to ask in security questionnaires, and what evidence to require before granting access to customer data.
Read the guide→GDPR9 min read20 May 2026
What is a Transfer Impact Assessment under GDPR? When do you need one, what must it cover, and how do you conduct one for a SaaS company relying on US cloud providers and AI APIs?
Read the guide→GDPR8 min read20 May 2026
How to build and maintain GDPR Article 30 Records of Processing Activities (RoPA) for a SaaS company. Includes a worked template, controller vs processor obligations, and the 250-employee exemption explained.
Read the guide→GDPR9 min read19 May 2026
GDPR Article 17 gives users the right to delete their data. Here's exactly when you must comply, when you can refuse, and how to build a deletion workflow for your SaaS.
Read the guide→GDPR8 min read19 May 2026
If you hire in the EU, GDPR Art. 13 requires you to give employees a privacy notice at the time of data collection. Here's exactly what it must contain and when you need it.
Read the guide→Global Privacy Law9 min read19 May 2026
Japan's Act on the Protection of Personal Information (APPI) applies to SaaS with Japanese users. Here's how it compares to GDPR and what you need to do to comply.
Read the guide→CCPA / CPRA8 min read18 May 2026
CPRA added "sharing" to California's opt-out right. Here's exactly what your Do Not Sell or Share page must contain, how to honor the GPC signal, and how to handle authorized agents.
Read the guide→SOC 2 / Business Continuity9 min read18 May 2026
BCP and DRP are SOC 2 Availability Criteria requirements — not optional extras. Here's what you need to document, how to set realistic RTOs and RPOs, and what auditors look for.
Read the guide→GDPR7 min read18 May 2026
GDPR Art. 28 requires processors to notify controllers of sub-processor changes. Your sub-processor list is part of your sales and compliance stack — here's what to include and how to maintain it.
Read the guide→GDPR10 min read17 May 2026
GDPR Article 35 requires a DPIA before any high-risk processing. Here's a practical, step-by-step guide for SaaS founders: when a DPIA is mandatory, what it must cover, and how to write one that would survive a supervisory authority review.
Read the guide→GDPR9 min read17 May 2026
Getting cookie consent right is one of the most-enforced areas of GDPR. This guide covers consent management platforms, when you actually need consent vs legitimate interest, Consent Mode v2, and what DPA enforcement looks like in 2026.
Read the guide→Privacy Law8 min read17 May 2026
Selling to Canadian customers? PIPEDA (Canada's federal privacy law) applies — and it's materially different from GDPR. This guide covers PIPEDA's 10 principles, key differences from GDPR, consent requirements, breach notification, and what's changing with Bill C-27.
Read the guide→Security9 min read16 May 2026
ISO 27001 and SOC 2 are the two dominant security frameworks for SaaS companies. This guide explains the differences, costs, timelines, and which framework your enterprise customers actually want to see.
Read the guide→GDPR8 min read16 May 2026
Under GDPR Article 35, a Data Protection Impact Assessment (DPIA) is mandatory before high-risk processing. This guide explains when SaaS founders must conduct a DPIA, what it contains, and how to run one.
Read the guide→EU AI Act9 min read16 May 2026
The EU AI Act introduces fines up to €35 million or 7% of global revenue. This guide explains how liability works under the AI Act, who is a 'provider' vs 'deployer', and what SaaS founders building on top of AI APIs must do now.
Read the guide→GDPR8 min read15 May 2026
Everything SaaS founders need to know about GDPR Article 33 and 34 breach notification — what triggers the 72-hour clock, what to include in your report, and how to avoid fines.
Read the guide→CCPA9 min read15 May 2026
The California Privacy Rights Act (CPRA) amendments are reshaping CCPA compliance. Here's what's changed for SaaS companies in 2026: sensitive personal information, opt-out requirements, data minimisation, and new CPPA enforcement.
Read the guide→SOC 28 min read15 May 2026
What enterprise customers ask for before signing your SaaS contract — and how to prepare. Security questionnaires, SOC 2 reports, DPAs, pen tests, and more.
Read the guide→Legal Basics8 min read14 May 2026
When do you need an NDA? What's the difference between mutual and one-way NDAs? Which clauses matter for SaaS founders — and which are just fluff? A practical guide.
Read the guide→GDPR7 min read14 May 2026
GDPR Article 30 requires most organisations to maintain a Record of Processing Activities (RoPA). What it must contain, who has to keep it, and how to build one for your SaaS.
Read the guide→GDPR8 min read14 May 2026
Privacy by Design is a GDPR requirement under Article 25, not just a nice-to-have. Here's what it means in practice for SaaS founders building products in 2026.
Read the guide→SOC 28 min read13 May 2026
SOC 2 Type 1 proves your controls exist on a single day. Type 2 proves they worked over 6–12 months. Here's when you need each, what the audit looks like, and how to get there without breaking the bank.
Read the guide→GDPR7 min read13 May 2026
GDPR's storage limitation principle means you can't keep user data forever. Here's how to build a data retention policy for your SaaS, what retention periods to use for different data types, and how to actually delete data at scale.
Read the guide→GDPR8 min read13 May 2026
Consent is not the only lawful basis under GDPR — and often the wrong choice for SaaS. Legitimate interests (Article 6(1)(f)) covers most product analytics, security logging, and B2B marketing. Here's how to use it correctly.
Read the guide→Legal7 min read12 May 2026
The complete checklist: privacy policy, terms, cookie policy, DPA, AUP, refund policy — what each does, when you need it, and how to generate them free.
Read the guide→Legal6 min read12 May 2026
What an AUP does, when it's legally required, the 10 prohibited uses every SaaS should cover, and how to enforce it without killing legitimate users.
Read the guide→GDPR7 min read12 May 2026
What cookies require consent, how the ePrivacy Directive interacts with GDPR, the difference between a cookie policy and a consent banner, and the state of enforcement in 2026.
Read the guide→HIPAA8 min read11 May 2026
Selling to US healthcare customers and EU businesses? You'll need both a HIPAA BAA and a GDPR DPA. Here's how they differ, when each is required, and how to manage both in your contract stack.
Read the guide→GDPR7 min read11 May 2026
Every SaaS company has sub-processors — but many founders don't know it. Here's what a sub-processor is under GDPR, why it matters, what your DPA must say about them, and how to build a compliant sub-processor list.
Read the guide→Compliance9 min read10 May 2026
Brazil's LGPD covers 215 million people and applies to any SaaS with Brazilian users. Here's how it compares to GDPR and what you actually need to do.
Read the guide→EU AI Act9 min read9 May 2026
The EU AI Act is now in force. Most SaaS products fall into the limited or minimal risk tier — but GPAI model obligations and transparency requirements kicked in August 2025. Here's what you actually need to do.
Read the guide→SOC 210 min read9 May 2026
SOC 2 is the de-facto security certification for enterprise SaaS sales. Here's what it actually involves, how long it takes, what it costs, and which trust service criteria matter for your product.
Read the guide→GDPR6 min read7 May 2026
GDPR Article 28 requires a contract with every vendor who processes personal data for you. Here's what a DPA must include, who needs one, and common mistakes.
Read the guide→Privacy8 min read6 May 2026
Both CCPA and GDPR protect personal data — but they work differently. Here's what each law requires, how they overlap, and which applies to your SaaS.
Read the guide→GDPR7 min read5 May 2026
Your cookie policy tells users what cookies you use. Cookie consent gives you legal permission to set them. Confusing the two is one of the most common GDPR mistakes. Here's what you actually need.
Read the guide→HIPAA7 min read5 May 2026
Most SaaS founders panic at the word HIPAA. Here's a practical breakdown of who actually needs to comply, what it costs, and what you need to do first.
Read the guide→Legal9 min read3 May 2026
The clauses every SaaS ToS needs, what each one actually does, and the mistakes that leave founders exposed. Plain English, written for founders — not lawyers.
Read the guide→GDPR8 min read1 May 2026
Everything a SaaS privacy policy must include under GDPR Art. 13 and Art. 14. A practical checklist for founders — plus common mistakes that trigger DPA complaints.
Read the guide→