GDPR Compliance · 12 min read · 2 June 2026
A complete guide to building a GDPR-compliant DSAR handling policy for SaaS companies — intake channels, identity verification, response timelines, per-right procedures, refusal grounds, and audit logging.
AI Governance · 13 min read · 2 June 2026
A practical guide to building an AI risk register for SaaS products covering EU AI Act risk categories, GDPR Art. 22 automated decision-making, algorithmic bias risks, prompt injection, and ISO 42001 alignment.
AI Governance · 11 min read · 2 June 2026
A practical guide to ISO 42001 — the AI Management System standard — for SaaS founders. Covers scope, key requirements, how it relates to ISO 27001 and the EU AI Act, and whether you need certification.
Privacy · 11 min read · 1 June 2026
ISO 27701:2019 is the privacy extension to ISO 27001 — and the most underrated lever for enterprise privacy assurance. Here's what it is, who needs it, how it maps to GDPR, and how to assess your readiness.
Security · 11 min read · 1 June 2026
74% of breaches involve a human element. Here's how to build a security awareness training programme that satisfies SOC 2 CC1.4, ISO 27001 A.6.3, HIPAA, NIS2, and PCI DSS — without boring your team into compliance theatre.
GDPR · 10 min read · 1 June 2026
GDPR Article 32 requires 'appropriate' technical and organisational measures — a standard that has been the basis of most major GDPR fines. Here's what TOMs actually mean for SaaS, with a 22-item checklist mapped to SOC 2 and ISO 27001.
Enterprise Sales · 10 min read · 31 May 2026
A Trust Centre is your enterprise security sales page. Here's what every SaaS company needs to include — certifications, infrastructure, encryption, pen testing, privacy compliance, and a security FAQ that answers what procurement teams actually ask.
GDPR · 11 min read · 31 May 2026
When must you conduct a DPIA for your AI system? How does GDPR Art. 35 intersect with the EU AI Act? This guide covers AI-specific risks, automated decision-making (Art. 22), bias obligations, and the 9 steps to conduct an AI-PIA.
Enterprise Sales · 9 min read · 31 May 2026
Enterprise buyers send VSAQs, SIG Lites, and custom security questionnaires before signing. Here's how to build a repeatable process, what each section covers, and how a Trust Centre can answer 70% of questions before they're asked.
GDPR Compliance · 10 min read · 30 May 2026
A practical guide to GDPR Article 33 supervisory authority notification and Article 34 individual notification — including mandatory content, 72-hour timeline, and ready-to-submit templates.
SOC 2 · 12 min read · 30 May 2026
A practical guide to collecting and organising SOC 2 evidence for Type I and Type II audits — by control area, with exact evidence items, naming conventions, and collection steps for AWS, GitHub, and common SaaS tools.
GDPR Compliance · 11 min read · 30 May 2026
What counts as special category data under GDPR Article 9, when SaaS products trigger its strict requirements, and exactly what you must do differently — from legal basis to DPIAs to security measures.
AI Governance · 9 min read · 29 May 2026
A practical guide to writing an AI Acceptable Use Policy for your SaaS product. Covers EU AI Act Art. 26 obligations, prohibited AI uses, bias disclosures, human oversight levels, and enforcement mechanisms.
Privacy · 11 min read · 29 May 2026
What SaaS founders need to know about COPPA (under-13 in the US), GDPR Article 8 (age of digital consent in the EU), and the UK Children's Code. Who needs to comply, what parental consent requires, and the highest-risk mistakes.
GDPR · 8 min read · 29 May 2026
What GDPR Article 5(1)(c) data minimisation requires in practice: schema design, analytics, logs, backups, and AI training data. Includes a data minimisation audit checklist for SaaS founders.
EU AI Act · 11 min read · 28 May 2026
The EU AI Act's GPAI obligations (Art. 53) are live. Here's what a model card needs to include — training data summaries, capability documentation, safety testing results, and more — and how to generate one for free.
Employment & Ethics · 10 min read · 28 May 2026
EU Directive 2019/1937 requires organisations with 50+ employees to establish internal reporting channels. Here's what your whistleblower policy must cover, what penalties apply, and how to generate one for free.
EU AI Act · 12 min read · 28 May 2026
The EU AI Act is in force, GDPR Art. 22 applies to automated decisions, and enterprise customers are asking about AI governance policies. Here's the complete documentation stack for AI-powered SaaS in 2026.
GDPR · 9 min read · 27 May 2026
18-control audit checklist for your cookie consent setup. Check banner design, consent validity, GCM v2, consent records, and CMP configuration against GDPR, ePrivacy, and ICO requirements.
GDPR · 10 min read · 27 May 2026
A complete guide to GDPR legitimate interests for SaaS founders. 3-step LIA process (purpose test, necessity test, balancing test), when LI works and when it doesn't, and common enforcement mistakes.
GDPR · 11 min read · 27 May 2026
A complete guide to UK GDPR for SaaS companies. Key differences from EU GDPR, ICO registration, PECR, adequacy decisions, international transfers, and the Data (Use and Access) Act 2025.
Compliance · 9 min read · 26 May 2026
LGPD (Lei Geral de Proteção de Dados) enforcement is ramping up. Here's what SaaS founders need to know: ANPD fines, 10 lawful bases, data subject rights, and a practical compliance checklist.
Compliance · 10 min read · 26 May 2026
A third-party risk management (TPRM) policy is now required by ISO 27001, SOC 2, GDPR, and NIS2. Here's what to include, how to tier your vendors, and a free template generator.
Compliance · 8 min read · 26 May 2026
Australia's Privacy and Other Legislation Amendment Act 2024 introduces a statutory tort for serious privacy invasions, enhanced breach notification, and new children's privacy rules. Here's what changes for SaaS.
Security · 11 min read · 25 May 2026
A practical guide to PCI DSS v4.0 for SaaS companies that take payments. Covers SAQ types, CDE scoping, the 12 requirements, and how hosted payment pages reduce your compliance burden.
GDPR · 12 min read · 25 May 2026
A complete guide to GDPR Chapter V international data transfer mechanisms. Covers the EU-US Data Privacy Framework, Standard Contractual Clauses (2021), UK IDTA, BCRs, and when a Transfer Impact Assessment is required post-Schrems II.
Privacy · 10 min read · 25 May 2026
Asia-Pacific privacy law guide for SaaS founders. Covers Thailand's PDPA and Singapore's PDPA: applicability, consent requirements, data subject rights, breach notification, and practical compliance steps for global SaaS.
Compliance · 8 min read · 24 May 2026
The NIS2 Directive went live in October 2024. Cloud services, SaaS platforms, and managed service providers are explicitly in scope. Here's what you must do to comply with the 10 Art. 21 cybersecurity requirements.
HIPAA · 8 min read · 24 May 2026
The HIPAA Security Risk Assessment is legally required for every covered entity and business associate — and it's one of OCR's most cited violations. Here's how to conduct, document, and maintain your SRA.
GDPR · 7 min read · 24 May 2026
Every SaaS company that processes personal data on behalf of customers is a data processor under GDPR Art. 28. Here's exactly what that means: mandatory DPA terms, sub-processor rules, TOMs, audit rights, and breach notification.
ISO 27001 · 8 min read · 23 May 2026
A practical guide to conducting an ISO 27001 gap assessment across all 14 Annex A domains. Understand what a certification body will look for, how to score your controls, and what to fix before engaging an auditor.
EU AI Act · 9 min read · 23 May 2026
The EU AI Act is in phased application. Article 5 prohibitions are already in force. GPAI obligations hit in August 2025. High-risk system requirements apply from August 2026. Here's your practical checklist.
Security · 7 min read · 23 May 2026
ISO 27001 and SOC 2 serve different markets and have different processes. This guide helps you decide which to pursue first based on your customers, geography, and resources — and whether you can do both efficiently.
GDPR · 10 min read · 22 May 2026
Your Records of Processing Activities is more than a box-ticking exercise. Here's how to build and maintain a RoPA that actually holds up under DPA scrutiny — and helps you sell to enterprise customers.
SOC 2 · 11 min read · 22 May 2026
Hiring a SOC 2 auditor before you're ready costs time and money. Here's how to conduct a thorough gap analysis yourself, identify what's missing, and know when you're actually ready for a Type II audit.
HIPAA · 10 min read · 22 May 2026
HIPAA's Security Rule requires covered entities and business associates to conduct a formal Security Risk Assessment. Here's what it involves, what it must include, and how SaaS companies should approach it.
GDPR · 10 min read · 21 May 2026
Understand all 8 GDPR data subject rights, your obligations as a SaaS company, response timelines, valid grounds for refusal, and how to build a scalable DSR process.
GDPR · 9 min read · 21 May 2026
A practical guide to handling GDPR Subject Access Requests (SARs) in SaaS — what to include, how to verify identity, when to extend, and how to respond when you can't provide everything.
GDPR · 8 min read · 21 May 2026
When is a DPO mandatory under GDPR, what do they do, and what are the risks of getting this wrong? A practical guide for SaaS founders on DPO requirements, appointment, and alternatives.
Vendor Risk · 8 min read · 20 May 2026
A practical guide to vendor risk management for SaaS founders — how to tier vendors, what to ask in security questionnaires, and what evidence to require before granting access to customer data.
GDPR · 9 min read · 20 May 2026
What is a Transfer Impact Assessment under GDPR? When do you need one, what must it cover, and how do you conduct one for a SaaS company relying on US cloud providers and AI APIs?
GDPR · 8 min read · 20 May 2026
How to build and maintain GDPR Article 30 Records of Processing Activities (RoPA) for a SaaS company. Includes a worked template, controller vs processor obligations, and the 250-employee exemption explained.
GDPR · 9 min read · 19 May 2026
GDPR Article 17 gives users the right to delete their data. Here's exactly when you must comply, when you can refuse, and how to build a deletion workflow for your SaaS.
GDPR · 8 min read · 19 May 2026
If you hire in the EU, GDPR Art. 13 requires you to give employees a privacy notice at the time of data collection. Here's exactly what it must contain and when you need it.
Global Privacy Law · 9 min read · 19 May 2026
Japan's Act on the Protection of Personal Information (APPI) applies to SaaS with Japanese users. Here's how it compares to GDPR and what you need to do to comply.
CCPA / CPRA · 8 min read · 18 May 2026
CPRA added "sharing" to California's opt-out right. Here's exactly what your Do Not Sell or Share page must contain, how to honor the GPC signal, and how to handle authorized agents.
SOC 2 / Business Continuity · 9 min read · 18 May 2026
BCP and DRP are SOC 2 Availability Criteria requirements — not optional extras. Here's what you need to document, how to set realistic RTOs and RPOs, and what auditors look for.
GDPR · 7 min read · 18 May 2026
GDPR Art. 28 requires processors to notify controllers of sub-processor changes. Your sub-processor list is part of your sales and compliance stack — here's what to include and how to maintain it.
GDPR · 10 min read · 17 May 2026
GDPR Article 35 requires a DPIA before any high-risk processing. Here's a practical, step-by-step guide for SaaS founders: when a DPIA is mandatory, what it must cover, and how to write one that would survive a supervisory authority review.
GDPR · 9 min read · 17 May 2026
Getting cookie consent right is one of the most-enforced areas of GDPR. This guide covers consent management platforms, when you actually need consent vs legitimate interest, Consent Mode v2, and what DPA enforcement looks like in 2026.
Privacy Law · 8 min read · 17 May 2026
Selling to Canadian customers? PIPEDA (Canada's federal privacy law) applies — and it's materially different from GDPR. This guide covers PIPEDA's 10 principles, key differences from GDPR, consent requirements, breach notification, and what's changing with Bill C-27.
Security · 9 min read · 16 May 2026
ISO 27001 and SOC 2 are the two dominant security frameworks for SaaS companies. This guide explains the differences, costs, timelines, and which framework your enterprise customers actually want to see.
GDPR · 8 min read · 16 May 2026
Under GDPR Article 35, a Data Protection Impact Assessment (DPIA) is mandatory before high-risk processing. This guide explains when SaaS founders must conduct a DPIA, what it contains, and how to run one.
EU AI Act · 9 min read · 16 May 2026
The EU AI Act introduces fines up to €35 million or 7% of global revenue. This guide explains how liability works under the AI Act, who is a 'provider' vs 'deployer', and what SaaS founders building on top of AI APIs must do now.
GDPR · 8 min read · 15 May 2026
Everything SaaS founders need to know about GDPR Article 33 and 34 breach notification — what triggers the 72-hour clock, what to include in your report, and how to avoid fines.
CCPA · 9 min read · 15 May 2026
The California Privacy Rights Act (CPRA) amendments are reshaping CCPA compliance. Here's what's changed for SaaS companies in 2026: sensitive personal information, opt-out requirements, data minimisation, and new CPPA enforcement.
SOC 2 · 8 min read · 15 May 2026
What enterprise customers ask for before signing your SaaS contract — and how to prepare. Security questionnaires, SOC 2 reports, DPAs, pen tests, and more.
Legal Basics · 8 min read · 14 May 2026
When do you need an NDA? What's the difference between mutual and one-way NDAs? Which clauses matter for SaaS founders — and which are just fluff? A practical guide.
GDPR · 7 min read · 14 May 2026
GDPR Article 30 requires most organisations to maintain a Record of Processing Activities (RoPA). What it must contain, who has to keep it, and how to build one for your SaaS.
GDPR · 8 min read · 14 May 2026
Privacy by Design is a GDPR requirement under Article 25, not just a nice-to-have. Here's what it means in practice for SaaS founders building products in 2026.
SOC 2 · 8 min read · 13 May 2026
SOC 2 Type 1 proves your controls exist on a single day. Type 2 proves they worked over 6–12 months. Here's when you need each, what the audit looks like, and how to get there without breaking the bank.
GDPR · 7 min read · 13 May 2026
GDPR's storage limitation principle means you can't keep user data forever. Here's how to build a data retention policy for your SaaS, what retention periods to use for different data types, and how to actually delete data at scale.
GDPR · 8 min read · 13 May 2026
Consent is not the only lawful basis under GDPR — and often the wrong choice for SaaS. Legitimate interests (Article 6(1)(f)) covers most product analytics, security logging, and B2B marketing. Here's how to use it correctly.
Legal · 7 min read · 12 May 2026
The complete checklist: privacy policy, terms, cookie policy, DPA, AUP, refund policy — what each does, when you need it, and how to generate them free.
Legal · 6 min read · 12 May 2026
What an AUP does, when it's legally required, the 10 prohibited uses every SaaS should cover, and how to enforce it without killing legitimate users.
GDPR · 7 min read · 12 May 2026
What cookies require consent, how the ePrivacy Directive interacts with GDPR, the difference between a cookie policy and a consent banner, and the state of enforcement in 2026.
HIPAA · 8 min read · 11 May 2026
Selling to US healthcare customers and EU businesses? You'll need both a HIPAA BAA and a GDPR DPA. Here's how they differ, when each is required, and how to manage both in your contract stack.
GDPR · 7 min read · 11 May 2026
Every SaaS company has sub-processors — but many founders don't know it. Here's what a sub-processor is under GDPR, why it matters, what your DPA must say about them, and how to build a compliant sub-processor list.
Compliance · 9 min read · 10 May 2026
Brazil's LGPD covers 215 million people and applies to any SaaS with Brazilian users. Here's how it compares to GDPR and what you actually need to do.
EU AI Act · 9 min read · 9 May 2026
The EU AI Act is now in force. Most SaaS products fall into the limited or minimal risk tier — but GPAI model obligations and transparency requirements kicked in August 2025. Here's what you actually need to do.
SOC 2 · 10 min read · 9 May 2026
SOC 2 is the de-facto security certification for enterprise SaaS sales. Here's what it actually involves, how long it takes, what it costs, and which trust service criteria matter for your product.
GDPR · 6 min read · 7 May 2026
GDPR Article 28 requires a contract with every vendor who processes personal data for you. Here's what a DPA must include, who needs one, and common mistakes.
Privacy · 8 min read · 6 May 2026
Both CCPA and GDPR protect personal data — but they work differently. Here's what each law requires, how they overlap, and which applies to your SaaS.
GDPR · 7 min read · 5 May 2026
Your cookie policy tells users what cookies you use. Cookie consent gives you legal permission to set them. Confusing the two is one of the most common GDPR mistakes. Here's what you actually need.
HIPAA · 7 min read · 5 May 2026
Most SaaS founders panic at the word HIPAA. Here's a practical breakdown of who actually needs to comply, what it costs, and what you need to do first.
Legal · 9 min read · 3 May 2026
The clauses every SaaS ToS needs, what each one actually does, and the mistakes that leave founders exposed. Plain English, written for founders — not lawyers.
GDPR · 8 min read · 1 May 2026
Everything a SaaS privacy policy must include under GDPR Art. 13 and Art. 14. A practical checklist for founders — plus common mistakes that trigger DPA complaints.