110 free generators — no account required

Free Compliance Document Generators

Answer a few questions. Get an AI-drafted starting-point document your lawyer can finalize. All free. 110 generators, no account required.

⚠️ AI-generated drafts. Not legal advice. ComplyKit is not a law firm.

🔒

Privacy Policy

~3 min

Generate a GDPR & CCPA compliant privacy policy tailored to your SaaS. Covers data collection, subprocessors, retention, international transfers, and user rights.

GDPRCCPACPRAePrivacy
Generate free →
📄

Terms of Service

~3 min

Generate a plain-English Terms of Service covering acceptable use, payment & subscriptions, user-generated content, IP ownership, liability cap, and governing law.

Governing LawLiability CapUGCSubscriptions
Generate free →
🍪

Cookie Policy

~2 min

Generate a Cookie Policy with a category table, specific tool disclosures, opt-out instructions, and ePrivacy Directive notes — matched to your actual analytics and ad stack.

ePrivacyGDPRPECRAnalytics
Generate free →
💸

Refund Policy

~3 min

Generate a Refund & Cancellation Policy for your SaaS. Covers subscription cancellation, pro-rata refunds, free trial terms, EU 14-day cooling-off rights, and governing law.

SubscriptionsEU Consumer LawCancellation
Generate free →
🚫

Acceptable Use Policy

~3 min

Generate an Acceptable Use Policy defining what users can and cannot do on your platform. Covers prohibited uses, enforcement actions, user obligations, and IP rights.

User ConductEnforcementUGCIP Rights
Generate free →
🤝

GDPR Data Processing Agreement (DPA)

~4 min

Generate a complete Article 28 DPA — sub-processor list, technical & organisational measures, breach notification, international transfer clauses, and audit rights. Send to your B2B customers.

GDPR Art. 28B2B SaaSSub-processorsTOMs
Generate free →
🏥

HIPAA Business Associate Agreement (BAA)

~4 min

Generate a HIPAA BAA for your SaaS. Covers ePHI safeguards, breach notification (45 CFR § 164.410), sub-contractor BAA chain requirements, and state-specific addenda. Required for any SaaS handling patient data.

HIPAAePHIHealthcare SaaSBAA
Generate free →
🤝

NDA Generator

~3 min

Generate a Mutual or One-Way Non-Disclosure Agreement in minutes. Optional non-solicitation, non-compete, and liquidated damages clauses. Jurisdiction-specific governing law. For contractors, investors, partnerships, and employees.

Mutual NDAOne-Way NDANon-CompeteContractors
Generate free →
🔐

Information Security Policy

~4 min

Generate a SOC 2–aligned Information Security Policy covering access control, encryption, incident response, vulnerability management, and vendor risk. Tailored to your stack and compliance targets.

SOC 2ISO 27001GDPR Art. 32Enterprise
Generate free →
🚨

Incident Response Plan

~4 min

Generate a complete NIST SP 800-61 Incident Response Plan. Covers severity classification (P1–P4), CSIRT roles, containment playbooks by incident type, GDPR 72-hour breach notification, HIPAA BNR, evidence handling, and post-incident review.

SOC 2 CC7NIST 800-61GDPR Art. 33ISO 27035
Generate free →
🔍

DPIA Template Generator

~4 min

Generate a GDPR Article 35 Data Protection Impact Assessment. Covers necessity & proportionality test, risk assessment table with residual risk ratings, safeguards map, and prior DPA consultation check (Art. 36). Required for high-risk processing.

GDPR Art. 35Privacy by DesignRisk AssessmentDPA Consultation
Generate free →
🗂️

Data Retention Policy

~3 min

Generate a GDPR-compliant Data Retention Policy with per-category retention schedules, deletion procedures, legal basis table, backup retention, log retention, employee data section, and optional legal hold process.

GDPR Art. 5Storage LimitationRight to ErasureSOC 2
Generate free →
🇺🇸

CCPA / CPRA Compliance Pack

~3 min

Generate your complete CCPA/CPRA compliance pack: Notice at Collection (required at point of data collection), 'Do Not Sell or Share My Personal Information' opt-out page, and California Consumer Privacy Rights summary. GPC signal, SPI categories, and Delete Act support included.

CCPACPRANotice at CollectionDo Not SellGPC
Generate free →
📋

Sub-Processor List

~3 min

Generate a GDPR Art. 28(4) public sub-processor list ready to publish on your website. 40+ pre-loaded vendors (AWS, Stripe, OpenAI, Sentry, HubSpot, and more) with legal entities, processing countries, transfer mechanisms, and DPA links. Includes authorisation approach, change notification process, and objection procedure.

GDPR Art. 28Sub-processorsDPFSCCsInternational Transfers
Generate free →
🔄

BCP / DRP Plan

~4 min

Generate a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) covering RTO/RPO objectives, recovery playbooks for up to 12 disaster scenarios, SOC 2 A1 criteria, ISO 27001 A.17, and GDPR Art. 32 availability requirements. Includes BIA table, backup architecture, roles, communication plan, and testing schedule.

SOC 2 A1ISO 27001 A.17GDPR Art. 32HIPAARTO/RPO
Generate free →
🔍

Vendor Risk Assessment

~3 min

Generate a complete vendor security questionnaire to send to new SaaS vendors before onboarding. Covers 14 assessment sections including data security, access controls, encryption, business continuity, incident response, and compliance certifications. Configurable by risk tier (Critical / High / Medium / Low) and data categories.

ISO 27001 A.15SOC 2 CC9.2GDPR Art. 28Third-Party Risk
Generate free →
📩

DSR Response Template

~2 min

Generate GDPR-compliant response letters for Data Subject Requests — covering all 8 rights: access, erasure, portability, rectification, restriction, objection, direct marketing opt-out, and automated decision-making. Handles fulfilled, partial, extended, refused, and identity-unverified outcomes.

GDPR Art. 15–22SAR / DSARData Subject Rights72h Acknowledgement
Generate free →
👤

Employee Privacy Notice

~3 min

Generate a GDPR Article 13/14 compliant Employee Privacy Notice for staff, contractors, and job applicants. Covers HR data categories, lawful bases, workplace monitoring, data recipients, international transfers, retention schedules, and all 8 data subject rights. Country-specific notes for Germany, France, Netherlands, UK, and more.

GDPR Art. 13/14HR ComplianceEmployment LawSpecial Category Data
Generate free →
📊

GDPR Article 30 RoPA

~5 min

Form-based Records of Processing Activities (RoPA) builder compliant with GDPR Article 30. Add each processing activity with data subjects, lawful basis, recipients, international transfers, retention periods, and technical & organisational measures. Generates a complete, audit-ready RoPA document.

GDPR Art. 30Controller ObligationsProcessing ActivitiesInternational Transfers
Generate free →
🎯

SOC 2 Gap Assessment

~5 min

Evaluate your current security controls against SOC 2 Trust Service Criteria (CC / A / C / PI / P). Answer control questions, see where you stand, and get a prioritised remediation roadmap with policy document checklist before hiring an auditor.

SOC 2 TSCSecurity CCAvailability A1Audit Readiness
Generate free →
🔍

ISO 27001 Gap Assessment

~6 min

Assess your readiness for ISO/IEC 27001:2022 certification across 28 Annex A controls in 14 domains. Answer control questions, get a readiness score, and receive a phased remediation roadmap with policy documents checklist before engaging a certification body.

ISO 27001:2022Annex A14 DomainsISMS Certification
Generate free →
🤖

EU AI Act Transparency Declaration

~4 min

Generate an EU AI Act Art. 50 transparency notice and provider/deployer compliance documentation pack for your AI system under Regulation (EU) 2024/1689. Covers risk classification, GPAI obligations, GDPR Art. 22 intersection, and prohibited practices confirmation.

EU AI Act Art. 50Provider ObligationsAI TransparencyGPAI
Generate free →
🛡️

NIS2 Compliance Checklist

~5 min

Assess your organisation against all 10 NIS2 Art. 21 cybersecurity requirements. Get a scored gap report with prioritised remediation roadmap. For EU SaaS platforms, managed service providers, and digital service providers.

NIS2 Art. 21EU Cybersecurity DirectiveEssential & Important Entities
Generate free →
🏥

HIPAA Security Risk Assessment

~5 min

Generate a HIPAA SRA covering all Administrative, Technical, and Physical Safeguards (45 CFR Part 164). Required for all covered entities and business associates. Includes ePHI inventory, threat/vulnerability assessment, risk levels, and remediation roadmap.

HIPAA SRA45 CFR 164Covered EntitiesBusiness Associates
Generate free →
🌍

GDPR Transfer Impact Assessment (TIA)

~6 min

Generate a Schrems II-compliant GDPR Transfer Impact Assessment (TIA) for all your international data transfers. Covers EU-US Data Privacy Framework, Standard Contractual Clauses (2021 SCCs), UK IDTA, BCRs, country-level legal risk analysis, and supplementary measures.

Schrems IIChapter V GDPRSCCsDPFUK IDTA
Generate free →
💳

PCI DSS SAQ Generator

~7 min

Generate a PCI DSS v4.0 Self-Assessment Questionnaire (SAQ) for your payment card environment. Covers SAQ A (fully outsourced), SAQ A-EP (e-commerce), SAQ C, and SAQ D (all merchants/service providers). Includes gap analysis, remediation priorities, and v4.0 new requirements.

PCI DSS v4.0SAQ ASAQ DCard DataMerchant
Generate free →
🇧🇷

LGPD (Brazil) Compliance Pack

~5 min

Generate a LGPD-compliant Aviso de Coleta (Notice at Collection), Data Subject Rights Summary, and Privacy Policy addendum for Brazil's Lei Geral de Proteção de Dados. Covers all 10 lawful bases, 9 Art. 18 rights, sensitive data, and ANPD compliance.

LGPD Art. 9ANPDBrazil Data Protection10 Lawful Bases
Generate free →
🔗

Third-Party Risk Management (TPRM) Policy

~6 min

Generate a complete internal TPRM policy with vendor tiers, due diligence matrix, contract requirements, ongoing monitoring frequency, incident response, and offboarding controls. Maps to ISO 27001 A.15, SOC 2 CC9.2, GDPR Art. 28, and NIS2 Art. 21(d).

ISO 27001 A.15SOC 2 CC9.2GDPR Art. 28Vendor Risk
Generate free →
🍪

Cookie Consent Audit & CMP Compliance Checker

~5 min

Audit your cookie consent setup against GDPR, ePrivacy Directive, UK PECR, and CCPA. Check CMP configuration, banner design, consent records, withdrawal mechanisms, and Google Consent Mode v2 compliance. 18-control assessment with prioritised remediation checklist.

GDPR Art. 7ePrivacy DirectiveICO PECRCCPAGCM v2
Generate free →
⚖️

GDPR Legitimate Interests Assessment (LIA)

~6 min

Generate a documented Legitimate Interests Assessment under GDPR Art. 6(1)(f). 3-step balancing test: purpose test (is there a legitimate interest?), necessity test (is it the minimum necessary?), and balancing test (do data subject rights override?). Includes privacy notice guidance and Art. 21 objection rights.

GDPR Art. 6(1)(f)Art. 21 ObjectionBalancing TestEDPB
Generate free →
🧠

AI/ML Model Card Generator

~7 min

Generate a comprehensive AI/ML Model Card for EU AI Act compliance. Covers GPAI technical documentation (Art. 53 Annex XI/XII), risk classification, training data governance (Art. 10), performance evaluation, bias assessment, safety measures, human oversight (Art. 14), and environmental impact.

EU AI Act Art. 53GPAI DocumentationHigh-Risk AIISO 42001
Generate free →
🔔

Whistleblower Policy Generator

~6 min

Generate a Whistleblower (Speak Up) Policy compliant with EU Directive 2019/1937 and UK PIDA. Covers reporting channels, protected disclosures, anti-retaliation protections, investigation timelines, GDPR-compliant data handling, and country-specific competent authority references.

EU Directive 2019/1937UK PIDAAnti-RetaliationGDPR Art. 23
Generate free →
🤖

AI Acceptable Use Policy

~5 min

Generate an AI Acceptable Use Policy for your SaaS product. Covers EU AI Act obligations, prohibited AI input content, prohibited output uses, bias and accuracy disclosures, human oversight levels, data-training transparency, content moderation approach, and enforcement mechanisms.

EU AI ActGDPR Art. 22DSAProhibited AI Uses
Generate free →
👶

Children's Privacy Policy (COPPA & GDPR Art. 8)

~6 min

Generate a COPPA-compliant and GDPR Article 8 Children's Privacy Notice. Covers parental consent verification methods, age thresholds by jurisdiction, data minimisation for children, UK ICO Children's Code obligations, third-party restrictions, and parental rights to review, correct, and delete child data.

COPPAGDPR Art. 8UK Children's CodeCCPA Under-13
Generate free →
🚨

GDPR Breach Notification Template Generator

~5 min

Generate a GDPR Article 33 supervisory authority breach notification form, an Article 34 plain-language individual notification letter, and an Article 33(5) internal breach register entry. Covers all mandatory disclosure elements with 72-hour deadline guidance.

GDPR Art. 33GDPR Art. 34Breach Register72-Hour Rule
Generate free →
📦

SOC 2 Evidence Pack Generator

~5 min

Get a personalised SOC 2 evidence collection checklist organised by Trust Service Criteria control area. Covers exact evidence items, what auditors sample, how to collect from AWS/GitHub/GCP, PBC folder structure, and gap remediation for Type I and Type II audits.

SOC 2 Type ISOC 2 Type IIEvidence CollectionPBC
Generate free →
🛡️

Trust Centre Page Generator

~5 min

Generate a complete security & compliance Trust Centre page for your SaaS website. Covers certifications, infrastructure, data regions, encryption, pen testing, bug bounty/disclosure, authentication, sub-processors, privacy compliance summary, and a pre-filled security FAQ for enterprise prospects.

Enterprise SalesSecurity PageTrust CenterSecurity FAQ
Generate free →
🤖

AI Privacy Impact Assessment (AI-PIA) Generator

~6 min

Generate a GDPR Article 35 DPIA specifically for AI systems. Covers EU AI Act risk classification (Annex III), automated decision-making obligations (GDPR Art. 22), bias and fairness assessment, human oversight requirements, training data governance, and DPA prior consultation analysis (Art. 36).

GDPR Art. 35EU AI ActArt. 22 ADMBias Assessment
Generate free →
🛡️

ISO 27701 PIMS Gap Assessment

~7 min

Assess your readiness for ISO/IEC 27701:2019 PIMS certification — the privacy extension to ISO 27001. 26 controls across 8 domains, Annex A (controllers) + Annex B (processors). Includes ISO 27701 ↔ GDPR alignment table, certification roadmap, and gap remediation priorities.

ISO 27701:2019PIMSGDPR MappingAnnex A / B
Generate free →
🎓

Security Awareness Training Policy

~5 min

Generate a complete Security Awareness Training Policy for your SaaS. Covers training schedule, curriculum, phishing simulation programme, completion tracking, and graduated consequences. Mapped to SOC 2 CC1.4, ISO 27001 A.6.3, HIPAA §164.308(a)(5), NIS2 Art. 21(2)(g), PCI DSS Req 12.6, and GDPR Art. 32.

SOC 2 CC1.4ISO 27001 A.6.3HIPAA §164.308(a)(5)NIS2 Art. 21(2)(g)
Generate free →
📬

DSAR Policy & Procedure

~5 min

Generate a complete internal DSAR (Data Subject Access Request) policy and procedure. Covers all 8 GDPR data subject rights, identity verification methods, per-right procedures, response timelines, refusal grounds, DSR register template, escalation paths, and audit logging requirements.

GDPR Art. 12–22UK GDPRDSR WorkflowAudit Trail
Generate free →
🤖

AI Risk Register

~7 min

Generate a comprehensive AI risk register covering EU AI Act compliance, GDPR Art. 22 automated decision-making risks, algorithmic bias, prompt injection, model drift, third-party AI supply chain risks, and ISO 42001 alignment — with inherent risk scores, mitigation plans, and monitoring KPIs.

EU AI ActISO 42001GDPR Art. 22NIST AI RMF
Generate free →
🔒

GDPR Processor Security Policy

~6 min

Generate Art. 28(3)(c) TOMs documentation for data processors. Covers encryption, access control, network security, application security, monitoring, HR controls, incident response (72-hour breach notification to controller), business continuity, audit rights, and sub-processor obligations — audit-ready for enterprise customers.

GDPR Art. 28(3)(c)TOMsProcessorsEnterprise
Generate free →
💻

Internal IT & BYOD Policy

~6 min

Generate an Internal IT Acceptable Use and BYOD Policy for your SaaS team. Covers device controls, network access, cloud apps, acceptable use, data handling, remote work security, monitoring disclosure (GDPR Art. 6(1)(f) legitimate interests), enforcement, and alignment to SOC 2 CC6.7, ISO 27001 A.6.2 / A.8, GDPR Art. 32, HIPAA, and PCI DSS Req. 12.

SOC 2ISO 27001BYODGDPR Art. 32
Generate free →
🔐

Access Control Policy

~6 min

Generate a complete Access Control Policy for your SaaS company covering RBAC, least privilege, MFA requirements, privileged access management (PAM), user provisioning and deprovisioning, access reviews, remote access controls, and data access governance. Maps to SOC 2 CC6, ISO 27001 Annex A.9, HIPAA §164.312, PCI DSS Req 7 & 8, and GDPR Art. 32.

SOC 2 CC6ISO 27001 A.9HIPAAPCI DSS Req 7-8NIS2
Generate free →
🗂️

Data Classification Policy

~6 min

Generate a Data Classification Policy with a tiered classification scheme (Public / Internal / Confidential / Restricted), data type examples per tier, handling standards, storage controls, labelling guidance, and secure disposal procedures. Maps to ISO 27001 Annex A.8, SOC 2 C1, GDPR Art. 5/25/32, HIPAA, and PCI DSS Req 3 & 9.

ISO 27001 A.8SOC 2 C1GDPR Art. 5HIPAAPCI DSS
Generate free →
🔍

Vulnerability Management Policy

~5 min

Generate a Vulnerability Management & Patch Management Policy covering scanning cadence, CVSS severity classification, remediation timelines by severity, exception and risk acceptance process, tracking tools, and compliance mappings for SOC 2 CC7.1, ISO 27001 A.8.8, PCI DSS Req 6, NIS2 Art. 21(2)(e), NIST SP 800-40, and GDPR Art. 32.

SOC 2 CC7.1ISO 27001 A.8.8PCI DSS Req 6NIS2NIST
Generate free →
🔐

Cryptography & Encryption Policy

~5 min

Generate a Cryptography & Encryption Policy covering approved and prohibited algorithms, encryption at rest and in transit, key management lifecycle (generation, storage, rotation, destruction), TLS standards, secrets management requirements, and compliance mappings for ISO 27001 A.10, SOC 2 CC6.7, GDPR Art. 32, HIPAA, PCI DSS, and NIS2 Art. 21(2)(h).

ISO 27001 A.10SOC 2 CC6.7GDPR Art. 32HIPAAPCI DSS
Generate free →

Secure SDLC Policy

~5 min

Generate a Secure Software Development Lifecycle (SDLC) Policy covering code review requirements, branch protection, CI/CD security scanning (SAST, SCA, secrets detection), secrets management, environment separation, deployment authorisation, and dependency vulnerability management. Maps to SOC 2 CC8.1, ISO 27001 A.8.25/A.8.32, PCI DSS Req 6, and NIS2.

SOC 2 CC8.1ISO 27001 A.8.25PCI DSS Req 6NIS2
Generate free →

DORA ICT Risk Management Policy

~5 min

Generate a DORA-compliant ICT Risk Management Policy (EU Regulation 2022/2554) covering all five pillars: identification & risk assessment, protection & prevention, detection, response & recovery, and resilience testing. For financial entities, ICT third-party service providers, and SaaS vendors selling to EU financial institutions.

DORA Art. 5–16DORA Art. 28–30FintechFinancial Entity
Generate free →

Log Management & Monitoring Policy

~5 min

Generate a Log Management and Monitoring Policy for SaaS covering SIEM tool configuration, mandatory log sources (authentication, cloud infra, DB, admin access), log retention schedules, alerting thresholds, log integrity controls (immutable storage, NTP clock sync), and compliance evidence for SOC 2 CC7.2, ISO 27001 A.8.15/A.8.16/A.8.17, NIS2 Art. 21, HIPAA §164.312(b), and PCI DSS Req 10.

SOC 2 CC7.2ISO 27001 A.8.15HIPAA §164.312(b)NIS2
Generate free →

Email Security Policy

~5 min

Generate an Email Security Policy covering DMARC/DKIM/SPF authentication (with DMARC policy progression from p=none to p=reject), anti-phishing controls, business email compromise (BEC) prevention, DLP rules for outbound PII/PHI/PCI data, email encryption requirements, archiving and retention, phishing simulation programme, and incident response. Maps to ISO 27001 A.8.23/A.8.7, SOC 2 CC6.7, NIS2 Art. 21(2)(g), HIPAA, PCI DSS Req 5, and GDPR Art. 32.

ISO 27001 A.8.23DMARC/DKIM/SPFSOC 2 CC6.7NIS2BEC
Generate free →

Password & Authentication Policy

~5 min

Generate a Password & Authentication Policy covering password complexity and length requirements, MFA enforcement scope, approved MFA methods (FIDO2/passkeys/TOTP), password manager policy, service account controls, privileged account management, SSO approach, account lockout, and session timeout. Maps to SOC 2 CC6.1/CC6.3, ISO 27001 A.8.5/A.8.2, PCI DSS v4.0 Req 8 (12-char minimum from March 2025), NIST SP 800-63B, NIS2 Art. 21(2)(j), and HIPAA §164.312(a).

SOC 2 CC6.1/CC6.3ISO 27001 A.8.5PCI DSS Req 8NIST 800-63BNIS2
Generate free →

Remote Work Security Policy

~5 min

Generate a Remote Work & Teleworking Security Policy covering device security controls (encryption, EDR, MDM), VPN and network requirements, home network security standards, data handling rules, cloud application controls, physical security at remote locations, GDPR-compliant employee monitoring disclosure, and incident reporting. Maps to ISO 27001 A.6.7/A.8.1, SOC 2 CC6.6/CC6.7, GDPR Art. 32, HIPAA §164.310/312, NIS2 Art. 21, PCI DSS Req 8.4.3, and NIST SP 800-46.

ISO 27001 A.6.7SOC 2 CC6.6GDPR Art. 32NIS2HIPAA
Generate free →
🌐

Network Security Policy

~8 min

Generate a complete Network Security Policy covering firewall architecture, network segmentation, remote access controls (VPN/ZTNA), intrusion detection, DDoS protection, DNS security, and network monitoring. Maps to ISO 27001 A.8.20–A.8.23 (network security controls), SOC 2 CC6.6/CC6.7 (logical access from external boundaries; transmission of confidential information), PCI DSS v4.0 Req 1–2 (network security controls and secure configurations), NIS2 Art. 21, and HIPAA §164.312.

ISO 27001 A.8.20SOC 2 CC6.6PCI DSS Req 1NIS2HIPAA
Generate free →
📦

Asset Management Policy

~7 min

Generate a complete Asset Management Policy covering hardware, software, cloud infrastructure, data assets, and secrets inventory. Covers asset lifecycle (procurement → active → decommissioning → disposal), NIST 800-88 disposal methods, cloud resource tagging policy, secrets management, and MDM requirements. Maps to ISO 27001 A.5.9/5.10/5.11/8.1, SOC 2 CC6.1/CC6.7, CIS Controls v8 (Control 1/2), PCI DSS Req 2/12.3, NIST SP 800-171, and HIPAA §164.310(d).

ISO 27001 A.5.9SOC 2 CC6.1CIS ControlsPCI DSSNIST
Generate free →
👥

HR Security Policy

~6 min

Generate a Human Resources Security Policy covering pre-employment screening, employment contract security clauses, security awareness training requirements (annual, onboarding, phishing simulation), offboarding checklists with access revocation SLAs, remote working controls, and disciplinary process tiers. Maps to ISO 27001 A.6.1–A.6.7, SOC 2 CC1.1/CC1.4/CC6.2/CC6.3, NIS2 Art. 21(2)(g), and HIPAA §164.308(a)(3)/(5).

ISO 27001 A.6SOC 2 CC1.1NIS2HIPAA
Generate free →
🔄

Change Management Policy

~7 min

Generate a Change Management Policy covering environment separation (dev/staging/prod), code review requirements and branch protection configuration, deployment authorisation models (auto-deploy / manual / release manager), change documentation (PR-as-change-record), emergency change procedures with retroactive review, infrastructure change controls (IaC-only for production), security patch timelines, and CI/CD evidence collection. Maps to SOC 2 CC8.1, ISO 27001 A.8.32/A.8.8/A.8.25, HIPAA §164.308(a)(5), PCI DSS Req 6.3–6.5, and NIS2 Art. 21(2)(e).

SOC 2 CC8.1ISO 27001 A.8.32PCI DSS Req 6NIS2
Generate free →

SOC 2 Management Assertion Letter

~5 min

Generate the Management Assertion Letter required before every SOC 2 audit. Covers the three AICPA-required assertions (system description fairly presented, controls suitably designed, controls operating effectively), trust service category scope, system component inventory, controls summary, and signature block. Supports Type I, Type II, and Bridge Letters. AICPA AT-C §205 compliant.

SOC 2 Type ISOC 2 Type IIAICPA TSC 2017Pre-Audit
Generate free →

Cyber Essentials Compliance Checklist

~8 min

Assess your readiness for UK Cyber Essentials (CE) or Cyber Essentials Plus (CE+) certification. 22-control interactive checklist across all 5 CE areas: Firewalls, Secure Configuration, User Access Control, Malware Protection, and Patch Management. Generates a personalised gap report with prioritised remediation steps, certifying body guidance, and a 30-day remediation checklist.

UK Cyber EssentialsCE+NCSCUK Government
Generate free →

SOC 2 System Description Generator

~8 min

Draft Section 3 of your SOC 2 report — the System Description — covering all 9 AICPA DC Section 200 required elements: infrastructure components, software, data, personnel, procedures, COSO control environment (all 5 components), subservice organisations with carve-out or inclusive treatment, Complementary User Entity Controls (CUECs), and management declaration placeholder. For Type I, Type II, and Bridge Letters.

SOC 2 Type ISOC 2 Type IIDC Section 200AICPAPre-Audit
Generate free →

NIST CSF 2.0 Gap Assessment

~10 min

Assess your cybersecurity posture against the NIST Cybersecurity Framework 2.0 (published February 2024). 37-subcategory interactive checklist across all 6 functions including the new GOVERN function (risk strategy, supply chain security, leadership accountability). Generates a scored gap report with prioritised remediation, implementation tier analysis, and framework crosswalk (SOC 2, ISO 27001, NIS2 Art. 21).

NIST CSF 2.0GOVERN FunctionFedRAMPUS Federal
Generate free →

ISO 27001 Statement of Applicability

~12 min

Generate your ISO 27001:2022 Statement of Applicability (SoA) — all 93 Annex A controls across 4 themes (Organisational/People/Physical/Technological). Applicability decisions pre-populated by company profile (cloud-native SaaS, SaaS with office, hybrid, on-prem). Per-control justifications for exclusions and implementation status (Planned/Partial/Implemented/Reviewed). Mandatory ISMS document for ISO 27001 certification (clause 6.1.3(d)).

ISO 27001:202293 Annex A ControlsISMSCertification
Generate free →

SOC 2 Vendor Security Questionnaire

~8 min

Generate a pre-filled Vendor Security Questionnaire (DDQ) response — the document enterprise customers send before signing. Covers all 12 standard categories: security certifications (SOC 2, ISO 27001), encryption, access controls, MFA, network security, incident response, pen testing, availability SLA, sub-processors, data retention, audit logging, and compliance frameworks supported. Reduces enterprise deal cycle time by days.

SOC 2Vendor SecurityEnterprise SalesDue Diligence
Generate free →

ISO 27001 Risk Assessment Template

~10 min

Generate a clause 6.1.2 ISO 27001:2022 information security risk assessment — pre-loaded with 20 common SaaS risks across 8 categories, 5×5 risk matrix, threat and vulnerability analysis, risk scoring, treatment decisions (Mitigate/Transfer/Avoid/Accept), and Annex A control mappings. Required before ISO 27001 certification and pairs with the Statement of Applicability.

ISO 27001:2022Clause 6.1.2Risk RegisterISMS
Generate free →

CIS Controls v8 Gap Assessment

~12 min

Assess your organisation's security posture against all 18 CIS Controls v8 safeguards across IG1, IG2, and IG3 implementation groups. Get a scored gap report (0–100%) with per-control status, critical gap prioritisation, SOC 2 / ISO 27001 / NIST CSF 2.0 crosswalk, and a phased remediation roadmap. Ideal for US SMBs, security programme baseline, and SOC 2 / ISO 27001 preparation.

CIS Controls v8IG1 / IG2 / IG3US SMBSOC 2 Alignment
Generate free →
🤖

EU AI Act Compliance Checklist

~10 min

Step-by-step EU AI Act obligations checklist for AI providers and deployers. Covers prohibited practices (Art. 5), transparency (Art. 50), high-risk AI requirements (Art. 9–15 — risk management, data governance, technical documentation, logging, human oversight, accuracy), conformity assessment, GPAI model obligations (Art. 53–55), and AI literacy (Art. 4). Scored by risk tier.

EU AI ActHigh-Risk AIGPAIArt. 50 Transparency
Generate free →
🇪🇺

GDPR Compliance Audit Checklist

~12 min

Comprehensive GDPR compliance audit across all key obligations — lawful basis (Art. 6), special category data (Art. 9), transparency (Art. 12–14), data subject rights (Art. 15–22), records of processing (Art. 30), processor agreements (Art. 28), security (Art. 32), breach notification (Art. 33–34), DPIAs (Art. 35), international transfers (Art. 44–49), and accountability (Art. 5(2)). Score your compliance posture and get a prioritised remediation report.

GDPRArt. 28 DPAsArt. 35 DPIAArt. 44 TransfersAccountability
Generate free →
🛡️

ISO 27001 Risk Treatment Plan

~10 min

Generate a complete ISO 27001:2022 Clause 6.1.3 Risk Treatment Plan — the mandatory document that links your risk register to Annex A controls and your Statement of Applicability. Pre-loaded with 10 common SaaS risks across 8 categories. Covers treatment decisions (Mitigate/Transfer/Avoid/Accept), Annex A control selection, risk owners, implementation timelines, residual risk scoring, and formal risk acceptance register. Required before ISO 27001 certification and pairs with the Risk Assessment (Clause 6.1.2) and SoA (Clause 6.1.3(d)).

ISO 27001:2022Clause 6.1.3Risk TreatmentAnnex AISMS
Generate free →

GDPR Consent Management Policy

~8 min

Generate a complete GDPR Art. 7 Consent Management Policy covering all consent types collected (marketing email, analytics cookies, advertising cookies, profiling, third-party sharing, special category, children's data, AI training), collection mechanisms (opt-in, double opt-in, cookie banner), withdrawal processes (Art. 7(3)), record-keeping for accountability (Art. 5(2)), children's consent (Art. 8 — under 16), ePrivacy cookie consent requirements, and consent chain documentation for third-party sharing.

GDPRArt. 7 ConsentArt. 8 ChildrenePrivacyCookie Consent
Generate free →
🔍

ISO 27001 Internal Audit Checklist

~12 min

Generate a Clause 9.2 ISO 27001:2022 internal audit checklist covering all mandatory ISMS clauses (4–10) and 14 key Annex A control areas: access control (A.5.15–A.8.5), asset management, cryptography (A.8.24), supplier security (A.5.19–21), incident management (A.5.24–26), vulnerability management (A.8.8), change management (A.8.32), and business continuity (A.5.29, A.8.13). Per-control status (Conforms/Partially Conforms/Nonconformity/N/A) with evidence and finding fields. Generates a formal internal audit report for certification preparation, surveillance audits, and Clause 9.2 compliance.

ISO 27001:2022Clause 9.2Internal AuditISMSCertification Prep
Generate free →
🇪🇺

NIS2 Risk Assessment

~10 min

Generate a NIS2 Article 21 cybersecurity risk assessment for Essential and Important Entities. Covers all 10 Art. 21(2) mandatory measure categories: risk analysis policies (a), incident handling (b), business continuity/backup (c), supply chain security (d), secure development/vulnerability management (e), effectiveness assessment/pen testing (f), cyber hygiene/training (g), cryptography (h), access control/asset management (i), and MFA/secure communications (j). Risk register with likelihood, impact, treatment decision, owner, and notes. Art. 20 management body accountability guidance. Generates a full NIS2 risk assessment report with Art. 21 compliance gap table and phased remediation roadmap.

NIS2Art. 21Essential EntityImportant EntityEU Cybersecurity
Generate free →
🤖

ISO 42001 AI Management System Gap Assessment

~10 min

Assess your organisation’s readiness against ISO/IEC 42001:2023 — the international standard for AI Management Systems (AIMS). Covers all mandatory clauses: Cl. 4 (context), Cl. 5 (leadership + AI Policy), Cl. 6 (planning + AI risk assessment + SoA), Cl. 7 (support + competence), Cl. 8 (operation: AI risk assessment, AI Impact Assessment, lifecycle controls, data governance, decommissioning), Cl. 9 (performance evaluation + internal audit), and Annex A controls (transparency, explainability, human oversight, data governance, third-party AI). Generates a gap assessment report with AIMS maturity score, critical gaps, certification roadmap, and EU AI Act alignment notes.

ISO 42001AI GovernanceAIMSEU AI ActResponsible AI
Generate free →
🍁

PIPEDA / Bill C-27 Compliance Checklist

~10 min

Assess your organisation’s compliance with Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act) and prepare for Bill C-27 (Consumer Privacy Protection Act / CPPA). Covers all 10 PIPEDA Fair Information Principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Also covers Bill C-27 upcoming obligations: mandatory privacy compliance program, automated decision-making transparency (s.55/62), right to explanation, data portability (s.63), PIAs for high-risk activities, de-identification standard, and enhanced children’s privacy. Province-specific context: Alberta PIPA, BC PIPA, Quebec Law 25.

PIPEDABill C-27CPPACanada PrivacyOPC
Generate free →
💳

PCI DSS v4.0 Gap Assessment

~10 min

Assess your organisation’s readiness against PCI DSS v4.0 across all 12 requirement groups — from network security controls (Req 1) and stored account data protection (Req 3) to access management (Req 7-8), logging (Req 10), vulnerability management (Req 11), and information security policy (Req 12). Includes the four new v4.0 requirements: Req 5.4 (phishing protection), Req 6.4.3 (payment page script management), Req 8.4 (expanded MFA to all CDE access), and Req 11.6.1 (payment page change/tamper detection). Entity-type context: Merchant (Level 1-4), Service Provider, or SaaS vendor. Generates a gap assessment report with QSA-ready evidence guidance and phased remediation roadmap.

PCI DSSv4.0Payment SecurityCDEQSA
Generate free →
🏥

HIPAA Security Risk Assessment

~10 min

Generate a HIPAA Security Rule §164.308(a)(1) Security Risk Assessment covering all administrative, physical, and technical safeguards. Identifies ePHI risks across 18 HIPAA Security Rule safeguard areas: workforce training, access management, workstation controls, device media controls, audit controls, transmission security, and more. Includes risk scoring, vulnerability identification, and recommended safeguards aligned to HHS guidance and NIST SP 800-66r2. For covered entities (healthcare providers, health plans, clearinghouses) and business associates.

HIPAASRAePHICovered EntityBusiness Associate
Generate free →
📊

SOC 2 Remediation Tracker

~10 min

Track SOC 2 control remediation across CC1-CC9, A1, and C1. Assign owners, set due dates, mark evidence collected, and generate a full remediation & evidence collection plan with PBC list. The essential next step after your SOC 2 gap assessment.

SOC 2RemediationEvidence CollectionAudit Prep
Generate free →
🎓

FERPA Compliance Checklist

~8 min

FERPA compliance checklist for EdTech SaaS companies and educational institutions. Covers the school official exception (34 CFR §99.31(a)(1)), student data restrictions, COPPA overlap for under-13 students, and state student privacy laws (California SOPIPA, New York §2-d, SDPC NDPA).

FERPAEdTechStudent Data PrivacyCOPPASOPIPA
Generate free →
🏙️

CCPA / CPRA Compliance Checklist

~8 min

Interactive CCPA and CPRA compliance assessment for businesses collecting personal information from California residents. Covers all consumer rights, Do Not Sell or Share link, GPC signal, sensitive PI controls, data minimisation and retention (CPRA), service provider contracts, and security requirements. Generates a full compliance gap analysis report.

CCPACPRACalifornia PrivacyGPCConsumer RightsCPPA
Generate free →
🎖️

NIST 800-171 / CMMC 2.0 Assessment

~10 min

Assess NIST SP 800-171 compliance mapped to CMMC 2.0 Level 2 for organisations handling Controlled Unclassified Information (CUI) under DoD contracts. Covers all 14 security families: access control, MFA, encryption, incident response (72-hour DIBNet reporting), risk assessment, and configuration management. Generates an SSP framework and pre-populated POA&M for SPRS upload.

NIST 800-171CMMC 2.0DoDCUIDFARSSPRS
Generate free →
🔍

Penetration Testing Policy

~6 min

Generate a penetration testing policy covering scope, methodology, testing frequency, provider qualifications, CVSS-based finding classification, remediation timelines (Critical 7d / High 30d / Medium 90d), report handling, retesting, and responsible disclosure. Covers SOC 2 CC4.1, ISO 27001 A.8.8, PCI DSS Req 11, NIS2 Art. 21(2)(e), and HIPAA.

SOC 2ISO 27001PCI DSSNIS2HIPAAPen Testing
Generate free →
🛡️

Cyber Insurance Readiness Assessment

~8 min

Assess your security posture against the controls cyber insurers evaluate during underwriting. Covers all Big-5 underwriting factors: MFA (remote access/email/admin), EDR deployment, immutable backup, patch management, and incident response. Also covers email security, network controls, and data protection. Generates a gap report and 30-day action plan.

Cyber InsuranceMFAEDRBackupIncident ResponseRisk Management
Generate free →
🇺🇸

FedRAMP Authorization Roadmap

~10 min

Generate a FedRAMP Authorization Roadmap covering control readiness across all key NIST SP 800-53 families, SSP requirements, 3PAO assessment prep, and continuous monitoring obligations. Covers FedRAMP Low, Moderate, and High impact levels via Agency or JAB authorization path.

FedRAMPATONIST SP 800-53GovTech3PAOConMon
Generate free →
🏥

HITRUST CSF Readiness Assessment

~8 min

Assess your readiness for HITRUST CSF certification across all three levels — e1 (44 controls), i1 (182 controls), and r2 (375+ controls). Built for healthcare SaaS, digital health, and health IT vendors. Covers HIPAA alignment, BAAs, access control, encryption, risk analysis, incident response, and breach notification.

HITRUSTHIPAAHealthcare SaaSe1i1r2Digital Health
Generate free →
📋

~7 min

Generate a complete ISO/IEC 27001:2022 Clause 9.3 management review record covering all 7 mandatory inputs and 3 mandatory outputs for certification bodies.

ISO 27001ISMSManagement ReviewCl. 9.3Certification
Generate free →
🔏

~8 min

Generate a GDPR Article 25 Privacy by Design and by Default assessment covering all 7 PbD principles, technical measures, DPIA triggers, and an implementation roadmap.

GDPRPrivacy by DesignArt. 25DPbDPbDEDPB
Generate free →
🏛️

~8 min

Assess your compliance with APRA Prudential Standard CPS 234 Information Security. Covers all 8 requirement areas: capability, policy, asset classification, controls, incident management, testing, internal audit, and APRA notification obligations (72h incidents, 10-day weaknesses, annual self-assessment).

APRACPS 234Australian Financial ServicesInformation SecurityPrudential
Generate free →
🇪🇺

~9 min

Assess your compliance with the EU Digital Operational Resilience Act (DORA) Regulatory Technical Standards, effective January 2025. Covers ICT risk management, major incident reporting (4h/72h/1 month), resilience testing, and third-party ICT risk register. For EU financial entities.

DORAEU Financial ServicesICT RiskIncident ReportingRTSCTPP
Generate free →
🌍

~8 min

Generate a comprehensive Supplier Code of Conduct aligned with CSDDD (EU Corporate Sustainability Due Diligence Directive), German Supply Chain Act (LkSG), UK Modern Slavery Act, and ILO Core Labour Standards. Covers forced labour, child labour, environmental standards, anti-corruption, audit rights, and cascading obligations to sub-suppliers.

CSDDDLkSGModern Slavery ActSupply Chain Due DiligenceHuman RightsILO
Generate free →
📈

~10 min

Assess your EU investment firm's compliance across 8 MiFID II pillars: authorisation and governance, client suitability (including ESG preferences per Del. Reg. 2021/1253), costs and charges disclosure, best execution, transaction reporting (MiFIR Art. 25, 65 data fields), product governance, conflicts of interest, and MAR market abuse surveillance.

MiFID IIMiFIRESMAInvestment FirmEU Financial ServicesESG SuitabilityTransaction Reporting
Generate free →
🤖

~12 min

Assess your high-risk AI system against all Art. 9–15 EU AI Act obligations. Covers: risk management system (Art. 9), data governance (Art. 10), technical documentation (Annex IV), human oversight with automation bias controls (Art. 14), accuracy and robustness (Art. 15), QMS, EU AI database registration, post-market monitoring, and EU Declaration of Conformity. For providers of Annex III AI systems.

EU AI ActHigh-Risk AIAnnex IIIArt. 9–15Conformity AssessmentCE MarkingAI Compliance
Generate free →
🌱

~10 min

Assess your company's CSRD readiness across all European Sustainability Reporting Standards (ESRS). Covers ESRS 1 double materiality assessment, ESRS 2 governance disclosures, ESRS E1 climate (GHG Scope 1/2/3, transition plan, physical risks), ESRS S1 workforce metrics and gender pay gap, ESRS S2–S4 value chain and social, and ESRS G1 anti-corruption. For Phase 2 reporters (FY2025) and beyond.

CSRDESRSESG ReportingDouble MaterialityClimateGHGEU Sustainability
Generate free →
🔒

~10 min

Assess your product's compliance with the EU Cyber Resilience Act (Regulation 2024/2847). Covers all Annex I Part I product security requirements (secure by design/default, authentication, encryption, integrity, logging, DoS resilience, updateability), Annex I Part II vulnerability handling obligations (CVD policy, ENISA 24h reporting, free security updates), Annex VII technical documentation and SBOM, and conformity assessment + CE marking. For manufacturers and importers of connected hardware and software products.

CRACyber Resilience ActEU 2024/2847IoT SecuritySBOMCVDCE MarkingProduct Security
Generate free →
📢

~8 min

Assess your organisation's compliance with EU Directive 2019/1937 on whistleblower protection. Covers internal reporting channel requirements (Art. 8-9 — written, oral, in-person), 7-day acknowledgment and 3-month diligent follow-up (Art. 11), confidentiality obligations (Art. 16), GDPR intersection (DPIA, Art. 13-14 notices, data retention), anti-retaliation protection (Art. 19 — reversed burden of proof), policy communication, manager training, and record-keeping. Required for companies with 50+ employees and all financial sector firms.

WhistleblowingDir. 2019/1937Anti-RetaliationGDPRHinSchGEmployment LawCompliance
Generate free →
🔐

ISO 27001:2022 Annex A Controls Gap Assessment

~20 min

Assess all ISO 27001:2022 Annex A controls across four themes: Organisational (A.5 — 37 controls including threat intelligence A.5.7, cloud A.5.23, ICT readiness A.5.30), People (A.6 — 8 controls including remote working A.6.7), Physical (A.7 — 14 controls), and Technological (A.8 — 34 controls including configuration management A.8.9, data masking A.8.11, DLP A.8.12, secure coding A.8.28). Generate a detailed gap analysis with prioritised remediation roadmap and certification journey timeline for ISO 27001:2022 certification.

ISO 27001:2022Annex A93 ControlsISMSGap AssessmentCertificationCISO
Generate free →
🚨

DORA Major ICT Incident Classification Matrix

~6 min

Classify ICT-related incidents under DORA Regulation (EU) 2022/2554 (applicable 17 January 2025). Evaluate all Art. 19 classification criteria per Commission Delegated Regulation (EU) 2024/1772: client threshold (>10% or 50,000 clients), transaction threshold (>10% or €5M), reputational impact, duration (≥4h for critical functions), geographic spread, data loss/integrity, and critical function impact. Generates classification report with 24h early warning / 72h intermediate / 1-month final reporting timelines, RTO/RPO analysis, parallel GDPR/NIS2 obligations, and competent authority contacts. For EU financial entities: banks, payment institutions, investment firms, insurers, CCPs, crypto-asset service providers.

DORAEU 2022/2554Art. 19Major Incident72h ReportingFinancial EntitiesICT Risk
Generate free →
🤖

NIST AI RMF Gap Assessment

~12 min

Assess your organisation's AI governance maturity against the NIST AI Risk Management Framework 1.0 (published January 2023 by NIST). Evaluate 48 items across all four core functions — GOVERN (14 items: risk policy, tolerance, roles, human oversight, vendor risk), MAP (12 items: AI system inventory, high-risk use cases, bias assessment, risk categorisation), MEASURE (12 items: performance and fairness metrics, red-teaming, robustness/security/privacy testing, drift monitoring), and MANAGE (10 items: risk treatment, model rollback, incident logging, continuous improvement). Generates a scored gap assessment report with maturity rating (AI RMF Leader / Progressing Well / Foundation Stage / Significant Gaps), critical and high-priority gap cards, GOVERN/MAP/MEASURE/MANAGE deep dives, framework crosswalk (EU AI Act, ISO 42001), and a phased 0-12 month remediation roadmap. For AI developers, deployers, AI product companies, and enterprises using AI.

NIST AI RMF 1.0GOVERNMAPMEASUREMANAGETrustworthy AIISO 42001EU AI ActAI Governance
Generate free →
🔗

EU Data Act Compliance Checklist

~10 min

Assess compliance with Regulation (EU) 2023/2854 (EU Data Act, applicable September 2025). Covers user data access rights (Art. 3-8 — real-time access, machine-readable format, third-party sharing, prohibition on contractual restrictions), B2B data sharing contracts (Art. 9-13 — mandatory clauses, unfair clause blacklist), B2G data requests (Art. 14-26 — exceptional necessity, purpose limitation, data deletion), and cloud switching obligations (Art. 23-31 — 30-day maximum transition period, zero egress fees from 2027, interoperability APIs). Generates a compliance gap report with remediation roadmap for IoT manufacturers, cloud providers, SaaS companies, and data holders.

EU Data ActReg. 2023/2854Data SharingCloud SwitchingIoTData HolderB2G
Generate free →
🤖

NIST AI RMF Gap Assessment

~15 min

Assess your AI governance maturity against the NIST AI Risk Management Framework 1.0 (January 2023). Evaluate 48 items across all four core functions: GOVERN (14 items — AI risk policy, human oversight, third-party AI vendor risk, legal review), MAP (12 items — AI system inventory, risk categorisation, bias assessment, affected population documentation), MEASURE (12 items — performance metrics, fairness testing, red-teaming, post-deployment monitoring, explainability), and MANAGE (10 items — risk treatment plans, emergency shutdown, incident response, model versioning). Generates a maturity gap report with function-level scoring and a three-phase remediation roadmap. For AI developers, deployers, and enterprises using AI.

NIST AI RMFAI GovernanceGOVERNMAPMEASUREMANAGEAI RiskISO 42001
Generate free →
💳

PSD2/PSD3 SCA Compliance Checklist

~10 min

Assess your Strong Customer Authentication (SCA) implementation and PSD3 readiness under PSD2 (Directive 2015/2366) and EBA RTS on SCA (Delegated Regulation (EU) 2018/389). 40 items across SCA requirements (dynamic linking, Art. 5 authentication codes, TRA exemption monitoring), open banking APIs (eIDAS certificate validation, API uptime SLA, TPP onboarding rules), PSD3/PSR transition (COM(2023) 366 — IBAN/name verification, open finance, APP fraud liability), consumer rights (Art. 73-74 refund obligations), and fraud prevention (EBA fraud rate reporting, PCI DSS). Generates SCA compliance report with gap cards and remediation roadmap for PSPs, TPPs, banks, fintechs, and e-money institutions.

PSD2 Art. 97EBA RTS on SCAPSD3Open BankingSCA ExemptionsTPPAISPPISPFraud Prevention
Generate free →
🚨

NIS2 Incident Reporting Playbook

~12 min

Step-by-step NIS2 Art. 23 incident reporting readiness playbook for essential and important entities. 42 items across incident detection & classification, 24-hour early warning (Art. 23(1)(a)), 72-hour intermediate notification (Art. 23(1)(b) with IoC package and impact assessment), CSIRT coordination and NCA engagement (Art. 11-14), 1-month final report with full root cause analysis (Art. 23(1)(c)), and post-incident review with evidence retention. Covers significant-incident classification thresholds, parallel GDPR Art. 33 obligations, EU-CyCLONe escalation, and CSIRT directory for EU Member States. Generates a complete incident reporting playbook with NIS2 notification templates, timeline checklist, and gap remediation plan. Penalties: EE up to €10M / 2% global turnover; IE up to €7M / 1.4%.

NIS2 Art. 2324h Early Warning72h NotificationCSIRT1-Month ReportEssential EntityImportant EntityIncident Response
Generate free →
🇬🇧

FCA Consumer Duty Compliance Checklist

~10 min

42-item FCA Consumer Duty (PRIN 2A / PS22/9) gap assessment covering all four outcomes: Products & Services (target market, product governance, foreseeable harm), Price & Value (fair value assessment, value chain analysis, add-on products, renewal pricing PS21/5), Consumer Understanding (comprehension testing, digital dark patterns, vulnerable customers FG21/1), Consumer Support (exit processes, claims outcomes, financial difficulty). Includes governance (annual board attestation PRIN 2A.2.18R, SM&CR champion, MI framework), distributor/manufacturer information sharing obligations, and monitoring programme. Generates full compliance assessment report with per-outcome scorecard, critical gap remediation plan, and fair value assessment framework.

PRIN 2APS22/9Four OutcomesFair ValueConsumer UnderstandingSM&CRBoard AttestationFG21/1FCAUK Financial Services
Generate free →
🔍

SOC 2 Type II Readiness Assessment

~12 min

42-item SOC 2 Type II audit readiness assessment for the observation period — evidence collection planning (population lists, automated evidence, AICPA sampling methodology), access controls and quarterly reviews (CC6 — JML process within 24-48h SLA, PAM, MFA enforcement, service account rotation), change management (CC8 — approval tickets for every production deployment, branch protection, SAST/DAST in CI/CD), continuous monitoring (CC7 — SIEM operations, monthly vulnerability scans, annual pen test timing, backup restore tests), risk management (CC3/CC9 — sub-service org CUEC mapping for AWS/GCP/Azure, vendor SOC 2 review, BCP/DR tabletop), and policies (CC1/CC2 — policy review cycle, 100% acknowledgement records). Generates Type II readiness report with AICPA sampling windows, evidence gap analysis, and T-6 month audit preparation timeline.

SOC 2 Type IIAICPA TSCEvidence CollectionType I to Type IIAudit PeriodCommon CriteriaAccess ReviewContinuous MonitoringSaaS Security
Generate free →
⚖️

EU AI Liability Directive Gap Assessment

~10 min

42-item EU AI Liability Directive (COM(2022) 496) readiness assessment across 6 categories: scope and coverage (EU AI Act Annex III classification, territorial scope, provider/deployer role), strict liability readiness for high-risk AI (Art. 4 — no-fault exposure, insurance coverage, disclosure obligations, harm causation chain), fault-based liability and rebuttable presumption (Art. 3 — duty of care standard, court-ordered disclosure, logging requirements, contributory negligence framework), transparency and evidence obligations (EU AI Act Art. 13/72/73, Annex IV technical docs, human oversight), AI governance (ISO 42001, AI risk register, FRIA under EU AI Act Art. 27, CAIO designation, ERM), and claims readiness (legal hold procedure, supply chain indemnification, GPAI catastrophic risk). Timely as EU AI Act reaches full applicability August 2026. Generates report referencing specific COM(2022) 496 articles and EU AI Act provisions.

EU AI Liability DirectiveCOM(2022) 496EU AI ActHigh-Risk AIStrict LiabilityRebuttable PresumptionGPAIAI GovernanceAI Compliance
Generate free →
🏦

DORA ICT Third-Party Register

~12 min

42-item DORA Art. 28 ICT third-party register compliance assessment across 6 categories: register structure and mandatory RTS fields (LEI, data locations, sub-contractor chain, NCA submission format), criticality assessment and CTPP designation (Art. 28(4) criteria — substitutability, concentration risk, systemic importance, exit strategy per Art. 28(8)), Art. 30 mandatory contractual provisions (all 11 elements: service description, data locations, applicable law, performance monitoring, audit/inspection rights, incident reporting, BCP obligations, data portability, sub-contractor change notification, DORA termination rights, exit assistance), ongoing monitoring and due diligence (continuous monitoring, annual reviews, TLPT scope, CTPP oversight), ICT resilience integration (BCP/DRP TPSP dependencies, BIA, RTO/RPO testing, DORA Art. 17–23 incident reporting), and governance and NCA reporting (management body approval, annual register submission, legacy contract remediation). For EU financial entities: banks, payment institutions, investment firms, insurance undertakings.

DORAICT Third-Party RiskArt. 28Art. 30CTPPConcentration RiskNCARegister of InformationFinancial Services
Generate free →
🔐

ISO 27701 PIMS Gap Assessment

~11 min

42-item ISO/IEC 27701 Privacy Information Management System gap assessment across 6 domains: PIMS scope and ISO 27001 integration (§4–5 — scope statement, PII role determination as controller/processor, management commitment, privacy objectives); PII controller controls (§7 — lawful basis per GDPR Art. 6, privacy notices Art. 13/14, consent management and withdrawal, data subject rights: access/erasure/portability/objection Art. 15–21, PII minimisation, purpose limitation, third-party sharing); PII processor controls (§8 — Art. 28 GDPR DPAs with all mandatory provisions, controller instruction compliance, sub-processor list and notification, return/deletion on termination, audit facilitation, breach notification to controllers, international transfer safeguards); privacy risk management and DPIA (ISO 27701 §5, 6.3 — privacy risk assessment integrated with ISO 27001, Art. 35 DPIA process, DPIA triggers, risk treatment, residual risk sign-off); privacy by design and technical controls (ISO 27701 §6, Annex B — PbD in SDLC, data minimisation at collection, pseudonymisation, encryption at rest/transit, access controls, retention schedules, PETs); governance, audit and certification (§5.8, 9–10 — DPO designation, PIMS internal audit, management review, corrective action, staff training, documentation, ISO 27701 certification readiness). For DPOs, CISOs, privacy counsel, ISO 27001-certified orgs adding the 27701 privacy extension.

ISO 27701PIMSISO 27001GDPRPrivacy by DesignDPODPIAArt. 28PII ControllerPII Processor
Generate free →
🏛️

NIST CSF 2.0 Tier Assessment

~12 min

42-item NIST Cybersecurity Framework 2.0 Tier Assessment across all six CSF 2.0 functions: GOVERN function (new in CSF 2.0 — GV: cybersecurity risk strategy board approval, roles and responsibilities, risk tolerance and appetite, policy review cycle, legal/regulatory requirements tracking, supply chain cybersecurity policy GV.SC, board reporting metrics GV.OV); IDENTIFY function (ID: asset inventory hardware/software/data, business environment and critical functions, risk assessment process, supply chain third-party risk assessment, vulnerability management, risk register, dependency mapping); PROTECT function (PR: IAM and MFA and RBAC, data security encryption and DLP, secure configuration baselines, security awareness training, EDR/SIEM/WAF protective technology, software supply chain security SBOM, patch management SLAs); DETECT function (DE: continuous network/cloud monitoring, centralised SIEM logging, anomaly detection with escalation, detection testing red/purple team, threat intelligence IOC integration, cloud detection coverage, insider threat monitoring); RESPOND function (RS: incident response plan tested annually, incident classification and severity, communication plan internal/regulatory/public, containment and eradication procedures, lessons learned process, external CERT/MSSP coordination, breach notification timelines GDPR/NIS2/HIPAA); RECOVER function (RC: recovery plan and BCP alignment, RTO/RPO for critical systems, backup strategy and testing, recovery integration with IRP, post-recovery review, stakeholder communications, continuous improvement). Determines Tier 1–4 with gap analysis and Tier progression roadmap. For CISOs, CROs, boards, and organisations needing SEC cybersecurity disclosure support.

NIST CSF 2.0GOVERN functionTier assessmentCybersecurity maturitySupply chain riskBoard reportingSEC disclosureNIS2DORA
Generate free →
🍊

~12 min

42-item EU ePrivacy Regulation readiness assessment covering cookie & tracker consent (Art. 5(3) / Reg. Art. 8), electronic direct marketing (Art. 13/16), communications confidentiality, machine-to-machine & IoT, tracking technologies, and governance. Aligned with ePrivacy Directive 2002/58/EC and draft Regulation COM(2017) 10. For DPOs, privacy counsel, product teams, and marketing teams.

ePrivacy RegulationCookie consentePrivacy DirectiveDirect marketingCMPTracking technologiesM2MIoTGDPR
Generate free →
⚖️

~12 min

42-item AI fairness and algorithmic bias audit covering training data governance (EU AI Act Art. 10), fairness metrics (demographic parity, equalised odds, intersectional testing), model transparency (Art. 13), human oversight & contestability (Art. 14), ongoing fairness monitoring & drift detection (Art. 72), and accountability governance including FRIA. For AI/ML teams, Responsible AI leads, and compliance teams in high-risk AI domains.

AI fairnessAlgorithmic biasEU AI Act Art. 10Demographic parityEqualised oddsIEEE 7003NIST AI RMFFRIAResponsible AI
Generate free →
🛡️

~12 min

42-item CMMC 2.0 Level 2 gap assessment covering all key NIST 800-171 practice domains — access control, MFA & authentication, configuration management, incident response & audit logging, system & communications protection (FIPS 140-2/3 encryption for CUI), and awareness & supply chain risk. Includes DFARS 252.204-7012 cyber incident reporting deep dive. For DoD contractors, subcontractors, and teams preparing for C3PAO assessment.

CMMC 2.0NIST 800-171DFARS 252.204-7012C3PAOCUIDoD contractorsSPRSSSPPOAM
Generate free →
🏛️

~12 min

42-item DMA compliance checklist covering gatekeeper designation thresholds (Art. 3), absolute obligations including data combination prohibition & parity clauses (Art. 5), fair conduct including self-preferencing prohibition & alternative app stores (Art. 6), messaging interoperability (Art. 7), transparency & audit obligations, and governance programme. For designated and potential gatekeepers and their legal/policy teams.

Digital Markets ActDMAGatekeeperArt. 5Art. 6Self-preferencingInteroperabilityData portabilityEU competition
Generate free →

More coming soon

SOC 2 policy pack and EU AI Act documentation are on the roadmap.

Join waitlist for more frameworks →

All outputs are AI-generated draft templates, not legal advice. ComplyKit is not a law firm and does not provide legal services. Have any document reviewed by a qualified lawyer admitted in your jurisdiction before publishing.