Answer a few questions. Get an AI-drafted starting-point document your lawyer can finalize. All free. 42 generators, no account required.
⚠️ AI-generated drafts. Not legal advice. ComplyKit is not a law firm.
Generate a GDPR & CCPA compliant privacy policy tailored to your SaaS. Covers data collection, subprocessors, retention, international transfers, and user rights.
Generate a plain-English Terms of Service covering acceptable use, payment & subscriptions, user-generated content, IP ownership, liability cap, and governing law.
Generate a Cookie Policy with a category table, specific tool disclosures, opt-out instructions, and ePrivacy Directive notes — matched to your actual analytics and ad stack.
Generate a Refund & Cancellation Policy for your SaaS. Covers subscription cancellation, pro-rata refunds, free trial terms, EU 14-day cooling-off rights, and governing law.
Generate an Acceptable Use Policy defining what users can and cannot do on your platform. Covers prohibited uses, enforcement actions, user obligations, and IP rights.
Generate a complete Article 28 DPA — sub-processor list, technical & organisational measures, breach notification, international transfer clauses, and audit rights. Send to your B2B customers.
Generate a HIPAA BAA for your SaaS. Covers ePHI safeguards, breach notification (45 CFR § 164.410), sub-contractor BAA chain requirements, and state-specific addenda. Required for any SaaS that creates, receives, maintains, or transmits ePHI on behalf of a HIPAA covered entity.
Generate a Mutual or One-Way Non-Disclosure Agreement in minutes. Optional non-solicitation, non-compete, and liquidated damages clauses. Jurisdiction-specific governing law. For contractors, investors, partnerships, and employees.
Generate a SOC 2–aligned Information Security Policy covering access control, encryption, incident response, vulnerability management, and vendor risk. Tailored to your stack and compliance targets.
Generate a complete NIST SP 800-61 Incident Response Plan. Covers severity classification (P1–P4), CSIRT roles, containment playbooks by incident type, GDPR 72-hour breach notification, HIPAA BNR, evidence handling, and post-incident review.
Generate a GDPR Article 35 Data Protection Impact Assessment. Covers necessity & proportionality test, risk assessment table with residual risk ratings, safeguards map, and prior DPA consultation check (Art. 36). Required for high-risk processing.
Generate a GDPR-compliant Data Retention Policy with per-category retention schedules, deletion procedures, legal basis table, backup retention, log retention, employee data section, and optional legal hold process.
Generate your complete CCPA/CPRA compliance pack: Notice at Collection (required at point of data collection), 'Do Not Sell or Share My Personal Information' opt-out page, and California Consumer Privacy Rights summary. GPC signal, SPI categories, and Delete Act support included.
Generate a GDPR Art. 28(2) and 28(4) public sub-processor list ready to publish on your website. 40+ pre-loaded vendors (AWS, Stripe, OpenAI, Sentry, HubSpot, and more) with legal entities, processing countries, transfer mechanisms, and DPA links. Includes authorisation approach, change notification process, and objection procedure.
Generate a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) covering RTO/RPO objectives, recovery playbooks for up to 12 disaster scenarios, SOC 2 A1 criteria, ISO 27001 A.17, and GDPR Art. 32 availability requirements. Includes BIA table, backup architecture, roles, communication plan, and testing schedule.
Generate a complete vendor security questionnaire to send to new SaaS vendors before onboarding. Covers 14 assessment sections including data security, access controls, encryption, business continuity, incident response, and compliance certifications. Configurable by risk tier (Critical / High / Medium / Low) and data categories.
Generate GDPR-compliant response letters for Data Subject Requests — covering all 8 rights: access, erasure, portability, rectification, restriction, objection, direct marketing opt-out, and automated decision-making. Handles fulfilled, partial, extended, refused, and identity-unverified outcomes.
Generate a GDPR Article 13/14 compliant Employee Privacy Notice for staff, contractors, and job applicants. Covers HR data categories, lawful bases, workplace monitoring, data recipients, international transfers, retention schedules, and all 8 data subject rights. Country-specific notes for Germany, France, Netherlands, UK, and more.
Form-based Records of Processing Activities (RoPA) builder compliant with GDPR Article 30. Add each processing activity with data subjects, lawful basis, recipients, international transfers, retention periods, and technical & organisational measures. Generates a complete, audit-ready RoPA document.
Evaluate your current security controls against SOC 2 Trust Service Criteria (CC / A / C / PI / P). Answer control questions, see where you stand, and get a prioritised remediation roadmap with policy document checklist before hiring an auditor.
Assess your readiness for ISO/IEC 27001:2022 certification across 28 Annex A controls in 14 domains. Answer control questions, get a readiness score, and receive a phased remediation roadmap with policy documents checklist before engaging a certification body.
Generate an EU AI Act Art. 50 transparency notice and provider/deployer compliance documentation pack for your AI system under Regulation (EU) 2024/1689. Covers risk classification, GPAI obligations, GDPR Art. 22 intersection, and prohibited practices confirmation.
Assess your organisation against all 10 NIS2 Art. 21 cybersecurity requirements. Get a scored gap report with prioritised remediation roadmap. For EU SaaS platforms, managed service providers, and digital service providers.
Generate a HIPAA SRA covering all Administrative, Technical, and Physical Safeguards (45 CFR Part 164). Required for all covered entities and business associates. Includes ePHI inventory, threat/vulnerability assessment, risk levels, and remediation roadmap.
Generate a Schrems II-compliant GDPR Transfer Impact Assessment (TIA) for all your international data transfers. Covers EU-US Data Privacy Framework, Standard Contractual Clauses (2021 SCCs), UK IDTA, BCRs, country-level legal risk analysis, and supplementary measures.
Generate a PCI DSS v4.0 Self-Assessment Questionnaire (SAQ) for your payment card environment. Covers SAQ A (fully outsourced), SAQ A-EP (e-commerce), SAQ C, and SAQ D (all merchants/service providers). Includes gap analysis, remediation priorities, and v4.0 new requirements.
Generate a LGPD-compliant Aviso de Coleta (Notice at Collection), Data Subject Rights Summary, and Privacy Policy addendum for Brazil's Lei Geral de Proteção de Dados. Covers all 10 lawful bases, 9 Art. 18 rights, sensitive data, and ANPD compliance.
Generate a complete internal TPRM policy with vendor tiers, due diligence matrix, contract requirements, ongoing monitoring frequency, incident response, and offboarding controls. Maps to ISO 27001 A.15, SOC 2 CC9.2, GDPR Art. 28, and NIS2 Art. 21(2)(d).
Audit your cookie consent setup against GDPR, ePrivacy Directive, UK PECR, and CCPA. Check CMP configuration, banner design, consent records, withdrawal mechanisms, and Google Consent Mode v2 compliance. 18-control assessment with prioritised remediation checklist.
Generate a documented Legitimate Interests Assessment under GDPR Art. 6(1)(f). 3-step balancing test: purpose test (is there a legitimate interest?), necessity test (is it the minimum necessary?), and balancing test (do data subject rights override?). Includes privacy notice guidance and Art. 21 objection rights.
Generate a comprehensive AI/ML Model Card for EU AI Act compliance. Covers GPAI technical documentation (Art. 53 Annex XI/XII), risk classification, training data governance (Art. 10), performance evaluation, bias assessment, safety measures, human oversight (Art. 14), and environmental impact.
Generate a Whistleblower (Speak Up) Policy compliant with EU Directive 2019/1937 and UK PIDA. Covers reporting channels, protected disclosures, anti-retaliation protections, investigation timelines, GDPR-compliant data handling, and country-specific competent authority references.
Generate an AI Acceptable Use Policy for your SaaS product. Covers EU AI Act obligations, prohibited AI input content, prohibited output uses, bias and accuracy disclosures, human oversight levels, data-training transparency, content moderation approach, and enforcement mechanisms.
Generate a COPPA-compliant and GDPR Article 8 Children's Privacy Notice. Covers parental consent verification methods, age thresholds by jurisdiction, data minimisation for children, UK ICO Children's Code obligations, third-party restrictions, and parental rights to review, correct, and delete child data.
Generate a GDPR Article 33 supervisory authority breach notification form, an Article 34 plain-language individual notification letter, and an Article 33(5) internal breach register entry. Covers all mandatory disclosure elements with 72-hour deadline guidance.
Get a personalised SOC 2 evidence collection checklist organised by Trust Service Criteria control area. Covers exact evidence items, what auditors sample, how to collect from AWS/GitHub/GCP, PBC folder structure, and gap remediation for Type I and Type II audits.
Generate a complete security & compliance Trust Centre page for your SaaS website. Covers certifications, infrastructure, data regions, encryption, pen testing, bug bounty/disclosure, authentication, sub-processors, privacy compliance summary, and a pre-filled security FAQ for enterprise prospects.
Generate a GDPR Article 35 DPIA specifically for AI systems. Covers EU AI Act risk classification (Annex III), automated decision-making obligations (GDPR Art. 22), bias and fairness assessment, human oversight requirements, training data governance, and DPA prior consultation analysis (Art. 36).
Assess your readiness for ISO/IEC 27701:2019 PIMS certification — the privacy extension to ISO 27001. 26 controls across 8 domains, Annex A (controllers) + Annex B (processors). Includes ISO 27701 ↔ GDPR alignment table, certification roadmap, and gap remediation priorities.
Generate a complete Security Awareness Training Policy for your SaaS. Covers training schedule, curriculum, phishing simulation programme, completion tracking, and graduated consequences. Mapped to SOC 2 CC1.4, ISO 27001 A.6.3, HIPAA §164.308(a)(5), NIS2 Art. 21(2)(g), PCI DSS Req 12.6, and GDPR Art. 32.
Generate a complete internal DSAR (Data Subject Access Request) policy and procedure. Covers all 8 GDPR data subject rights, identity verification methods, per-right procedures, response timelines, refusal grounds, DSR register template, escalation paths, and audit logging requirements.
Generate a comprehensive AI risk register covering EU AI Act compliance, GDPR Art. 22 automated decision-making risks, algorithmic bias, prompt injection, model drift, third-party AI supply chain risks, and ISO 42001 alignment — with inherent risk scores, mitigation plans, and monitoring KPIs.
SOC 2 policy pack and EU AI Act documentation are on the roadmap.
All outputs are AI-generated draft templates, not legal advice. ComplyKit is not a law firm and does not provide legal services. Have any document reviewed by a qualified lawyer admitted in your jurisdiction before publishing.