Answer a few questions. Get an AI-drafted starting-point document your lawyer can finalize. All free. 110 generators, no account required.
⚠️ AI-generated drafts. Not legal advice. ComplyKit is not a law firm.
Generate a GDPR & CCPA compliant privacy policy tailored to your SaaS. Covers data collection, subprocessors, retention, international transfers, and user rights.
Generate a plain-English Terms of Service covering acceptable use, payment & subscriptions, user-generated content, IP ownership, liability cap, and governing law.
Generate a Cookie Policy with a category table, specific tool disclosures, opt-out instructions, and ePrivacy Directive notes — matched to your actual analytics and ad stack.
Generate a Refund & Cancellation Policy for your SaaS. Covers subscription cancellation, pro-rata refunds, free trial terms, EU 14-day cooling-off rights, and governing law.
Generate an Acceptable Use Policy defining what users can and cannot do on your platform. Covers prohibited uses, enforcement actions, user obligations, and IP rights.
Generate a complete Article 28 DPA — sub-processor list, technical & organisational measures, breach notification, international transfer clauses, and audit rights. Send to your B2B customers.
Generate a HIPAA BAA for your SaaS. Covers ePHI safeguards, breach notification (45 CFR § 164.410), sub-contractor BAA chain requirements, and state-specific addenda. Required for any SaaS handling patient data.
Generate a Mutual or One-Way Non-Disclosure Agreement in minutes. Optional non-solicitation, non-compete, and liquidated damages clauses. Jurisdiction-specific governing law. For contractors, investors, partnerships, and employees.
Generate a SOC 2–aligned Information Security Policy covering access control, encryption, incident response, vulnerability management, and vendor risk. Tailored to your stack and compliance targets.
Generate a complete NIST SP 800-61 Incident Response Plan. Covers severity classification (P1–P4), CSIRT roles, containment playbooks by incident type, GDPR 72-hour breach notification, HIPAA BNR, evidence handling, and post-incident review.
Generate a GDPR Article 35 Data Protection Impact Assessment. Covers necessity & proportionality test, risk assessment table with residual risk ratings, safeguards map, and prior DPA consultation check (Art. 36). Required for high-risk processing.
Generate a GDPR-compliant Data Retention Policy with per-category retention schedules, deletion procedures, legal basis table, backup retention, log retention, employee data section, and optional legal hold process.
Generate your complete CCPA/CPRA compliance pack: Notice at Collection (required at point of data collection), 'Do Not Sell or Share My Personal Information' opt-out page, and California Consumer Privacy Rights summary. GPC signal, SPI categories, and Delete Act support included.
Generate a GDPR Art. 28(4) public sub-processor list ready to publish on your website. 40+ pre-loaded vendors (AWS, Stripe, OpenAI, Sentry, HubSpot, and more) with legal entities, processing countries, transfer mechanisms, and DPA links. Includes authorisation approach, change notification process, and objection procedure.
Generate a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) covering RTO/RPO objectives, recovery playbooks for up to 12 disaster scenarios, SOC 2 A1 criteria, ISO 27001 A.17, and GDPR Art. 32 availability requirements. Includes BIA table, backup architecture, roles, communication plan, and testing schedule.
Generate a complete vendor security questionnaire to send to new SaaS vendors before onboarding. Covers 14 assessment sections including data security, access controls, encryption, business continuity, incident response, and compliance certifications. Configurable by risk tier (Critical / High / Medium / Low) and data categories.
Generate GDPR-compliant response letters for Data Subject Requests — covering all 8 rights: access, erasure, portability, rectification, restriction, objection, direct marketing opt-out, and automated decision-making. Handles fulfilled, partial, extended, refused, and identity-unverified outcomes.
Generate a GDPR Article 13/14 compliant Employee Privacy Notice for staff, contractors, and job applicants. Covers HR data categories, lawful bases, workplace monitoring, data recipients, international transfers, retention schedules, and all 8 data subject rights. Country-specific notes for Germany, France, Netherlands, UK, and more.
Form-based Records of Processing Activities (RoPA) builder compliant with GDPR Article 30. Add each processing activity with data subjects, lawful basis, recipients, international transfers, retention periods, and technical & organisational measures. Generates a complete, audit-ready RoPA document.
Evaluate your current security controls against SOC 2 Trust Service Criteria (CC / A / C / PI / P). Answer control questions, see where you stand, and get a prioritised remediation roadmap with policy document checklist before hiring an auditor.
Assess your readiness for ISO/IEC 27001:2022 certification across 28 Annex A controls in 14 domains. Answer control questions, get a readiness score, and receive a phased remediation roadmap with policy documents checklist before engaging a certification body.
Generate an EU AI Act Art. 50 transparency notice and provider/deployer compliance documentation pack for your AI system under Regulation (EU) 2024/1689. Covers risk classification, GPAI obligations, GDPR Art. 22 intersection, and prohibited practices confirmation.
Assess your organisation against all 10 NIS2 Art. 21 cybersecurity requirements. Get a scored gap report with prioritised remediation roadmap. For EU SaaS platforms, managed service providers, and digital service providers.
Generate a HIPAA SRA covering all Administrative, Technical, and Physical Safeguards (45 CFR Part 164). Required for all covered entities and business associates. Includes ePHI inventory, threat/vulnerability assessment, risk levels, and remediation roadmap.
Generate a Schrems II-compliant GDPR Transfer Impact Assessment (TIA) for all your international data transfers. Covers EU-US Data Privacy Framework, Standard Contractual Clauses (2021 SCCs), UK IDTA, BCRs, country-level legal risk analysis, and supplementary measures.
Generate a PCI DSS v4.0 Self-Assessment Questionnaire (SAQ) for your payment card environment. Covers SAQ A (fully outsourced), SAQ A-EP (e-commerce), SAQ C, and SAQ D (all merchants/service providers). Includes gap analysis, remediation priorities, and v4.0 new requirements.
Generate a LGPD-compliant Aviso de Coleta (Notice at Collection), Data Subject Rights Summary, and Privacy Policy addendum for Brazil's Lei Geral de Proteção de Dados. Covers all 10 lawful bases, 9 Art. 18 rights, sensitive data, and ANPD compliance.
Generate a complete internal TPRM policy with vendor tiers, due diligence matrix, contract requirements, ongoing monitoring frequency, incident response, and offboarding controls. Maps to ISO 27001 A.15, SOC 2 CC9.2, GDPR Art. 28, and NIS2 Art. 21(d).
Audit your cookie consent setup against GDPR, ePrivacy Directive, UK PECR, and CCPA. Check CMP configuration, banner design, consent records, withdrawal mechanisms, and Google Consent Mode v2 compliance. 18-control assessment with prioritised remediation checklist.
Generate a documented Legitimate Interests Assessment under GDPR Art. 6(1)(f). 3-step balancing test: purpose test (is there a legitimate interest?), necessity test (is it the minimum necessary?), and balancing test (do data subject rights override?). Includes privacy notice guidance and Art. 21 objection rights.
Generate a comprehensive AI/ML Model Card for EU AI Act compliance. Covers GPAI technical documentation (Art. 53 Annex XI/XII), risk classification, training data governance (Art. 10), performance evaluation, bias assessment, safety measures, human oversight (Art. 14), and environmental impact.
Generate a Whistleblower (Speak Up) Policy compliant with EU Directive 2019/1937 and UK PIDA. Covers reporting channels, protected disclosures, anti-retaliation protections, investigation timelines, GDPR-compliant data handling, and country-specific competent authority references.
Generate an AI Acceptable Use Policy for your SaaS product. Covers EU AI Act obligations, prohibited AI input content, prohibited output uses, bias and accuracy disclosures, human oversight levels, data-training transparency, content moderation approach, and enforcement mechanisms.
Generate a COPPA-compliant and GDPR Article 8 Children's Privacy Notice. Covers parental consent verification methods, age thresholds by jurisdiction, data minimisation for children, UK ICO Children's Code obligations, third-party restrictions, and parental rights to review, correct, and delete child data.
Generate a GDPR Article 33 supervisory authority breach notification form, an Article 34 plain-language individual notification letter, and an Article 33(5) internal breach register entry. Covers all mandatory disclosure elements with 72-hour deadline guidance.
Get a personalised SOC 2 evidence collection checklist organised by Trust Service Criteria control area. Covers exact evidence items, what auditors sample, how to collect from AWS/GitHub/GCP, PBC folder structure, and gap remediation for Type I and Type II audits.
Generate a complete security & compliance Trust Centre page for your SaaS website. Covers certifications, infrastructure, data regions, encryption, pen testing, bug bounty/disclosure, authentication, sub-processors, privacy compliance summary, and a pre-filled security FAQ for enterprise prospects.
Generate a GDPR Article 35 DPIA specifically for AI systems. Covers EU AI Act risk classification (Annex III), automated decision-making obligations (GDPR Art. 22), bias and fairness assessment, human oversight requirements, training data governance, and DPA prior consultation analysis (Art. 36).
Assess your readiness for ISO/IEC 27701:2019 PIMS certification — the privacy extension to ISO 27001. 26 controls across 8 domains, Annex A (controllers) + Annex B (processors). Includes ISO 27701 ↔ GDPR alignment table, certification roadmap, and gap remediation priorities.
Generate a complete Security Awareness Training Policy for your SaaS. Covers training schedule, curriculum, phishing simulation programme, completion tracking, and graduated consequences. Mapped to SOC 2 CC1.4, ISO 27001 A.6.3, HIPAA §164.308(a)(5), NIS2 Art. 21(2)(g), PCI DSS Req 12.6, and GDPR Art. 32.
Generate a complete internal DSAR (Data Subject Access Request) policy and procedure. Covers all 8 GDPR data subject rights, identity verification methods, per-right procedures, response timelines, refusal grounds, DSR register template, escalation paths, and audit logging requirements.
Generate a comprehensive AI risk register covering EU AI Act compliance, GDPR Art. 22 automated decision-making risks, algorithmic bias, prompt injection, model drift, third-party AI supply chain risks, and ISO 42001 alignment — with inherent risk scores, mitigation plans, and monitoring KPIs.
Generate Art. 28(3)(c) TOMs documentation for data processors. Covers encryption, access control, network security, application security, monitoring, HR controls, incident response (72-hour breach notification to controller), business continuity, audit rights, and sub-processor obligations — audit-ready for enterprise customers.
Generate an Internal IT Acceptable Use and BYOD Policy for your SaaS team. Covers device controls, network access, cloud apps, acceptable use, data handling, remote work security, monitoring disclosure (GDPR Art. 6(1)(f) legitimate interests), enforcement, and alignment to SOC 2 CC6.7, ISO 27001 A.6.2 / A.8, GDPR Art. 32, HIPAA, and PCI DSS Req. 12.
Generate a complete Access Control Policy for your SaaS company covering RBAC, least privilege, MFA requirements, privileged access management (PAM), user provisioning and deprovisioning, access reviews, remote access controls, and data access governance. Maps to SOC 2 CC6, ISO 27001 Annex A.9, HIPAA §164.312, PCI DSS Req 7 & 8, and GDPR Art. 32.
Generate a Data Classification Policy with a tiered classification scheme (Public / Internal / Confidential / Restricted), data type examples per tier, handling standards, storage controls, labelling guidance, and secure disposal procedures. Maps to ISO 27001 Annex A.8, SOC 2 C1, GDPR Art. 5/25/32, HIPAA, and PCI DSS Req 3 & 9.
Generate a Vulnerability Management & Patch Management Policy covering scanning cadence, CVSS severity classification, remediation timelines by severity, exception and risk acceptance process, tracking tools, and compliance mappings for SOC 2 CC7.1, ISO 27001 A.8.8, PCI DSS Req 6, NIS2 Art. 21(2)(e), NIST SP 800-40, and GDPR Art. 32.
Generate a Cryptography & Encryption Policy covering approved and prohibited algorithms, encryption at rest and in transit, key management lifecycle (generation, storage, rotation, destruction), TLS standards, secrets management requirements, and compliance mappings for ISO 27001 A.10, SOC 2 CC6.7, GDPR Art. 32, HIPAA, PCI DSS, and NIS2 Art. 21(2)(h).
Generate a Secure Software Development Lifecycle (SDLC) Policy covering code review requirements, branch protection, CI/CD security scanning (SAST, SCA, secrets detection), secrets management, environment separation, deployment authorisation, and dependency vulnerability management. Maps to SOC 2 CC8.1, ISO 27001 A.8.25/A.8.32, PCI DSS Req 6, and NIS2.
Generate a DORA-compliant ICT Risk Management Policy (EU Regulation 2022/2554) covering all five pillars: identification & risk assessment, protection & prevention, detection, response & recovery, and resilience testing. For financial entities, ICT third-party service providers, and SaaS vendors selling to EU financial institutions.
Generate a Log Management and Monitoring Policy for SaaS covering SIEM tool configuration, mandatory log sources (authentication, cloud infra, DB, admin access), log retention schedules, alerting thresholds, log integrity controls (immutable storage, NTP clock sync), and compliance evidence for SOC 2 CC7.2, ISO 27001 A.8.15/A.8.16/A.8.17, NIS2 Art. 21, HIPAA §164.312(b), and PCI DSS Req 10.
Generate an Email Security Policy covering DMARC/DKIM/SPF authentication (with DMARC policy progression from p=none to p=reject), anti-phishing controls, business email compromise (BEC) prevention, DLP rules for outbound PII/PHI/PCI data, email encryption requirements, archiving and retention, phishing simulation programme, and incident response. Maps to ISO 27001 A.8.23/A.8.7, SOC 2 CC6.7, NIS2 Art. 21(2)(g), HIPAA, PCI DSS Req 5, and GDPR Art. 32.
Generate a Password & Authentication Policy covering password complexity and length requirements, MFA enforcement scope, approved MFA methods (FIDO2/passkeys/TOTP), password manager policy, service account controls, privileged account management, SSO approach, account lockout, and session timeout. Maps to SOC 2 CC6.1/CC6.3, ISO 27001 A.8.5/A.8.2, PCI DSS v4.0 Req 8 (12-char minimum from March 2025), NIST SP 800-63B, NIS2 Art. 21(2)(j), and HIPAA §164.312(a).
Generate a Remote Work & Teleworking Security Policy covering device security controls (encryption, EDR, MDM), VPN and network requirements, home network security standards, data handling rules, cloud application controls, physical security at remote locations, GDPR-compliant employee monitoring disclosure, and incident reporting. Maps to ISO 27001 A.6.7/A.8.1, SOC 2 CC6.6/CC6.7, GDPR Art. 32, HIPAA §164.310/312, NIS2 Art. 21, PCI DSS Req 8.4.3, and NIST SP 800-46.
Generate a complete Network Security Policy covering firewall architecture, network segmentation, remote access controls (VPN/ZTNA), intrusion detection, DDoS protection, DNS security, and network monitoring. Maps to ISO 27001 A.8.20–A.8.23 (network security controls), SOC 2 CC6.6/CC6.7 (logical access from external boundaries; transmission of confidential information), PCI DSS v4.0 Req 1–2 (network security controls and secure configurations), NIS2 Art. 21, and HIPAA §164.312.
Generate a complete Asset Management Policy covering hardware, software, cloud infrastructure, data assets, and secrets inventory. Covers asset lifecycle (procurement → active → decommissioning → disposal), NIST 800-88 disposal methods, cloud resource tagging policy, secrets management, and MDM requirements. Maps to ISO 27001 A.5.9/5.10/5.11/8.1, SOC 2 CC6.1/CC6.7, CIS Controls v8 (Control 1/2), PCI DSS Req 2/12.3, NIST SP 800-171, and HIPAA §164.310(d).
Generate a Human Resources Security Policy covering pre-employment screening, employment contract security clauses, security awareness training requirements (annual, onboarding, phishing simulation), offboarding checklists with access revocation SLAs, remote working controls, and disciplinary process tiers. Maps to ISO 27001 A.6.1–A.6.7, SOC 2 CC1.1/CC1.4/CC6.2/CC6.3, NIS2 Art. 21(2)(g), and HIPAA §164.308(a)(3)/(5).
Generate a Change Management Policy covering environment separation (dev/staging/prod), code review requirements and branch protection configuration, deployment authorisation models (auto-deploy / manual / release manager), change documentation (PR-as-change-record), emergency change procedures with retroactive review, infrastructure change controls (IaC-only for production), security patch timelines, and CI/CD evidence collection. Maps to SOC 2 CC8.1, ISO 27001 A.8.32/A.8.8/A.8.25, HIPAA §164.308(a)(5), PCI DSS Req 6.3–6.5, and NIS2 Art. 21(2)(e).
Generate the Management Assertion Letter required before every SOC 2 audit. Covers the three AICPA-required assertions (system description fairly presented, controls suitably designed, controls operating effectively), trust service category scope, system component inventory, controls summary, and signature block. Supports Type I, Type II, and Bridge Letters. AICPA AT-C §205 compliant.
Assess your readiness for UK Cyber Essentials (CE) or Cyber Essentials Plus (CE+) certification. 22-control interactive checklist across all 5 CE areas: Firewalls, Secure Configuration, User Access Control, Malware Protection, and Patch Management. Generates a personalised gap report with prioritised remediation steps, certifying body guidance, and a 30-day remediation checklist.
Draft Section 3 of your SOC 2 report — the System Description — covering all 9 AICPA DC Section 200 required elements: infrastructure components, software, data, personnel, procedures, COSO control environment (all 5 components), subservice organisations with carve-out or inclusive treatment, Complementary User Entity Controls (CUECs), and management declaration placeholder. For Type I, Type II, and Bridge Letters.
Assess your cybersecurity posture against the NIST Cybersecurity Framework 2.0 (published February 2024). 37-subcategory interactive checklist across all 6 functions including the new GOVERN function (risk strategy, supply chain security, leadership accountability). Generates a scored gap report with prioritised remediation, implementation tier analysis, and framework crosswalk (SOC 2, ISO 27001, NIS2 Art. 21).
Generate your ISO 27001:2022 Statement of Applicability (SoA) — all 93 Annex A controls across 4 themes (Organisational/People/Physical/Technological). Applicability decisions pre-populated by company profile (cloud-native SaaS, SaaS with office, hybrid, on-prem). Per-control justifications for exclusions and implementation status (Planned/Partial/Implemented/Reviewed). Mandatory ISMS document for ISO 27001 certification (clause 6.1.3(d)).
Generate a pre-filled Vendor Security Questionnaire (DDQ) response — the document enterprise customers send before signing. Covers all 12 standard categories: security certifications (SOC 2, ISO 27001), encryption, access controls, MFA, network security, incident response, pen testing, availability SLA, sub-processors, data retention, audit logging, and compliance frameworks supported. Reduces enterprise deal cycle time by days.
Generate a clause 6.1.2 ISO 27001:2022 information security risk assessment — pre-loaded with 20 common SaaS risks across 8 categories, 5×5 risk matrix, threat and vulnerability analysis, risk scoring, treatment decisions (Mitigate/Transfer/Avoid/Accept), and Annex A control mappings. Required before ISO 27001 certification and pairs with the Statement of Applicability.
Assess your organisation's security posture against all 18 CIS Controls v8 safeguards across IG1, IG2, and IG3 implementation groups. Get a scored gap report (0–100%) with per-control status, critical gap prioritisation, SOC 2 / ISO 27001 / NIST CSF 2.0 crosswalk, and a phased remediation roadmap. Ideal for US SMBs, security programme baseline, and SOC 2 / ISO 27001 preparation.
Step-by-step EU AI Act obligations checklist for AI providers and deployers. Covers prohibited practices (Art. 5), transparency (Art. 50), high-risk AI requirements (Art. 9–15 — risk management, data governance, technical documentation, logging, human oversight, accuracy), conformity assessment, GPAI model obligations (Art. 53–55), and AI literacy (Art. 4). Scored by risk tier.
Comprehensive GDPR compliance audit across all key obligations — lawful basis (Art. 6), special category data (Art. 9), transparency (Art. 12–14), data subject rights (Art. 15–22), records of processing (Art. 30), processor agreements (Art. 28), security (Art. 32), breach notification (Art. 33–34), DPIAs (Art. 35), international transfers (Art. 44–49), and accountability (Art. 5(2)). Score your compliance posture and get a prioritised remediation report.
Generate a complete ISO 27001:2022 Clause 6.1.3 Risk Treatment Plan — the mandatory document that links your risk register to Annex A controls and your Statement of Applicability. Pre-loaded with 10 common SaaS risks across 8 categories. Covers treatment decisions (Mitigate/Transfer/Avoid/Accept), Annex A control selection, risk owners, implementation timelines, residual risk scoring, and formal risk acceptance register. Required before ISO 27001 certification and pairs with the Risk Assessment (Clause 6.1.2) and SoA (Clause 6.1.3(d)).
Generate a complete GDPR Art. 7 Consent Management Policy covering all consent types collected (marketing email, analytics cookies, advertising cookies, profiling, third-party sharing, special category, children's data, AI training), collection mechanisms (opt-in, double opt-in, cookie banner), withdrawal processes (Art. 7(3)), record-keeping for accountability (Art. 5(2)), children's consent (Art. 8 — under 16), ePrivacy cookie consent requirements, and consent chain documentation for third-party sharing.
Generate a Clause 9.2 ISO 27001:2022 internal audit checklist covering all mandatory ISMS clauses (4–10) and 14 key Annex A control areas: access control (A.5.15–A.8.5), asset management, cryptography (A.8.24), supplier security (A.5.19–21), incident management (A.5.24–26), vulnerability management (A.8.8), change management (A.8.32), and business continuity (A.5.29, A.8.13). Per-control status (Conforms/Partially Conforms/Nonconformity/N/A) with evidence and finding fields. Generates a formal internal audit report for certification preparation, surveillance audits, and Clause 9.2 compliance.
Generate a NIS2 Article 21 cybersecurity risk assessment for Essential and Important Entities. Covers all 10 Art. 21(2) mandatory measure categories: risk analysis policies (a), incident handling (b), business continuity/backup (c), supply chain security (d), secure development/vulnerability management (e), effectiveness assessment/pen testing (f), cyber hygiene/training (g), cryptography (h), access control/asset management (i), and MFA/secure communications (j). Risk register with likelihood, impact, treatment decision, owner, and notes. Art. 20 management body accountability guidance. Generates a full NIS2 risk assessment report with Art. 21 compliance gap table and phased remediation roadmap.
Assess your organisation’s readiness against ISO/IEC 42001:2023 — the international standard for AI Management Systems (AIMS). Covers all mandatory clauses: Cl. 4 (context), Cl. 5 (leadership + AI Policy), Cl. 6 (planning + AI risk assessment + SoA), Cl. 7 (support + competence), Cl. 8 (operation: AI risk assessment, AI Impact Assessment, lifecycle controls, data governance, decommissioning), Cl. 9 (performance evaluation + internal audit), and Annex A controls (transparency, explainability, human oversight, data governance, third-party AI). Generates a gap assessment report with AIMS maturity score, critical gaps, certification roadmap, and EU AI Act alignment notes.
Assess your organisation’s compliance with Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act) and prepare for Bill C-27 (Consumer Privacy Protection Act / CPPA). Covers all 10 PIPEDA Fair Information Principles: accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Also covers Bill C-27 upcoming obligations: mandatory privacy compliance program, automated decision-making transparency (s.55/62), right to explanation, data portability (s.63), PIAs for high-risk activities, de-identification standard, and enhanced children’s privacy. Province-specific context: Alberta PIPA, BC PIPA, Quebec Law 25.
Assess your organisation’s readiness against PCI DSS v4.0 across all 12 requirement groups — from network security controls (Req 1) and stored account data protection (Req 3) to access management (Req 7-8), logging (Req 10), vulnerability management (Req 11), and information security policy (Req 12). Includes the four new v4.0 requirements: Req 5.4 (phishing protection), Req 6.4.3 (payment page script management), Req 8.4 (expanded MFA to all CDE access), and Req 11.6.1 (payment page change/tamper detection). Entity-type context: Merchant (Level 1-4), Service Provider, or SaaS vendor. Generates a gap assessment report with QSA-ready evidence guidance and phased remediation roadmap.
Generate a HIPAA Security Rule §164.308(a)(1) Security Risk Assessment covering all administrative, physical, and technical safeguards. Identifies ePHI risks across 18 HIPAA Security Rule safeguard areas: workforce training, access management, workstation controls, device media controls, audit controls, transmission security, and more. Includes risk scoring, vulnerability identification, and recommended safeguards aligned to HHS guidance and NIST SP 800-66r2. For covered entities (healthcare providers, health plans, clearinghouses) and business associates.
Track SOC 2 control remediation across CC1-CC9, A1, and C1. Assign owners, set due dates, mark evidence collected, and generate a full remediation & evidence collection plan with PBC list. The essential next step after your SOC 2 gap assessment.
FERPA compliance checklist for EdTech SaaS companies and educational institutions. Covers the school official exception (34 CFR §99.31(a)(1)), student data restrictions, COPPA overlap for under-13 students, and state student privacy laws (California SOPIPA, New York §2-d, SDPC NDPA).
Interactive CCPA and CPRA compliance assessment for businesses collecting personal information from California residents. Covers all consumer rights, Do Not Sell or Share link, GPC signal, sensitive PI controls, data minimisation and retention (CPRA), service provider contracts, and security requirements. Generates a full compliance gap analysis report.
Assess NIST SP 800-171 compliance mapped to CMMC 2.0 Level 2 for organisations handling Controlled Unclassified Information (CUI) under DoD contracts. Covers all 14 security families: access control, MFA, encryption, incident response (72-hour DIBNet reporting), risk assessment, and configuration management. Generates an SSP framework and pre-populated POA&M for SPRS upload.
Generate a penetration testing policy covering scope, methodology, testing frequency, provider qualifications, CVSS-based finding classification, remediation timelines (Critical 7d / High 30d / Medium 90d), report handling, retesting, and responsible disclosure. Covers SOC 2 CC4.1, ISO 27001 A.8.8, PCI DSS Req 11, NIS2 Art. 21(2)(e), and HIPAA.
Assess your security posture against the controls cyber insurers evaluate during underwriting. Covers all Big-5 underwriting factors: MFA (remote access/email/admin), EDR deployment, immutable backup, patch management, and incident response. Also covers email security, network controls, and data protection. Generates a gap report and 30-day action plan.
Generate a FedRAMP Authorization Roadmap covering control readiness across all key NIST SP 800-53 families, SSP requirements, 3PAO assessment prep, and continuous monitoring obligations. Covers FedRAMP Low, Moderate, and High impact levels via Agency or JAB authorization path.
Assess your readiness for HITRUST CSF certification across all three levels — e1 (44 controls), i1 (182 controls), and r2 (375+ controls). Built for healthcare SaaS, digital health, and health IT vendors. Covers HIPAA alignment, BAAs, access control, encryption, risk analysis, incident response, and breach notification.
Generate a complete ISO/IEC 27001:2022 Clause 9.3 management review record covering all 7 mandatory inputs and 3 mandatory outputs for certification bodies.
Generate a GDPR Article 25 Privacy by Design and by Default assessment covering all 7 PbD principles, technical measures, DPIA triggers, and an implementation roadmap.
Assess your compliance with APRA Prudential Standard CPS 234 Information Security. Covers all 8 requirement areas: capability, policy, asset classification, controls, incident management, testing, internal audit, and APRA notification obligations (72h incidents, 10-day weaknesses, annual self-assessment).
Assess your compliance with the EU Digital Operational Resilience Act (DORA) Regulatory Technical Standards, effective January 2025. Covers ICT risk management, major incident reporting (4h/72h/1 month), resilience testing, and third-party ICT risk register. For EU financial entities.
Generate a comprehensive Supplier Code of Conduct aligned with CSDDD (EU Corporate Sustainability Due Diligence Directive), German Supply Chain Act (LkSG), UK Modern Slavery Act, and ILO Core Labour Standards. Covers forced labour, child labour, environmental standards, anti-corruption, audit rights, and cascading obligations to sub-suppliers.
Assess your EU investment firm's compliance across 8 MiFID II pillars: authorisation and governance, client suitability (including ESG preferences per Del. Reg. 2021/1253), costs and charges disclosure, best execution, transaction reporting (MiFIR Art. 25, 65 data fields), product governance, conflicts of interest, and MAR market abuse surveillance.
Assess your high-risk AI system against all Art. 9–15 EU AI Act obligations. Covers: risk management system (Art. 9), data governance (Art. 10), technical documentation (Annex IV), human oversight with automation bias controls (Art. 14), accuracy and robustness (Art. 15), QMS, EU AI database registration, post-market monitoring, and EU Declaration of Conformity. For providers of Annex III AI systems.
Assess your company's CSRD readiness across all European Sustainability Reporting Standards (ESRS). Covers ESRS 1 double materiality assessment, ESRS 2 governance disclosures, ESRS E1 climate (GHG Scope 1/2/3, transition plan, physical risks), ESRS S1 workforce metrics and gender pay gap, ESRS S2–S4 value chain and social, and ESRS G1 anti-corruption. For Phase 2 reporters (FY2025) and beyond.
Assess your product's compliance with the EU Cyber Resilience Act (Regulation 2024/2847). Covers all Annex I Part I product security requirements (secure by design/default, authentication, encryption, integrity, logging, DoS resilience, updateability), Annex I Part II vulnerability handling obligations (CVD policy, ENISA 24h reporting, free security updates), Annex VII technical documentation and SBOM, and conformity assessment + CE marking. For manufacturers and importers of connected hardware and software products.
Assess your organisation's compliance with EU Directive 2019/1937 on whistleblower protection. Covers internal reporting channel requirements (Art. 8-9 — written, oral, in-person), 7-day acknowledgment and 3-month diligent follow-up (Art. 11), confidentiality obligations (Art. 16), GDPR intersection (DPIA, Art. 13-14 notices, data retention), anti-retaliation protection (Art. 19 — reversed burden of proof), policy communication, manager training, and record-keeping. Required for companies with 50+ employees and all financial sector firms.
Assess all ISO 27001:2022 Annex A controls across four themes: Organisational (A.5 — 37 controls including threat intelligence A.5.7, cloud A.5.23, ICT readiness A.5.30), People (A.6 — 8 controls including remote working A.6.7), Physical (A.7 — 14 controls), and Technological (A.8 — 34 controls including configuration management A.8.9, data masking A.8.11, DLP A.8.12, secure coding A.8.28). Generate a detailed gap analysis with prioritised remediation roadmap and certification journey timeline for ISO 27001:2022 certification.
Classify ICT-related incidents under DORA Regulation (EU) 2022/2554 (applicable 17 January 2025). Evaluate all Art. 19 classification criteria per Commission Delegated Regulation (EU) 2024/1772: client threshold (>10% or 50,000 clients), transaction threshold (>10% or €5M), reputational impact, duration (≥4h for critical functions), geographic spread, data loss/integrity, and critical function impact. Generates classification report with 24h early warning / 72h intermediate / 1-month final reporting timelines, RTO/RPO analysis, parallel GDPR/NIS2 obligations, and competent authority contacts. For EU financial entities: banks, payment institutions, investment firms, insurers, CCPs, crypto-asset service providers.
Assess your organisation's AI governance maturity against the NIST AI Risk Management Framework 1.0 (published January 2023 by NIST). Evaluate 48 items across all four core functions — GOVERN (14 items: risk policy, tolerance, roles, human oversight, vendor risk), MAP (12 items: AI system inventory, high-risk use cases, bias assessment, risk categorisation), MEASURE (12 items: performance and fairness metrics, red-teaming, robustness/security/privacy testing, drift monitoring), and MANAGE (10 items: risk treatment, model rollback, incident logging, continuous improvement). Generates a scored gap assessment report with maturity rating (AI RMF Leader / Progressing Well / Foundation Stage / Significant Gaps), critical and high-priority gap cards, GOVERN/MAP/MEASURE/MANAGE deep dives, framework crosswalk (EU AI Act, ISO 42001), and a phased 0-12 month remediation roadmap. For AI developers, deployers, AI product companies, and enterprises using AI.
Assess compliance with Regulation (EU) 2023/2854 (EU Data Act, applicable September 2025). Covers user data access rights (Art. 3-8 — real-time access, machine-readable format, third-party sharing, prohibition on contractual restrictions), B2B data sharing contracts (Art. 9-13 — mandatory clauses, unfair clause blacklist), B2G data requests (Art. 14-26 — exceptional necessity, purpose limitation, data deletion), and cloud switching obligations (Art. 23-31 — 30-day maximum transition period, zero egress fees from 2027, interoperability APIs). Generates a compliance gap report with remediation roadmap for IoT manufacturers, cloud providers, SaaS companies, and data holders.
Assess your AI governance maturity against the NIST AI Risk Management Framework 1.0 (January 2023). Evaluate 48 items across all four core functions: GOVERN (14 items — AI risk policy, human oversight, third-party AI vendor risk, legal review), MAP (12 items — AI system inventory, risk categorisation, bias assessment, affected population documentation), MEASURE (12 items — performance metrics, fairness testing, red-teaming, post-deployment monitoring, explainability), and MANAGE (10 items — risk treatment plans, emergency shutdown, incident response, model versioning). Generates a maturity gap report with function-level scoring and a three-phase remediation roadmap. For AI developers, deployers, and enterprises using AI.
Assess your Strong Customer Authentication (SCA) implementation and PSD3 readiness under PSD2 (Directive 2015/2366) and EBA RTS on SCA (Delegated Regulation (EU) 2018/389). 40 items across SCA requirements (dynamic linking, Art. 5 authentication codes, TRA exemption monitoring), open banking APIs (eIDAS certificate validation, API uptime SLA, TPP onboarding rules), PSD3/PSR transition (COM(2023) 366 — IBAN/name verification, open finance, APP fraud liability), consumer rights (Art. 73-74 refund obligations), and fraud prevention (EBA fraud rate reporting, PCI DSS). Generates SCA compliance report with gap cards and remediation roadmap for PSPs, TPPs, banks, fintechs, and e-money institutions.
Step-by-step NIS2 Art. 23 incident reporting readiness playbook for essential and important entities. 42 items across incident detection & classification, 24-hour early warning (Art. 23(1)(a)), 72-hour intermediate notification (Art. 23(1)(b) with IoC package and impact assessment), CSIRT coordination and NCA engagement (Art. 11-14), 1-month final report with full root cause analysis (Art. 23(1)(c)), and post-incident review with evidence retention. Covers significant-incident classification thresholds, parallel GDPR Art. 33 obligations, EU-CyCLONe escalation, and CSIRT directory for EU Member States. Generates a complete incident reporting playbook with NIS2 notification templates, timeline checklist, and gap remediation plan. Penalties: EE up to €10M / 2% global turnover; IE up to €7M / 1.4%.
42-item FCA Consumer Duty (PRIN 2A / PS22/9) gap assessment covering all four outcomes: Products & Services (target market, product governance, foreseeable harm), Price & Value (fair value assessment, value chain analysis, add-on products, renewal pricing PS21/5), Consumer Understanding (comprehension testing, digital dark patterns, vulnerable customers FG21/1), Consumer Support (exit processes, claims outcomes, financial difficulty). Includes governance (annual board attestation PRIN 2A.2.18R, SM&CR champion, MI framework), distributor/manufacturer information sharing obligations, and monitoring programme. Generates full compliance assessment report with per-outcome scorecard, critical gap remediation plan, and fair value assessment framework.
42-item SOC 2 Type II audit readiness assessment for the observation period — evidence collection planning (population lists, automated evidence, AICPA sampling methodology), access controls and quarterly reviews (CC6 — JML process within 24-48h SLA, PAM, MFA enforcement, service account rotation), change management (CC8 — approval tickets for every production deployment, branch protection, SAST/DAST in CI/CD), continuous monitoring (CC7 — SIEM operations, monthly vulnerability scans, annual pen test timing, backup restore tests), risk management (CC3/CC9 — sub-service org CUEC mapping for AWS/GCP/Azure, vendor SOC 2 review, BCP/DR tabletop), and policies (CC1/CC2 — policy review cycle, 100% acknowledgement records). Generates Type II readiness report with AICPA sampling windows, evidence gap analysis, and T-6 month audit preparation timeline.
42-item EU AI Liability Directive (COM(2022) 496) readiness assessment across 6 categories: scope and coverage (EU AI Act Annex III classification, territorial scope, provider/deployer role), strict liability readiness for high-risk AI (Art. 4 — no-fault exposure, insurance coverage, disclosure obligations, harm causation chain), fault-based liability and rebuttable presumption (Art. 3 — duty of care standard, court-ordered disclosure, logging requirements, contributory negligence framework), transparency and evidence obligations (EU AI Act Art. 13/72/73, Annex IV technical docs, human oversight), AI governance (ISO 42001, AI risk register, FRIA under EU AI Act Art. 27, CAIO designation, ERM), and claims readiness (legal hold procedure, supply chain indemnification, GPAI catastrophic risk). Timely as EU AI Act reaches full applicability August 2026. Generates report referencing specific COM(2022) 496 articles and EU AI Act provisions.
42-item DORA Art. 28 ICT third-party register compliance assessment across 6 categories: register structure and mandatory RTS fields (LEI, data locations, sub-contractor chain, NCA submission format), criticality assessment and CTPP designation (Art. 28(4) criteria — substitutability, concentration risk, systemic importance, exit strategy per Art. 28(8)), Art. 30 mandatory contractual provisions (all 11 elements: service description, data locations, applicable law, performance monitoring, audit/inspection rights, incident reporting, BCP obligations, data portability, sub-contractor change notification, DORA termination rights, exit assistance), ongoing monitoring and due diligence (continuous monitoring, annual reviews, TLPT scope, CTPP oversight), ICT resilience integration (BCP/DRP TPSP dependencies, BIA, RTO/RPO testing, DORA Art. 17–23 incident reporting), and governance and NCA reporting (management body approval, annual register submission, legacy contract remediation). For EU financial entities: banks, payment institutions, investment firms, insurance undertakings.
42-item ISO/IEC 27701 Privacy Information Management System gap assessment across 6 domains: PIMS scope and ISO 27001 integration (§4–5 — scope statement, PII role determination as controller/processor, management commitment, privacy objectives); PII controller controls (§7 — lawful basis per GDPR Art. 6, privacy notices Art. 13/14, consent management and withdrawal, data subject rights: access/erasure/portability/objection Art. 15–21, PII minimisation, purpose limitation, third-party sharing); PII processor controls (§8 — Art. 28 GDPR DPAs with all mandatory provisions, controller instruction compliance, sub-processor list and notification, return/deletion on termination, audit facilitation, breach notification to controllers, international transfer safeguards); privacy risk management and DPIA (ISO 27701 §5, 6.3 — privacy risk assessment integrated with ISO 27001, Art. 35 DPIA process, DPIA triggers, risk treatment, residual risk sign-off); privacy by design and technical controls (ISO 27701 §6, Annex B — PbD in SDLC, data minimisation at collection, pseudonymisation, encryption at rest/transit, access controls, retention schedules, PETs); governance, audit and certification (§5.8, 9–10 — DPO designation, PIMS internal audit, management review, corrective action, staff training, documentation, ISO 27701 certification readiness). For DPOs, CISOs, privacy counsel, ISO 27001-certified orgs adding the 27701 privacy extension.
42-item NIST Cybersecurity Framework 2.0 Tier Assessment across all six CSF 2.0 functions: GOVERN function (new in CSF 2.0 — GV: cybersecurity risk strategy board approval, roles and responsibilities, risk tolerance and appetite, policy review cycle, legal/regulatory requirements tracking, supply chain cybersecurity policy GV.SC, board reporting metrics GV.OV); IDENTIFY function (ID: asset inventory hardware/software/data, business environment and critical functions, risk assessment process, supply chain third-party risk assessment, vulnerability management, risk register, dependency mapping); PROTECT function (PR: IAM and MFA and RBAC, data security encryption and DLP, secure configuration baselines, security awareness training, EDR/SIEM/WAF protective technology, software supply chain security SBOM, patch management SLAs); DETECT function (DE: continuous network/cloud monitoring, centralised SIEM logging, anomaly detection with escalation, detection testing red/purple team, threat intelligence IOC integration, cloud detection coverage, insider threat monitoring); RESPOND function (RS: incident response plan tested annually, incident classification and severity, communication plan internal/regulatory/public, containment and eradication procedures, lessons learned process, external CERT/MSSP coordination, breach notification timelines GDPR/NIS2/HIPAA); RECOVER function (RC: recovery plan and BCP alignment, RTO/RPO for critical systems, backup strategy and testing, recovery integration with IRP, post-recovery review, stakeholder communications, continuous improvement). Determines Tier 1–4 with gap analysis and Tier progression roadmap. For CISOs, CROs, boards, and organisations needing SEC cybersecurity disclosure support.
42-item EU ePrivacy Regulation readiness assessment covering cookie & tracker consent (Art. 5(3) / Reg. Art. 8), electronic direct marketing (Art. 13/16), communications confidentiality, machine-to-machine & IoT, tracking technologies, and governance. Aligned with ePrivacy Directive 2002/58/EC and draft Regulation COM(2017) 10. For DPOs, privacy counsel, product teams, and marketing teams.
42-item AI fairness and algorithmic bias audit covering training data governance (EU AI Act Art. 10), fairness metrics (demographic parity, equalised odds, intersectional testing), model transparency (Art. 13), human oversight & contestability (Art. 14), ongoing fairness monitoring & drift detection (Art. 72), and accountability governance including FRIA. For AI/ML teams, Responsible AI leads, and compliance teams in high-risk AI domains.
42-item CMMC 2.0 Level 2 gap assessment covering all key NIST 800-171 practice domains — access control, MFA & authentication, configuration management, incident response & audit logging, system & communications protection (FIPS 140-2/3 encryption for CUI), and awareness & supply chain risk. Includes DFARS 252.204-7012 cyber incident reporting deep dive. For DoD contractors, subcontractors, and teams preparing for C3PAO assessment.
42-item DMA compliance checklist covering gatekeeper designation thresholds (Art. 3), absolute obligations including data combination prohibition & parity clauses (Art. 5), fair conduct including self-preferencing prohibition & alternative app stores (Art. 6), messaging interoperability (Art. 7), transparency & audit obligations, and governance programme. For designated and potential gatekeepers and their legal/policy teams.
SOC 2 policy pack and EU AI Act documentation are on the roadmap.
Join waitlist for more frameworks →All outputs are AI-generated draft templates, not legal advice. ComplyKit is not a law firm and does not provide legal services. Have any document reviewed by a qualified lawyer admitted in your jurisdiction before publishing.