SOC 2 Pre-Audit

SOC 2 Management Assertion Letter Generator

Generate a complete SOC 2 Management Assertion Letter — the formal document management must sign before every SOC 2 audit. Covers system description assertion, control design (Type I) or operating effectiveness (Type II) assertions, and trust service category scope.

SOC 2 Type I & II · AICPA TSC 2017 · Pre-audit required

What is a Management Assertion Letter? Before issuing a SOC 2 report, your auditor requires management to formally assert that: (1) the system description is fairly presented, (2) the controls described are suitably designed (Type I), and (3) the controls operated effectively throughout the period (Type II). This document is signed by management and included in the final SOC 2 report. It is not optional.

Step 1: Organisation & Audit Scope
Step 2: Controls & Assertions

Organisation Details

The name of the system covered by this SOC 2 audit (e.g. "Acme SaaS Platform", "Acme Data Processing Service")

Briefly describe what the system does, who uses it, and what customer data it processes

Audit Scope & Period

Type I covers design at a point in time. Type II covers operating effectiveness over a period.

The date management signs the assertion (usually at or just after the audit period end)

Security (CC) is always required. Add additional categories if your audit scope includes them.

Build Your Full Compliance Stack

Generate all the documents your SaaS needs.

Privacy Policy
GDPR, CCPA & global-compliant privacy policy for your SaaS.

Terms of Service
Limit liability, define usage rules, protect your IP.

Cookie Policy
ePrivacy & GDPR compliant cookie disclosure.

Refund Policy
Clear refund rules that reduce chargebacks & disputes.

Acceptable Use Policy
Prohibit abuse, define enforcement, meet DSA requirements.

GDPR Data Processing Agreement (Enterprise)
Article 28 DPA for your processor relationships.

HIPAA Business Associate Agreement (Healthcare)
Required before handling PHI on behalf of covered entities.

NDA Generator
Mutual or one-way NDAs for contractors, investors & partnerships.

Information Security Policy (SOC 2)
SOC 2-ready InfoSec policy covering access control, encryption, and incident response.

Incident Response Plan (SOC 2)
NIST-structured IRP with severity playbooks, CSIRT roles, and GDPR 72-hour breach notification.

DPIA Template Generator (GDPR Art. 35)
GDPR Art. 35 Data Protection Impact Assessment with risk table and necessity test.

Data Retention Policy (GDPR Art. 5)
GDPR-compliant retention schedule with per-category periods, deletion procedures, and legal basis table.

CCPA / CPRA Compliance Pack (CCPA / CPRA)
Notice at Collection, Do Not Sell or Share opt-out page, and California Consumer Privacy Rights summary.

Sub-Processor List (GDPR Art. 28)
GDPR Art. 28(4) public sub-processor list with 40+ pre-loaded vendors, transfer mechanisms, and DPA links.

BCP / DRP Plan (SOC 2 A1)
Business Continuity & Disaster Recovery Plan covering RTO/RPO, SOC 2 A1, GDPR Art. 32, and recovery playbooks.

Vendor Risk Assessment (ISO 27001 A.15)
Security questionnaire to send to new SaaS vendors before onboarding; covers data security, privacy, and compliance.

DSR Response Template (GDPR Art. 15–22)
GDPR-compliant response letters for Data Subject Requests: access, erasure, portability, rectification, restriction, and objection.

Employee Privacy Notice (GDPR Art. 13)
GDPR Art. 13 compliant privacy notice for employees, contractors, and job applicants, covering HR data and lawful bases.

GDPR Article 30 RoPA (GDPR Art. 30)
Form-based Records of Processing Activities builder. Document each processing activity with lawful basis, retention, recipients, and transfers.

SOC 2 Gap Assessment (SOC 2)
Evaluate your security controls against SOC 2 Trust Service Criteria. Get a gap report with prioritised remediation roadmap.

ISO 27001 Gap Assessment (ISO 27001)
Assess your readiness for ISO/IEC 27001:2022 certification across 28 Annex A controls. Gap report + remediation roadmap.

EU AI Act Declaration (EU AI Act)
Generate an Art. 50 transparency declaration and provider/deployer compliance documentation for your AI system.

NIS2 Compliance Checklist (NIS2)
Assess all 10 NIS2 Art. 21 cybersecurity requirements and get a scored gap report for EU digital service providers.

HIPAA Security Risk Assessment (HIPAA SRA)
Generate a HIPAA SRA covering all Administrative, Technical, and Physical Safeguards. Required for CEs and BAs.

GDPR Transfer Impact Assessment (TIA) (Chapter V)
Generate a Schrems II-compliant TIA for international data transfers. Covers SCCs, DPF, UK IDTA, and country risk analysis.

PCI DSS SAQ Generator (PCI DSS v4)
Generate a PCI DSS v4.0 Self-Assessment Questionnaire. Covers SAQ A, SAQ A-EP, SAQ C, and SAQ D.

LGPD (Brazil) Compliance Pack (LGPD)
Generate Aviso de Coleta, Data Subject Rights Summary, and LGPD Privacy Policy addendum for Brazil compliance.

TPRM Policy Generator (Enterprise)
Generate a complete Third-Party Risk Management policy with vendor tiers, due diligence, and monitoring controls.

Cookie Consent Audit (GDPR + ePrivacy)
Audit your CMP configuration, cookie banner design, consent records, and Google Consent Mode v2 against GDPR and ePrivacy requirements.

GDPR LIA Generator (Art. 6(1)(f))
Generate a documented Legitimate Interests Assessment (LIA) for GDPR Art. 6(1)(f) processing activities. 3-step balancing test.

AI/ML Model Card Generator (EU AI Act Art. 53)
Generate an EU AI Act Art. 53 Model Card for your AI system. Covers GPAI documentation, risk classification, bias evaluation, and safety measures.

Whistleblower Policy Generator (EU Directive 2019/1937)
Generate a Whistleblower Policy compliant with EU Directive 2019/1937 and UK PIDA. Anti-retaliation protections, reporting channels, GDPR data handling.

AI Acceptable Use Policy (EU AI Act)
Generate an AI AUP covering EU AI Act obligations, prohibited inputs/outputs, bias disclosures, human oversight levels, and enforcement mechanisms.

Children's Privacy Policy (COPPA · GDPR Art. 8)
COPPA & GDPR Art. 8 children's privacy notice with parental consent framework, age verification, data minimisation, and UK Children's Code compliance.

GDPR Breach Notification (GDPR Art. 33 & 34)
Generate an Art. 33 DPA supervisory authority notification form, Art. 34 individual notification letter, and Art. 33(5) breach register entry.

SOC 2 Evidence Pack (SOC 2 Audit Prep)
Personalised SOC 2 evidence collection checklist by Trust Service Criteria control area, with exact evidence items, auditor expectations, and how to collect using AWS, GitHub, and common SaaS tools.

Trust Centre Page (Enterprise Sales)
Generate a complete security & compliance Trust Centre page for your SaaS website: certifications, infrastructure, encryption, pen testing, privacy, and a security FAQ for enterprise prospects.

AI Privacy Impact Assessment (GDPR + EU AI Act)
Generate a GDPR Art. 35 DPIA specifically for AI systems: EU AI Act risk classification, automated decision-making analysis (Art. 22), bias assessment, and human oversight documentation.

ISO 27701 PIMS Gap Assessment (ISO 27701 PIMS)
Assess readiness for ISO/IEC 27701:2019 PIMS certification, the privacy extension to ISO 27001. 26 controls, Annex A (controller) + Annex B (processor), GDPR alignment map.

Security Awareness Training Policy (SOC 2 · ISO 27001 · HIPAA)
Generate a complete Security Awareness Training Policy mapped to SOC 2 CC1.4, ISO 27001 A.6.3, HIPAA §164.308(a)(5), NIS2 Art. 21(2)(g), PCI DSS Req 12.6: training schedule, phishing simulation, tracking, consequences.

DSAR Policy & Procedure (GDPR · UK GDPR)
Generate an internal GDPR data subject access request policy: intake channels, identity verification, per-right procedures, timelines, refusal grounds, DSR register, escalation, and audit logging.

AI Risk Register (EU AI Act · ISO 42001)
Generate a comprehensive AI risk register covering EU AI Act compliance, GDPR Art. 22, algorithmic bias, prompt injection, model drift, and ISO 42001, with inherent risk scores and mitigation plans.

GDPR Processor Security Policy (GDPR Art. 28(3)(c))
Generate Art. 28(3)(c) TOMs documentation for data processors. Covers encryption, access control, incident response, audit rights, and sub-processor obligations.

Internal IT & BYOD Policy (SOC 2 · ISO 27001)
Generate an Internal IT Acceptable Use and BYOD Policy. Covers device controls, network access, cloud apps, remote work, monitoring disclosure, and SOC 2 / ISO 27001 compliance.

Access Control Policy (SOC 2 CC6 · ISO 27001 A.9)
Generate a complete Access Control Policy covering RBAC, least privilege, MFA, privileged access management, user provisioning/deprovisioning, access reviews, and remote access controls.

Data Classification Policy (ISO 27001 A.8 · SOC 2)
Generate a Data Classification Policy with tiered classification levels (Public/Internal/Confidential/Restricted), handling standards, storage controls, labelling guidance, and disposal procedures.

Vulnerability Management Policy (SOC 2 CC7.1 · ISO 27001 A.8.8)
Generate a Vulnerability Management & Patch Management Policy with scanning cadence, CVSS severity classification, remediation timelines, exception handling, and compliance framework mappings (SOC 2 CC7.1, ISO 27001 A.8.8, PCI DSS, NIS2).

Cryptography & Encryption Policy (ISO 27001 A.10 · SOC 2 CC6.7)
Generate a Cryptography & Encryption Policy with approved algorithms, encryption at rest and in transit, key management lifecycle, TLS standards, and compliance mappings (ISO 27001 A.10, SOC 2 CC6.7, GDPR Art. 32, HIPAA, PCI DSS).

Secure SDLC Policy (SOC 2 CC8.1 · ISO 27001 A.8.25)
Generate a Secure Software Development Lifecycle (SDLC) Policy covering code review requirements, CI/CD security scanning, secrets management, environment separation, and deployment authorisation controls.

DORA ICT Risk Management Policy (DORA Art. 5–16 · Fintech)
Generate a DORA-compliant ICT Risk Management Policy covering identification, protection, detection, response, recovery, and resilience testing for financial entities and ICT third-party service providers.

Log Management & Monitoring Policy (SOC 2 CC7.2 · ISO 27001 A.8.15)
Generate a Log Management and Monitoring Policy covering SIEM configuration, log sources, retention requirements, alert thresholds, and compliance with SOC 2 CC7.2 and ISO 27001 A.8.15/A.8.16.

Email Security Policy (ISO 27001 A.8.23 · DMARC)
Generate an Email Security Policy covering DMARC/DKIM/SPF authentication, anti-phishing controls, BEC prevention, DLP rules, email encryption, and compliance with ISO 27001 A.8.23 and SOC 2.

Password & Authentication Policy (SOC 2 CC6.3 · ISO 27001 A.8.5)
Generate a Password & Authentication Policy covering password complexity, MFA enforcement, service account controls, privileged access management, and SSO. Maps to SOC 2 CC6.1/CC6.3, ISO 27001 A.8.5, PCI DSS Req 8, and NIST SP 800-63B.

Remote Work Security Policy (ISO 27001 A.6.7 · SOC 2 CC6.6)
Generate a Remote Work & Teleworking Security Policy covering device controls, VPN requirements, home network security, data handling, cloud app controls, and physical security. Maps to ISO 27001 A.6.7, SOC 2 CC6.6, and GDPR Art. 32.

Network Security Policy (ISO 27001 A.8.20 · SOC 2 CC6.6)
Generate a Network Security Policy covering firewall architecture, network segmentation, remote access (VPN/ZTNA), DNS security, DDoS protection, and network monitoring. Maps to ISO 27001 A.8.20–A.8.23, SOC 2 CC6.6/CC6.7, PCI DSS Req 1, and NIS2 Art. 21.

Asset Management Policy (ISO 27001 A.5.9 · CIS Control 1/2)
Generate an Asset Management Policy covering hardware, software, cloud infrastructure, and secrets inventory, with NIST 800-88 disposal procedures and cloud resource tagging policy. Maps to ISO 27001 A.5.9/5.10/5.11, SOC 2 CC6.1, and CIS Controls 1/2.

HR Security Policy (ISO 27001 A.6 · SOC 2 CC1.1)
Generate an HR Security Policy covering pre-employment screening, employment contract security clauses, security awareness training requirements, offboarding checklists, and disciplinary process. Maps to ISO 27001 A.6, SOC 2 CC1.1/CC6.2/CC6.3, NIS2 Art. 21(2)(g), and HIPAA §164.308(a)(3).

Change Management Policy (SOC 2 CC8.1 · ISO 27001 A.8.32)
Generate a Change Management Policy covering code review requirements, environment separation, deployment authorisation models, emergency change procedures, and CI/CD evidence collection. Maps to SOC 2 CC8.1, ISO 27001 A.8.32, PCI DSS Req 6, and NIS2 Art. 21(2)(e).

Cyber Essentials Compliance Checklist (UK Cyber Essentials · CE+)
Assess your readiness for UK Cyber Essentials (CE) or Cyber Essentials Plus (CE+) certification. 22-control checklist across all 5 CE areas: Firewalls, Secure Configuration, User Access Control, Malware Protection, and Patch Management. Includes gap report with remediation steps.

SOC 2 System Description Generator (SOC 2 Type I & II · DC Section 200)
Draft Section 3 of your SOC 2 report, the System Description. Covers all 9 AICPA DC Section 200 required elements: infrastructure components, software, data, personnel, procedures, COSO control environment, subservice organisations (carve-out/inclusive), CUECs, and management declaration. For Type I, Type II, and Bridge Letters.

NIST CSF 2.0 Gap Assessment (NIST CSF 2.0 · GOVERN (New))
Assess your cybersecurity posture against NIST Cybersecurity Framework 2.0 (published February 2024). 37-subcategory checklist across all 6 functions including the new GOVERN function. Includes readiness score, prioritised gap report, framework crosswalk (SOC 2, ISO 27001, NIS2), and tier progression plan.
