Answer a few questions. Get an AI-drafted starting-point document your lawyer can finalize. All free. 54 generators, no account required.
⚠️ AI-generated drafts. Not legal advice. ComplyKit is not a law firm.
Generate a GDPR & CCPA compliant privacy policy tailored to your SaaS. Covers data collection, subprocessors, retention, international transfers, and user rights.
Generate a plain-English Terms of Service covering acceptable use, payment & subscriptions, user-generated content, IP ownership, liability cap, and governing law.
Generate a Cookie Policy with a category table, specific tool disclosures, opt-out instructions, and ePrivacy Directive notes — matched to your actual analytics and ad stack.
Generate a Refund & Cancellation Policy for your SaaS. Covers subscription cancellation, pro-rata refunds, free trial terms, EU 14-day cooling-off rights, and governing law.
Generate an Acceptable Use Policy defining what users can and cannot do on your platform. Covers prohibited uses, enforcement actions, user obligations, and IP rights.
Generate a complete Article 28 DPA — sub-processor list, technical & organisational measures, breach notification, international transfer clauses, and audit rights. Send to your B2B customers.
Generate a HIPAA BAA for your SaaS. Covers ePHI safeguards, breach notification (45 CFR § 164.410), sub-contractor BAA chain requirements, and state-specific addenda. Required for any SaaS handling patient data.
Generate a Mutual or One-Way Non-Disclosure Agreement in minutes. Optional non-solicitation, non-compete, and liquidated damages clauses. Jurisdiction-specific governing law. For contractors, investors, partnerships, and employees.
Generate a SOC 2–aligned Information Security Policy covering access control, encryption, incident response, vulnerability management, and vendor risk. Tailored to your stack and compliance targets.
Generate a complete NIST SP 800-61 Incident Response Plan. Covers severity classification (P1–P4), CSIRT roles, containment playbooks by incident type, GDPR 72-hour breach notification, HIPAA BNR, evidence handling, and post-incident review.
Generate a GDPR Article 35 Data Protection Impact Assessment. Covers necessity & proportionality test, risk assessment table with residual risk ratings, safeguards map, and prior DPA consultation check (Art. 36). Required for high-risk processing.
Generate a GDPR-compliant Data Retention Policy with per-category retention schedules, deletion procedures, legal basis table, backup retention, log retention, employee data section, and optional legal hold process.
Generate your complete CCPA/CPRA compliance pack: Notice at Collection (required at point of data collection), 'Do Not Sell or Share My Personal Information' opt-out page, and California Consumer Privacy Rights summary. GPC signal, SPI categories, and Delete Act support included.
Generate a GDPR Art. 28(4) public sub-processor list ready to publish on your website. 40+ pre-loaded vendors (AWS, Stripe, OpenAI, Sentry, HubSpot, and more) with legal entities, processing countries, transfer mechanisms, and DPA links. Includes authorisation approach, change notification process, and objection procedure.
Generate a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) covering RTO/RPO objectives, recovery playbooks for up to 12 disaster scenarios, SOC 2 A1 criteria, ISO 27001 A.17, and GDPR Art. 32 availability requirements. Includes BIA table, backup architecture, roles, communication plan, and testing schedule.
Generate a complete vendor security questionnaire to send to new SaaS vendors before onboarding. Covers 14 assessment sections including data security, access controls, encryption, business continuity, incident response, and compliance certifications. Configurable by risk tier (Critical / High / Medium / Low) and data categories.
Generate GDPR-compliant response letters for Data Subject Requests — covering all 8 rights: access, erasure, portability, rectification, restriction, objection, direct marketing opt-out, and automated decision-making. Handles fulfilled, partial, extended, refused, and identity-unverified outcomes.
Generate a GDPR Article 13/14 compliant Employee Privacy Notice for staff, contractors, and job applicants. Covers HR data categories, lawful bases, workplace monitoring, data recipients, international transfers, retention schedules, and all 8 data subject rights. Country-specific notes for Germany, France, Netherlands, UK, and more.
Form-based Records of Processing Activities (RoPA) builder compliant with GDPR Article 30. Add each processing activity with data subjects, lawful basis, recipients, international transfers, retention periods, and technical & organisational measures. Generates a complete, audit-ready RoPA document.
Evaluate your current security controls against SOC 2 Trust Service Criteria (CC / A / C / PI / P). Answer control questions, see where you stand, and get a prioritised remediation roadmap with policy document checklist before hiring an auditor.
Assess your readiness for ISO/IEC 27001:2022 certification across 28 Annex A controls in 14 domains. Answer control questions, get a readiness score, and receive a phased remediation roadmap with policy document checklist before engaging a certification body.
Generate an EU AI Act Art. 50 transparency notice and provider/deployer compliance documentation pack for your AI system under Regulation (EU) 2024/1689. Covers risk classification, GPAI obligations, GDPR Art. 22 intersection, and prohibited practices confirmation.
Assess your organisation against all 10 NIS2 Art. 21 cybersecurity requirements. Get a scored gap report with prioritised remediation roadmap. For EU SaaS platforms, managed service providers, and digital service providers.
Generate a HIPAA SRA covering all Administrative, Technical, and Physical Safeguards (45 CFR Part 164). Required for all covered entities and business associates. Includes ePHI inventory, threat/vulnerability assessment, risk levels, and remediation roadmap.
Generate a Schrems II-compliant GDPR Transfer Impact Assessment (TIA) for all your international data transfers. Covers EU-US Data Privacy Framework, Standard Contractual Clauses (2021 SCCs), UK IDTA, BCRs, country-level legal risk analysis, and supplementary measures.
Generate a PCI DSS v4.0 Self-Assessment Questionnaire (SAQ) for your payment card environment. Covers SAQ A (fully outsourced), SAQ A-EP (e-commerce), SAQ C, and SAQ D (all merchants/service providers). Includes gap analysis, remediation priorities, and v4.0 new requirements.
Generate an LGPD-compliant Aviso de Coleta (Notice at Collection), Data Subject Rights Summary, and Privacy Policy addendum for Brazil's Lei Geral de Proteção de Dados. Covers all 10 lawful bases, 9 Art. 18 rights, sensitive data, and ANPD compliance.
Generate a complete internal TPRM policy with vendor tiers, due diligence matrix, contract requirements, ongoing monitoring frequency, incident response, and offboarding controls. Maps to ISO 27001 A.15, SOC 2 CC9.2, GDPR Art. 28, and NIS2 Art. 21(d).
Audit your cookie consent setup against GDPR, ePrivacy Directive, UK PECR, and CCPA. Check CMP configuration, banner design, consent records, withdrawal mechanisms, and Google Consent Mode v2 compliance. 18-control assessment with prioritised remediation checklist.
Generate a documented Legitimate Interests Assessment under GDPR Art. 6(1)(f). 3-step balancing test: purpose test (is there a legitimate interest?), necessity test (is it the minimum necessary?), and balancing test (do data subject rights override?). Includes privacy notice guidance and Art. 21 objection rights.
Generate a comprehensive AI/ML Model Card for EU AI Act compliance. Covers GPAI technical documentation (Art. 53 Annex XI/XII), risk classification, training data governance (Art. 10), performance evaluation, bias assessment, safety measures, human oversight (Art. 14), and environmental impact.
Generate a Whistleblower (Speak Up) Policy compliant with EU Directive 2019/1937 and UK PIDA. Covers reporting channels, protected disclosures, anti-retaliation protections, investigation timelines, GDPR-compliant data handling, and country-specific competent authority references.
Generate an AI Acceptable Use Policy for your SaaS product. Covers EU AI Act obligations, prohibited AI input content, prohibited output uses, bias and accuracy disclosures, human oversight levels, data-training transparency, content moderation approach, and enforcement mechanisms.
Generate a COPPA-compliant and GDPR Article 8 Children's Privacy Notice. Covers parental consent verification methods, age thresholds by jurisdiction, data minimisation for children, UK ICO Children's Code obligations, third-party restrictions, and parental rights to review, correct, and delete child data.
Generate a GDPR Article 33 supervisory authority breach notification form, an Article 34 plain-language individual notification letter, and an Article 33(5) internal breach register entry. Covers all mandatory disclosure elements with 72-hour deadline guidance.
Get a personalised SOC 2 evidence collection checklist organised by Trust Service Criteria control area. Covers exact evidence items, what auditors sample, how to collect from AWS/GitHub/GCP, PBC folder structure, and gap remediation for Type I and Type II audits.
Generate a complete security & compliance Trust Centre page for your SaaS website. Covers certifications, infrastructure, data regions, encryption, pen testing, bug bounty/disclosure, authentication, sub-processors, privacy compliance summary, and a pre-filled security FAQ for enterprise prospects.
Generate a GDPR Article 35 DPIA specifically for AI systems. Covers EU AI Act risk classification (Annex III), automated decision-making obligations (GDPR Art. 22), bias and fairness assessment, human oversight requirements, training data governance, and DPA prior consultation analysis (Art. 36).
Assess your readiness for ISO/IEC 27701:2019 PIMS certification — the privacy extension to ISO 27001. 26 controls across 8 domains, Annex A (controllers) + Annex B (processors). Includes ISO 27701 ↔ GDPR alignment table, certification roadmap, and gap remediation priorities.
Generate a complete Security Awareness Training Policy for your SaaS. Covers training schedule, curriculum, phishing simulation programme, completion tracking, and graduated consequences. Mapped to SOC 2 CC1.4, ISO 27001 A.6.3, HIPAA §164.308(a)(5), NIS2 Art. 21(2)(g), PCI DSS Req 12.6, and GDPR Art. 32.
Generate a complete internal DSAR (Data Subject Access Request) policy and procedure. Covers all 8 GDPR data subject rights, identity verification methods, per-right procedures, response timelines, refusal grounds, DSR register template, escalation paths, and audit logging requirements.
Generate a comprehensive AI risk register covering EU AI Act compliance, GDPR Art. 22 automated decision-making risks, algorithmic bias, prompt injection, model drift, third-party AI supply chain risks, and ISO 42001 alignment — with inherent risk scores, mitigation plans, and monitoring KPIs.
Generate Art. 28(3)(c) TOMs documentation for data processors. Covers encryption, access control, network security, application security, monitoring, HR controls, incident response (72-hour breach notification to controller), business continuity, audit rights, and sub-processor obligations — audit-ready for enterprise customers.
Generate an Internal IT Acceptable Use and BYOD Policy for your SaaS team. Covers device controls, network access, cloud apps, acceptable use, data handling, remote work security, monitoring disclosure (GDPR Art. 6(1)(f) legitimate interests), enforcement, and alignment to SOC 2 CC6.7, ISO 27001 A.6.2 / A.8, GDPR Art. 32, HIPAA, and PCI DSS Req. 12.
Generate a complete Access Control Policy for your SaaS company covering RBAC, least privilege, MFA requirements, privileged access management (PAM), user provisioning and deprovisioning, access reviews, remote access controls, and data access governance. Maps to SOC 2 CC6, ISO 27001 Annex A.9, HIPAA §164.312, PCI DSS Req 7 & 8, and GDPR Art. 32.
Generate a Data Classification Policy with a tiered classification scheme (Public / Internal / Confidential / Restricted), data type examples per tier, handling standards, storage controls, labelling guidance, and secure disposal procedures. Maps to ISO 27001 Annex A.8, SOC 2 C1, GDPR Art. 5/25/32, HIPAA, and PCI DSS Req 3 & 9.
Generate a Vulnerability Management & Patch Management Policy covering scanning cadence, CVSS severity classification, remediation timelines by severity, exception and risk acceptance process, tracking tools, and compliance mappings for SOC 2 CC7.1, ISO 27001 A.8.8, PCI DSS Req 6, NIS2 Art. 21(2)(e), NIST SP 800-40, and GDPR Art. 32.
Generate a Cryptography & Encryption Policy covering approved and prohibited algorithms, encryption at rest and in transit, key management lifecycle (generation, storage, rotation, destruction), TLS standards, secrets management requirements, and compliance mappings for ISO 27001 A.10, SOC 2 CC6.7, GDPR Art. 32, HIPAA, PCI DSS, and NIS2 Art. 21(2)(h).
Generate a Secure Software Development Lifecycle (SDLC) Policy covering code review requirements, branch protection, CI/CD security scanning (SAST, SCA, secrets detection), secrets management, environment separation, deployment authorisation, and dependency vulnerability management. Maps to SOC 2 CC8.1, ISO 27001 A.8.25/A.8.32, PCI DSS Req 6, and NIS2.
Generate a DORA-compliant ICT Risk Management Policy (EU Regulation 2022/2554) covering all five pillars: identification & risk assessment, protection & prevention, detection, response & recovery, and resilience testing. For financial entities, ICT third-party service providers, and SaaS vendors selling to EU financial institutions.
Generate a Log Management and Monitoring Policy for SaaS covering SIEM tool configuration, mandatory log sources (authentication, cloud infra, DB, admin access), log retention schedules, alerting thresholds, log integrity controls (immutable storage, NTP clock sync), and compliance evidence for SOC 2 CC7.2, ISO 27001 A.8.15/A.8.16/A.8.17, NIS2 Art. 21, HIPAA §164.312(b), and PCI DSS Req 10.
Generate an Email Security Policy covering DMARC/DKIM/SPF authentication (with DMARC policy progression from p=none to p=reject), anti-phishing controls, business email compromise (BEC) prevention, DLP rules for outbound PII/PHI/PCI data, email encryption requirements, archiving and retention, phishing simulation programme, and incident response. Maps to ISO 27001 A.8.23/A.8.7, SOC 2 CC6.7, NIS2 Art. 21(2)(g), HIPAA, PCI DSS Req 5, and GDPR Art. 32.
Generate a Password & Authentication Policy covering password complexity and length requirements, MFA enforcement scope, approved MFA methods (FIDO2/passkeys/TOTP), password manager policy, service account controls, privileged account management, SSO approach, account lockout, and session timeout. Maps to SOC 2 CC6.1/CC6.3, ISO 27001 A.8.5/A.8.2, PCI DSS v4.0 Req 8 (12-char minimum from March 2025), NIST SP 800-63B, NIS2 Art. 21(2)(j), and HIPAA §164.312(a).
Generate a Remote Work & Teleworking Security Policy covering device security controls (encryption, EDR, MDM), VPN and network requirements, home network security standards, data handling rules, cloud application controls, physical security at remote locations, GDPR-compliant employee monitoring disclosure, and incident reporting. Maps to ISO 27001 A.6.7/A.8.1, SOC 2 CC6.6/CC6.7, GDPR Art. 32, HIPAA §164.310/312, NIS2 Art. 21, PCI DSS Req 8.4.3, and NIST SP 800-46.
SOC 2 policy pack and EU AI Act documentation are on the roadmap.
All outputs are AI-generated draft templates, not legal advice. ComplyKit is not a law firm and does not provide legal services. Have any document reviewed by a qualified lawyer admitted in your jurisdiction before publishing.