@greenarmor/ges-policy-engine 1.2.7 → 1.3.0

@@ -0,0 +1,805 @@
1
+ // ============================================================
2
+ // EUROPE
3
+ // ============================================================
4
+ export function createUKGDPRPolicyPack() {
5
+ const controls = [
6
+ {
7
+ id: "UK-GDPR-01",
8
+ name: "UK Data Protection Act 2018 Compliance",
9
+ description: "Ensure compliance with the UK Data Protection Act 2018 and UK GDPR.",
10
+ category: "privacy-governance",
11
+ framework: "UK-GDPR",
12
+ status: "not-implemented",
13
+ severity: "critical",
14
+ implementation_guidance: "Implement UK GDPR requirements including: registering with the ICO if required, maintaining ROPA aligned with UK requirements, conducting DPIAs for high-risk processing, appointing a UK representative if processing UK data from outside the UK, and complying with ICO guidance and codes of practice.",
15
+ checks: [
16
+ { id: "UK-GDPR-01-C1", description: "ICO registration completed if required", status: "not-implemented" },
17
+ { id: "UK-GDPR-01-C2", description: "UK-specific ROPA maintained", status: "not-implemented" },
18
+ { id: "UK-GDPR-01-C3", description: "UK representative appointed if applicable", status: "not-implemented" },
19
+ ],
20
+ },
21
+ {
22
+ id: "UK-GDPR-02",
23
+ name: "UK International Transfers",
24
+ description: "Implement UK-specific international data transfer mechanisms.",
25
+ category: "cross-border-transfers",
26
+ framework: "UK-GDPR",
27
+ status: "not-implemented",
28
+ severity: "high",
29
+ implementation_guidance: "Use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs for transfers to non-adequate countries. Conduct Transfer Risk Assessments (TRAs) following ICO guidance. Monitor UK adequacy regulations for updates.",
30
+ checks: [
31
+ { id: "UK-GDPR-02-C1", description: "IDTA or UK Addendum executed for non-adequate transfers", status: "not-implemented" },
32
+ { id: "UK-GDPR-02-C2", description: "Transfer Risk Assessments conducted", status: "not-implemented" },
33
+ ],
34
+ },
35
+ {
36
+ id: "UK-GDPR-03",
37
+ name: "ICO Breach Notification",
38
+ description: "Notify the ICO of personal data breaches within 72 hours.",
39
+ category: "incident-management",
40
+ framework: "UK-GDPR",
41
+ status: "not-implemented",
42
+ severity: "critical",
43
+ implementation_guidance: "Implement procedures to notify the ICO of eligible personal data breaches within 72 hours of becoming aware. Use the ICO breach reporting service. Notify affected individuals without undue delay if high risk. Document all breach notifications.",
44
+ checks: [
45
+ { id: "UK-GDPR-03-C1", description: "ICO breach notification within 72 hours", status: "not-implemented" },
46
+ { id: "UK-GDPR-03-C2", description: "Individual notification for high-risk breaches", status: "not-implemented" },
47
+ ],
48
+ },
49
+ ];
50
+ return {
51
+ id: "uk-gdpr",
52
+ name: "UK GDPR & Data Protection Act 2018 Pack",
53
+ description: "UK-specific privacy controls: ICO registration, UK international transfer mechanisms (IDTA/UK Addendum), and ICO breach notification procedures.",
54
+ version: "1.0.0",
55
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
56
+ controls,
57
+ frameworks: ["UK-GDPR"],
58
+ };
59
+ }
60
+ export function createSwissFADPPolicyPack() {
61
+ const controls = [
62
+ {
63
+ id: "FADP-01",
64
+ name: "FADP Compliance",
65
+ description: "Ensure compliance with the Swiss Federal Act on Data Protection (FADP, revFSDG).",
66
+ category: "privacy-governance",
67
+ framework: "FADP",
68
+ status: "not-implemented",
69
+ severity: "critical",
70
+ implementation_guidance: "Implement the revised Swiss FADP (in effect since September 2023): maintain a data processing register, appoint a data protection advisor if processing high-risk data on a large scale, provide transparent privacy notices, and comply with FDPIC requirements.",
71
+ checks: [
72
+ { id: "FADP-01-C1", description: "Data processing register maintained", status: "not-implemented" },
73
+ { id: "FADP-01-C2", description: "FADP privacy notices published", status: "not-implemented" },
74
+ ],
75
+ },
76
+ {
77
+ id: "FADP-02",
78
+ name: "Swiss Cross-Border Transfers",
79
+ description: "Ensure lawful international data transfers under Swiss FADP.",
80
+ category: "cross-border-transfers",
81
+ framework: "FADP",
82
+ status: "not-implemented",
83
+ severity: "high",
84
+ implementation_guidance: "Ensure transfers to countries without adequate protection are covered by adequate safeguards (SCCs, BCRs, or FDPIC-approved mechanisms). Maintain the list of countries recognized as adequate by the FDPIC. Document transfer assessments.",
85
+ checks: [
86
+ { id: "FADP-02-C1", description: "Adequate safeguards for non-adequate transfers", status: "not-implemented" },
87
+ { id: "FADP-02-C2", description: "FDPIC adequacy list maintained", status: "not-implemented" },
88
+ ],
89
+ },
90
+ ];
91
+ return {
92
+ id: "ch-fadp",
93
+ name: "Switzerland FADP Pack",
94
+ description: "Swiss Federal Act on Data Protection (revFSDG) compliance controls including FDPIC requirements and Swiss cross-border transfer rules.",
95
+ version: "1.0.0",
96
+ project_types: ["saas", "generic-web-application", "api-backend"],
97
+ controls,
98
+ frameworks: ["FADP"],
99
+ };
100
+ }
101
+ // ============================================================
102
+ // ASIA-PACIFIC
103
+ // ============================================================
104
+ export function createSingaporePDPAPolicyPack() {
105
+ const controls = [
106
+ {
107
+ id: "PDPA-SG-01",
108
+ name: "Accountability Obligation",
109
+ description: "Appoint a Data Protection Officer (DPO) and make their contact information publicly available.",
110
+ category: "privacy-governance",
111
+ framework: "PDPA-SG",
112
+ status: "not-implemented",
113
+ severity: "critical",
114
+ implementation_guidance: "Appoint a DPO and deputy DPO. Publish DPO contact information on the organization's website and in the PDPC's registry. Ensure the DPO has adequate knowledge of PDPA requirements. Develop and implement a data protection policy aligned with PDPC guidelines.",
115
+ checks: [
116
+ { id: "PDPA-SG-01-C1", description: "DPO appointed and publicly identified", status: "not-implemented" },
117
+ { id: "PDPA-SG-01-C2", description: "Data protection policy developed", status: "not-implemented" },
118
+ ],
119
+ },
120
+ {
121
+ id: "PDPA-SG-02",
122
+ name: "Data Breach Notification",
123
+ description: "Notify PDPC and affected individuals of qualifying data breaches within 3 calendar days.",
124
+ category: "incident-management",
125
+ framework: "PDPA-SG",
126
+ status: "not-implemented",
127
+ severity: "critical",
128
+ implementation_guidance: "Implement breach assessment procedures to determine if a breach is notifiable (significant scale or significant harm). Notify the PDPC within 3 calendar days of assessing a breach as notifiable. Notify affected individuals if the breach is likely to result in significant harm. Document all breach notifications.",
129
+ checks: [
130
+ { id: "PDPA-SG-02-C1", description: "Breach notification to PDPC within 3 days", status: "not-implemented" },
131
+ { id: "PDPA-SG-02-C2", description: "Individual notification for significant harm breaches", status: "not-implemented" },
132
+ ],
133
+ },
134
+ {
135
+ id: "PDPA-SG-03",
136
+ name: "Do Not Call Registry",
137
+ description: "Comply with Singapore's Do Not Call (DNC) registry requirements for telemarketing.",
138
+ category: "consent-management",
139
+ framework: "PDPA-SG",
140
+ status: "not-implemented",
141
+ severity: "medium",
142
+ implementation_guidance: "Check the DNC registry before sending marketing messages to Singapore phone numbers. Maintain clear consent records for telemarketing. Honor DNC registry and individual opt-out requests. Implement processes to verify DNC status before each campaign.",
143
+ checks: [
144
+ { id: "PDPA-SG-03-C1", description: "DNC registry checked before telemarketing", status: "not-implemented" },
145
+ { id: "PDPA-SG-03-C2", description: "Opt-out requests honored promptly", status: "not-implemented" },
146
+ ],
147
+ },
148
+ {
149
+ id: "PDPA-SG-04",
150
+ name: "Data Portability (PDPA Amendment)",
151
+ description: "Implement data portability requirements under the PDPA amendments.",
152
+ category: "data-subject-rights",
153
+ framework: "PDPA-SG",
154
+ status: "not-implemented",
155
+ severity: "medium",
156
+ implementation_guidance: "Implement mechanisms allowing individuals to request their personal data in a structured, commonly used, and machine-readable format. Enable transmission to another organization where applicable. Develop portability request handling procedures.",
157
+ checks: [
158
+ { id: "PDPA-SG-04-C1", description: "Data portability mechanism implemented", status: "not-implemented" },
159
+ { id: "PDPA-SG-04-C2", description: "Request handling procedures documented", status: "not-implemented" },
160
+ ],
161
+ },
162
+ ];
163
+ return {
164
+ id: "sg-pdpa",
165
+ name: "Singapore PDPA Pack",
166
+ description: "Singapore Personal Data Protection Act (PDPA) controls: DPO appointment, PDPC breach notification (3 days), Do Not Call registry compliance, and data portability.",
167
+ version: "1.0.0",
168
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
169
+ controls,
170
+ frameworks: ["PDPA-SG"],
171
+ };
172
+ }
173
+ export function createPhilippinesDPAPolicyPack() {
174
+ const controls = [
175
+ {
176
+ id: "DPA-PH-01",
177
+ name: "PIC/PIP Responsibilities",
178
+ description: "Designate Personal Information Controller (PIC) and Personal Information Processor (PIP) roles.",
179
+ category: "privacy-governance",
180
+ framework: "DPA-PH",
181
+ status: "not-implemented",
182
+ severity: "critical",
183
+ implementation_guidance: "Designate and document PIC (controller) and PIP (processor) roles. Define their respective responsibilities under the Philippine Data Privacy Act. Ensure contracts between PICs and PIPs clearly define obligations. Implement the principle of accountability throughout the data lifecycle.",
184
+ checks: [
185
+ { id: "DPA-PH-01-C1", description: "PIC and PIP roles designated and documented", status: "not-implemented" },
186
+ { id: "DPA-PH-01-C2", description: "PIC-PIP contracts define obligations", status: "not-implemented" },
187
+ ],
188
+ },
189
+ {
190
+ id: "DPA-PH-02",
191
+ name: "NPC Registration",
192
+ description: "Register with the National Privacy Commission (NPC) as required.",
193
+ category: "privacy-governance",
194
+ framework: "DPA-PH",
195
+ status: "not-implemented",
196
+ severity: "high",
197
+ implementation_guidance: "Register with the NPC if processing personal data of 1,000+ individuals. Appoint a Data Protection Officer and register them with the NPC. Submit the required registration forms and documentation. Renew registration as required by NPC circulars.",
198
+ checks: [
199
+ { id: "DPA-PH-02-C1", description: "NPC registration completed if applicable", status: "not-implemented" },
200
+ { id: "DPA-PH-02-C2", description: "DPO registered with NPC", status: "not-implemented" },
201
+ ],
202
+ },
203
+ {
204
+ id: "DPA-PH-03",
205
+ name: "NPC Circular Compliance",
206
+ description: "Comply with NPC Circular 16-03 (Security of Personal Data) and NPC Circular 17-01 (Registration).",
207
+ category: "security-controls",
208
+ framework: "DPA-PH",
209
+ status: "not-implemented",
210
+ severity: "high",
211
+ implementation_guidance: "Implement NPC Circular 16-03 requirements: physical security, organizational security, and technical security measures. Document data processing systems per Circular 17-01. Conduct privacy impact assessments. Maintain breach management procedures aligned with NPC requirements.",
212
+ checks: [
213
+ { id: "DPA-PH-03-C1", description: "NPC Circular 16-03 security measures implemented", status: "not-implemented" },
214
+ { id: "DPA-PH-03-C2", description: "Data processing systems documented per Circular 17-01", status: "not-implemented" },
215
+ ],
216
+ },
217
+ {
218
+ id: "DPA-PH-04",
219
+ name: "Breach Reporting to NPC",
220
+ description: "Report personal data breaches to the NPC within 72 hours.",
221
+ category: "incident-management",
222
+ framework: "DPA-PH",
223
+ status: "not-implemented",
224
+ severity: "critical",
225
+ implementation_guidance: "Implement procedures to report breaches involving sensitive personal data or affecting 100+ individuals to the NPC within 72 hours. Notify affected individuals. Document all breach reports and follow-up communications with the NPC.",
226
+ checks: [
227
+ { id: "DPA-PH-04-C1", description: "NPC breach notification within 72 hours", status: "not-implemented" },
228
+ { id: "DPA-PH-04-C2", description: "Affected individuals notified", status: "not-implemented" },
229
+ ],
230
+ },
231
+ ];
232
+ return {
233
+ id: "ph-dpa",
234
+ name: "Philippines Data Privacy Act Pack",
235
+ description: "Philippine Data Privacy Act (DPA) controls: PIC/PIP responsibilities, NPC registration, NPC Circular compliance (16-03, 17-01), and NPC breach reporting (72 hours).",
236
+ version: "1.0.0",
237
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application", "government-system"],
238
+ controls,
239
+ frameworks: ["DPA-PH"],
240
+ };
241
+ }
242
+ export function createJapanAPPIPolicyPack() {
243
+ const controls = [
244
+ {
245
+ id: "APPI-01",
246
+ name: "Personal Information Handling Business Operator Compliance",
247
+ description: "Comply with Japan's Act on the Protection of Personal Information (APPI) as a Personal Information Handling Business Operator.",
248
+ category: "privacy-governance",
249
+ framework: "APPI",
250
+ status: "not-implemented",
251
+ severity: "critical",
252
+ implementation_guidance: "Specify the purpose of use for personal data and publish it. Obtain consent for using data beyond the specified purpose. Maintain proper handling of sensitive personal information (race, creed, medical history, criminal records). Respond to disclosure requests from data subjects.",
253
+ checks: [
254
+ { id: "APPI-01-C1", description: "Purpose of use specified and published", status: "not-implemented" },
255
+ { id: "APPI-01-C2", description: "Sensitive information handling procedures defined", status: "not-implemented" },
256
+ ],
257
+ },
258
+ {
259
+ id: "APPI-02",
260
+ name: "Cross-Border Transfer Requirements",
261
+ description: "Implement APPI requirements for transferring personal data to third parties in foreign countries.",
262
+ category: "cross-border-transfers",
263
+ framework: "APPI",
264
+ status: "not-implemented",
265
+ severity: "high",
266
+ implementation_guidance: "Obtain prior consent for cross-border transfers to countries without equivalent data protection. Inform data subjects of the destination country and its data protection regime. Document the equivalent protection status of destination countries per PPC guidelines.",
267
+ checks: [
268
+ { id: "APPI-02-C1", description: "Prior consent obtained for cross-border transfers", status: "not-implemented" },
269
+ { id: "APPI-02-C2", description: "Destination country protection status documented", status: "not-implemented" },
270
+ ],
271
+ },
272
+ {
273
+ id: "APPI-03",
274
+ name: "PPC Breach Reporting",
275
+ description: "Report personal data breaches to the Personal Information Protection Commission (PPC).",
276
+ category: "incident-management",
277
+ framework: "APPI",
278
+ status: "not-implemented",
279
+ severity: "high",
280
+ implementation_guidance: "Report breaches involving sensitive or high-risk personal data to the PPC without delay (within 3-5 days). Notify affected individuals. Document breach details, remediation actions, and preventive measures. Maintain breach records for PPC inspection.",
281
+ checks: [
282
+ { id: "APPI-03-C1", description: "PPC breach reporting procedures implemented", status: "not-implemented" },
283
+ { id: "APPI-03-C2", description: "Individual notification for high-risk breaches", status: "not-implemented" },
284
+ ],
285
+ },
286
+ ];
287
+ return {
288
+ id: "jp-appi",
289
+ name: "Japan APPI Pack",
290
+ description: "Japan Act on the Protection of Personal Information (APPI) controls: purpose specification, cross-border transfer consent, sensitive data handling, and PPC breach reporting.",
291
+ version: "1.0.0",
292
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
293
+ controls,
294
+ frameworks: ["APPI"],
295
+ };
296
+ }
297
+ export function createSouthKoreaPIPAPolicyPack() {
298
+ const controls = [
299
+ {
300
+ id: "PIPA-01",
301
+ name: "Consent Requirements",
302
+ description: "Implement South Korea's strong consent requirements for personal data processing.",
303
+ category: "consent-management",
304
+ framework: "PIPA",
305
+ status: "not-implemented",
306
+ severity: "critical",
307
+ implementation_guidance: "Obtain separate consent for each processing purpose. Provide clear information about: collection items, purpose, retention period, and third-party sharing. Obtain explicit opt-in consent (not pre-checked boxes). Implement consent withdrawal mechanisms. Maintain detailed consent records.",
308
+ checks: [
309
+ { id: "PIPA-01-C1", description: "Separate consent per processing purpose", status: "not-implemented" },
310
+ { id: "PIPA-01-C2", description: "Explicit opt-in (no pre-checked boxes)", status: "not-implemented" },
311
+ { id: "PIPA-01-C3", description: "Consent withdrawal mechanism available", status: "not-implemented" },
312
+ ],
313
+ },
314
+ {
315
+ id: "PIPA-02",
316
+ name: "Processing Restrictions",
317
+ description: "Comply with PIPA restrictions on processing sensitive information and unique identifiers.",
318
+ category: "consent-management",
319
+ framework: "PIPA",
320
+ status: "not-implemented",
321
+ severity: "high",
322
+ implementation_guidance: "Obtain separate consent for sensitive information (ideology, health, criminal records). Obtain separate consent for resident registration numbers (RRN). Implement strict security controls for sensitive data. Minimize collection of unique identifiers.",
323
+ checks: [
324
+ { id: "PIPA-02-C1", description: "Separate consent for sensitive information", status: "not-implemented" },
325
+ { id: "PIPA-02-C2", description: "Strict security for unique identifiers", status: "not-implemented" },
326
+ ],
327
+ },
328
+ {
329
+ id: "PIPA-03",
330
+ name: "KISA Breach Notification",
331
+ description: "Report personal data breaches to KISA and affected individuals without delay.",
332
+ category: "incident-management",
333
+ framework: "PIPA",
334
+ status: "not-implemented",
335
+ severity: "critical",
336
+ implementation_guidance: "Report breaches to KISA (Korea Internet & Security Agency) without delay upon becoming aware. Notify affected individuals without delay. Document breach details including: cause, scope, data types, mitigation measures, and recurrence prevention plans.",
337
+ checks: [
338
+ { id: "PIPA-03-C1", description: "KISA breach notification without delay", status: "not-implemented" },
339
+ { id: "PIPA-03-C2", description: "Individual notification without delay", status: "not-implemented" },
340
+ ],
341
+ },
342
+ ];
343
+ return {
344
+ id: "kr-pipa",
345
+ name: "South Korea PIPA Pack",
346
+ description: "South Korea Personal Information Protection Act (PIPA) controls: strong consent requirements, sensitive data restrictions, and KISA breach notification.",
347
+ version: "1.0.0",
348
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
349
+ controls,
350
+ frameworks: ["PIPA"],
351
+ };
352
+ }
353
+ export function createChinaPIPLPolicyPack() {
354
+ const controls = [
355
+ {
356
+ id: "PIPL-01",
357
+ name: "Data Localization",
358
+ description: "Implement data localization requirements for personal information collected in China.",
359
+ category: "cross-border-transfers",
360
+ framework: "PIPL",
361
+ status: "not-implemented",
362
+ severity: "critical",
363
+ implementation_guidance: "Store personal information of Chinese residents within mainland China for critical information infrastructure operators (CIIO) and processors exceeding thresholds. Implement technical controls ensuring affected data remains within China. Do not transfer abroad without completing required assessments.",
364
+ checks: [
365
+ { id: "PIPL-01-C1", description: "Data localization requirements assessed and implemented", status: "not-implemented" },
366
+ { id: "PIPL-01-C2", description: "Technical controls enforce China data residency", status: "not-implemented" },
367
+ ],
368
+ },
369
+ {
370
+ id: "PIPL-02",
371
+ name: "CAC Security Assessment",
372
+ description: "Complete Cyberspace Administration of China (CAC) security assessment for cross-border transfers.",
373
+ category: "cross-border-transfers",
374
+ framework: "PIPL",
375
+ status: "not-implemented",
376
+ severity: "critical",
377
+ implementation_guidance: "Complete CAC security assessment before transferring personal information abroad if required (CIIOs, large-scale processors, or sensitive data). Submit to CAC standard contract requirements. Maintain records of CAC assessments and approvals. Monitor CAC threshold updates.",
378
+ checks: [
379
+ { id: "PIPL-02-C1", description: "CAC security assessment completed for applicable transfers", status: "not-implemented" },
380
+ { id: "PIPL-02-C2", description: "CAC standard contracts executed", status: "not-implemented" },
381
+ ],
382
+ },
383
+ {
384
+ id: "PIPL-03",
385
+ name: "Separate Consent for Sensitive Information",
386
+ description: "Obtain separate consent for processing sensitive personal information under PIPL.",
387
+ category: "consent-management",
388
+ framework: "PIPL",
389
+ status: "not-implemented",
390
+ severity: "high",
391
+ implementation_guidance: "Obtain separate, explicit consent for processing sensitive personal information (biometrics, religion, health, financial data, children under 14). Provide detailed information about necessity and impact. Implement stricter security measures for sensitive data. Document all sensitive data consent records.",
392
+ checks: [
393
+ { id: "PIPL-03-C1", description: "Separate consent for sensitive personal information", status: "not-implemented" },
394
+ { id: "PIPL-03-C2", description: "Stricter security for sensitive data", status: "not-implemented" },
395
+ ],
396
+ },
397
+ {
398
+ id: "PIPL-04",
399
+ name: "PIPL Individual Rights",
400
+ description: "Implement PIPL-specific data subject rights including the right to explanation for automated decisions.",
401
+ category: "data-subject-rights",
402
+ framework: "PIPL",
403
+ status: "not-implemented",
404
+ severity: "high",
405
+ implementation_guidance: "Implement rights: access, copy, correction, deletion, restriction, portability, and explanation of automated decisions. Provide mechanisms for individuals to refuse profiling. Respond to requests within 15 working days. Document all requests and responses.",
406
+ checks: [
407
+ { id: "PIPL-04-C1", description: "All PIPL rights implemented with request mechanisms", status: "not-implemented" },
408
+ { id: "PIPL-04-C2", description: "Automated decision explanation provided", status: "not-implemented" },
409
+ { id: "PIPL-04-C3", description: "Responses within 15 working days", status: "not-implemented" },
410
+ ],
411
+ },
412
+ ];
413
+ return {
414
+ id: "cn-pipl",
415
+ name: "China PIPL Pack",
416
+ description: "China Personal Information Protection Law (PIPL) controls: data localization, CAC security assessment, separate consent for sensitive data, and PIPL individual rights.",
417
+ version: "1.0.0",
418
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
419
+ controls,
420
+ frameworks: ["PIPL"],
421
+ };
422
+ }
423
+ export function createIndiaDPDPAPolicyPack() {
424
+ const controls = [
425
+ {
426
+ id: "DPDPA-01",
427
+ name: "Consent Manager Framework",
428
+ description: "Implement interoperable consent management per India's DPDPA Consent Manager requirements.",
429
+ category: "consent-management",
430
+ framework: "DPDPA",
431
+ status: "not-implemented",
432
+ severity: "critical",
433
+ implementation_guidance: "Integrate with DPDP-approved Consent Manager platforms. Ensure consent is free, specific, informed, unconditional, and unambiguous with clear affirmative action. Provide the ability to withdraw consent through the Consent Manager. Maintain verifiable consent records.",
434
+ checks: [
435
+ { id: "DPDPA-01-C1", description: "Consent Manager integration implemented", status: "not-implemented" },
436
+ { id: "DPDPA-01-C2", description: "Consent withdrawal via Consent Manager available", status: "not-implemented" },
437
+ ],
438
+ },
439
+ {
440
+ id: "DPDPA-02",
441
+ name: "Significant Data Fiduciary Obligations",
442
+ description: "Comply with enhanced obligations if designated as a Significant Data Fiduciary.",
443
+ category: "privacy-governance",
444
+ framework: "DPDPA",
445
+ status: "not-implemented",
446
+ severity: "high",
447
+ implementation_guidance: "If designated as a Significant Data Fiduciary by the Central Government: appoint a DPO based in India, conduct Data Protection Impact Assessments, conduct independent data audits, and comply with any additional measures prescribed by the Data Protection Board.",
448
+ checks: [
449
+ { id: "DPDPA-02-C1", description: "SDF status assessed and documented", status: "not-implemented" },
450
+ { id: "DPDPA-02-C2", description: "DPO based in India appointed if SDF", status: "not-implemented" },
451
+ ],
452
+ },
453
+ {
454
+ id: "DPDPA-03",
455
+ name: "Breach Notification to Data Protection Board",
456
+ description: "Report personal data breaches to the Data Protection Board of India.",
457
+ category: "incident-management",
458
+ framework: "DPDPA",
459
+ status: "not-implemented",
460
+ severity: "critical",
461
+ implementation_guidance: "Notify affected individuals and the Data Protection Board of any personal data breach. Provide detailed description of the breach, its likely impact, mitigation measures, and actions taken. Implement procedures for timely notification as prescribed by Board regulations.",
462
+ checks: [
463
+ { id: "DPDPA-03-C1", description: "Board notification procedures implemented", status: "not-implemented" },
464
+ { id: "DPDPA-03-C2", description: "Affected individuals notified", status: "not-implemented" },
465
+ ],
466
+ },
467
+ ];
468
+ return {
469
+ id: "in-dpdpa",
470
+ name: "India DPDPA Pack",
471
+ description: "India Digital Personal Data Protection Act (DPDPA) controls: Consent Manager framework, Significant Data Fiduciary obligations, and Data Protection Board breach reporting.",
472
+ version: "1.0.0",
473
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
474
+ controls,
475
+ frameworks: ["DPDPA"],
476
+ };
477
+ }
478
+ // ============================================================
479
+ // AMERICAS
480
+ // ============================================================
481
+ export function createBrazilLGPDPolicyPack() {
482
+ const controls = [
483
+ {
484
+ id: "LGPD-01",
485
+ name: "Data Protection Officer (Encarregado)",
486
+ description: "Appoint a Data Protection Officer (DPO/Encarregado) and communicate with ANPD.",
487
+ category: "privacy-governance",
488
+ framework: "LGPD",
489
+ status: "not-implemented",
490
+ severity: "critical",
491
+ implementation_guidance: "Appoint an Encarregado (DPO) who will: communicate with ANPD, handle data subject requests, guide data protection activities, and provide annual reports. Publish DPO contact information on the organization's website. Ensure the DPO has adequate authority and independence.",
492
+ checks: [
493
+ { id: "LGPD-01-C1", description: "Encarregado appointed and contact info published", status: "not-implemented" },
494
+ { id: "LGPD-01-C2", description: "Annual ANPD report prepared", status: "not-implemented" },
495
+ ],
496
+ },
497
+ {
498
+ id: "LGPD-02",
499
+ name: "Legal Bases for Processing",
500
+ description: "Identify and document the appropriate legal basis for each processing activity under LGPD.",
501
+ category: "consent-management",
502
+ framework: "LGPD",
503
+ status: "not-implemented",
504
+ severity: "high",
505
+ implementation_guidance: "Document the legal basis for each processing activity: consent, contract performance, legal obligation, public policy, research, legitimate interests, credit protection, or health protection. Maintain records alongside the ROPA. Conduct legitimate interest assessments where applicable.",
506
+ checks: [
507
+ { id: "LGPD-02-C1", description: "Legal basis documented per processing activity", status: "not-implemented" },
508
+ { id: "LGPD-02-C2", description: "Legitimate interest assessments conducted", status: "not-implemented" },
509
+ ],
510
+ },
511
+ {
512
+ id: "LGPD-03",
513
+ name: "ANPD Breach Notification",
514
+ description: "Notify ANPD and affected individuals of data security incidents that may cause risk or damage.",
515
+ category: "incident-management",
516
+ framework: "LGPD",
517
+ status: "not-implemented",
518
+ severity: "critical",
519
+ implementation_guidance: "Notify ANPD within a reasonable timeframe of becoming aware of a security incident that may cause risk or relevant damage to data subjects. Include: nature of the incident, affected data, technical security measures, risk assessment, and mitigation steps. Notify affected individuals about risks and mitigation measures.",
520
+ checks: [
521
+ { id: "LGPD-03-C1", description: "ANPD notification procedures implemented", status: "not-implemented" },
522
+ { id: "LGPD-03-C2", description: "Individual notification for risk/damage incidents", status: "not-implemented" },
523
+ ],
524
+ },
525
+ {
526
+ id: "LGPD-04",
527
+ name: "LGPD Data Subject Rights",
528
+ description: "Implement LGPD-specific rights including confirmation of processing and data quality.",
529
+ category: "data-subject-rights",
530
+ framework: "LGPD",
531
+ status: "not-implemented",
532
+ severity: "high",
533
+ implementation_guidance: "Implement LGPD rights: confirmation of processing, access, correction, anonymization/blocking/deletion, portability, deletion of consented data, information about sharing, information about refusal to consent, and revocation of consent. Respond within 15 days.",
534
+ checks: [
535
+ { id: "LGPD-04-C1", description: "All LGPD rights implemented", status: "not-implemented" },
536
+ { id: "LGPD-04-C2", description: "Responses within 15 days", status: "not-implemented" },
537
+ ],
538
+ },
539
+ ];
540
+ return {
541
+ id: "br-lgpd",
542
+ name: "Brazil LGPD Pack",
543
+ description: "Brazilian General Data Protection Law (LGPD) controls: Encarregado appointment, ANPD communication, legal bases documentation, LGPD rights, and ANPD breach notification.",
544
+ version: "1.0.0",
545
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
546
+ controls,
547
+ frameworks: ["LGPD"],
548
+ };
549
+ }
550
+ export function createCanadaPIPEDAPolicyPack() {
551
+ const controls = [
552
+ {
553
+ id: "PIPEDA-01",
554
+ name: "Accountability Principle",
555
+ description: "Designate an individual accountable for compliance with PIPEDA's 10 fair information principles.",
556
+ category: "privacy-governance",
557
+ framework: "PIPEDA",
558
+ status: "not-implemented",
559
+ severity: "critical",
560
+ implementation_guidance: "Designate a Privacy Officer accountable for PIPEDA compliance. Develop and implement a privacy management program aligned with PIPEDA's 10 fair information principles. Ensure accountability is documented and communicated throughout the organization. Conduct annual PIPEDA compliance assessments.",
561
+ checks: [
562
+ { id: "PIPEDA-01-C1", description: "Privacy Officer designated and documented", status: "not-implemented" },
563
+ { id: "PIPEDA-01-C2", description: "PIPEDA privacy management program implemented", status: "not-implemented" },
564
+ ],
565
+ },
566
+ {
567
+ id: "PIPEDA-02",
568
+ name: "OPC Breach Notification",
569
+ description: "Notify the Office of the Privacy Commissioner (OPC) and affected individuals of breaches posing real risk of significant harm.",
570
+ category: "incident-management",
571
+ framework: "PIPEDA",
572
+ status: "not-implemented",
573
+ severity: "critical",
574
+ implementation_guidance: "Assess breaches for real risk of significant harm (RROSH). Notify affected individuals and the OPC of breaches meeting the RROSH threshold as soon as feasible. Maintain records of all breaches for 24 months. Include breach details, risk assessment, and mitigation measures in notifications.",
575
+ checks: [
576
+ { id: "PIPEDA-02-C1", description: "RROSH assessment process implemented", status: "not-implemented" },
577
+ { id: "PIPEDA-02-C2", description: "OPC and individual notification for RROSH breaches", status: "not-implemented" },
578
+ { id: "PIPEDA-02-C3", description: "Breach records maintained for 24 months", status: "not-implemented" },
579
+ ],
580
+ },
581
+ {
582
+ id: "PIPEDA-03",
583
+ name: "Cross-Border Transfer Requirements",
584
+ description: "Ensure cross-border transfers of personal information maintain PIPEDA-level protection.",
585
+ category: "cross-border-transfers",
586
+ framework: "PIPEDA",
587
+ status: "not-implemented",
588
+ severity: "medium",
589
+ implementation_guidance: "Ensure third-party recipients in other countries provide a level of protection comparable to PIPEDA. Implement contractual safeguards. Conduct due diligence on foreign recipients. Inform individuals of cross-border transfers in privacy notices.",
590
+ checks: [
591
+ { id: "PIPEDA-03-C1", description: "Comparable protection ensured for cross-border transfers", status: "not-implemented" },
592
+ { id: "PIPEDA-03-C2", description: "Individuals informed of cross-border transfers", status: "not-implemented" },
593
+ ],
594
+ },
595
+ ];
596
+ return {
597
+ id: "ca-pipeda",
598
+ name: "Canada PIPEDA Pack",
599
+ description: "Canada Personal Information Protection and Electronic Documents Act (PIPEDA) controls: accountability principle, OPC breach notification (RROSH), and cross-border transfer safeguards.",
600
+ version: "1.0.0",
601
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
602
+ controls,
603
+ frameworks: ["PIPEDA"],
604
+ };
605
+ }
606
+ export function createCaliforniaCRPAPolicyPack() {
607
+ const controls = [
608
+ {
609
+ id: "CPRA-01",
610
+ name: "Consumer Rights",
611
+ description: "Implement California Consumer Privacy Act (CPRA) consumer rights including the right to opt-out of sale/sharing.",
612
+ category: "data-subject-rights",
613
+ framework: "CPRA",
614
+ status: "not-implemented",
615
+ severity: "critical",
616
+ implementation_guidance: "Implement CPRA rights: know, delete, correct, opt-out of sale/sharing, limit use of sensitive PI, and non-discrimination. Provide a 'Do Not Sell or Share My Personal Information' link. Implement a 'Limit the Use of My Sensitive Personal Information' link. Honor Global Privacy Control (GPC) signals. Respond to requests within 45 days.",
617
+ checks: [
618
+ { id: "CPRA-01-C1", description: "All CPRA rights implemented with request mechanisms", status: "not-implemented" },
619
+ { id: "CPRA-01-C2", description: "'Do Not Sell or Share' link provided", status: "not-implemented" },
620
+ { id: "CPRA-01-C3", description: "GPC signals honored", status: "not-implemented" },
621
+ { id: "CPRA-01-C4", description: "Responses within 45 days", status: "not-implemented" },
622
+ ],
623
+ },
624
+ {
625
+ id: "CPRA-02",
626
+ name: "Sensitive Personal Information Controls",
627
+ description: "Implement specific controls for sensitive personal information under CPRA.",
628
+ category: "consent-management",
629
+ framework: "CPRA",
630
+ status: "not-implemented",
631
+ severity: "high",
632
+ implementation_guidance: "Identify and classify sensitive personal information (SSN, driver's license, financial accounts, health data, precise geolocation, biometrics, email/passwords). Provide the right to limit use of sensitive PI. Implement additional security controls for sensitive PI categories. Disclose sensitive PI categories in privacy notices.",
633
+ checks: [
634
+ { id: "CPRA-02-C1", description: "Sensitive PI classified and documented", status: "not-implemented" },
635
+ { id: "CPRA-02-C2", description: "Limit use mechanism for sensitive PI available", status: "not-implemented" },
636
+ ],
637
+ },
638
+ {
639
+ id: "CPRA-03",
640
+ name: "Privacy Notice Requirements",
641
+ description: "Provide CPRA-compliant privacy notices at collection and in general privacy policy.",
642
+ category: "privacy-governance",
643
+ framework: "CPRA",
644
+ status: "not-implemented",
645
+ severity: "high",
646
+ implementation_guidance: "Provide notice at collection listing: categories of PI collected, purposes, retention periods, and whether sold/shared. Update privacy policy with: PI categories, sources, business purposes, third-party categories, sale/sharing opt-out, sensitive PI categories, retention periods, and financial incentive details. Review and update annually.",
647
+ checks: [
648
+ { id: "CPRA-03-C1", description: "Notice at collection provided", status: "not-implemented" },
649
+ { id: "CPRA-03-C2", description: "Privacy policy includes all CPRA-required sections", status: "not-implemented" },
650
+ ],
651
+ },
652
+ ];
653
+ return {
654
+ id: "us-cpra",
655
+ name: "California CPRA Pack",
656
+ description: "California Consumer Privacy Rights Act (CPRA) controls: consumer rights, opt-out of sale/sharing, sensitive PI controls, GPC support, and privacy notice requirements.",
657
+ version: "1.0.0",
658
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
659
+ controls,
660
+ frameworks: ["CPRA"],
661
+ };
662
+ }
663
+ // ============================================================
664
+ // AFRICA
665
+ // ============================================================
666
+ export function createSouthAfricaPOPIAPolicyPack() {
667
+ const controls = [
668
+ {
669
+ id: "POPIA-01",
670
+ name: "Information Officer",
671
+ description: "Designate an Information Officer and register with the Information Regulator.",
672
+ category: "privacy-governance",
673
+ framework: "POPIA",
674
+ status: "not-implemented",
675
+ severity: "critical",
676
+ implementation_guidance: "Designate an Information Officer (IO) and deputy IO. Register the IO with the Information Regulator. Ensure the IO's contact details are publicly available. The IO is responsible for: encouraging compliance, handling information requests, cooperating with the Regulator, and internal awareness training.",
677
+ checks: [
678
+ { id: "POPIA-01-C1", description: "Information Officer designated and registered", status: "not-implemented" },
679
+ { id: "POPIA-01-C2", description: "IO contact details publicly available", status: "not-implemented" },
680
+ ],
681
+ },
682
+ {
683
+ id: "POPIA-02",
684
+ name: "Processing Conditions",
685
+ description: "Implement POPIA's 8 conditions for lawful processing of personal information.",
686
+ category: "consent-management",
687
+ framework: "POPIA",
688
+ status: "not-implemented",
689
+ severity: "high",
690
+ implementation_guidance: "Implement the 8 conditions: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Document compliance for each condition. Conduct annual POPIA compliance assessments.",
691
+ checks: [
692
+ { id: "POPIA-02-C1", description: "All 8 processing conditions documented and implemented", status: "not-implemented" },
693
+ { id: "POPIA-02-C2", description: "Annual compliance assessments conducted", status: "not-implemented" },
694
+ ],
695
+ },
696
+ {
697
+ id: "POPIA-03",
698
+ name: "Information Regulator Breach Notification",
699
+ description: "Notify the Information Regulator of security compromises as soon as reasonably possible.",
700
+ category: "incident-management",
701
+ framework: "POPIA",
702
+ status: "not-implemented",
703
+ severity: "high",
704
+ implementation_guidance: "Notify the Information Regulator of security compromises where there are reasonable grounds to believe personal information has been accessed or acquired by unauthorized persons. Notify affected data subjects. Document all notifications and the Regulator's responses.",
705
+ checks: [
706
+ { id: "POPIA-03-C1", description: "Regulator notification procedures implemented", status: "not-implemented" },
707
+ { id: "POPIA-03-C2", description: "Affected individuals notified", status: "not-implemented" },
708
+ ],
709
+ },
710
+ ];
711
+ return {
712
+ id: "za-popia",
713
+ name: "South Africa POPIA Pack",
714
+ description: "South Africa Protection of Personal Information Act (POPIA) controls: Information Officer designation, 8 processing conditions, and Information Regulator breach notification.",
715
+ version: "1.0.0",
716
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
717
+ controls,
718
+ frameworks: ["POPIA"],
719
+ };
720
+ }
721
+ // ============================================================
722
+ // MIDDLE EAST
723
+ // ============================================================
724
+ export function createUAEPDPLPolicyPack() {
725
+ const controls = [
726
+ {
727
+ id: "PDPL-UAE-01",
728
+ name: "Privacy Impact Assessment",
729
+ description: "Conduct privacy impact assessments for processing activities that may affect individual privacy.",
730
+ category: "privacy-governance",
731
+ framework: "PDPL-UAE",
732
+ status: "not-implemented",
733
+ severity: "high",
734
+ implementation_guidance: "Conduct PIAs for new processing activities involving sensitive data, large-scale processing, or innovative technologies. Document: processing purposes, data categories, necessity assessment, risk evaluation, and mitigation measures. Submit PIAs to the UAE Data Office if required.",
735
+ checks: [
736
+ { id: "PDPL-UAE-01-C1", description: "PIA procedures documented and implemented", status: "not-implemented" },
737
+ { id: "PDPL-UAE-01-C2", description: "PIAs conducted for high-risk processing", status: "not-implemented" },
738
+ ],
739
+ },
740
+ {
741
+ id: "PDPL-UAE-02",
742
+ name: "Cross-Border Transfer Requirements",
743
+ description: "Implement UAE PDPL requirements for cross-border data transfers.",
744
+ category: "cross-border-transfers",
745
+ framework: "PDPL-UAE",
746
+ status: "not-implemented",
747
+ severity: "high",
748
+ implementation_guidance: "Ensure cross-border transfers meet UAE PDPL requirements: adequate protection in destination country, appropriate safeguards, or specific authorization. Document transfer assessments. Monitor UAE Data Office guidance on recognized adequate jurisdictions.",
749
+ checks: [
750
+ { id: "PDPL-UAE-02-C1", description: "Transfer adequacy assessments documented", status: "not-implemented" },
751
+ { id: "PDPL-UAE-02-C2", description: "Appropriate safeguards implemented", status: "not-implemented" },
752
+ ],
753
+ },
754
+ ];
755
+ return {
756
+ id: "ae-pdpl",
757
+ name: "UAE PDPL Pack",
758
+ description: "UAE Personal Data Protection Law (PDPL) controls: privacy impact assessments and cross-border transfer requirements.",
759
+ version: "1.0.0",
760
+ project_types: ["saas", "generic-web-application", "api-backend"],
761
+ controls,
762
+ frameworks: ["PDPL-UAE"],
763
+ };
764
+ }
765
+ export function createSaudiArabiaPDPLPolicyPack() {
766
+ const controls = [
767
+ {
768
+ id: "PDPL-SA-01",
769
+ name: "Data Localization",
770
+ description: "Implement Saudi Arabia PDPL data localization requirements for personal data.",
771
+ category: "cross-border-transfers",
772
+ framework: "PDPL-SA",
773
+ status: "not-implemented",
774
+ severity: "critical",
775
+ implementation_guidance: "Ensure personal data is processed and stored within Saudi Arabia unless the transfer meets PDPL requirements. Obtain National Data Management Office (NDMO) approval for cross-border transfers. Implement technical controls enforcing data residency. Document localization compliance.",
776
+ checks: [
777
+ { id: "PDPL-SA-01-C1", description: "Data localization requirements assessed", status: "not-implemented" },
778
+ { id: "PDPL-SA-01-C2", description: "NDMO approval for applicable transfers", status: "not-implemented" },
779
+ ],
780
+ },
781
+ {
782
+ id: "PDPL-SA-02",
783
+ name: "Consent Management",
784
+ description: "Implement Saudi PDPL consent requirements including explicit consent for sensitive data.",
785
+ category: "consent-management",
786
+ framework: "PDPL-SA",
787
+ status: "not-implemented",
788
+ severity: "high",
789
+ implementation_guidance: "Obtain clear and explicit consent for processing personal data. Obtain separate explicit consent for sensitive personal data (health, genetic, biometric, racial/ethnic, religious, credit/financial). Provide withdrawal mechanisms. Document consent records in Arabic and English.",
790
+ checks: [
791
+ { id: "PDPL-SA-02-C1", description: "Explicit consent for processing implemented", status: "not-implemented" },
792
+ { id: "PDPL-SA-02-C2", description: "Separate consent for sensitive data", status: "not-implemented" },
793
+ ],
794
+ },
795
+ ];
796
+ return {
797
+ id: "sa-pdpl",
798
+ name: "Saudi Arabia PDPL Pack",
799
+ description: "Saudi Arabia Personal Data Protection Law (PDPL) controls: data localization, NDMO approval for transfers, and explicit consent requirements.",
800
+ version: "1.0.0",
801
+ project_types: ["saas", "generic-web-application", "api-backend"],
802
+ controls,
803
+ frameworks: ["PDPL-SA"],
804
+ };
805
+ }