@greenarmor/ges-policy-engine 1.2.8 → 1.3.0

@@ -0,0 +1,509 @@
1
+ // ============================================================
2
+ // BRAZIL — LGPD (Lei Geral de Proteção de Dados, Law No. 13,709/2018)
3
+ // Regulator: ANPD (Autoridade Nacional de Proteção de Dados)
4
+ // In effect: September 18, 2020 (sanctions from August 1, 2021)
5
+ // ============================================================
6
+ export function createBrazilLGPDPolicyPack() {
7
+ const controls = [
8
+ // --- Governance & Accountability ---
9
+ {
10
+ id: "LGPD-01",
11
+ name: "Encarregado (DPO) Appointment",
12
+ description: "Appoint an Encarregado (Data Protection Officer) and publish their contact information per ANPD guidance.",
13
+ category: "privacy-governance",
14
+ framework: "LGPD",
15
+ status: "not-implemented",
16
+ severity: "critical",
17
+ implementation_guidance: "Appoint an Encarregado de Proteção de Dados (DPO) who is responsible for: accepting complaints, communicating with ANPD, guiding employees/contractors on LGPD compliance, and executing other ANPD-defined duties. Publish the Encarregado's identity and contact details on the organization's website or other accessible medium. The Encarregado must be a person of integrity and independence. Small entities may be exempted by ANPD regulation. [Ref: LGPD Article 41; ANPD Resolution CD/ANPD No. 5/2022]",
18
+ checks: [
19
+ { id: "LGPD-01-C1", description: "Encarregado appointed with defined responsibilities", status: "not-implemented" },
20
+ { id: "LGPD-01-C2", description: "Contact information published and accessible", status: "not-implemented" },
21
+ { id: "LGPD-01-C3", description: "ANPD exemption assessment documented if applicable", status: "not-implemented" },
22
+ ],
23
+ },
24
+ {
25
+ id: "LGPD-02",
26
+ name: "Records of Processing Activities",
27
+ description: "Maintain a Record of Personal Data Processing Operations as required by LGPD Article 37.",
28
+ category: "data-inventory",
29
+ framework: "LGPD",
30
+ status: "not-implemented",
31
+ severity: "critical",
32
+ implementation_guidance: "Maintain a Record of Personal Data Processing Operations (ROPD) documenting: controller/processor/Encarregado details, categories of data subjects, personal data categories, purposes, data sharing, international transfers, retention, and security measures. Small entities are exempt unless processing is high-risk under ANPD criteria. [Ref: LGPD Article 37; ANPD Simplified Records Resolution]",
33
+ checks: [
34
+ { id: "LGPD-02-C1", description: "ROPD maintained with all Article 37 required fields", status: "not-implemented" },
35
+ { id: "LGPD-02-C2", description: "Records updated when processing activities change", status: "not-implemented" },
36
+ { id: "LGPD-02-C3", description: "Exemption assessment documented for small entities", status: "not-implemented" },
37
+ ],
38
+ },
39
+ // --- Legal Bases & Consent ---
40
+ {
41
+ id: "LGPD-03",
42
+ name: "Legal Basis for Processing",
43
+ description: "Identify and document one of the ten LGPD legal bases for each processing activity.",
44
+ category: "consent-management",
45
+ framework: "LGPD",
46
+ status: "not-implemented",
47
+ severity: "critical",
48
+ implementation_guidance: "Document the applicable legal basis for each processing activity. The ten bases are: (1) consent, (2) compliance with legal/regulatory duty, (3) public administration policy execution, (4) studies by research entities, (5) contract performance, (6) regular exercise of rights, (7) protection of life/physical safety, (8) protection of health by health professionals/services, (9) legitimate interests, (10) credit protection. When relying on legitimate interests, conduct a balancing test. [Ref: LGPD Article 7]",
49
+ checks: [
50
+ { id: "LGPD-03-C1", description: "Legal basis documented per processing activity", status: "not-implemented" },
51
+ { id: "LGPD-03-C2", description: "Legitimate interest balancing test conducted where applicable", status: "not-implemented" },
52
+ { id: "LGPD-03-C3", description: "Legal basis communicated in privacy notice", status: "not-implemented" },
53
+ ],
54
+ },
55
+ {
56
+ id: "LGPD-04",
57
+ name: "Consent Management (LGPD)",
58
+ description: "Obtain free, informed, and unambiguous consent that is specific for each purpose.",
59
+ category: "consent-management",
60
+ framework: "LGPD",
61
+ status: "not-implemented",
62
+ severity: "critical",
63
+ implementation_guidance: "Consent must be: free, informed, unambiguous, expressed in writing or by other means demonstrating the holder's will. Must be specific for each purpose (no bundled consent). Consent for sensitive personal data must be in writing or by separate means, unless an exception applies. Children and adolescents' data requires specific consent from at least one parent or legal guardian (best interest of the child principle). Provide easy withdrawal mechanism at no cost. [Ref: LGPD Articles 8, 11, 14]",
64
+ checks: [
65
+ { id: "LGPD-04-C1", description: "Consent obtained per specific purpose (no bundling)", status: "not-implemented" },
66
+ { id: "LGPD-04-C2", description: "Written/separate consent for sensitive data", status: "not-implemented" },
67
+ { id: "LGPD-04-C3", description: "Guardian consent for minors (best interest principle)", status: "not-implemented" },
68
+ { id: "LGPD-04-C4", description: "Easy, free consent withdrawal mechanism", status: "not-implemented" },
69
+ ],
70
+ },
71
+ // --- Data Subject Rights ---
72
+ {
73
+ id: "LGPD-05",
74
+ name: "Holder Rights (Article 18)",
75
+ description: "Implement all data holder rights with response within 15 days of request.",
76
+ category: "data-subject-rights",
77
+ framework: "LGPD",
78
+ status: "not-implemented",
79
+ severity: "critical",
80
+ implementation_guidance: "Implement rights: (1) confirmation of processing, (2) access to data, (3) correction of incomplete/inaccurate data, (4) anonymization/blocking/deletion of unnecessary/excessive/processed in non-compliance, (5) portability to another service/product provider, (6) deletion of personal data processed with consent, (7) information about data sharing, (8) information about possibility to deny consent and consequences. Respond within 15 days of the request. Facilitate rights via an easy, free mechanism. [Ref: LGPD Article 18]",
81
+ checks: [
82
+ { id: "LGPD-05-C1", description: "All Article 18 rights implemented and accessible", status: "not-implemented" },
83
+ { id: "LGPD-05-C2", description: "Response within 15 days of request", status: "not-implemented" },
84
+ { id: "LGPD-05-C3", description: "Free mechanism for exercising rights", status: "not-implemented" },
85
+ ],
86
+ },
87
+ // --- Security & DPIA ---
88
+ {
89
+ id: "LGPD-06",
90
+ name: "Security of Personal Data",
91
+ description: "Implement appropriate technical and organizational security measures per LGPD Article 46.",
92
+ category: "security-controls",
93
+ framework: "LGPD",
94
+ status: "not-implemented",
95
+ severity: "critical",
96
+ implementation_guidance: "Implement security measures appropriate to the nature of the personal data and considering: the current state of technology, the specific characteristics of processing, and the potential risks. Measures should include: access controls, encryption, network security, authentication, backup, and incident response. Periodically review and update measures. Follow ANPD security guidance when published. [Ref: LGPD Article 46]",
97
+ checks: [
98
+ { id: "LGPD-06-C1", description: "Security measures documented and risk-assessed", status: "not-implemented" },
99
+ { id: "LGPD-06-C2", description: "Encryption and access controls implemented", status: "not-implemented" },
100
+ { id: "LGPD-06-C3", description: "Security measures reviewed and updated periodically", status: "not-implemented" },
101
+ ],
102
+ },
103
+ {
104
+ id: "LGPD-07",
105
+ name: "Data Protection Impact Assessment (DPIA-LGPD)",
106
+ description: "Conduct a Data Protection Impact Assessment for processing based on legitimate interests or high-risk activities.",
107
+ category: "privacy-governance",
108
+ framework: "LGPD",
109
+ status: "not-implemented",
110
+ severity: "high",
111
+ implementation_guidance: "Conduct a DPIA for processing activities that may generate public risk, based on ANPD criteria. The DPIA must document: processing description, legitimacy assessments, risk analysis, and mitigation measures. Consult the Encarregado. The DPIA must be kept under confidentiality. Submit to ANPD when requested or when the processing poses high risk. [Ref: LGPD Article 38; ANPD DPIA Guidance]",
112
+ checks: [
113
+ { id: "LGPD-07-C1", description: "DPIA criteria established based on ANPD guidance", status: "not-implemented" },
114
+ { id: "LGPD-07-C2", description: "DPIAs conducted for high-risk processing", status: "not-implemented" },
115
+ { id: "LGPD-07-C3", description: "DPIA records maintained under confidentiality", status: "not-implemented" },
116
+ ],
117
+ },
118
+ // --- Breach Notification ---
119
+ {
120
+ id: "LGPD-08",
121
+ name: "ANPD Breach Notification",
122
+ description: "Notify ANPD and affected data subjects of security incidents that may cause risk or harm.",
123
+ category: "incident-management",
124
+ framework: "LGPD",
125
+ status: "not-implemented",
126
+ severity: "critical",
127
+ implementation_guidance: "Notify ANPD within a reasonable timeframe of a security incident that may cause risk or relevant harm to data subjects. The ANPD notification must include: nature of data, description of the incident, affected data subjects, technical/security measures adopted, risks involved, and reasons for delay (if any). Notify affected data subjects unless the risk has been mitigated (e.g., encryption). Maintain an internal incident register. [Ref: LGPD Article 48; ANPD Resolution CD/ANPD No. 15/2024]",
128
+ checks: [
129
+ { id: "LGPD-08-C1", description: "ANPD notification procedure established", status: "not-implemented" },
130
+ { id: "LGPD-08-C2", description: "Affected data subjects notified when risk/harm exists", status: "not-implemented" },
131
+ { id: "LGPD-08-C3", description: "Incident register maintained", status: "not-implemented" },
132
+ ],
133
+ },
134
+ // --- International Transfers ---
135
+ {
136
+ id: "LGPD-09",
137
+ name: "International Data Transfer (LGPD)",
138
+ description: "Ensure international transfers of personal data comply with LGPD Articles 33-36.",
139
+ category: "cross-border-transfers",
140
+ framework: "LGPD",
141
+ status: "not-implemented",
142
+ severity: "high",
143
+ implementation_guidance: "Transfer personal data to foreign countries only when: the destination country provides adequate level of protection (ANPD adequacy decision), the controller guarantees and demonstrates compliance (SCCs), international cooperation instruments exist, or the controller proves effective compliance with principles and rights. ANPD may establish specific contractual clauses (CCs). When a transfer basis is contested, the burden of proof is on the controller. [Ref: LGPD Articles 33-36; ANPD International Transfer Regulations]",
144
+ checks: [
145
+ { id: "LGPD-09-C1", description: "Transfer register maintained with basis per transfer", status: "not-implemented" },
146
+ { id: "LGPD-09-C2", description: "ANPD SCCs or adequacy for each international transfer", status: "not-implemented" },
147
+ { id: "LGPD-09-C3", description: "ANPD adequacy decisions monitored", status: "not-implemented" },
148
+ ],
149
+ },
150
+ // --- Processor Management ---
151
+ {
152
+ id: "LGPD-10",
153
+ name: "Operator (Processor) Contracts",
154
+ description: "Execute LGPD-compliant contracts with all operators (processors).",
155
+ category: "vendor-management",
156
+ framework: "LGPD",
157
+ status: "not-implemented",
158
+ severity: "high",
159
+ implementation_guidance: "Execute written contracts with operators (processors) covering: processing purposes, nature and scope, duration, data categories, data subject rights, security measures, confidentiality, sub-processor controls, data return/deletion upon termination, and audit rights. Operators must process only on documented instructions. Operators are jointly liable for damages caused by processing that deviates from instructions. [Ref: LGPD Article 39]",
160
+ checks: [
161
+ { id: "LGPD-10-C1", description: "Article 39 contracts executed with all operators", status: "not-implemented" },
162
+ { id: "LGPD-10-C2", description: "Sub-processor flow-down terms included", status: "not-implemented" },
163
+ { id: "LGPD-10-C3", description: "Data return/deletion upon termination guaranteed", status: "not-implemented" },
164
+ ],
165
+ },
166
+ ];
167
+ return {
168
+ id: "br-lgpd",
169
+ name: "Brazil LGPD Pack (Law 13,709/2018)",
170
+ description: "Comprehensive Brazilian LGPD controls: Encarregado appointment (Art. 41), ROPD (Art. 37), ten legal bases (Art. 7), consent management (Art. 8/11/14), holder rights with 15-day response (Art. 18), security (Art. 46), DPIA (Art. 38), ANPD breach notification (Art. 48), international transfers (Art. 33-36), and operator contracts (Art. 39).",
171
+ version: "1.0.0",
172
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
173
+ controls,
174
+ frameworks: ["LGPD"],
175
+ };
176
+ }
177
+ // ============================================================
178
+ // CANADA — PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5)
179
+ // Regulator: Office of the Privacy Commissioner of Canada (OPC)
180
+ // Breach provisions: PIPEDA Section 10.1 (in force Nov 1, 2018)
181
+ // ============================================================
182
+ export function createCanadaPIPEDAPolicyPack() {
183
+ const controls = [
184
+ // --- Accountability Principle ---
185
+ {
186
+ id: "PIPEDA-01",
187
+ name: "Accountability (Principle 1)",
188
+ description: "Designate a Privacy Officer responsible for compliance and implement accountability policies.",
189
+ category: "privacy-governance",
190
+ framework: "PIPEDA",
191
+ status: "not-implemented",
192
+ severity: "critical",
193
+ implementation_guidance: "Designate an individual (Privacy Officer) accountable for PIPEDA compliance. The organization is responsible for personal information under its control, including information transferred to third parties for processing. Implement policies and practices to comply with PIPEDA. Make the Privacy Officer's identity and contact information available upon request. [Ref: PIPEDA Schedule 1, Principle 4.1]",
194
+ checks: [
195
+ { id: "PIPEDA-01-C1", description: "Privacy Officer designated and documented", status: "not-implemented" },
196
+ { id: "PIPEDA-01-C2", description: "Accountability policies implemented", status: "not-implemented" },
197
+ { id: "PIPEDA-01-C3", description: "Privacy Officer contact available upon request", status: "not-implemented" },
198
+ ],
199
+ },
200
+ // --- Identifying Purposes ---
201
+ {
202
+ id: "PIPEDA-02",
203
+ name: "Identifying Purposes (Principle 2)",
204
+ description: "Document and communicate the purposes for personal information collection before or at the time of collection.",
205
+ category: "consent-management",
206
+ framework: "PIPEDA",
207
+ status: "not-implemented",
208
+ severity: "high",
209
+ implementation_guidance: "Identify and document purposes for which personal information is collected. Communicate purposes to the individual before or at the time of collection. For secondary use, identify the new purpose and obtain consent. Purposes should be limited to what a reasonable person would consider appropriate. [Ref: PIPEDA Schedule 1, Principle 4.2; PIPEDA Section 5]",
210
+ checks: [
211
+ { id: "PIPEDA-02-C1", description: "Purposes documented before/at collection", status: "not-implemented" },
212
+ { id: "PIPEDA-02-C2", description: "New consent obtained for secondary purposes", status: "not-implemented" },
213
+ ],
214
+ },
215
+ // --- Consent ---
216
+ {
217
+ id: "PIPEDA-03",
218
+ name: "Consent (Principle 3)",
219
+ description: "Obtain meaningful knowledge and consent for collection, use, or disclosure of personal information.",
220
+ category: "consent-management",
221
+ framework: "PIPEDA",
222
+ status: "not-implemented",
223
+ severity: "critical",
224
+ implementation_guidance: "Obtain consent that is appropriate for the circumstances. Consent can be express or implied. Require express consent for sensitive information. Do not make consent a condition of providing a service beyond what is necessary. Provide means to withdraw consent, subject to legal/contractual restrictions. For minors, obtain consent from a parent/guardian. Consider the 'appropriate purposes' test under PIPEDA Section 5(3). [Ref: PIPEDA Schedule 1, Principle 4.3; PIPEDA Section 6.1]",
225
+ checks: [
226
+ { id: "PIPEDA-03-C1", description: "Consent obtained appropriate to circumstances", status: "not-implemented" },
227
+ { id: "PIPEDA-03-C2", description: "Express consent for sensitive data", status: "not-implemented" },
228
+ { id: "PIPEDA-03-C3", description: "Consent withdrawal mechanism available", status: "not-implemented" },
229
+ ],
230
+ },
231
+ // --- Limiting Collection ---
232
+ {
233
+ id: "PIPEDA-04",
234
+ name: "Limiting Collection (Principle 4)",
235
+ description: "Limit collection of personal information to what is necessary for identified purposes.",
236
+ category: "data-inventory",
237
+ framework: "PIPEDA",
238
+ status: "not-implemented",
239
+ severity: "high",
240
+ implementation_guidance: "Collect personal information only by fair and lawful means. Do not collect information that is unnecessary for the identified purposes. Document data minimization practices. Avoid deceptive or misleading collection practices. Regularly review collection forms and processes for necessity. [Ref: PIPEDA Schedule 1, Principle 4.4]",
241
+ checks: [
242
+ { id: "PIPEDA-04-C1", description: "Collection limited to identified purposes", status: "not-implemented" },
243
+ { id: "PIPEDA-04-C2", description: "Collection methods are fair and lawful", status: "not-implemented" },
244
+ ],
245
+ },
246
+ // --- Limiting Use, Disclosure, and Retention ---
247
+ {
248
+ id: "PIPEDA-05",
249
+ name: "Limiting Use, Disclosure, Retention (Principle 5)",
250
+ description: "Do not use or disclose personal information for new purposes without consent. Retain only as long as necessary.",
251
+ category: "data-retention",
252
+ framework: "PIPEDA",
253
+ status: "not-implemented",
254
+ severity: "high",
255
+ implementation_guidance: "Use and disclose personal information only for the purpose it was collected, unless consent is obtained or required by law. Retain personal information only as long as necessary for the identified purposes or as required by law. Destroy, erase, or anonymize data no longer required. Document retention and destruction guidelines. [Ref: PIPEDA Schedule 1, Principle 4.5]",
256
+ checks: [
257
+ { id: "PIPEDA-05-C1", description: "New purposes require fresh consent", status: "not-implemented" },
258
+ { id: "PIPEDA-05-C2", description: "Retention schedules documented", status: "not-implemented" },
259
+ { id: "PIPEDA-05-C3", description: "Destruction/anonymization of expired data", status: "not-implemented" },
260
+ ],
261
+ },
262
+ // --- Accuracy ---
263
+ {
264
+ id: "PIPEDA-06",
265
+ name: "Accuracy (Principle 6)",
266
+ description: "Ensure personal information is accurate, complete, and up-to-date for its intended use.",
267
+ category: "data-inventory",
268
+ framework: "PIPEDA",
269
+ status: "not-implemented",
270
+ severity: "medium",
271
+ implementation_guidance: "Minimize the possibility of using inaccurate information for decisions. Update personal information when inaccuracies are identified. Provide mechanisms for individuals to challenge accuracy and have information amended. Do not routinely update data unless necessary for the identified purpose. [Ref: PIPEDA Schedule 1, Principle 4.6]",
272
+ checks: [
273
+ { id: "PIPEDA-06-C1", description: "Accuracy verification procedures implemented", status: "not-implemented" },
274
+ { id: "PIPEDA-06-C2", description: "Individual amendment/challenge mechanism available", status: "not-implemented" },
275
+ ],
276
+ },
277
+ // --- Safeguards ---
278
+ {
279
+ id: "PIPEDA-07",
280
+ name: "Safeguards (Principle 7)",
281
+ description: "Implement security safeguards appropriate to the sensitivity of the personal information.",
282
+ category: "security-controls",
283
+ framework: "PIPEDA",
284
+ status: "not-implemented",
285
+ severity: "critical",
286
+ implementation_guidance: "Protect personal information with safeguards appropriate to sensitivity. Safeguards include: physical measures (locked offices, restricted access), organizational measures (security clearances, need-to-know), and technological measures (passwords, encryption, firewalls). Methods of disposal must prevent unauthorized access. Ensure employees understand the importance of maintaining confidentiality. [Ref: PIPEDA Schedule 1, Principle 4.7; OPC Security Guidance]",
287
+ checks: [
288
+ { id: "PIPEDA-07-C1", description: "Safeguards proportional to data sensitivity", status: "not-implemented" },
289
+ { id: "PIPEDA-07-C2", description: "Physical, organizational, and technical safeguards implemented", status: "not-implemented" },
290
+ { id: "PIPEDA-07-C3", description: "Secure disposal methods preventing unauthorized access", status: "not-implemented" },
291
+ ],
292
+ },
293
+ // --- Access and Individual Rights ---
294
+ {
295
+ id: "PIPEDA-08",
296
+ name: "Openness and Access (Principles 8 & 9)",
297
+ description: "Provide individuals access to their personal information and make privacy policies readily available.",
298
+ category: "data-subject-rights",
299
+ framework: "PIPEDA",
300
+ status: "not-implemented",
301
+ severity: "high",
302
+ implementation_guidance: "Make information about privacy policies and practices readily available. Upon request, inform individuals of the existence, use, and disclosure of their personal information and provide access. Respond within 30 days (extendable by 30). Provide access at minimal or no cost. Allow individuals to challenge the accuracy and completeness of information. Document refusals with reasons. [Ref: PIPEDA Schedule 1, Principles 4.8-4.9; PIPEDA Section 8]",
303
+ checks: [
304
+ { id: "PIPEDA-08-C1", description: "Privacy policy publicly available", status: "not-implemented" },
305
+ { id: "PIPEDA-08-C2", description: "Access requests fulfilled within 30 days", status: "not-implemented" },
306
+ { id: "PIPEDA-08-C3", description: "Accuracy challenge mechanism implemented", status: "not-implemented" },
307
+ ],
308
+ },
309
+ // --- Challenging Compliance ---
310
+ {
311
+ id: "PIPEDA-09",
312
+ name: "Challenging Compliance (Principle 10)",
313
+ description: "Establish procedures to receive and respond to complaints about personal information handling.",
314
+ category: "data-subject-rights",
315
+ framework: "PIPEDA",
316
+ status: "not-implemented",
317
+ severity: "medium",
318
+ implementation_guidance: "Establish complaint procedures that are easily accessible and simple to use. Inform complainants of avenues of recourse, including the ability to complain to the OPC. Investigate all complaints and take appropriate remedial action. Document complaints, investigations, and outcomes. [Ref: PIPEDA Schedule 1, Principle 4.10]",
319
+ checks: [
320
+ { id: "PIPEDA-09-C1", description: "Accessible complaint procedure established", status: "not-implemented" },
321
+ { id: "PIPEDA-09-C2", description: "OPC escalation communicated to complainants", status: "not-implemented" },
322
+ { id: "PIPEDA-09-C3", description: "Complaint register maintained", status: "not-implemented" },
323
+ ],
324
+ },
325
+ // --- Mandatory Breach Notification ---
326
+ {
327
+ id: "PIPEDA-10",
328
+ name: "Mandatory Breach Notification (RROSH)",
329
+ description: "Notify the OPC and affected individuals of breaches posing a 'real risk of significant harm.'",
330
+ category: "incident-management",
331
+ framework: "PIPEDA",
332
+ status: "not-implemented",
333
+ severity: "critical",
334
+ implementation_guidance: "Conduct a Real Risk of Significant Harm (RROSH) assessment for every breach. If a breach poses a real risk of significant harm to an individual, notify: (1) the affected individual(s) directly, (2) the OPC, and (3) any other organization/government institution that may mitigate harm. Maintain a breach record containing: breach description, date/discovery date, number of affected individuals, RROSH assessment, and remediation. Keep breach records for 24 months. [Ref: PIPEDA Section 10.1; Breach of Security Safeguards Regulations]",
335
+ checks: [
336
+ { id: "PIPEDA-10-C1", description: "RROSH assessment procedure implemented", status: "not-implemented" },
337
+ { id: "PIPEDA-10-C2", description: "OPC and individual notification for RROSH breaches", status: "not-implemented" },
338
+ { id: "PIPEDA-10-C3", description: "Breach records maintained for 24 months", status: "not-implemented" },
339
+ ],
340
+ },
341
+ ];
342
+ return {
343
+ id: "ca-pipeda",
344
+ name: "Canada PIPEDA Pack (10 Fair Information Principles)",
345
+ description: "Comprehensive Canadian PIPEDA controls covering all 10 CSA fair information principles (Schedule 1): accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, challenging compliance, plus mandatory RROSH breach notification (Section 10.1).",
346
+ version: "1.0.0",
347
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
348
+ controls,
349
+ frameworks: ["PIPEDA"],
350
+ };
351
+ }
352
+ // ============================================================
353
+ // CALIFORNIA — CPRA (California Privacy Rights Act of 2020)
354
+ // Amends CCPA (California Consumer Privacy Act of 2018)
355
+ // Civil Code Sections 1798.100 - 1798.199.100
356
+ // Regulator: California Privacy Protection Agency (CPPA)
357
+ // ============================================================
358
+ export function createCaliforniaCRPAPolicyPack() {
359
+ const controls = [
360
+ // --- Consumer Rights ---
361
+ {
362
+ id: "CPRA-01",
363
+ name: "Right to Know and Access",
364
+ description: "Implement consumer rights to know what personal information is collected, used, shared, or sold.",
365
+ category: "data-subject-rights",
366
+ framework: "CPRA",
367
+ status: "not-implemented",
368
+ severity: "critical",
369
+ implementation_guidance: "Provide consumers the right to: (1) know the categories and specific pieces of personal information collected, (2) know the categories of sources, (3) know the business/commercial purpose for collecting/selling/sharing, (4) know the categories of third parties receiving data. Provide two methods for submitting requests (at minimum a toll-free number and internet address). Verify the consumer's identity. Respond within 45 days (extendable by 45). [Ref: Cal. Civ. Code § 1798.100, § 1798.110, § 1798.115]",
370
+ checks: [
371
+ { id: "CPRA-01-C1", description: "Two request submission methods available", status: "not-implemented" },
372
+ { id: "CPRA-01-C2", description: "Identity verification procedure implemented", status: "not-implemented" },
373
+ { id: "CPRA-01-C3", description: "Response within 45 days (90 max)", status: "not-implemented" },
374
+ ],
375
+ },
376
+ {
377
+ id: "CPRA-02",
378
+ name: "Right to Delete",
379
+ description: "Allow consumers to request deletion of their personal information.",
380
+ category: "data-subject-rights",
381
+ framework: "CPRA",
382
+ status: "not-implemented",
383
+ severity: "high",
384
+ implementation_guidance: "Upon a verifiable consumer request, delete the consumer's personal information from business records and direct service providers/contractors to delete. Exceptions include: completing transactions, security/fraud detection, debugging, exercising free speech, complying with legal obligations, internal uses aligned with consumer expectations, and legal compliance. [Ref: Cal. Civ. Code § 1798.105]",
385
+ checks: [
386
+ { id: "CPRA-02-C1", description: "Deletion request process implemented", status: "not-implemented" },
387
+ { id: "CPRA-02-C2", description: "Service provider deletion directed", status: "not-implemented" },
388
+ { id: "CPRA-02-C3", description: "Exceptions documented and applied appropriately", status: "not-implemented" },
389
+ ],
390
+ },
391
+ {
392
+ id: "CPRA-03",
393
+ name: "Right to Correct",
394
+ description: "Allow consumers to correct inaccurate personal information maintained by the business.",
395
+ category: "data-subject-rights",
396
+ framework: "CPRA",
397
+ status: "not-implemented",
398
+ severity: "medium",
399
+ implementation_guidance: "Implement a mechanism for consumers to request correction of inaccurate personal information. Use reasonable efforts to verify accuracy before correcting. Consider the nature of the personal information, its use, and the potential impact on the consumer. Communicate the outcome of correction requests. [Ref: Cal. Civ. Code § 1798.106; CPRA added this right]",
400
+ checks: [
401
+ { id: "CPRA-03-C1", description: "Correction request process implemented", status: "not-implemented" },
402
+ { id: "CPRA-03-C2", description: "Reasonable accuracy verification before correction", status: "not-implemented" },
403
+ ],
404
+ },
405
+ {
406
+ id: "CPRA-04",
407
+ name: "Right to Opt-Out of Sale/Sharing",
408
+ description: "Provide mechanisms for consumers to opt out of sale or sharing of personal information.",
409
+ category: "consent-management",
410
+ framework: "CPRA",
411
+ status: "not-implemented",
412
+ severity: "critical",
413
+ implementation_guidance: "Provide a clear and conspicuous 'Do Not Sell or Share My Personal Information' link on the homepage. Honor Global Privacy Control (GPC) browser signals as a valid opt-out request. Do not require account creation to submit opt-out requests. Do not discriminate against consumers who exercise their rights (except for permitted financial incentives). Allow authorized agents to submit requests on behalf of consumers. [Ref: Cal. Civ. Code § 1798.120, § 1798.135; CPPA GPC Regulations]",
414
+ checks: [
415
+ { id: "CPRA-04-C1", description: "'Do Not Sell or Share' link on homepage", status: "not-implemented" },
416
+ { id: "CPRA-04-C2", description: "GPC browser signals honored", status: "not-implemented" },
417
+ { id: "CPRA-04-C3", description: "No account requirement for opt-out", status: "not-implemented" },
418
+ { id: "CPRA-04-C4", description: "Authorized agent requests supported", status: "not-implemented" },
419
+ ],
420
+ },
421
+ {
422
+ id: "CPRA-05",
423
+ name: "Sensitive Personal Information Controls",
424
+ description: "Allow consumers to limit use and disclosure of sensitive personal information.",
425
+ category: "consent-management",
426
+ framework: "CPRA",
427
+ status: "not-implemented",
428
+ severity: "high",
429
+ implementation_guidance: "Implement a 'Limit the Use of My Sensitive Personal Information' link. Sensitive PI includes: SSN/driver's license/state ID, financial account info with access codes, precise geolocation, racial/ethnic origin, religious beliefs, private communications, genetic/biometric/health data, sex life/orientation. Consumers may limit use to what is necessary for performing services or providing goods. [Ref: Cal. Civ. Code § 1798.121; CPRA Definition of Sensitive PI § 1798.140(ae)]",
430
+ checks: [
431
+ { id: "CPRA-05-C1", description: "'Limit Sensitive PI' link on homepage", status: "not-implemented" },
432
+ { id: "CPRA-05-C2", description: "Sensitive PI categories identified and mapped", status: "not-implemented" },
433
+ { id: "CPRA-05-C3", description: "Use limiting mechanism implemented", status: "not-implemented" },
434
+ ],
435
+ },
436
+ // --- Privacy Notice & Disclosures ---
437
+ {
438
+ id: "CPRA-06",
439
+ name: "Privacy Policy Requirements",
440
+ description: "Publish a privacy policy meeting all CPRA disclosure requirements.",
441
+ category: "privacy-governance",
442
+ framework: "CPRA",
443
+ status: "not-implemented",
444
+ severity: "high",
445
+ implementation_guidance: "Publish a privacy policy describing: categories of PI collected, retention periods per category, categories of PI sold/shared, consumers' rights and how to exercise them, GPC recognition, financial incentive programs, PI collection/use/sources/categories of third parties, purpose of collecting/sharing, whether the business processes PI for secondary uses, whether assessments are conducted, and contact methods. Update at least every 12 months. Submit to CPPA registry if required. [Ref: Cal. Civ. Code § 1798.130; CPPA Privacy Policy Regulations]",
446
+ checks: [
447
+ { id: "CPRA-06-C1", description: "Privacy policy includes all CPRA-required disclosures", status: "not-implemented" },
448
+ { id: "CPRA-06-C2", description: "Retention periods disclosed per data category", status: "not-implemented" },
449
+ { id: "CPRA-06-C3", description: "Policy reviewed at least annually", status: "not-implemented" },
450
+ ],
451
+ },
452
+ // --- Service Provider / Contractor Contracts ---
453
+ {
454
+ id: "CPRA-07",
455
+ name: "Service Provider and Contractor Contracts",
456
+ description: "Execute CPRA-compliant contracts with all service providers, contractors, and third parties.",
457
+ category: "vendor-management",
458
+ framework: "CPRA",
459
+ status: "not-implemented",
460
+ severity: "high",
461
+ implementation_guidance: "Execute written contracts with service providers/contractors that: set out specific business purposes, prohibit using PI for other purposes, prohibit combining with other data (except permitted), prohibit selling/sharing, require notification of inability to comply within 5 days, grant audit rights, require sub-processor flow-down, and specify security measures. For third parties receiving PI, contract must prohibit combining for cross-context behavioral advertising. [Ref: Cal. Civ. Code § 1798.140(ag), § 1798.100(d); CPPA Contract Regulations]",
462
+ checks: [
463
+ { id: "CPRA-07-C1", description: "CPRA-compliant contracts with all service providers", status: "not-implemented" },
464
+ { id: "CPRA-07-C2", description: "Audit rights and sub-processor flow-down included", status: "not-implemented" },
465
+ { id: "CPRA-07-C3", description: "Cross-context behavioral advertising prohibition in third-party contracts", status: "not-implemented" },
466
+ ],
467
+ },
468
+ // --- Data Protection Assessments ---
469
+ {
470
+ id: "CPRA-08",
471
+ name: "Cybersecurity Audits and DPAs",
472
+ description: "Conduct cybersecurity audits and data protection assessments for processing activities presenting significant risk.",
473
+ category: "privacy-governance",
474
+ framework: "CPRA",
475
+ status: "not-implemented",
476
+ severity: "high",
477
+ implementation_guidance: "Conduct regular cybersecurity audits. Perform Data Protection Assessments for processing activities that present significant risk to consumer privacy or security, including: selling/sharing PI, processing sensitive PI, automated decision-making technology (ADMT), and processing for purposes incompatible with disclosed purposes. Document assessments and make available to the CPPA upon request. [Ref: Cal. Civ. Code § 1798.185(a)(15); CPPA ADMT and Risk Assessment Regulations]",
478
+ checks: [
479
+ { id: "CPRA-08-C1", description: "Cybersecurity audit program established", status: "not-implemented" },
480
+ { id: "CPRA-08-C2", description: "DPAs conducted for significant-risk processing", status: "not-implemented" },
481
+ { id: "CPRA-08-C3", description: "ADMT assessments conducted where applicable", status: "not-implemented" },
482
+ ],
483
+ },
484
+ // --- Data Minimization & Purpose Limitation ---
485
+ {
486
+ id: "CPRA-09",
487
+ name: "Data Minimization and Purpose Limitation",
488
+ description: "Collect and process personal information only for specific, explicit, and disclosed purposes.",
489
+ category: "data-inventory",
490
+ framework: "CPRA",
491
+ status: "not-implemented",
492
+ severity: "high",
493
+ implementation_guidance: "Collect, use, retain, and share only what is reasonably necessary and proportionate to the disclosed purposes. Document collection purposes and verify minimization. Do not use PI for incompatible secondary purposes without notice and consent. Retain PI no longer than necessary for the purpose. [Ref: Cal. Civ. Code § 1798.100(c)]",
494
+ checks: [
495
+ { id: "CPRA-09-C1", description: "Collection limited to reasonably necessary data", status: "not-implemented" },
496
+ { id: "CPRA-09-C2", description: "Purpose compatibility assessed before secondary use", status: "not-implemented" },
497
+ ],
498
+ },
499
+ ];
500
+ return {
501
+ id: "us-cpra",
502
+ name: "California CPRA Pack (CCPA as amended by CPRA 2020)",
503
+ description: "Comprehensive California privacy controls covering CPRA/CCPA: right to know/access (§1798.100-115), right to delete (§1798.105), right to correct (§1798.106), opt-out of sale/sharing with GPC support (§1798.120/135), sensitive PI controls (§1798.121), privacy policy requirements, service provider contracts, cybersecurity audits and DPAs (§1798.185), and data minimization.",
504
+ version: "1.0.0",
505
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
506
+ controls,
507
+ frameworks: ["CPRA"],
508
+ };
509
+ }
@@ -0,0 +1,7 @@
1
+ import type { PolicyPack } from "@greenarmor/ges-core";
2
+ export declare function createSingaporePDPAPolicyPack(): PolicyPack;
3
+ export declare function createPhilippinesDPAPolicyPack(): PolicyPack;
4
+ export declare function createJapanAPPIPolicyPack(): PolicyPack;
5
+ export declare function createSouthKoreaPIPAPolicyPack(): PolicyPack;
6
+ export declare function createChinaPIPLPolicyPack(): PolicyPack;
7
+ export declare function createIndiaDPDPAPolicyPack(): PolicyPack;
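Review bot: The six `export declare function` lines carry no JSDoc, so a consumer importing one of these factories sees only the name and the `PolicyPack` return type, with nothing stating which statute the pack encodes or what `project_types` it targets. A one-line doc comment per declaration would surface that in editor hover and in generated API docs, for example `/** Policy pack for Singapore's Personal Data Protection Act (PDPA). */` above `createSingaporePDPAPolicyPack`, and likewise for the Philippines, Japan, South Korea, China and India declarations. If this `.d.ts` is emitted by the TypeScript compiler rather than hand-written, the comments belong on the source declarations so they are carried into the published typings.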