bmad-plus 0.7.5 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (294)
  1. package/CHANGELOG.md +450 -425
  2. package/LICENSE +21 -21
  3. package/README.md +555 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -222
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,129 +1,129 @@
1
- # SSP Writing Guide
2
-
3
- The System Security Plan (SSP) is the centerpiece of the FedRAMP authorization package.
4
- It tells the complete security story of the Cloud Service Offering (CSO): architecture,
5
- data flows, control implementations, roles, and boundary. Many SSPs exceed 500 pages.
6
-
7
- > Always use the official FedRAMP SSP template. One template covers all baselines
8
- > (LI-SaaS, Low, Moderate, High). Templates at: https://www.fedramp.gov/rev5/documents-templates/
9
-
10
- ---
11
-
12
- ## SSP Section-by-Section Guide
13
-
14
- ### Section 1: Information System Name and Title
15
- - Formal name of the CSO
16
- - Unique identifier (assigned during FedRAMP process)
17
- - Service model (IaaS / PaaS / SaaS)
18
- - Deployment model (Public / Private / Community / Hybrid cloud)
19
-
20
- ### Section 2: System Categorization
21
- - FIPS 199 impact determination: Confidentiality / Integrity / Availability
22
- - Overall impact level = high-water mark of the three values
23
- - Justify each categorization with the types of federal information processed
24
-
25
- ### Section 3: System Owner / Authorizing Official
26
- - List CSP system owner, ISSO, and agency AO contacts
27
- - For agency authorization, include the sponsoring agency AO
28
-
29
- ### Section 4: Assignment of Security Responsibility
30
- - Identify the ISSO (Information System Security Officer)
31
- - Document CSP security team contacts
32
-
33
- ### Section 5: System Mission / Purpose
34
- - Brief description of what the system does
35
- - What federal agencies/programs it supports
36
- - What types of federal data it handles
37
-
38
- ### Section 6: System Description
39
- - Narrative description of the system
40
- - Technology stack overview
41
- - Key system components
42
-
43
- ### Section 7: General System Description / System Environment
44
- **This is one of the most scrutinized sections.**
45
- - Detailed architecture description
46
- - Authorization boundary narrative — clearly define what is IN and OUT of scope
47
- - Network architecture diagram (embedded)
48
- - Data flow diagrams (embedded)
49
- - Ports, protocols, and services table
50
- - External connections table (all services connecting to/from the boundary)
51
-
52
- **Common mistakes:**
53
- - Vague boundary descriptions ("the cloud environment") — be specific
54
- - Missing data flows for admin/management traffic
55
- - Not documenting external services (DNS, NTP, update servers, SaaS tools used by admins)
56
-
57
- ### Section 8: System Environment / Interconnections
58
- - Interconnection Security Agreements (ISAs) for each external system
59
- - Leveraged FedRAMP services (IaaS/PaaS) and their authorization status
60
- - Inherited controls from leveraged services must be documented in CIS/CRM workbook
61
-
62
- ### Section 9: Laws, Regulations, Standards (Appendix B)
63
- - Required attachment: SSP Appendix B (Laws & Regulations) — use the FedRAMP template
64
- - Lists applicable federal laws (FISMA, Privacy Act, etc.)
65
- - May include agency-specific requirements (HIPAA, CJIS if applicable)
66
-
67
- ### Section 10: Minimum Security Controls
68
- **The largest section — one narrative per control.**
69
-
70
- For each control in the applicable baseline:
71
-
72
- ```
73
- [Control ID] [Control Name]
74
- Implementation Status: Implemented | Partially Implemented | Planned | Not Applicable | Alternative Implementation
75
-
76
- [Control Implementation Statement]
77
- Describe HOW the control is implemented. Be specific:
78
- - What tool, policy, or process implements this control?
79
- - Who is responsible?
80
- - Where is the evidence?
81
- - For shared controls: what is the CSP responsibility vs. customer responsibility?
82
-
83
- Customer Responsibility (if applicable):
84
- [Describe what the customer/agency must do]
85
- ```
86
-
87
- **Writing tips:**
88
- - Address every verb in the control requirement — if the control says "monitor and record," describe both monitoring AND recording
89
- - Reference specific policy document names, tool names, configuration settings
90
- - For inherited controls from FedRAMP IaaS/PaaS: state "This control is fully/partially inherited from [Provider]. See CIS/CRM workbook."
91
- - Mark unimplemented controls as "Planned" and ensure they appear in POA&M
92
-
93
- ### SSP Appendices (A through Q)
94
-
95
- | Appendix | Content | Required? |
96
- |---|---|---|
97
- | A | Acronyms & Glossary | Yes |
98
- | B | Related Laws & Regulations (Attachment 12) | Yes |
99
- | C | Security Policies & Procedures | Yes (CSP-authored) |
100
- | D | User Guide | Yes |
101
- | E | Rules of Behavior | Yes (FedRAMP template) |
102
- | F | IT Contingency Plan | Yes (FedRAMP ISCP template, updated Dec 2024) |
103
- | G | Configuration Management Plan | Yes (CSP-authored) |
104
- | H | Incident Response Plan | Yes (CSP-authored) |
105
- | I | Control Implementation Summary (CIS) / CRM Workbook | Yes (FedRAMP template) |
106
- | J | FIPS 199 Categorization | Yes |
107
- | K | Integrated Inventory Workbook (IIW) | Yes (FedRAMP template, updated Dec 2024) |
108
- | L | Cryptographic Modules Table | Yes |
109
- | M | Continuous Monitoring Plan | Yes |
110
- | N | Separation of Duties Matrix | Conditional |
111
- | O | POA&M | Yes (FedRAMP template) |
112
- | P | Supply Chain Risk Management Plan | Yes (Rev 5) |
113
- | Q | Privacy Impact Assessment (PIA) | If PII in scope |
114
-
115
- ---
116
-
117
- ## SSP Quality Checklist
118
-
119
- Before submitting, verify:
120
- - [ ] All controls for the applicable baseline have implementation statements
121
- - [ ] No controls describe future/planned state as currently implemented
122
- - [ ] All "Planned" controls appear in POA&M
123
- - [ ] Architecture diagrams and control narratives are consistent
124
- - [ ] External connections table matches the data flow diagrams
125
- - [ ] CIS/CRM workbook is complete for all shared/inherited controls
126
- - [ ] IIW lists every asset in the boundary
127
- - [ ] Cryptographic modules table lists all FIPS 140-2/3 validated modules in use
128
- - [ ] All required appendices (C through Q as applicable) are attached
129
- - [ ] SSP Appendix A-12 is the current FedRAMP Laws & Regulations template
1
+ # SSP Writing Guide
2
+
3
+ The System Security Plan (SSP) is the centerpiece of the FedRAMP authorization package.
4
+ It tells the complete security story of the Cloud Service Offering (CSO): architecture,
5
+ data flows, control implementations, roles, and boundary. Many SSPs exceed 500 pages.
6
+
7
+ > Always use the official FedRAMP SSP template. One template covers all baselines
8
+ > (LI-SaaS, Low, Moderate, High). Templates at: https://www.fedramp.gov/rev5/documents-templates/
9
+
10
+ ---
11
+
12
+ ## SSP Section-by-Section Guide
13
+
14
+ ### Section 1: Information System Name and Title
15
+ - Formal name of the CSO
16
+ - Unique identifier (assigned during FedRAMP process)
17
+ - Service model (IaaS / PaaS / SaaS)
18
+ - Deployment model (Public / Private / Community / Hybrid cloud)
19
+
20
+ ### Section 2: System Categorization
21
+ - FIPS 199 impact determination: Confidentiality / Integrity / Availability
22
+ - Overall impact level = high-water mark of the three values
23
+ - Justify each categorization with the types of federal information processed
24
+
25
+ ### Section 3: System Owner / Authorizing Official
26
+ - List CSP system owner, ISSO, and agency AO contacts
27
+ - For agency authorization, include the sponsoring agency AO
28
+
29
+ ### Section 4: Assignment of Security Responsibility
30
+ - Identify the ISSO (Information System Security Officer)
31
+ - Document CSP security team contacts
32
+
33
+ ### Section 5: System Mission / Purpose
34
+ - Brief description of what the system does
35
+ - What federal agencies/programs it supports
36
+ - What types of federal data it handles
37
+
38
+ ### Section 6: System Description
39
+ - Narrative description of the system
40
+ - Technology stack overview
41
+ - Key system components
42
+
43
+ ### Section 7: General System Description / System Environment
44
+ **This is one of the most scrutinized sections.**
45
+ - Detailed architecture description
46
+ - Authorization boundary narrative — clearly define what is IN and OUT of scope
47
+ - Network architecture diagram (embedded)
48
+ - Data flow diagrams (embedded)
49
+ - Ports, protocols, and services table
50
+ - External connections table (all services connecting to/from the boundary)
51
+
52
+ **Common mistakes:**
53
+ - Vague boundary descriptions ("the cloud environment") — be specific
54
+ - Missing data flows for admin/management traffic
55
+ - Not documenting external services (DNS, NTP, update servers, SaaS tools used by admins)
56
+
57
+ ### Section 8: System Environment / Interconnections
58
+ - Interconnection Security Agreements (ISAs) for each external system
59
+ - Leveraged FedRAMP services (IaaS/PaaS) and their authorization status
60
+ - Inherited controls from leveraged services must be documented in CIS/CRM workbook
61
+
62
+ ### Section 9: Laws, Regulations, Standards (Appendix B)
63
+ - Required attachment: SSP Appendix B (Laws & Regulations) — use the FedRAMP template
64
+ - Lists applicable federal laws (FISMA, Privacy Act, etc.)
65
+ - May include agency-specific requirements (HIPAA, CJIS if applicable)
66
+
67
+ ### Section 10: Minimum Security Controls
68
+ **The largest section — one narrative per control.**
69
+
70
+ For each control in the applicable baseline:
71
+
72
+ ```
73
+ [Control ID] [Control Name]
74
+ Implementation Status: Implemented | Partially Implemented | Planned | Not Applicable | Alternative Implementation
75
+
76
+ [Control Implementation Statement]
77
+ Describe HOW the control is implemented. Be specific:
78
+ - What tool, policy, or process implements this control?
79
+ - Who is responsible?
80
+ - Where is the evidence?
81
+ - For shared controls: what is the CSP responsibility vs. customer responsibility?
82
+
83
+ Customer Responsibility (if applicable):
84
+ [Describe what the customer/agency must do]
85
+ ```
86
+
87
+ **Writing tips:**
88
+ - Address every verb in the control requirement — if the control says "monitor and record," describe both monitoring AND recording
89
+ - Reference specific policy document names, tool names, configuration settings
90
+ - For inherited controls from FedRAMP IaaS/PaaS: state "This control is fully/partially inherited from [Provider]. See CIS/CRM workbook."
91
+ - Mark unimplemented controls as "Planned" and ensure they appear in POA&M
92
+
93
+ ### SSP Appendices (A through Q)
94
+
95
+ | Appendix | Content | Required? |
96
+ |---|---|---|
97
+ | A | Acronyms & Glossary | Yes |
98
+ | B | Related Laws & Regulations (Attachment 12) | Yes |
99
+ | C | Security Policies & Procedures | Yes (CSP-authored) |
100
+ | D | User Guide | Yes |
101
+ | E | Rules of Behavior | Yes (FedRAMP template) |
102
+ | F | IT Contingency Plan | Yes (FedRAMP ISCP template, updated Dec 2024) |
103
+ | G | Configuration Management Plan | Yes (CSP-authored) |
104
+ | H | Incident Response Plan | Yes (CSP-authored) |
105
+ | I | Control Implementation Summary (CIS) / CRM Workbook | Yes (FedRAMP template) |
106
+ | J | FIPS 199 Categorization | Yes |
107
+ | K | Integrated Inventory Workbook (IIW) | Yes (FedRAMP template, updated Dec 2024) |
108
+ | L | Cryptographic Modules Table | Yes |
109
+ | M | Continuous Monitoring Plan | Yes |
110
+ | N | Separation of Duties Matrix | Conditional |
111
+ | O | POA&M | Yes (FedRAMP template) |
112
+ | P | Supply Chain Risk Management Plan | Yes (Rev 5) |
113
+ | Q | Privacy Impact Assessment (PIA) | If PII in scope |
114
+
115
+ ---
116
+
117
+ ## SSP Quality Checklist
118
+
119
+ Before submitting, verify:
120
+ - [ ] All controls for the applicable baseline have implementation statements
121
+ - [ ] No controls describe future/planned state as currently implemented
122
+ - [ ] All "Planned" controls appear in POA&M
123
+ - [ ] Architecture diagrams and control narratives are consistent
124
+ - [ ] External connections table matches the data flow diagrams
125
+ - [ ] CIS/CRM workbook is complete for all shared/inherited controls
126
+ - [ ] IIW lists every asset in the boundary
127
+ - [ ] Cryptographic modules table lists all FIPS 140-2/3 validated modules in use
128
+ - [ ] All required appendices (C through Q as applicable) are attached
129
+ - [ ] SSP Appendix A-12 is the current FedRAMP Laws & Regulations template
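Review bot: every removed line in this hunk reappears byte-for-byte on the `+` side (the 129-line rewrite changes no visible content), so if this is a line-ending or BOM normalisation it should land in its own commit, or be prevented with `* text=auto eol=lf` in `.gitattributes`, so that future diffs of the guide show only real edits. Within the content, the Laws & Regulations attachment is labelled three different ways: Section 9 calls it "SSP Appendix B (Laws & Regulations)", the appendix table has `| B | Related Laws & Regulations (Attachment 12) | Yes |`, and the checklist ends with `- [ ] SSP Appendix A-12 is the current FedRAMP Laws & Regulations template`; pick one label and use it in all three places, since an assessor mapping the package against the template will otherwise look for an attachment that does not exist under that name. The checklist item `- [ ] All required appendices (C through Q as applicable) are attached` also silently drops A and B, which the table marks as required.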
@@ -1,192 +1,192 @@
1
- # Consent Notice / Cookie Banner Template
2
-
3
- ## Legal Basis
4
- Art. 7 (conditions for consent), Art. 4(11) (definition of consent), Recitals 32, 42–43.
5
- ePrivacy Directive Art. 5(3) additionally applies to cookies/device storage.
6
-
7
- ---
8
-
9
- ## Consent Requirements Checklist (Art. 7)
10
- - [ ] **Freely given**: No bundling with service terms; genuine choice with no detriment (Art. 7(4))
11
- - [ ] **Specific**: Separate consent for each distinct purpose (Recital 43)
12
- - [ ] **Informed**: Clear plain-language explanation before consent given
13
- - [ ] **Unambiguous**: Affirmative act required — no pre-ticked boxes (Recital 32)
14
- - [ ] **Withdrawable**: "As easy to withdraw as to give" (Art. 7(3)); withdrawal does not affect prior processing
15
- - [ ] **Documented**: Record of when, how, and what consented to (Art. 7(1))
16
- - [ ] **Age verified**: Under-16 requires parental consent (Art. 8; check Member State derogation 13–16)
17
-
18
- ---
19
-
20
- ## Cookie Banner — Required Elements
21
-
22
- ### Layer 1 (Initial Banner)
23
- ```
24
- We use cookies to [improve your experience / personalise content / analyse traffic].
25
- [ACCEPT ALL] [REJECT ALL] [MANAGE PREFERENCES]
26
-
27
- [Link to Cookie Policy]
28
- ```
29
-
30
- **Critical**: "Accept" and "Reject" must be equally prominent. Dark patterns (hiding reject,
31
- pre-selected toggles) violate Art. 7 and Art. 5(1)(a) (fairness).
32
-
33
- ### Layer 2 (Preference Centre)
34
- Group cookies by purpose; each requires a separate opt-in toggle defaulting to OFF:
35
- | Category | Description | Default |
36
- |----------|-------------|---------|
37
- | Strictly Necessary | Required for site function — no consent needed | Always ON |
38
- | Analytics | [Provider, purpose] | OFF |
39
- | Marketing | [Provider, purpose] | OFF |
40
- | Personalisation | [Provider, purpose] | OFF |
41
-
42
- ### Consent Record to Store
43
- ```json
44
- {
45
- "userId": "...",
46
- "consentTimestamp": "ISO-8601",
47
- "consentVersion": "v1.2",
48
- "purposes": {
49
- "analytics": true,
50
- "marketing": false
51
- },
52
- "method": "explicit-click",
53
- "ipAddress": "[pseudonymised or omit]"
54
- }
55
- ```
56
-
57
- ---
58
- ---
59
-
60
- # DPIA Template (Data Protection Impact Assessment)
61
-
62
- ## Legal Basis
63
- Art. 35 GDPR — mandatory when processing is "likely to result in a high risk" to individuals.
64
- Art. 35(3) lists mandatory triggers; supervisory authorities publish lists (Art. 35(4)).
65
-
66
- ## When Required (Art. 35(3) + WP29/EDPB guidance — any 2+ of these factors)
67
- - Systematic and extensive profiling
68
- - Large-scale special category data (Art. 9)
69
- - Systematic monitoring of public areas
70
- - New technologies
71
- - Automated decision-making with legal/significant effects (Art. 22)
72
- - Children's data at scale
73
- - Data matching / combining datasets
74
-
75
- ---
76
-
77
- ## DPIA Structure
78
-
79
- ### 1. Description of Processing (Art. 35(7)(a))
80
- - **System / project name**: [NAME]
81
- - **Controller**: [NAME + DPO if applicable]
82
- - **Nature of processing**: [What operations are performed on the data]
83
- - **Scope**: [Volume, frequency, geographic reach]
84
- - **Context**: [Who are the data subjects; their vulnerability level]
85
- - **Purpose**: [What is the legitimate aim]
86
- - **Lawful basis**: Art. 6(1)[X]; Art. 9(2)[X] if special category
87
-
88
- ### 2. Necessity and Proportionality Assessment (Art. 35(7)(b))
89
- Assess whether processing is:
90
- - **Necessary** for the purpose — could the purpose be achieved with less/no personal data?
91
- - **Proportionate** — do the benefits outweigh the risks to individuals?
92
- - **Compliant** with data minimisation (Art. 5(1)(c)), purpose limitation (Art. 5(1)(b))
93
-
94
- ### 3. Risk Assessment (Art. 35(7)(c))
95
- For each identified risk:
96
- | Risk | Likelihood (1–3) | Severity (1–3) | Risk Score | Mitigation |
97
- |------|-----------------|---------------|-----------|------------|
98
- | Unauthorised access | 2 | 3 | High | Encryption, access controls |
99
- | Function creep | 1 | 2 | Medium | Purpose limitation controls |
100
- | Re-identification | 2 | 3 | High | Pseudonymisation |
101
-
102
- ### 4. Measures to Address Risks (Art. 35(7)(d))
103
- For each High/Medium risk:
104
- - Technical measure: [DESCRIBE]
105
- - Organisational measure: [DESCRIBE]
106
- - Residual risk after mitigation: [Low/Medium/High]
107
-
108
- ### 5. DPO / Stakeholder Sign-off (Art. 35(2))
109
- - DPO consulted: Yes / No — DPO opinion: [ATTACH]
110
- - Data subjects consulted (where appropriate): Yes / No
111
- - Outcome: ✅ Proceed | ⚠️ Proceed with conditions | 🔴 Prior consultation with SA required (Art. 36)
112
-
113
- ---
114
- ---
115
-
116
- # Data Retention Policy Template
117
-
118
- ## Legal Basis
119
- Art. 5(1)(e) — storage limitation: data kept no longer than necessary for purpose.
120
- Art. 17 — right to erasure triggers where retention period expired.
121
-
122
- ---
123
-
124
- ## Retention Schedule
125
-
126
- | Data Category | Business Purpose | Retention Period | Lawful Basis | Deletion Method |
127
- |--------------|-----------------|-----------------|--------------|----------------|
128
- | Customer account data | Service provision | Duration of contract + 2 years | Contract (Art. 6(1)(b)) | Secure deletion |
129
- | Marketing preferences | Direct marketing | Until withdrawal of consent | Consent (Art. 6(1)(a)) | Anonymisation |
130
- | Transaction records | Financial/legal obligations | 7 years | Legal obligation (Art. 6(1)(c)) | Secure archival then deletion |
131
- | Employee records | Employment law | Duration + 6 years | Legal obligation | Secure deletion |
132
- | CCTV footage | Security | 30 days | Legitimate interests (Art. 6(1)(f)) | Automatic overwrite |
133
- | Server/access logs | Security monitoring | 90 days | Legitimate interests | Automated purge |
134
- | Consent records | Compliance evidence | 3 years after withdrawal | Legal obligation | Retain in audit log |
135
-
136
- ---
137
-
138
- ## Operational Requirements
139
- - Automated deletion jobs should run [FREQUENCY] against retention schedule
140
- - Backups must be included in retention policy — purge from backups within [X] days of primary deletion
141
- - Exceptions process: legal hold procedure for litigation/investigation (suspend deletion)
142
- - Retention schedule reviewed: annually or upon material change to processing
143
-
144
- ---
145
- ---
146
-
147
- # Data Subject Rights Procedure
148
-
149
- ## Legal Basis
150
- Arts. 15–22 (individual rights), Art. 12 (modalities — response within 1 month, extendable by 2 months).
151
-
152
- ---
153
-
154
- ## Rights Summary
155
-
156
- | Right | Article | When Applicable | Response Time |
157
- |-------|---------|----------------|--------------|
158
- | Access (SAR) | Art. 15 | Always (with exceptions) | 1 month (Art. 12(3)) |
159
- | Rectification | Art. 16 | Inaccurate/incomplete data | 1 month |
160
- | Erasure | Art. 17 | Consent withdrawn; no longer necessary; unlawful processing | 1 month |
161
- | Restriction | Art. 18 | Accuracy contested; objection pending; unlawful but subject wants restriction | 1 month |
162
- | Portability | Art. 20 | Consent or contract basis; automated processing only | 1 month |
163
- | Object | Art. 21 | Legitimate interests or public task basis; direct marketing (absolute) | Immediately for direct marketing |
164
- | No automated decisions | Art. 22 | Solely automated decisions with legal/significant effect | 1 month |
165
-
166
- ---
167
-
168
- ## Request Handling Process
169
-
170
- 1. **Receive**: Accept requests via [EMAIL / WEB FORM / POST]. Identity verification required — proportionate to risk; do not request excessive info (Art. 12(6)).
171
- 2. **Verify identity**: [METHOD — e.g., match against account details; 2FA confirmation]
172
- 3. **Log**: Record date received, type of request, handler assigned.
173
- 4. **Assess**: Determine if exemptions apply (e.g., Art. 17(3) — overriding legal obligation prevents erasure).
174
- 5. **Respond**: Within **one calendar month** of receipt (Art. 12(3)). If extending, notify requester within first month with reason (Art. 12(3)).
175
- 6. **Response must be**: Free of charge (Art. 12(5)); in concise, plain language (Art. 12(1)); in writing or by electronic means where requested.
176
- 7. **Refusal**: If request is refused, inform subject of reasons and right to complain to SA and seek judicial remedy (Art. 12(4)).
177
-
178
- ## Exemptions to Document
179
- - Legal claims (Art. 17(3)(e))
180
- - Freedom of expression (Art. 17(3)(a))
181
- - Public interest archiving (Art. 17(3)(d))
182
- - Manifestly unfounded or excessive requests — can charge fee or refuse (Art. 12(5))
183
-
184
- ---
185
-
186
- ## SLA & Escalation
187
- - Day 0: Request received and logged
188
- - Day 3: Identity verified; request categorised
189
- - Day 20: Draft response reviewed by DPO/legal
190
- - Day 28: Response sent (allowing 2 days buffer before Day 30 deadline)
191
- - Day 30: Statutory deadline
192
- - Extension notice must go out by Day 30 if needed, citing complex/numerous requests (Art. 12(3))
1
+ # Consent Notice / Cookie Banner Template
2
+
3
+ ## Legal Basis
4
+ Art. 7 (conditions for consent), Art. 4(11) (definition of consent), Recitals 32, 42–43.
5
+ ePrivacy Directive Art. 5(3) additionally applies to cookies/device storage.
6
+
7
+ ---
8
+
9
+ ## Consent Requirements Checklist (Art. 7)
10
+ - [ ] **Freely given**: No bundling with service terms; genuine choice with no detriment (Art. 7(4))
11
+ - [ ] **Specific**: Separate consent for each distinct purpose (Recital 43)
12
+ - [ ] **Informed**: Clear plain-language explanation before consent given
13
+ - [ ] **Unambiguous**: Affirmative act required — no pre-ticked boxes (Recital 32)
14
+ - [ ] **Withdrawable**: "As easy to withdraw as to give" (Art. 7(3)); withdrawal does not affect prior processing
15
+ - [ ] **Documented**: Record of when, how, and what consented to (Art. 7(1))
16
+ - [ ] **Age verified**: Under-16 requires parental consent (Art. 8; check Member State derogation 13–16)
17
+
18
+ ---
19
+
20
+ ## Cookie Banner — Required Elements
21
+
22
+ ### Layer 1 (Initial Banner)
23
+ ```
24
+ We use cookies to [improve your experience / personalise content / analyse traffic].
25
+ [ACCEPT ALL] [REJECT ALL] [MANAGE PREFERENCES]
26
+
27
+ [Link to Cookie Policy]
28
+ ```
29
+
30
+ **Critical**: "Accept" and "Reject" must be equally prominent. Dark patterns (hiding reject,
31
+ pre-selected toggles) violate Art. 7 and Art. 5(1)(a) (fairness).
32
+
33
+ ### Layer 2 (Preference Centre)
34
+ Group cookies by purpose; each requires a separate opt-in toggle defaulting to OFF:
35
+ | Category | Description | Default |
36
+ |----------|-------------|---------|
37
+ | Strictly Necessary | Required for site function — no consent needed | Always ON |
38
+ | Analytics | [Provider, purpose] | OFF |
39
+ | Marketing | [Provider, purpose] | OFF |
40
+ | Personalisation | [Provider, purpose] | OFF |
41
+
42
+ ### Consent Record to Store
43
+ ```json
44
+ {
45
+ "userId": "...",
46
+ "consentTimestamp": "ISO-8601",
47
+ "consentVersion": "v1.2",
48
+ "purposes": {
49
+ "analytics": true,
50
+ "marketing": false
51
+ },
52
+ "method": "explicit-click",
53
+ "ipAddress": "[pseudonymised or omit]"
54
+ }
55
+ ```
56
+
57
+ ---
58
+ ---
59
+
60
+ # DPIA Template (Data Protection Impact Assessment)
61
+
62
+ ## Legal Basis
63
+ Art. 35 GDPR — mandatory when processing is "likely to result in a high risk" to individuals.
64
+ Art. 35(3) lists mandatory triggers; supervisory authorities publish lists (Art. 35(4)).
65
+
66
+ ## When Required (Art. 35(3) + WP29/EDPB guidance — any 2+ of these factors)
67
+ - Systematic and extensive profiling
68
+ - Large-scale special category data (Art. 9)
69
+ - Systematic monitoring of public areas
70
+ - New technologies
71
+ - Automated decision-making with legal/significant effects (Art. 22)
72
+ - Children's data at scale
73
+ - Data matching / combining datasets
74
+
75
+ ---
76
+
77
+ ## DPIA Structure
78
+
79
+ ### 1. Description of Processing (Art. 35(7)(a))
80
+ - **System / project name**: [NAME]
81
+ - **Controller**: [NAME + DPO if applicable]
82
+ - **Nature of processing**: [What operations are performed on the data]
83
+ - **Scope**: [Volume, frequency, geographic reach]
84
+ - **Context**: [Who are the data subjects; their vulnerability level]
85
+ - **Purpose**: [What is the legitimate aim]
86
+ - **Lawful basis**: Art. 6(1)[X]; Art. 9(2)[X] if special category
87
+
88
+ ### 2. Necessity and Proportionality Assessment (Art. 35(7)(b))
89
+ Assess whether processing is:
90
+ - **Necessary** for the purpose — could the purpose be achieved with less/no personal data?
91
+ - **Proportionate** — do the benefits outweigh the risks to individuals?
92
+ - **Compliant** with data minimisation (Art. 5(1)(c)), purpose limitation (Art. 5(1)(b))
93
+
94
+ ### 3. Risk Assessment (Art. 35(7)(c))
95
+ For each identified risk:
96
+ | Risk | Likelihood (1–3) | Severity (1–3) | Risk Score | Mitigation |
97
+ |------|-----------------|---------------|-----------|------------|
98
+ | Unauthorised access | 2 | 3 | High | Encryption, access controls |
99
+ | Function creep | 1 | 2 | Medium | Purpose limitation controls |
100
+ | Re-identification | 2 | 3 | High | Pseudonymisation |
101
+
102
+ ### 4. Measures to Address Risks (Art. 35(7)(d))
103
+ For each High/Medium risk:
104
+ - Technical measure: [DESCRIBE]
105
+ - Organisational measure: [DESCRIBE]
106
+ - Residual risk after mitigation: [Low/Medium/High]
107
+
108
+ ### 5. DPO / Stakeholder Sign-off (Art. 35(2))
109
+ - DPO consulted: Yes / No — DPO opinion: [ATTACH]
110
+ - Data subjects consulted (where appropriate): Yes / No
111
+ - Outcome: ✅ Proceed | ⚠️ Proceed with conditions | 🔴 Prior consultation with SA required (Art. 36)
112
+
113
+ ---
114
+ ---
115
+
116
+ # Data Retention Policy Template
117
+
118
+ ## Legal Basis
119
+ Art. 5(1)(e) — storage limitation: data kept no longer than necessary for purpose.
120
+ Art. 17 — right to erasure triggers where retention period expired.
121
+
122
+ ---
123
+
124
+ ## Retention Schedule
125
+
126
+ | Data Category | Business Purpose | Retention Period | Lawful Basis | Deletion Method |
127
+ |--------------|-----------------|-----------------|--------------|----------------|
128
+ | Customer account data | Service provision | Duration of contract + 2 years | Contract (Art. 6(1)(b)) | Secure deletion |
129
+ | Marketing preferences | Direct marketing | Until withdrawal of consent | Consent (Art. 6(1)(a)) | Anonymisation |
130
+ | Transaction records | Financial/legal obligations | 7 years | Legal obligation (Art. 6(1)(c)) | Secure archival then deletion |
131
+ | Employee records | Employment law | Duration + 6 years | Legal obligation | Secure deletion |
132
+ | CCTV footage | Security | 30 days | Legitimate interests (Art. 6(1)(f)) | Automatic overwrite |
133
+ | Server/access logs | Security monitoring | 90 days | Legitimate interests | Automated purge |
134
+ | Consent records | Compliance evidence | 3 years after withdrawal | Legal obligation | Retain in audit log |
135
+
136
+ ---
137
+
138
+ ## Operational Requirements
139
+ - Automated deletion jobs should run [FREQUENCY] against retention schedule
140
+ - Backups must be included in retention policy — purge from backups within [X] days of primary deletion
141
+ - Exceptions process: legal hold procedure for litigation/investigation (suspend deletion)
142
+ - Retention schedule reviewed: annually or upon material change to processing
143
+
144
+ ---
145
+ ---
146
+
147
+ # Data Subject Rights Procedure
148
+
149
+ ## Legal Basis
150
+ Arts. 15–22 (individual rights), Art. 12 (modalities — response within 1 month, extendable by 2 months).
151
+
152
+ ---
153
+
154
+ ## Rights Summary
155
+
156
+ | Right | Article | When Applicable | Response Time |
157
+ |-------|---------|----------------|--------------|
158
+ | Access (SAR) | Art. 15 | Always (with exceptions) | 1 month (Art. 12(3)) |
159
+ | Rectification | Art. 16 | Inaccurate/incomplete data | 1 month |
160
+ | Erasure | Art. 17 | Consent withdrawn; no longer necessary; unlawful processing | 1 month |
161
+ | Restriction | Art. 18 | Accuracy contested; objection pending; unlawful but subject wants restriction | 1 month |
162
+ | Portability | Art. 20 | Consent or contract basis; automated processing only | 1 month |
163
+ | Object | Art. 21 | Legitimate interests or public task basis; direct marketing (absolute) | Immediately for direct marketing |
164
+ | No automated decisions | Art. 22 | Solely automated decisions with legal/significant effect | 1 month |
165
+
166
+ ---
167
+
168
+ ## Request Handling Process
169
+
170
+ 1. **Receive**: Accept requests via [EMAIL / WEB FORM / POST]. Identity verification required — proportionate to risk; do not request excessive info (Art. 12(6)).
171
+ 2. **Verify identity**: [METHOD — e.g., match against account details; 2FA confirmation]
172
+ 3. **Log**: Record date received, type of request, handler assigned.
173
+ 4. **Assess**: Determine if exemptions apply (e.g., Art. 17(3) — overriding legal obligation prevents erasure).
174
+ 5. **Respond**: Within **one calendar month** of receipt (Art. 12(3)). If extending, notify requester within first month with reason (Art. 12(3)).
175
+ 6. **Response must be**: Free of charge (Art. 12(5)); in concise, plain language (Art. 12(1)); in writing or by electronic means where requested.
176
+ 7. **Refusal**: If request is refused, inform subject of reasons and right to complain to SA and seek judicial remedy (Art. 12(4)).
177
+
178
+ ## Exemptions to Document
179
+ - Legal claims (Art. 17(3)(e))
180
+ - Freedom of expression (Art. 17(3)(a))
181
+ - Public interest archiving (Art. 17(3)(d))
182
+ - Manifestly unfounded or excessive requests — can charge fee or refuse (Art. 12(5))
183
+
184
+ ---
185
+
186
+ ## SLA & Escalation
187
+ - Day 0: Request received and logged
188
+ - Day 3: Identity verified; request categorised
189
+ - Day 20: Draft response reviewed by DPO/legal
190
+ - Day 28: Response sent (allowing 2 days buffer before Day 30 deadline)
191
+ - Day 30: Statutory deadline
192
+ - Extension notice must go out by Day 30 if needed, citing complex/numerous requests (Art. 12(3))
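Review bot: the SLA at the end of the Data Subject Rights procedure treats the deadline as a fixed day count (`- Day 30: Statutory deadline`, with the response sent on Day 28) while step 5 correctly states the Art. 12(3) period as one calendar month of receipt; a month runs 28 to 31 days, so a request received on 1 February is already late on Day 30, and the extension-notice line has the same defect. Compute the deadline from the receipt date rather than a day counter, and derive the Day 3 / Day 20 / Day 28 checkpoints from that date. Two smaller points: the DPIA risk table combines numeric Likelihood and Severity (1-3) into a qualitative Risk Score without stating the mapping, so `| Unauthorised access | 2 | 3 | High | Encryption, access controls |` and `| Function creep | 1 | 2 | Medium | Purpose limitation controls |` cannot be reproduced by a reader; add the scoring rule (for example product thresholds). And, as in the previous hunk, every removed line reappears unchanged on the `+` side, so this 192-line hunk is whitespace or line-ending churn that should be normalised separately from content changes.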