bmad-plus 0.7.5 → 0.8.0
- package/CHANGELOG.md +450 -425
- package/LICENSE +21 -21
- package/README.md +555 -447
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
- package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +62 -57
- package/readme-international/README.de.md +576 -426
- package/readme-international/README.es.md +578 -518
- package/readme-international/README.fr.md +576 -516
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
- package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
- package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
- package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
- package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
- package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
- package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
- package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
- package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
- package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
- package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
- package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
- package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
- package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
- package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
- package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
- package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
- package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
- package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/module.yaml +283 -280
- package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
- package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
- package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
- package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
- package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
- package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
- package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
- package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
- package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
- package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
- package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
- package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
- package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
- package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
- package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
- package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
- package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
- package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
- package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
- package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
- package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
- package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/commands/autoconfig.js +498 -489
- package/tools/cli/commands/doctor.js +222 -222
- package/tools/cli/commands/install.js +739 -739
- package/tools/cli/commands/memory.js +194 -194
- package/tools/cli/commands/scan.js +360 -350
- package/tools/cli/commands/uninstall.js +96 -96
- package/tools/cli/commands/update.js +174 -174
- package/tools/cli/i18n.js +763 -763
@@ -1,129 +1,129 @@
|
|
|
1
|
-
# SSP Writing Guide
|
|
2
|
-
|
|
3
|
-
The System Security Plan (SSP) is the centerpiece of the FedRAMP authorization package.
|
|
4
|
-
It tells the complete security story of the Cloud Service Offering (CSO): architecture,
|
|
5
|
-
data flows, control implementations, roles, and boundary. Many SSPs exceed 500 pages.
|
|
6
|
-
|
|
7
|
-
> Always use the official FedRAMP SSP template. One template covers all baselines
|
|
8
|
-
> (LI-SaaS, Low, Moderate, High). Templates at: https://www.fedramp.gov/rev5/documents-templates/
|
|
9
|
-
|
|
10
|
-
---
|
|
11
|
-
|
|
12
|
-
## SSP Section-by-Section Guide
|
|
13
|
-
|
|
14
|
-
### Section 1: Information System Name and Title
|
|
15
|
-
- Formal name of the CSO
|
|
16
|
-
- Unique identifier (assigned during FedRAMP process)
|
|
17
|
-
- Service model (IaaS / PaaS / SaaS)
|
|
18
|
-
- Deployment model (Public / Private / Community / Hybrid cloud)
|
|
19
|
-
|
|
20
|
-
### Section 2: System Categorization
|
|
21
|
-
- FIPS 199 impact determination: Confidentiality / Integrity / Availability
|
|
22
|
-
- Overall impact level = high-water mark of the three values
|
|
23
|
-
- Justify each categorization with the types of federal information processed
|
|
24
|
-
|
|
25
|
-
### Section 3: System Owner / Authorizing Official
|
|
26
|
-
- List CSP system owner, ISSO, and agency AO contacts
|
|
27
|
-
- For agency authorization, include the sponsoring agency AO
|
|
28
|
-
|
|
29
|
-
### Section 4: Assignment of Security Responsibility
|
|
30
|
-
- Identify the ISSO (Information System Security Officer)
|
|
31
|
-
- Document CSP security team contacts
|
|
32
|
-
|
|
33
|
-
### Section 5: System Mission / Purpose
|
|
34
|
-
- Brief description of what the system does
|
|
35
|
-
- What federal agencies/programs it supports
|
|
36
|
-
- What types of federal data it handles
|
|
37
|
-
|
|
38
|
-
### Section 6: System Description
|
|
39
|
-
- Narrative description of the system
|
|
40
|
-
- Technology stack overview
|
|
41
|
-
- Key system components
|
|
42
|
-
|
|
43
|
-
### Section 7: General System Description / System Environment
|
|
44
|
-
**This is one of the most scrutinized sections.**
|
|
45
|
-
- Detailed architecture description
|
|
46
|
-
- Authorization boundary narrative — clearly define what is IN and OUT of scope
|
|
47
|
-
- Network architecture diagram (embedded)
|
|
48
|
-
- Data flow diagrams (embedded)
|
|
49
|
-
- Ports, protocols, and services table
|
|
50
|
-
- External connections table (all services connecting to/from the boundary)
|
|
51
|
-
|
|
52
|
-
**Common mistakes:**
|
|
53
|
-
- Vague boundary descriptions ("the cloud environment") — be specific
|
|
54
|
-
- Missing data flows for admin/management traffic
|
|
55
|
-
- Not documenting external services (DNS, NTP, update servers, SaaS tools used by admins)
|
|
56
|
-
|
|
57
|
-
### Section 8: System Environment / Interconnections
|
|
58
|
-
- Interconnection Security Agreements (ISAs) for each external system
|
|
59
|
-
- Leveraged FedRAMP services (IaaS/PaaS) and their authorization status
|
|
60
|
-
- Inherited controls from leveraged services must be documented in CIS/CRM workbook
|
|
61
|
-
|
|
62
|
-
### Section 9: Laws, Regulations, Standards (Appendix B)
|
|
63
|
-
- Required attachment: SSP Appendix B (Laws & Regulations) — use the FedRAMP template
|
|
64
|
-
- Lists applicable federal laws (FISMA, Privacy Act, etc.)
|
|
65
|
-
- May include agency-specific requirements (HIPAA, CJIS if applicable)
|
|
66
|
-
|
|
67
|
-
### Section 10: Minimum Security Controls
|
|
68
|
-
**The largest section — one narrative per control.**
|
|
69
|
-
|
|
70
|
-
For each control in the applicable baseline:
|
|
71
|
-
|
|
72
|
-
```
|
|
73
|
-
[Control ID] [Control Name]
|
|
74
|
-
Implementation Status: Implemented | Partially Implemented | Planned | Not Applicable | Alternative Implementation
|
|
75
|
-
|
|
76
|
-
[Control Implementation Statement]
|
|
77
|
-
Describe HOW the control is implemented. Be specific:
|
|
78
|
-
- What tool, policy, or process implements this control?
|
|
79
|
-
- Who is responsible?
|
|
80
|
-
- Where is the evidence?
|
|
81
|
-
- For shared controls: what is the CSP responsibility vs. customer responsibility?
|
|
82
|
-
|
|
83
|
-
Customer Responsibility (if applicable):
|
|
84
|
-
[Describe what the customer/agency must do]
|
|
85
|
-
```
|
|
86
|
-
|
|
87
|
-
**Writing tips:**
|
|
88
|
-
- Address every verb in the control requirement — if the control says "monitor and record," describe both monitoring AND recording
|
|
89
|
-
- Reference specific policy document names, tool names, configuration settings
|
|
90
|
-
- For inherited controls from FedRAMP IaaS/PaaS: state "This control is fully/partially inherited from [Provider]. See CIS/CRM workbook."
|
|
91
|
-
- Mark unimplemented controls as "Planned" and ensure they appear in POA&M
|
|
92
|
-
|
|
93
|
-
### SSP Appendices (A through Q)
|
|
94
|
-
|
|
95
|
-
| Appendix | Content | Required? |
|
|
96
|
-
|---|---|---|
|
|
97
|
-
| A | Acronyms & Glossary | Yes |
|
|
98
|
-
| B | Related Laws & Regulations (Attachment 12) | Yes |
|
|
99
|
-
| C | Security Policies & Procedures | Yes (CSP-authored) |
|
|
100
|
-
| D | User Guide | Yes |
|
|
101
|
-
| E | Rules of Behavior | Yes (FedRAMP template) |
|
|
102
|
-
| F | IT Contingency Plan | Yes (FedRAMP ISCP template, updated Dec 2024) |
|
|
103
|
-
| G | Configuration Management Plan | Yes (CSP-authored) |
|
|
104
|
-
| H | Incident Response Plan | Yes (CSP-authored) |
|
|
105
|
-
| I | Control Implementation Summary (CIS) / CRM Workbook | Yes (FedRAMP template) |
|
|
106
|
-
| J | FIPS 199 Categorization | Yes |
|
|
107
|
-
| K | Integrated Inventory Workbook (IIW) | Yes (FedRAMP template, updated Dec 2024) |
|
|
108
|
-
| L | Cryptographic Modules Table | Yes |
|
|
109
|
-
| M | Continuous Monitoring Plan | Yes |
|
|
110
|
-
| N | Separation of Duties Matrix | Conditional |
|
|
111
|
-
| O | POA&M | Yes (FedRAMP template) |
|
|
112
|
-
| P | Supply Chain Risk Management Plan | Yes (Rev 5) |
|
|
113
|
-
| Q | Privacy Impact Assessment (PIA) | If PII in scope |
|
|
114
|
-
|
|
115
|
-
---
|
|
116
|
-
|
|
117
|
-
## SSP Quality Checklist
|
|
118
|
-
|
|
119
|
-
Before submitting, verify:
|
|
120
|
-
- [ ] All controls for the applicable baseline have implementation statements
|
|
121
|
-
- [ ] No controls describe future/planned state as currently implemented
|
|
122
|
-
- [ ] All "Planned" controls appear in POA&M
|
|
123
|
-
- [ ] Architecture diagrams and control narratives are consistent
|
|
124
|
-
- [ ] External connections table matches the data flow diagrams
|
|
125
|
-
- [ ] CIS/CRM workbook is complete for all shared/inherited controls
|
|
126
|
-
- [ ] IIW lists every asset in the boundary
|
|
127
|
-
- [ ] Cryptographic modules table lists all FIPS 140-2/3 validated modules in use
|
|
128
|
-
- [ ] All required appendices (C through Q as applicable) are attached
|
|
129
|
-
- [ ] SSP Appendix A-12 is the current FedRAMP Laws & Regulations template
|
|
1
|
+
# SSP Writing Guide
|
|
2
|
+
|
|
3
|
+
The System Security Plan (SSP) is the centerpiece of the FedRAMP authorization package.
|
|
4
|
+
It tells the complete security story of the Cloud Service Offering (CSO): architecture,
|
|
5
|
+
data flows, control implementations, roles, and boundary. Many SSPs exceed 500 pages.
|
|
6
|
+
|
|
7
|
+
> Always use the official FedRAMP SSP template. One template covers all baselines
|
|
8
|
+
> (LI-SaaS, Low, Moderate, High). Templates at: https://www.fedramp.gov/rev5/documents-templates/
|
|
9
|
+
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
## SSP Section-by-Section Guide
|
|
13
|
+
|
|
14
|
+
### Section 1: Information System Name and Title
|
|
15
|
+
- Formal name of the CSO
|
|
16
|
+
- Unique identifier (assigned during FedRAMP process)
|
|
17
|
+
- Service model (IaaS / PaaS / SaaS)
|
|
18
|
+
- Deployment model (Public / Private / Community / Hybrid cloud)
|
|
19
|
+
|
|
20
|
+
### Section 2: System Categorization
|
|
21
|
+
- FIPS 199 impact determination: Confidentiality / Integrity / Availability
|
|
22
|
+
- Overall impact level = high-water mark of the three values
|
|
23
|
+
- Justify each categorization with the types of federal information processed
|
|
24
|
+
|
|
25
|
+
### Section 3: System Owner / Authorizing Official
|
|
26
|
+
- List CSP system owner, ISSO, and agency AO contacts
|
|
27
|
+
- For agency authorization, include the sponsoring agency AO
|
|
28
|
+
|
|
29
|
+
### Section 4: Assignment of Security Responsibility
|
|
30
|
+
- Identify the ISSO (Information System Security Officer)
|
|
31
|
+
- Document CSP security team contacts
|
|
32
|
+
|
|
33
|
+
### Section 5: System Mission / Purpose
|
|
34
|
+
- Brief description of what the system does
|
|
35
|
+
- What federal agencies/programs it supports
|
|
36
|
+
- What types of federal data it handles
|
|
37
|
+
|
|
38
|
+
### Section 6: System Description
|
|
39
|
+
- Narrative description of the system
|
|
40
|
+
- Technology stack overview
|
|
41
|
+
- Key system components
|
|
42
|
+
|
|
43
|
+
### Section 7: General System Description / System Environment
|
|
44
|
+
**This is one of the most scrutinized sections.**
|
|
45
|
+
- Detailed architecture description
|
|
46
|
+
- Authorization boundary narrative — clearly define what is IN and OUT of scope
|
|
47
|
+
- Network architecture diagram (embedded)
|
|
48
|
+
- Data flow diagrams (embedded)
|
|
49
|
+
- Ports, protocols, and services table
|
|
50
|
+
- External connections table (all services connecting to/from the boundary)
|
|
51
|
+
|
|
52
|
+
**Common mistakes:**
|
|
53
|
+
- Vague boundary descriptions ("the cloud environment") — be specific
|
|
54
|
+
- Missing data flows for admin/management traffic
|
|
55
|
+
- Not documenting external services (DNS, NTP, update servers, SaaS tools used by admins)
|
|
56
|
+
|
|
57
|
+
### Section 8: System Environment / Interconnections
|
|
58
|
+
- Interconnection Security Agreements (ISAs) for each external system
|
|
59
|
+
- Leveraged FedRAMP services (IaaS/PaaS) and their authorization status
|
|
60
|
+
- Inherited controls from leveraged services must be documented in CIS/CRM workbook
|
|
61
|
+
|
|
62
|
+
### Section 9: Laws, Regulations, Standards (Appendix B)
|
|
63
|
+
- Required attachment: SSP Appendix B (Laws & Regulations) — use the FedRAMP template
|
|
64
|
+
- Lists applicable federal laws (FISMA, Privacy Act, etc.)
|
|
65
|
+
- May include agency-specific requirements (HIPAA, CJIS if applicable)
|
|
66
|
+
|
|
67
|
+
### Section 10: Minimum Security Controls
|
|
68
|
+
**The largest section — one narrative per control.**
|
|
69
|
+
|
|
70
|
+
For each control in the applicable baseline:
|
|
71
|
+
|
|
72
|
+
```
|
|
73
|
+
[Control ID] [Control Name]
|
|
74
|
+
Implementation Status: Implemented | Partially Implemented | Planned | Not Applicable | Alternative Implementation
|
|
75
|
+
|
|
76
|
+
[Control Implementation Statement]
|
|
77
|
+
Describe HOW the control is implemented. Be specific:
|
|
78
|
+
- What tool, policy, or process implements this control?
|
|
79
|
+
- Who is responsible?
|
|
80
|
+
- Where is the evidence?
|
|
81
|
+
- For shared controls: what is the CSP responsibility vs. customer responsibility?
|
|
82
|
+
|
|
83
|
+
Customer Responsibility (if applicable):
|
|
84
|
+
[Describe what the customer/agency must do]
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
**Writing tips:**
|
|
88
|
+
- Address every verb in the control requirement — if the control says "monitor and record," describe both monitoring AND recording
|
|
89
|
+
- Reference specific policy document names, tool names, configuration settings
|
|
90
|
+
- For inherited controls from FedRAMP IaaS/PaaS: state "This control is fully/partially inherited from [Provider]. See CIS/CRM workbook."
|
|
91
|
+
- Mark unimplemented controls as "Planned" and ensure they appear in POA&M
|
|
92
|
+
|
|
93
|
+
### SSP Appendices (A through Q)
|
|
94
|
+
|
|
95
|
+
| Appendix | Content | Required? |
|
|
96
|
+
|---|---|---|
|
|
97
|
+
| A | Acronyms & Glossary | Yes |
|
|
98
|
+
| B | Related Laws & Regulations (Attachment 12) | Yes |
|
|
99
|
+
| C | Security Policies & Procedures | Yes (CSP-authored) |
|
|
100
|
+
| D | User Guide | Yes |
|
|
101
|
+
| E | Rules of Behavior | Yes (FedRAMP template) |
|
|
102
|
+
| F | IT Contingency Plan | Yes (FedRAMP ISCP template, updated Dec 2024) |
|
|
103
|
+
| G | Configuration Management Plan | Yes (CSP-authored) |
|
|
104
|
+
| H | Incident Response Plan | Yes (CSP-authored) |
|
|
105
|
+
| I | Control Implementation Summary (CIS) / CRM Workbook | Yes (FedRAMP template) |
|
|
106
|
+
| J | FIPS 199 Categorization | Yes |
|
|
107
|
+
| K | Integrated Inventory Workbook (IIW) | Yes (FedRAMP template, updated Dec 2024) |
|
|
108
|
+
| L | Cryptographic Modules Table | Yes |
|
|
109
|
+
| M | Continuous Monitoring Plan | Yes |
|
|
110
|
+
| N | Separation of Duties Matrix | Conditional |
|
|
111
|
+
| O | POA&M | Yes (FedRAMP template) |
|
|
112
|
+
| P | Supply Chain Risk Management Plan | Yes (Rev 5) |
|
|
113
|
+
| Q | Privacy Impact Assessment (PIA) | If PII in scope |
|
|
114
|
+
|
|
115
|
+
---
|
|
116
|
+
|
|
117
|
+
## SSP Quality Checklist
|
|
118
|
+
|
|
119
|
+
Before submitting, verify:
|
|
120
|
+
- [ ] All controls for the applicable baseline have implementation statements
|
|
121
|
+
- [ ] No controls describe future/planned state as currently implemented
|
|
122
|
+
- [ ] All "Planned" controls appear in POA&M
|
|
123
|
+
- [ ] Architecture diagrams and control narratives are consistent
|
|
124
|
+
- [ ] External connections table matches the data flow diagrams
|
|
125
|
+
- [ ] CIS/CRM workbook is complete for all shared/inherited controls
|
|
126
|
+
- [ ] IIW lists every asset in the boundary
|
|
127
|
+
- [ ] Cryptographic modules table lists all FIPS 140-2/3 validated modules in use
|
|
128
|
+
- [ ] All required appendices (C through Q as applicable) are attached
|
|
129
|
+
- [ ] SSP Appendix A-12 is the current FedRAMP Laws & Regulations template
|
|
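Review bot: The final checklist item, "SSP Appendix A-12 is the current FedRAMP Laws & Regulations template", does not match the rest of the file, where Section 9 ("Required attachment: SSP Appendix B (Laws & Regulations)") and the appendices table ("| B | Related Laws & Regulations (Attachment 12) | Yes |") place that attachment at Appendix B; use one label throughout, e.g. "SSP Appendix B (Attachment 12) is the current FedRAMP Laws & Regulations template". Related, the checklist item "All required appendices (C through Q as applicable) are attached" leaves out A and B although the table marks both "Yes"; widen it to "A through Q". Separately, every line of this file appears as removed and re-added with identical text, which points to a line-ending or whitespace-only rewrite rather than a content change; normalizing line endings (for example through a .gitattributes rule) would keep future diffs limited to real edits and make reviews like this one tractable.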
@@ -1,192 +1,192 @@
|
|
|
1
|
-
# Consent Notice / Cookie Banner Template
|
|
2
|
-
|
|
3
|
-
## Legal Basis
|
|
4
|
-
Art. 7 (conditions for consent), Art. 4(11) (definition of consent), Recitals 32, 42–43.
|
|
5
|
-
ePrivacy Directive Art. 5(3) additionally applies to cookies/device storage.
|
|
6
|
-
|
|
7
|
-
---
|
|
8
|
-
|
|
9
|
-
## Consent Requirements Checklist (Art. 7)
|
|
10
|
-
- [ ] **Freely given**: No bundling with service terms; genuine choice with no detriment (Art. 7(4))
|
|
11
|
-
- [ ] **Specific**: Separate consent for each distinct purpose (Recital 43)
|
|
12
|
-
- [ ] **Informed**: Clear plain-language explanation before consent given
|
|
13
|
-
- [ ] **Unambiguous**: Affirmative act required — no pre-ticked boxes (Recital 32)
|
|
14
|
-
- [ ] **Withdrawable**: "As easy to withdraw as to give" (Art. 7(3)); withdrawal does not affect prior processing
|
|
15
|
-
- [ ] **Documented**: Record of when, how, and what consented to (Art. 7(1))
|
|
16
|
-
- [ ] **Age verified**: Under-16 requires parental consent (Art. 8; check Member State derogation 13–16)
|
|
17
|
-
|
|
18
|
-
---
|
|
19
|
-
|
|
20
|
-
## Cookie Banner — Required Elements
|
|
21
|
-
|
|
22
|
-
### Layer 1 (Initial Banner)
|
|
23
|
-
```
|
|
24
|
-
We use cookies to [improve your experience / personalise content / analyse traffic].
|
|
25
|
-
[ACCEPT ALL] [REJECT ALL] [MANAGE PREFERENCES]
|
|
26
|
-
|
|
27
|
-
[Link to Cookie Policy]
|
|
28
|
-
```
|
|
29
|
-
|
|
30
|
-
**Critical**: "Accept" and "Reject" must be equally prominent. Dark patterns (hiding reject,
|
|
31
|
-
pre-selected toggles) violate Art. 7 and Art. 5(1)(a) (fairness).
|
|
32
|
-
|
|
33
|
-
### Layer 2 (Preference Centre)
|
|
34
|
-
Group cookies by purpose; each requires a separate opt-in toggle defaulting to OFF:
|
|
35
|
-
| Category | Description | Default |
|
|
36
|
-
|----------|-------------|---------|
|
|
37
|
-
| Strictly Necessary | Required for site function — no consent needed | Always ON |
|
|
38
|
-
| Analytics | [Provider, purpose] | OFF |
|
|
39
|
-
| Marketing | [Provider, purpose] | OFF |
|
|
40
|
-
| Personalisation | [Provider, purpose] | OFF |
|
|
41
|
-
|
|
42
|
-
### Consent Record to Store
|
|
43
|
-
```json
|
|
44
|
-
{
|
|
45
|
-
"userId": "...",
|
|
46
|
-
"consentTimestamp": "ISO-8601",
|
|
47
|
-
"consentVersion": "v1.2",
|
|
48
|
-
"purposes": {
|
|
49
|
-
"analytics": true,
|
|
50
|
-
"marketing": false
|
|
51
|
-
},
|
|
52
|
-
"method": "explicit-click",
|
|
53
|
-
"ipAddress": "[pseudonymised or omit]"
|
|
54
|
-
}
|
|
55
|
-
```
|
|
56
|
-
|
|
57
|
-
---
|
|
58
|
-
---
|
|
59
|
-
|
|
60
|
-
# DPIA Template (Data Protection Impact Assessment)
|
|
61
|
-
|
|
62
|
-
## Legal Basis
|
|
63
|
-
Art. 35 GDPR — mandatory when processing is "likely to result in a high risk" to individuals.
|
|
64
|
-
Art. 35(3) lists mandatory triggers; supervisory authorities publish lists (Art. 35(4)).
|
|
65
|
-
|
|
66
|
-
## When Required (Art. 35(3) + WP29/EDPB guidance — any 2+ of these factors)
|
|
67
|
-
- Systematic and extensive profiling
|
|
68
|
-
- Large-scale special category data (Art. 9)
|
|
69
|
-
- Systematic monitoring of public areas
|
|
70
|
-
- New technologies
|
|
71
|
-
- Automated decision-making with legal/significant effects (Art. 22)
|
|
72
|
-
- Children's data at scale
|
|
73
|
-
- Data matching / combining datasets
|
|
74
|
-
|
|
75
|
-
---
|
|
76
|
-
|
|
77
|
-
## DPIA Structure
|
|
78
|
-
|
|
79
|
-
### 1. Description of Processing (Art. 35(7)(a))
|
|
80
|
-
- **System / project name**: [NAME]
|
|
81
|
-
- **Controller**: [NAME + DPO if applicable]
|
|
82
|
-
- **Nature of processing**: [What operations are performed on the data]
|
|
83
|
-
- **Scope**: [Volume, frequency, geographic reach]
|
|
84
|
-
- **Context**: [Who are the data subjects; their vulnerability level]
|
|
85
|
-
- **Purpose**: [What is the legitimate aim]
|
|
86
|
-
- **Lawful basis**: Art. 6(1)[X]; Art. 9(2)[X] if special category
|
|
87
|
-
|
|
88
|
-
### 2. Necessity and Proportionality Assessment (Art. 35(7)(b))
|
|
89
|
-
Assess whether processing is:
|
|
90
|
-
- **Necessary** for the purpose — could the purpose be achieved with less/no personal data?
|
|
91
|
-
- **Proportionate** — do the benefits outweigh the risks to individuals?
|
|
92
|
-
- **Compliant** with data minimisation (Art. 5(1)(c)), purpose limitation (Art. 5(1)(b))
|
|
93
|
-
|
|
94
|
-
### 3. Risk Assessment (Art. 35(7)(c))
|
|
95
|
-
For each identified risk:
|
|
96
|
-
| Risk | Likelihood (1–3) | Severity (1–3) | Risk Score | Mitigation |
|
|
97
|
-
|------|-----------------|---------------|-----------|------------|
|
|
98
|
-
| Unauthorised access | 2 | 3 | High | Encryption, access controls |
|
|
99
|
-
| Function creep | 1 | 2 | Medium | Purpose limitation controls |
|
|
100
|
-
| Re-identification | 2 | 3 | High | Pseudonymisation |
|
|
101
|
-
|
|
102
|
-
### 4. Measures to Address Risks (Art. 35(7)(d))
|
|
103
|
-
For each High/Medium risk:
|
|
104
|
-
- Technical measure: [DESCRIBE]
|
|
105
|
-
- Organisational measure: [DESCRIBE]
|
|
106
|
-
- Residual risk after mitigation: [Low/Medium/High]
|
|
107
|
-
|
|
108
|
-
### 5. DPO / Stakeholder Sign-off (Art. 35(2))
|
|
109
|
-
- DPO consulted: Yes / No — DPO opinion: [ATTACH]
|
|
110
|
-
- Data subjects consulted (where appropriate): Yes / No
|
|
111
|
-
- Outcome: ✅ Proceed | ⚠️ Proceed with conditions | 🔴 Prior consultation with SA required (Art. 36)
|
|
112
|
-
|
|
113
|
-
---
|
|
114
|
-
---
|
|
115
|
-
|
|
116
|
-
# Data Retention Policy Template
|
|
117
|
-
|
|
118
|
-
## Legal Basis
|
|
119
|
-
Art. 5(1)(e) — storage limitation: data kept no longer than necessary for purpose.
|
|
120
|
-
Art. 17 — right to erasure triggers where retention period expired.
|
|
121
|
-
|
|
122
|
-
---
|
|
123
|
-
|
|
124
|
-
## Retention Schedule
|
|
125
|
-
|
|
126
|
-
| Data Category | Business Purpose | Retention Period | Lawful Basis | Deletion Method |
|
|
127
|
-
|--------------|-----------------|-----------------|--------------|----------------|
|
|
128
|
-
| Customer account data | Service provision | Duration of contract + 2 years | Contract (Art. 6(1)(b)) | Secure deletion |
|
|
129
|
-
| Marketing preferences | Direct marketing | Until withdrawal of consent | Consent (Art. 6(1)(a)) | Anonymisation |
|
|
130
|
-
| Transaction records | Financial/legal obligations | 7 years | Legal obligation (Art. 6(1)(c)) | Secure archival then deletion |
|
|
131
|
-
| Employee records | Employment law | Duration + 6 years | Legal obligation | Secure deletion |
|
|
132
|
-
| CCTV footage | Security | 30 days | Legitimate interests (Art. 6(1)(f)) | Automatic overwrite |
|
|
133
|
-
| Server/access logs | Security monitoring | 90 days | Legitimate interests | Automated purge |
|
|
134
|
-
| Consent records | Compliance evidence | 3 years after withdrawal | Legal obligation | Retain in audit log |
|
|
135
|
-
|
|
136
|
-
---
|
|
137
|
-
|
|
138
|
-
## Operational Requirements
|
|
139
|
-
- Automated deletion jobs should run [FREQUENCY] against retention schedule
|
|
140
|
-
- Backups must be included in retention policy — purge from backups within [X] days of primary deletion
|
|
141
|
-
- Exceptions process: legal hold procedure for litigation/investigation (suspend deletion)
|
|
142
|
-
- Retention schedule reviewed: annually or upon material change to processing
|
|
143
|
-
|
|
144
|
-
---
|
|
145
|
-
---
|
|
146
|
-
|
|
147
|
-
# Data Subject Rights Procedure
|
|
148
|
-
|
|
149
|
-
## Legal Basis
|
|
150
|
-
Arts. 15–22 (individual rights), Art. 12 (modalities — response within 1 month, extendable by 2 months).
|
|
151
|
-
|
|
152
|
-
---
|
|
153
|
-
|
|
154
|
-
## Rights Summary
|
|
155
|
-
|
|
156
|
-
| Right | Article | When Applicable | Response Time |
|
|
157
|
-
|-------|---------|----------------|--------------|
|
|
158
|
-
| Access (SAR) | Art. 15 | Always (with exceptions) | 1 month (Art. 12(3)) |
|
|
159
|
-
| Rectification | Art. 16 | Inaccurate/incomplete data | 1 month |
|
|
160
|
-
| Erasure | Art. 17 | Consent withdrawn; no longer necessary; unlawful processing | 1 month |
|
|
161
|
-
| Restriction | Art. 18 | Accuracy contested; objection pending; unlawful but subject wants restriction | 1 month |
|
|
162
|
-
| Portability | Art. 20 | Consent or contract basis; automated processing only | 1 month |
|
|
163
|
-
| Object | Art. 21 | Legitimate interests or public task basis; direct marketing (absolute) | Immediately for direct marketing |
|
|
164
|
-
| No automated decisions | Art. 22 | Solely automated decisions with legal/significant effect | 1 month |
|
|
165
|
-
|
|
166
|
-
---
|
|
167
|
-
|
|
168
|
-
## Request Handling Process
|
|
169
|
-
|
|
170
|
-
1. **Receive**: Accept requests via [EMAIL / WEB FORM / POST]. Identity verification required — proportionate to risk; do not request excessive info (Art. 12(6)).
|
|
171
|
-
2. **Verify identity**: [METHOD — e.g., match against account details; 2FA confirmation]
|
|
172
|
-
3. **Log**: Record date received, type of request, handler assigned.
|
|
173
|
-
4. **Assess**: Determine if exemptions apply (e.g., Art. 17(3) — overriding legal obligation prevents erasure).
|
|
174
|
-
5. **Respond**: Within **one calendar month** of receipt (Art. 12(3)). If extending, notify requester within first month with reason (Art. 12(3)).
|
|
175
|
-
6. **Response must be**: Free of charge (Art. 12(5)); in concise, plain language (Art. 12(1)); in writing or by electronic means where requested.
|
|
176
|
-
7. **Refusal**: If request is refused, inform subject of reasons and right to complain to SA and seek judicial remedy (Art. 12(4)).
|
|
177
|
-
|
|
178
|
-
## Exemptions to Document
|
|
179
|
-
- Legal claims (Art. 17(3)(e))
|
|
180
|
-
- Freedom of expression (Art. 17(3)(a))
|
|
181
|
-
- Public interest archiving (Art. 17(3)(d))
|
|
182
|
-
- Manifestly unfounded or excessive requests — can charge fee or refuse (Art. 12(5))
|
|
183
|
-
|
|
184
|
-
---
|
|
185
|
-
|
|
186
|
-
## SLA & Escalation
|
|
187
|
-
- Day 0: Request received and logged
|
|
188
|
-
- Day 3: Identity verified; request categorised
|
|
189
|
-
- Day 20: Draft response reviewed by DPO/legal
|
|
190
|
-
- Day 28: Response sent (allowing 2 days buffer before Day 30 deadline)
|
|
191
|
-
- Day 30: Statutory deadline
|
|
192
|
-
- Extension notice must go out by Day 30 if needed, citing complex/numerous requests (Art. 12(3))
|
|
1
|
+
# Consent Notice / Cookie Banner Template
|
|
2
|
+
|
|
3
|
+
## Legal Basis
|
|
4
|
+
Art. 7 (conditions for consent), Art. 4(11) (definition of consent), Recitals 32, 42–43.
|
|
5
|
+
ePrivacy Directive Art. 5(3) additionally applies to cookies/device storage.
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## Consent Requirements Checklist (Art. 7)
|
|
10
|
+
- [ ] **Freely given**: No bundling with service terms; genuine choice with no detriment (Art. 7(4))
|
|
11
|
+
- [ ] **Specific**: Separate consent for each distinct purpose (Recital 43)
|
|
12
|
+
- [ ] **Informed**: Clear plain-language explanation before consent given
|
|
13
|
+
- [ ] **Unambiguous**: Affirmative act required — no pre-ticked boxes (Recital 32)
|
|
14
|
+
- [ ] **Withdrawable**: "As easy to withdraw as to give" (Art. 7(3)); withdrawal does not affect prior processing
|
|
15
|
+
- [ ] **Documented**: Record of when, how, and what consented to (Art. 7(1))
|
|
16
|
+
- [ ] **Age verified**: Under-16 requires parental consent (Art. 8; check Member State derogation 13–16)
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## Cookie Banner — Required Elements
|
|
21
|
+
|
|
22
|
+
### Layer 1 (Initial Banner)
|
|
23
|
+
```
|
|
24
|
+
We use cookies to [improve your experience / personalise content / analyse traffic].
|
|
25
|
+
[ACCEPT ALL] [REJECT ALL] [MANAGE PREFERENCES]
|
|
26
|
+
|
|
27
|
+
[Link to Cookie Policy]
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
**Critical**: "Accept" and "Reject" must be equally prominent. Dark patterns (hiding reject,
|
|
31
|
+
pre-selected toggles) violate Art. 7 and Art. 5(1)(a) (fairness).
|
|
32
|
+
|
|
33
|
+
### Layer 2 (Preference Centre)
|
|
34
|
+
Group cookies by purpose; each requires a separate opt-in toggle defaulting to OFF:
|
|
35
|
+
| Category | Description | Default |
|
|
36
|
+
|----------|-------------|---------|
|
|
37
|
+
| Strictly Necessary | Required for site function — no consent needed | Always ON |
|
|
38
|
+
| Analytics | [Provider, purpose] | OFF |
|
|
39
|
+
| Marketing | [Provider, purpose] | OFF |
|
|
40
|
+
| Personalisation | [Provider, purpose] | OFF |
|
|
41
|
+
|
|
42
|
+
### Consent Record to Store
|
|
43
|
+
```json
|
|
44
|
+
{
|
|
45
|
+
"userId": "...",
|
|
46
|
+
"consentTimestamp": "ISO-8601",
|
|
47
|
+
"consentVersion": "v1.2",
|
|
48
|
+
"purposes": {
|
|
49
|
+
"analytics": true,
|
|
50
|
+
"marketing": false
|
|
51
|
+
},
|
|
52
|
+
"method": "explicit-click",
|
|
53
|
+
"ipAddress": "[pseudonymised or omit]"
|
|
54
|
+
}
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
---
|
|
58
|
+
---
|
|
59
|
+
|
|
60
|
+
# DPIA Template (Data Protection Impact Assessment)
|
|
61
|
+
|
|
62
|
+
## Legal Basis
|
|
63
|
+
Art. 35 GDPR — mandatory when processing is "likely to result in a high risk" to individuals.
|
|
64
|
+
Art. 35(3) lists mandatory triggers; supervisory authorities publish lists (Art. 35(4)).
|
|
65
|
+
|
|
66
|
+
## When Required (Art. 35(3) + WP29/EDPB guidance — any 2+ of these factors)
|
|
67
|
+
- Systematic and extensive profiling
|
|
68
|
+
- Large-scale special category data (Art. 9)
|
|
69
|
+
- Systematic monitoring of public areas
|
|
70
|
+
- New technologies
|
|
71
|
+
- Automated decision-making with legal/significant effects (Art. 22)
|
|
72
|
+
- Children's data at scale
|
|
73
|
+
- Data matching / combining datasets
|
|
74
|
+
|
|
75
|
+
---
|
|
76
|
+
|
|
77
|
+
## DPIA Structure
|
|
78
|
+
|
|
79
|
+
### 1. Description of Processing (Art. 35(7)(a))
|
|
80
|
+
- **System / project name**: [NAME]
|
|
81
|
+
- **Controller**: [NAME + DPO if applicable]
|
|
82
|
+
- **Nature of processing**: [What operations are performed on the data]
|
|
83
|
+
- **Scope**: [Volume, frequency, geographic reach]
|
|
84
|
+
- **Context**: [Who are the data subjects; their vulnerability level]
|
|
85
|
+
- **Purpose**: [What is the legitimate aim]
|
|
86
|
+
- **Lawful basis**: Art. 6(1)[X]; Art. 9(2)[X] if special category
|
|
87
|
+
|
|
88
|
+
### 2. Necessity and Proportionality Assessment (Art. 35(7)(b))
|
|
89
|
+
Assess whether processing is:
|
|
90
|
+
- **Necessary** for the purpose — could the purpose be achieved with less/no personal data?
|
|
91
|
+
- **Proportionate** — do the benefits outweigh the risks to individuals?
|
|
92
|
+
- **Compliant** with data minimisation (Art. 5(1)(c)), purpose limitation (Art. 5(1)(b))
|
|
93
|
+
|
|
94
|
+
### 3. Risk Assessment (Art. 35(7)(c))
|
|
95
|
+
For each identified risk:
|
|
96
|
+
| Risk | Likelihood (1–3) | Severity (1–3) | Risk Score | Mitigation |
|
|
97
|
+
|------|-----------------|---------------|-----------|------------|
|
|
98
|
+
| Unauthorised access | 2 | 3 | High | Encryption, access controls |
|
|
99
|
+
| Function creep | 1 | 2 | Medium | Purpose limitation controls |
|
|
100
|
+
| Re-identification | 2 | 3 | High | Pseudonymisation |
|
|
101
|
+
|
|
102
|
+
### 4. Measures to Address Risks (Art. 35(7)(d))
|
|
103
|
+
For each High/Medium risk:
|
|
104
|
+
- Technical measure: [DESCRIBE]
|
|
105
|
+
- Organisational measure: [DESCRIBE]
|
|
106
|
+
- Residual risk after mitigation: [Low/Medium/High]
|
|
107
|
+
|
|
108
|
+
### 5. DPO / Stakeholder Sign-off (Art. 35(2))
|
|
109
|
+
- DPO consulted: Yes / No — DPO opinion: [ATTACH]
|
|
110
|
+
- Data subjects consulted (where appropriate): Yes / No
|
|
111
|
+
- Outcome: ✅ Proceed | ⚠️ Proceed with conditions | 🔴 Prior consultation with SA required (Art. 36)
|
|
112
|
+
|
|
113
|
+
---
|
|
114
|
+
---
|
|
115
|
+
|
|
116
|
+
# Data Retention Policy Template
|
|
117
|
+
|
|
118
|
+
## Legal Basis
|
|
119
|
+
Art. 5(1)(e) — storage limitation: data kept no longer than necessary for purpose.
|
|
120
|
+
Art. 17 — right to erasure triggers where retention period expired.
|
|
121
|
+
|
|
122
|
+
---
|
|
123
|
+
|
|
124
|
+
## Retention Schedule
|
|
125
|
+
|
|
126
|
+
| Data Category | Business Purpose | Retention Period | Lawful Basis | Deletion Method |
|
|
127
|
+
|--------------|-----------------|-----------------|--------------|----------------|
|
|
128
|
+
| Customer account data | Service provision | Duration of contract + 2 years | Contract (Art. 6(1)(b)) | Secure deletion |
|
|
129
|
+
| Marketing preferences | Direct marketing | Until withdrawal of consent | Consent (Art. 6(1)(a)) | Anonymisation |
|
|
130
|
+
| Transaction records | Financial/legal obligations | 7 years | Legal obligation (Art. 6(1)(c)) | Secure archival then deletion |
|
|
131
|
+
| Employee records | Employment law | Duration + 6 years | Legal obligation | Secure deletion |
|
|
132
|
+
| CCTV footage | Security | 30 days | Legitimate interests (Art. 6(1)(f)) | Automatic overwrite |
|
|
133
|
+
| Server/access logs | Security monitoring | 90 days | Legitimate interests | Automated purge |
|
|
134
|
+
| Consent records | Compliance evidence | 3 years after withdrawal | Legal obligation | Retain in audit log |
|
|
135
|
+
|
|
136
|
+
---
|
|
137
|
+
|
|
138
|
+
## Operational Requirements
|
|
139
|
+
- Automated deletion jobs should run [FREQUENCY] against retention schedule
|
|
140
|
+
- Backups must be included in retention policy — purge from backups within [X] days of primary deletion
|
|
141
|
+
- Exceptions process: legal hold procedure for litigation/investigation (suspend deletion)
|
|
142
|
+
- Retention schedule reviewed: annually or upon material change to processing
|
|
143
|
+
|
|
144
|
+
---
|
|
145
|
+
---
|
|
146
|
+
|
|
147
|
+
# Data Subject Rights Procedure
|
|
148
|
+
|
|
149
|
+
## Legal Basis
|
|
150
|
+
Arts. 15–22 (individual rights), Art. 12 (modalities — response within 1 month, extendable by 2 months).
|
|
151
|
+
|
|
152
|
+
---
|
|
153
|
+
|
|
154
|
+
## Rights Summary
|
|
155
|
+
|
|
156
|
+
| Right | Article | When Applicable | Response Time |
|
|
157
|
+
|-------|---------|----------------|--------------|
|
|
158
|
+
| Access (SAR) | Art. 15 | Always (with exceptions) | 1 month (Art. 12(3)) |
|
|
159
|
+
| Rectification | Art. 16 | Inaccurate/incomplete data | 1 month |
|
|
160
|
+
| Erasure | Art. 17 | Consent withdrawn; no longer necessary; unlawful processing | 1 month |
|
|
161
|
+
| Restriction | Art. 18 | Accuracy contested; objection pending; unlawful but subject wants restriction | 1 month |
|
|
162
|
+
| Portability | Art. 20 | Consent or contract basis; automated processing only | 1 month |
|
|
163
|
+
| Object | Art. 21 | Legitimate interests or public task basis; direct marketing (absolute) | Immediately for direct marketing |
|
|
164
|
+
| No automated decisions | Art. 22 | Solely automated decisions with legal/significant effect | 1 month |
|
|
165
|
+
|
|
166
|
+
---
|
|
167
|
+
|
|
168
|
+
## Request Handling Process
|
|
169
|
+
|
|
170
|
+
1. **Receive**: Accept requests via [EMAIL / WEB FORM / POST]. Identity verification required — proportionate to risk; do not request excessive info (Art. 12(6)).
|
|
171
|
+
2. **Verify identity**: [METHOD — e.g., match against account details; 2FA confirmation]
|
|
172
|
+
3. **Log**: Record date received, type of request, handler assigned.
|
|
173
|
+
4. **Assess**: Determine if exemptions apply (e.g., Art. 17(3) — overriding legal obligation prevents erasure).
|
|
174
|
+
5. **Respond**: Within **one calendar month** of receipt (Art. 12(3)). If extending, notify requester within first month with reason (Art. 12(3)).
|
|
175
|
+
6. **Response must be**: Free of charge (Art. 12(5)); in concise, plain language (Art. 12(1)); in writing or by electronic means where requested.
|
|
176
|
+
7. **Refusal**: If request is refused, inform subject of reasons and right to complain to SA and seek judicial remedy (Art. 12(4)).
|
|
177
|
+
|
|
178
|
+
## Exemptions to Document
|
|
179
|
+
- Legal claims (Art. 17(3)(e))
|
|
180
|
+
- Freedom of expression (Art. 17(3)(a))
|
|
181
|
+
- Public interest archiving (Art. 17(3)(d))
|
|
182
|
+
- Manifestly unfounded or excessive requests — can charge fee or refuse (Art. 12(5))
|
|
183
|
+
|
|
184
|
+
---
|
|
185
|
+
|
|
186
|
+
## SLA & Escalation
|
|
187
|
+
- Day 0: Request received and logged
|
|
188
|
+
- Day 3: Identity verified; request categorised
|
|
189
|
+
- Day 20: Draft response reviewed by DPO/legal
|
|
190
|
+
- Day 28: Response sent (allowing 2 days buffer before Day 30 deadline)
|
|
191
|
+
- Day 30: Statutory deadline
|
|
192
|
+
- Extension notice must go out by Day 30 if needed, citing complex/numerous requests (Art. 12(3))
|
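Review bot: The SLA timeline's "Day 30: Statutory deadline" and "Day 28: Response sent (allowing 2 days buffer before Day 30 deadline)" conflict with step 5 of the handling process, which sets the deadline at "one calendar month" of receipt (Art. 12(3)); a request received on 31 January falls due at the end of February, before Day 30, so a fixed day count can miss the deadline. State the deadline as the end of the corresponding calendar month (or compute it per request) and derive the review and send milestones from that date. In the DPIA risk table, "Risk Score" is given as High or Medium without saying how Likelihood (1–3) and Severity (1–3) produce it; add the mapping (for instance, product 6 or more = High, 3 to 5 = Medium, below 3 = Low, which matches the three sample rows) so assessors score consistently. As with the preceding file, both sides of this hunk are textually identical, suggesting a line-ending-only change.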