bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281) hide show
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,129 +1,129 @@
1
- # SSP Writing Guide
2
-
3
- The System Security Plan (SSP) is the centerpiece of the FedRAMP authorization package.
4
- It tells the complete security story of the Cloud Service Offering (CSO): architecture,
5
- data flows, control implementations, roles, and boundary. Many SSPs exceed 500 pages.
6
-
7
- > Always use the official FedRAMP SSP template. One template covers all baselines
8
- > (LI-SaaS, Low, Moderate, High). Templates at: https://www.fedramp.gov/rev5/documents-templates/
9
-
10
- ---
11
-
12
- ## SSP Section-by-Section Guide
13
-
14
- ### Section 1: Information System Name and Title
15
- - Formal name of the CSO
16
- - Unique identifier (assigned during FedRAMP process)
17
- - Service model (IaaS / PaaS / SaaS)
18
- - Deployment model (Public / Private / Community / Hybrid cloud)
19
-
20
- ### Section 2: System Categorization
21
- - FIPS 199 impact determination: Confidentiality / Integrity / Availability
22
- - Overall impact level = high-water mark of the three values
23
- - Justify each categorization with the types of federal information processed
24
-
25
- ### Section 3: System Owner / Authorizing Official
26
- - List CSP system owner, ISSO, and agency AO contacts
27
- - For agency authorization, include the sponsoring agency AO
28
-
29
- ### Section 4: Assignment of Security Responsibility
30
- - Identify the ISSO (Information System Security Officer)
31
- - Document CSP security team contacts
32
-
33
- ### Section 5: System Mission / Purpose
34
- - Brief description of what the system does
35
- - What federal agencies/programs it supports
36
- - What types of federal data it handles
37
-
38
- ### Section 6: System Description
39
- - Narrative description of the system
40
- - Technology stack overview
41
- - Key system components
42
-
43
- ### Section 7: General System Description / System Environment
44
- **This is one of the most scrutinized sections.**
45
- - Detailed architecture description
46
- - Authorization boundary narrative — clearly define what is IN and OUT of scope
47
- - Network architecture diagram (embedded)
48
- - Data flow diagrams (embedded)
49
- - Ports, protocols, and services table
50
- - External connections table (all services connecting to/from the boundary)
51
-
52
- **Common mistakes:**
53
- - Vague boundary descriptions ("the cloud environment") — be specific
54
- - Missing data flows for admin/management traffic
55
- - Not documenting external services (DNS, NTP, update servers, SaaS tools used by admins)
56
-
57
- ### Section 8: System Environment / Interconnections
58
- - Interconnection Security Agreements (ISAs) for each external system
59
- - Leveraged FedRAMP services (IaaS/PaaS) and their authorization status
60
- - Inherited controls from leveraged services must be documented in CIS/CRM workbook
61
-
62
- ### Section 9: Laws, Regulations, Standards (Appendix B)
63
- - Required attachment: SSP Appendix B (Laws & Regulations) — use the FedRAMP template
64
- - Lists applicable federal laws (FISMA, Privacy Act, etc.)
65
- - May include agency-specific requirements (HIPAA, CJIS if applicable)
66
-
67
- ### Section 10: Minimum Security Controls
68
- **The largest section — one narrative per control.**
69
-
70
- For each control in the applicable baseline:
71
-
72
- ```
73
- [Control ID] [Control Name]
74
- Implementation Status: Implemented | Partially Implemented | Planned | Not Applicable | Alternative Implementation
75
-
76
- [Control Implementation Statement]
77
- Describe HOW the control is implemented. Be specific:
78
- - What tool, policy, or process implements this control?
79
- - Who is responsible?
80
- - Where is the evidence?
81
- - For shared controls: what is the CSP responsibility vs. customer responsibility?
82
-
83
- Customer Responsibility (if applicable):
84
- [Describe what the customer/agency must do]
85
- ```
86
-
87
- **Writing tips:**
88
- - Address every verb in the control requirement — if the control says "monitor and record," describe both monitoring AND recording
89
- - Reference specific policy document names, tool names, configuration settings
90
- - For inherited controls from FedRAMP IaaS/PaaS: state "This control is fully/partially inherited from [Provider]. See CIS/CRM workbook."
91
- - Mark unimplemented controls as "Planned" and ensure they appear in POA&M
92
-
93
- ### SSP Appendices (A through Q)
94
-
95
- | Appendix | Content | Required? |
96
- |---|---|---|
97
- | A | Acronyms & Glossary | Yes |
98
- | B | Related Laws & Regulations (Attachment 12) | Yes |
99
- | C | Security Policies & Procedures | Yes (CSP-authored) |
100
- | D | User Guide | Yes |
101
- | E | Rules of Behavior | Yes (FedRAMP template) |
102
- | F | IT Contingency Plan | Yes (FedRAMP ISCP template, updated Dec 2024) |
103
- | G | Configuration Management Plan | Yes (CSP-authored) |
104
- | H | Incident Response Plan | Yes (CSP-authored) |
105
- | I | Control Implementation Summary (CIS) / CRM Workbook | Yes (FedRAMP template) |
106
- | J | FIPS 199 Categorization | Yes |
107
- | K | Integrated Inventory Workbook (IIW) | Yes (FedRAMP template, updated Dec 2024) |
108
- | L | Cryptographic Modules Table | Yes |
109
- | M | Continuous Monitoring Plan | Yes |
110
- | N | Separation of Duties Matrix | Conditional |
111
- | O | POA&M | Yes (FedRAMP template) |
112
- | P | Supply Chain Risk Management Plan | Yes (Rev 5) |
113
- | Q | Privacy Impact Assessment (PIA) | If PII in scope |
114
-
115
- ---
116
-
117
- ## SSP Quality Checklist
118
-
119
- Before submitting, verify:
120
- - [ ] All controls for the applicable baseline have implementation statements
121
- - [ ] No controls describe future/planned state as currently implemented
122
- - [ ] All "Planned" controls appear in POA&M
123
- - [ ] Architecture diagrams and control narratives are consistent
124
- - [ ] External connections table matches the data flow diagrams
125
- - [ ] CIS/CRM workbook is complete for all shared/inherited controls
126
- - [ ] IIW lists every asset in the boundary
127
- - [ ] Cryptographic modules table lists all FIPS 140-2/3 validated modules in use
128
- - [ ] All required appendices (C through Q as applicable) are attached
129
- - [ ] SSP Appendix A-12 is the current FedRAMP Laws & Regulations template
1
+ # SSP Writing Guide
2
+
3
+ The System Security Plan (SSP) is the centerpiece of the FedRAMP authorization package.
4
+ It tells the complete security story of the Cloud Service Offering (CSO): architecture,
5
+ data flows, control implementations, roles, and boundary. Many SSPs exceed 500 pages.
6
+
7
+ > Always use the official FedRAMP SSP template. One template covers all baselines
8
+ > (LI-SaaS, Low, Moderate, High). Templates at: https://www.fedramp.gov/rev5/documents-templates/
9
+
10
+ ---
11
+
12
+ ## SSP Section-by-Section Guide
13
+
14
+ ### Section 1: Information System Name and Title
15
+ - Formal name of the CSO
16
+ - Unique identifier (assigned during FedRAMP process)
17
+ - Service model (IaaS / PaaS / SaaS)
18
+ - Deployment model (Public / Private / Community / Hybrid cloud)
19
+
20
+ ### Section 2: System Categorization
21
+ - FIPS 199 impact determination: Confidentiality / Integrity / Availability
22
+ - Overall impact level = high-water mark of the three values
23
+ - Justify each categorization with the types of federal information processed
24
+
25
+ ### Section 3: System Owner / Authorizing Official
26
+ - List CSP system owner, ISSO, and agency AO contacts
27
+ - For agency authorization, include the sponsoring agency AO
28
+
29
+ ### Section 4: Assignment of Security Responsibility
30
+ - Identify the ISSO (Information System Security Officer)
31
+ - Document CSP security team contacts
32
+
33
+ ### Section 5: System Mission / Purpose
34
+ - Brief description of what the system does
35
+ - What federal agencies/programs it supports
36
+ - What types of federal data it handles
37
+
38
+ ### Section 6: System Description
39
+ - Narrative description of the system
40
+ - Technology stack overview
41
+ - Key system components
42
+
43
+ ### Section 7: General System Description / System Environment
44
+ **This is one of the most scrutinized sections.**
45
+ - Detailed architecture description
46
+ - Authorization boundary narrative — clearly define what is IN and OUT of scope
47
+ - Network architecture diagram (embedded)
48
+ - Data flow diagrams (embedded)
49
+ - Ports, protocols, and services table
50
+ - External connections table (all services connecting to/from the boundary)
51
+
52
+ **Common mistakes:**
53
+ - Vague boundary descriptions ("the cloud environment") — be specific
54
+ - Missing data flows for admin/management traffic
55
+ - Not documenting external services (DNS, NTP, update servers, SaaS tools used by admins)
56
+
57
+ ### Section 8: System Environment / Interconnections
58
+ - Interconnection Security Agreements (ISAs) for each external system
59
+ - Leveraged FedRAMP services (IaaS/PaaS) and their authorization status
60
+ - Inherited controls from leveraged services must be documented in CIS/CRM workbook
61
+
62
+ ### Section 9: Laws, Regulations, Standards (Appendix B)
63
+ - Required attachment: SSP Appendix B (Laws & Regulations) — use the FedRAMP template
64
+ - Lists applicable federal laws (FISMA, Privacy Act, etc.)
65
+ - May include agency-specific requirements (HIPAA, CJIS if applicable)
66
+
67
+ ### Section 10: Minimum Security Controls
68
+ **The largest section — one narrative per control.**
69
+
70
+ For each control in the applicable baseline:
71
+
72
+ ```
73
+ [Control ID] [Control Name]
74
+ Implementation Status: Implemented | Partially Implemented | Planned | Not Applicable | Alternative Implementation
75
+
76
+ [Control Implementation Statement]
77
+ Describe HOW the control is implemented. Be specific:
78
+ - What tool, policy, or process implements this control?
79
+ - Who is responsible?
80
+ - Where is the evidence?
81
+ - For shared controls: what is the CSP responsibility vs. customer responsibility?
82
+
83
+ Customer Responsibility (if applicable):
84
+ [Describe what the customer/agency must do]
85
+ ```
86
+
87
+ **Writing tips:**
88
+ - Address every verb in the control requirement — if the control says "monitor and record," describe both monitoring AND recording
89
+ - Reference specific policy document names, tool names, configuration settings
90
+ - For inherited controls from FedRAMP IaaS/PaaS: state "This control is fully/partially inherited from [Provider]. See CIS/CRM workbook."
91
+ - Mark unimplemented controls as "Planned" and ensure they appear in POA&M
92
+
93
+ ### SSP Appendices (A through Q)
94
+
95
+ | Appendix | Content | Required? |
96
+ |---|---|---|
97
+ | A | Acronyms & Glossary | Yes |
98
+ | B | Related Laws & Regulations (Attachment 12) | Yes |
99
+ | C | Security Policies & Procedures | Yes (CSP-authored) |
100
+ | D | User Guide | Yes |
101
+ | E | Rules of Behavior | Yes (FedRAMP template) |
102
+ | F | IT Contingency Plan | Yes (FedRAMP ISCP template, updated Dec 2024) |
103
+ | G | Configuration Management Plan | Yes (CSP-authored) |
104
+ | H | Incident Response Plan | Yes (CSP-authored) |
105
+ | I | Control Implementation Summary (CIS) / CRM Workbook | Yes (FedRAMP template) |
106
+ | J | FIPS 199 Categorization | Yes |
107
+ | K | Integrated Inventory Workbook (IIW) | Yes (FedRAMP template, updated Dec 2024) |
108
+ | L | Cryptographic Modules Table | Yes |
109
+ | M | Continuous Monitoring Plan | Yes |
110
+ | N | Separation of Duties Matrix | Conditional |
111
+ | O | POA&M | Yes (FedRAMP template) |
112
+ | P | Supply Chain Risk Management Plan | Yes (Rev 5) |
113
+ | Q | Privacy Impact Assessment (PIA) | If PII in scope |
114
+
115
+ ---
116
+
117
+ ## SSP Quality Checklist
118
+
119
+ Before submitting, verify:
120
+ - [ ] All controls for the applicable baseline have implementation statements
121
+ - [ ] No controls describe future/planned state as currently implemented
122
+ - [ ] All "Planned" controls appear in POA&M
123
+ - [ ] Architecture diagrams and control narratives are consistent
124
+ - [ ] External connections table matches the data flow diagrams
125
+ - [ ] CIS/CRM workbook is complete for all shared/inherited controls
126
+ - [ ] IIW lists every asset in the boundary
127
+ - [ ] Cryptographic modules table lists all FIPS 140-2/3 validated modules in use
128
+ - [ ] All required appendices (C through Q as applicable) are attached
129
+ - [ ] SSP Appendix A-12 is the current FedRAMP Laws & Regulations template
@@ -1,192 +1,192 @@
1
- # Consent Notice / Cookie Banner Template
2
-
3
- ## Legal Basis
4
- Art. 7 (conditions for consent), Art. 4(11) (definition of consent), Recitals 32, 42–43.
5
- ePrivacy Directive Art. 5(3) additionally applies to cookies/device storage.
6
-
7
- ---
8
-
9
- ## Consent Requirements Checklist (Art. 7)
10
- - [ ] **Freely given**: No bundling with service terms; genuine choice with no detriment (Art. 7(4))
11
- - [ ] **Specific**: Separate consent for each distinct purpose (Recital 43)
12
- - [ ] **Informed**: Clear plain-language explanation before consent given
13
- - [ ] **Unambiguous**: Affirmative act required — no pre-ticked boxes (Recital 32)
14
- - [ ] **Withdrawable**: "As easy to withdraw as to give" (Art. 7(3)); withdrawal does not affect prior processing
15
- - [ ] **Documented**: Record of when, how, and what consented to (Art. 7(1))
16
- - [ ] **Age verified**: Under-16 requires parental consent (Art. 8; check Member State derogation 13–16)
17
-
18
- ---
19
-
20
- ## Cookie Banner — Required Elements
21
-
22
- ### Layer 1 (Initial Banner)
23
- ```
24
- We use cookies to [improve your experience / personalise content / analyse traffic].
25
- [ACCEPT ALL] [REJECT ALL] [MANAGE PREFERENCES]
26
-
27
- [Link to Cookie Policy]
28
- ```
29
-
30
- **Critical**: "Accept" and "Reject" must be equally prominent. Dark patterns (hiding reject,
31
- pre-selected toggles) violate Art. 7 and Art. 5(1)(a) (fairness).
32
-
33
- ### Layer 2 (Preference Centre)
34
- Group cookies by purpose; each requires a separate opt-in toggle defaulting to OFF:
35
- | Category | Description | Default |
36
- |----------|-------------|---------|
37
- | Strictly Necessary | Required for site function — no consent needed | Always ON |
38
- | Analytics | [Provider, purpose] | OFF |
39
- | Marketing | [Provider, purpose] | OFF |
40
- | Personalisation | [Provider, purpose] | OFF |
41
-
42
- ### Consent Record to Store
43
- ```json
44
- {
45
- "userId": "...",
46
- "consentTimestamp": "ISO-8601",
47
- "consentVersion": "v1.2",
48
- "purposes": {
49
- "analytics": true,
50
- "marketing": false
51
- },
52
- "method": "explicit-click",
53
- "ipAddress": "[pseudonymised or omit]"
54
- }
55
- ```
56
-
57
- ---
58
- ---
59
-
60
- # DPIA Template (Data Protection Impact Assessment)
61
-
62
- ## Legal Basis
63
- Art. 35 GDPR — mandatory when processing is "likely to result in a high risk" to individuals.
64
- Art. 35(3) lists mandatory triggers; supervisory authorities publish lists (Art. 35(4)).
65
-
66
- ## When Required (Art. 35(3) + WP29/EDPB guidance — any 2+ of these factors)
67
- - Systematic and extensive profiling
68
- - Large-scale special category data (Art. 9)
69
- - Systematic monitoring of public areas
70
- - New technologies
71
- - Automated decision-making with legal/significant effects (Art. 22)
72
- - Children's data at scale
73
- - Data matching / combining datasets
74
-
75
- ---
76
-
77
- ## DPIA Structure
78
-
79
- ### 1. Description of Processing (Art. 35(7)(a))
80
- - **System / project name**: [NAME]
81
- - **Controller**: [NAME + DPO if applicable]
82
- - **Nature of processing**: [What operations are performed on the data]
83
- - **Scope**: [Volume, frequency, geographic reach]
84
- - **Context**: [Who are the data subjects; their vulnerability level]
85
- - **Purpose**: [What is the legitimate aim]
86
- - **Lawful basis**: Art. 6(1)[X]; Art. 9(2)[X] if special category
87
-
88
- ### 2. Necessity and Proportionality Assessment (Art. 35(7)(b))
89
- Assess whether processing is:
90
- - **Necessary** for the purpose — could the purpose be achieved with less/no personal data?
91
- - **Proportionate** — do the benefits outweigh the risks to individuals?
92
- - **Compliant** with data minimisation (Art. 5(1)(c)), purpose limitation (Art. 5(1)(b))
93
-
94
- ### 3. Risk Assessment (Art. 35(7)(c))
95
- For each identified risk:
96
- | Risk | Likelihood (1–3) | Severity (1–3) | Risk Score | Mitigation |
97
- |------|-----------------|---------------|-----------|------------|
98
- | Unauthorised access | 2 | 3 | High | Encryption, access controls |
99
- | Function creep | 1 | 2 | Medium | Purpose limitation controls |
100
- | Re-identification | 2 | 3 | High | Pseudonymisation |
101
-
102
- ### 4. Measures to Address Risks (Art. 35(7)(d))
103
- For each High/Medium risk:
104
- - Technical measure: [DESCRIBE]
105
- - Organisational measure: [DESCRIBE]
106
- - Residual risk after mitigation: [Low/Medium/High]
107
-
108
- ### 5. DPO / Stakeholder Sign-off (Art. 35(2))
109
- - DPO consulted: Yes / No — DPO opinion: [ATTACH]
110
- - Data subjects consulted (where appropriate): Yes / No
111
- - Outcome: ✅ Proceed | ⚠️ Proceed with conditions | 🔴 Prior consultation with SA required (Art. 36)
112
-
113
- ---
114
- ---
115
-
116
- # Data Retention Policy Template
117
-
118
- ## Legal Basis
119
- Art. 5(1)(e) — storage limitation: data kept no longer than necessary for purpose.
120
- Art. 17 — right to erasure triggers where retention period expired.
121
-
122
- ---
123
-
124
- ## Retention Schedule
125
-
126
- | Data Category | Business Purpose | Retention Period | Lawful Basis | Deletion Method |
127
- |--------------|-----------------|-----------------|--------------|----------------|
128
- | Customer account data | Service provision | Duration of contract + 2 years | Contract (Art. 6(1)(b)) | Secure deletion |
129
- | Marketing preferences | Direct marketing | Until withdrawal of consent | Consent (Art. 6(1)(a)) | Anonymisation |
130
- | Transaction records | Financial/legal obligations | 7 years | Legal obligation (Art. 6(1)(c)) | Secure archival then deletion |
131
- | Employee records | Employment law | Duration + 6 years | Legal obligation | Secure deletion |
132
- | CCTV footage | Security | 30 days | Legitimate interests (Art. 6(1)(f)) | Automatic overwrite |
133
- | Server/access logs | Security monitoring | 90 days | Legitimate interests | Automated purge |
134
- | Consent records | Compliance evidence | 3 years after withdrawal | Legal obligation | Retain in audit log |
135
-
136
- ---
137
-
138
- ## Operational Requirements
139
- - Automated deletion jobs should run [FREQUENCY] against retention schedule
140
- - Backups must be included in retention policy — purge from backups within [X] days of primary deletion
141
- - Exceptions process: legal hold procedure for litigation/investigation (suspend deletion)
142
- - Retention schedule reviewed: annually or upon material change to processing
143
-
144
- ---
145
- ---
146
-
147
- # Data Subject Rights Procedure
148
-
149
- ## Legal Basis
150
- Arts. 15–22 (individual rights), Art. 12 (modalities — response within 1 month, extendable by 2 months).
151
-
152
- ---
153
-
154
- ## Rights Summary
155
-
156
- | Right | Article | When Applicable | Response Time |
157
- |-------|---------|----------------|--------------|
158
- | Access (SAR) | Art. 15 | Always (with exceptions) | 1 month (Art. 12(3)) |
159
- | Rectification | Art. 16 | Inaccurate/incomplete data | 1 month |
160
- | Erasure | Art. 17 | Consent withdrawn; no longer necessary; unlawful processing | 1 month |
161
- | Restriction | Art. 18 | Accuracy contested; objection pending; unlawful but subject wants restriction | 1 month |
162
- | Portability | Art. 20 | Consent or contract basis; automated processing only | 1 month |
163
- | Object | Art. 21 | Legitimate interests or public task basis; direct marketing (absolute) | Immediately for direct marketing |
164
- | No automated decisions | Art. 22 | Solely automated decisions with legal/significant effect | 1 month |
165
-
166
- ---
167
-
168
- ## Request Handling Process
169
-
170
- 1. **Receive**: Accept requests via [EMAIL / WEB FORM / POST]. Identity verification required — proportionate to risk; do not request excessive info (Art. 12(6)).
171
- 2. **Verify identity**: [METHOD — e.g., match against account details; 2FA confirmation]
172
- 3. **Log**: Record date received, type of request, handler assigned.
173
- 4. **Assess**: Determine if exemptions apply (e.g., Art. 17(3) — overriding legal obligation prevents erasure).
174
- 5. **Respond**: Within **one calendar month** of receipt (Art. 12(3)). If extending, notify requester within first month with reason (Art. 12(3)).
175
- 6. **Response must be**: Free of charge (Art. 12(5)); in concise, plain language (Art. 12(1)); in writing or by electronic means where requested.
176
- 7. **Refusal**: If request is refused, inform subject of reasons and right to complain to SA and seek judicial remedy (Art. 12(4)).
177
-
178
- ## Exemptions to Document
179
- - Legal claims (Art. 17(3)(e))
180
- - Freedom of expression (Art. 17(3)(a))
181
- - Public interest archiving (Art. 17(3)(d))
182
- - Manifestly unfounded or excessive requests — can charge fee or refuse (Art. 12(5))
183
-
184
- ---
185
-
186
- ## SLA & Escalation
187
- - Day 0: Request received and logged
188
- - Day 3: Identity verified; request categorised
189
- - Day 20: Draft response reviewed by DPO/legal
190
- - Day 28: Response sent (allowing 2 days buffer before Day 30 deadline)
191
- - Day 30: Statutory deadline
192
- - Extension notice must go out by Day 30 if needed, citing complex/numerous requests (Art. 12(3))
1
+ # Consent Notice / Cookie Banner Template
2
+
3
+ ## Legal Basis
4
+ Art. 7 (conditions for consent), Art. 4(11) (definition of consent), Recitals 32, 42–43.
5
+ ePrivacy Directive Art. 5(3) additionally applies to cookies/device storage.
6
+
7
+ ---
8
+
9
+ ## Consent Requirements Checklist (Art. 7)
10
+ - [ ] **Freely given**: No bundling with service terms; genuine choice with no detriment (Art. 7(4))
11
+ - [ ] **Specific**: Separate consent for each distinct purpose (Recital 43)
12
+ - [ ] **Informed**: Clear plain-language explanation before consent given
13
+ - [ ] **Unambiguous**: Affirmative act required — no pre-ticked boxes (Recital 32)
14
+ - [ ] **Withdrawable**: "As easy to withdraw as to give" (Art. 7(3)); withdrawal does not affect prior processing
15
+ - [ ] **Documented**: Record of when, how, and what consented to (Art. 7(1))
16
+ - [ ] **Age verified**: Under-16 requires parental consent (Art. 8; check Member State derogation 13–16)
17
+
18
+ ---
19
+
20
+ ## Cookie Banner — Required Elements
21
+
22
+ ### Layer 1 (Initial Banner)
23
+ ```
24
+ We use cookies to [improve your experience / personalise content / analyse traffic].
25
+ [ACCEPT ALL] [REJECT ALL] [MANAGE PREFERENCES]
26
+
27
+ [Link to Cookie Policy]
28
+ ```
29
+
30
+ **Critical**: "Accept" and "Reject" must be equally prominent. Dark patterns (hiding reject,
31
+ pre-selected toggles) violate Art. 7 and Art. 5(1)(a) (fairness).
32
+
33
+ ### Layer 2 (Preference Centre)
34
+ Group cookies by purpose; each requires a separate opt-in toggle defaulting to OFF:
35
+ | Category | Description | Default |
36
+ |----------|-------------|---------|
37
+ | Strictly Necessary | Required for site function — no consent needed | Always ON |
38
+ | Analytics | [Provider, purpose] | OFF |
39
+ | Marketing | [Provider, purpose] | OFF |
40
+ | Personalisation | [Provider, purpose] | OFF |
41
+
42
+ ### Consent Record to Store
43
+ ```json
44
+ {
45
+ "userId": "...",
46
+ "consentTimestamp": "ISO-8601",
47
+ "consentVersion": "v1.2",
48
+ "purposes": {
49
+ "analytics": true,
50
+ "marketing": false
51
+ },
52
+ "method": "explicit-click",
53
+ "ipAddress": "[pseudonymised or omit]"
54
+ }
55
+ ```
56
+
57
+ ---
58
+ ---
59
+
60
+ # DPIA Template (Data Protection Impact Assessment)
61
+
62
+ ## Legal Basis
63
+ Art. 35 GDPR — mandatory when processing is "likely to result in a high risk" to individuals.
64
+ Art. 35(3) lists mandatory triggers; supervisory authorities publish lists (Art. 35(4)).
65
+
66
+ ## When Required (Art. 35(3) + WP29/EDPB guidance — any 2+ of these factors)
67
+ - Systematic and extensive profiling
68
+ - Large-scale special category data (Art. 9)
69
+ - Systematic monitoring of public areas
70
+ - New technologies
71
+ - Automated decision-making with legal/significant effects (Art. 22)
72
+ - Children's data at scale
73
+ - Data matching / combining datasets
74
+
75
+ ---
76
+
77
+ ## DPIA Structure
78
+
79
+ ### 1. Description of Processing (Art. 35(7)(a))
80
+ - **System / project name**: [NAME]
81
+ - **Controller**: [NAME + DPO if applicable]
82
+ - **Nature of processing**: [What operations are performed on the data]
83
+ - **Scope**: [Volume, frequency, geographic reach]
84
+ - **Context**: [Who are the data subjects; their vulnerability level]
85
+ - **Purpose**: [What is the legitimate aim]
86
+ - **Lawful basis**: Art. 6(1)[X]; Art. 9(2)[X] if special category
87
+
88
+ ### 2. Necessity and Proportionality Assessment (Art. 35(7)(b))
89
+ Assess whether processing is:
90
+ - **Necessary** for the purpose — could the purpose be achieved with less/no personal data?
91
+ - **Proportionate** — do the benefits outweigh the risks to individuals?
92
+ - **Compliant** with data minimisation (Art. 5(1)(c)), purpose limitation (Art. 5(1)(b))
93
+
94
+ ### 3. Risk Assessment (Art. 35(7)(c))
95
+ For each identified risk:
96
+ | Risk | Likelihood (1–3) | Severity (1–3) | Risk Score | Mitigation |
97
+ |------|-----------------|---------------|-----------|------------|
98
+ | Unauthorised access | 2 | 3 | High | Encryption, access controls |
99
+ | Function creep | 1 | 2 | Medium | Purpose limitation controls |
100
+ | Re-identification | 2 | 3 | High | Pseudonymisation |
101
+
102
+ ### 4. Measures to Address Risks (Art. 35(7)(d))
103
+ For each High/Medium risk:
104
+ - Technical measure: [DESCRIBE]
105
+ - Organisational measure: [DESCRIBE]
106
+ - Residual risk after mitigation: [Low/Medium/High]
107
+
108
+ ### 5. DPO / Stakeholder Sign-off (Art. 35(2))
109
+ - DPO consulted: Yes / No — DPO opinion: [ATTACH]
110
+ - Data subjects consulted (where appropriate): Yes / No
111
+ - Outcome: ✅ Proceed | ⚠️ Proceed with conditions | 🔴 Prior consultation with SA required (Art. 36)
112
+
113
+ ---
114
+ ---
115
+
116
+ # Data Retention Policy Template
117
+
118
+ ## Legal Basis
119
+ Art. 5(1)(e) — storage limitation: data kept no longer than necessary for purpose.
120
+ Art. 17 — right to erasure triggers where retention period expired.
121
+
122
+ ---
123
+
124
+ ## Retention Schedule
125
+
126
+ | Data Category | Business Purpose | Retention Period | Lawful Basis | Deletion Method |
127
+ |--------------|-----------------|-----------------|--------------|----------------|
128
+ | Customer account data | Service provision | Duration of contract + 2 years | Contract (Art. 6(1)(b)) | Secure deletion |
129
+ | Marketing preferences | Direct marketing | Until withdrawal of consent | Consent (Art. 6(1)(a)) | Anonymisation |
130
+ | Transaction records | Financial/legal obligations | 7 years | Legal obligation (Art. 6(1)(c)) | Secure archival then deletion |
131
+ | Employee records | Employment law | Duration + 6 years | Legal obligation | Secure deletion |
132
+ | CCTV footage | Security | 30 days | Legitimate interests (Art. 6(1)(f)) | Automatic overwrite |
133
+ | Server/access logs | Security monitoring | 90 days | Legitimate interests | Automated purge |
134
+ | Consent records | Compliance evidence | 3 years after withdrawal | Legal obligation | Retain in audit log |
135
+
136
+ ---
137
+
138
+ ## Operational Requirements
139
+ - Automated deletion jobs should run [FREQUENCY] against retention schedule
140
+ - Backups must be included in retention policy — purge from backups within [X] days of primary deletion
141
+ - Exceptions process: legal hold procedure for litigation/investigation (suspend deletion)
142
+ - Retention schedule reviewed: annually or upon material change to processing
143
+
144
+ ---
145
+ ---
146
+
147
+ # Data Subject Rights Procedure
148
+
149
+ ## Legal Basis
150
+ Arts. 15–22 (individual rights), Art. 12 (modalities — response within 1 month, extendable by 2 months).
151
+
152
+ ---
153
+
154
+ ## Rights Summary
155
+
156
+ | Right | Article | When Applicable | Response Time |
157
+ |-------|---------|----------------|--------------|
158
+ | Access (SAR) | Art. 15 | Always (with exceptions) | 1 month (Art. 12(3)) |
159
+ | Rectification | Art. 16 | Inaccurate/incomplete data | 1 month |
160
+ | Erasure | Art. 17 | Consent withdrawn; no longer necessary; unlawful processing | 1 month |
161
+ | Restriction | Art. 18 | Accuracy contested; objection pending; unlawful but subject wants restriction | 1 month |
162
+ | Portability | Art. 20 | Consent or contract basis; automated processing only | 1 month |
163
+ | Object | Art. 21 | Legitimate interests or public task basis; direct marketing (absolute) | Immediately for direct marketing |
164
+ | No automated decisions | Art. 22 | Solely automated decisions with legal/significant effect | 1 month |
165
+
166
+ ---
167
+
168
+ ## Request Handling Process
169
+
170
+ 1. **Receive**: Accept requests via [EMAIL / WEB FORM / POST]. Identity verification required — proportionate to risk; do not request excessive info (Art. 12(6)).
171
+ 2. **Verify identity**: [METHOD — e.g., match against account details; 2FA confirmation]
172
+ 3. **Log**: Record date received, type of request, handler assigned.
173
+ 4. **Assess**: Determine if exemptions apply (e.g., Art. 17(3) — overriding legal obligation prevents erasure).
174
+ 5. **Respond**: Within **one calendar month** of receipt (Art. 12(3)). If extending, notify requester within first month with reason (Art. 12(3)).
175
+ 6. **Response must be**: Free of charge (Art. 12(5)); in concise, plain language (Art. 12(1)); in writing or by electronic means where requested.
176
+ 7. **Refusal**: If request is refused, inform subject of reasons and right to complain to SA and seek judicial remedy (Art. 12(4)).
177
+
178
+ ## Exemptions to Document
179
+ - Legal claims (Art. 17(3)(e))
180
+ - Freedom of expression (Art. 17(3)(a))
181
+ - Public interest archiving (Art. 17(3)(d))
182
+ - Manifestly unfounded or excessive requests — can charge fee or refuse (Art. 12(5))
183
+
184
+ ---
185
+
186
+ ## SLA & Escalation
187
+ - Day 0: Request received and logged
188
+ - Day 3: Identity verified; request categorised
189
+ - Day 20: Draft response reviewed by DPO/legal
190
+ - Day 28: Response sent (allowing 2 days buffer before Day 30 deadline)
191
+ - Day 30: Statutory deadline
192
+ - Extension notice must go out by Day 30 if needed, citing complex/numerous requests (Art. 12(3))