Audit template
compliance-privacy
Finds where you process personal data without a lawful basis (the legal ground under the GDPR that justifies processing personal data, such as consent or contract), consent, or a way to delete it.
Maps to: GDPR (General Data Protection Regulation, the EU law governing how personal data may be processed) · ePrivacy (EU ePrivacy Directive, rules on cookies, tracking, and electronic communications, alongside the GDPR) · EU AI Act (EU Artificial Intelligence Act, the EU regulation classifying and governing AI systems by risk)
specialists, in parallel
Each finding is evidence-bound and survives ≥2-of-3 adversarial skeptics.
How this audit works
Primary lens is GDPR, extended to ePrivacy, the EU AI Act, and CCPA (California Consumer Privacy Act, the California law granting consumers rights over their personal data) where they apply. A swarm of specialist agents builds a verified data-flow / RoPA (Record of Processing Activities, the GDPR-mandated inventory of how an organization processes personal data) map, then checks lawful basis, consent and cookies, transparency, data-subject rights (the rights the GDPR gives individuals over their data, such as access, erasure, and portability), retention, international transfers, processor contracts, and breach readiness. Consent is verified by network trace, not the banner UI, and erasure and access rights are checked end-to-end in code; every finding cites a specific article and a file, table, cookie, or policy clause.
Use it when
Cookie banner that lies
Marketing ships a consent banner, but analytics and ad pixels still fire on first load. A network trace catches every non-essential tag that runs before opt-in, names the line that injects it, and maps it to ePrivacy and Art. 6 with a gate-before-consent fix.
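The network-trace check described above, as an added example that is not the audit template's own code: it reads a HAR export, finds the moment a granted consent cookie first appears on the wire, and reports every request to a non-essential host that fired before it. The cookie name `cmp_consent`, the first-party site `shop.example`, the essential-host allowlist and the sample entries are all constructed for the demo; the `_initiator` field is Chrome's non-standard HAR extension and is only used when present.

```python
"""Flag tags that fire before opt-in by reading a HAR network trace.

Added example, not the audit template's own code. Assumptions (constructed):
the consent-management cookie is `cmp_consent` with value `granted`, the
first-party site is shop.example, and every host outside ESSENTIAL_HOSTS is
treated as non-essential until the auditor says otherwise.
"""
from datetime import datetime
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"                                 # constructed
ESSENTIAL_HOSTS = {"cdn.shop.example", "payments.example"}   # constructed allowlist
CONSENT_COOKIE = "cmp_consent"                               # constructed cookie name


def _started(entry):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" so older
    # interpreters' fromisoformat() accept it.
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))


def consent_time(entries):
    """Time of the first request that carries a granted consent cookie,
    or None if the trace never records consent at all."""
    for e in sorted(entries, key=_started):
        for c in e["request"].get("cookies", []):
            if c.get("name") == CONSENT_COOKIE and c.get("value") == "granted":
                return _started(e)
    return None


def is_essential(url):
    host = urlparse(url).hostname or ""
    return host == FIRST_PARTY or host in ESSENTIAL_HOSTS


def _initiator(entry):
    # Chrome's HAR export adds `_initiator` (type, url, lineNumber, stack);
    # it is non-standard, so treat it as optional.
    init = entry.get("_initiator") or {}
    if init.get("url"):
        return f'{init["url"]}:{init.get("lineNumber", "?")}'
    return init.get("type", "unknown")


def pre_consent_tags(entries):
    """Every non-essential request that fired before consent was granted.
    If consent never appears, all non-essential requests are findings."""
    granted_at = consent_time(entries)
    findings = []
    for e in sorted(entries, key=_started):
        url = e["request"]["url"]
        if is_essential(url):
            continue
        fired = _started(e)
        if granted_at is not None and fired >= granted_at:
            continue
        findings.append({
            "host": urlparse(url).hostname,
            "url": url,
            "fired_at": e["startedDateTime"],
            "injected_by": _initiator(e),
            "seconds_before_consent": (
                None if granted_at is None else (granted_at - fired).total_seconds()
            ),
        })
    return findings


# Constructed HAR entries: the page loads, two trackers fire at once, the user
# accepts the banner ~4 s later, and a tracker fires again after consent.
SAMPLE_ENTRIES = [
    {"startedDateTime": "2024-05-01T10:00:00.000Z",
     "request": {"url": "https://shop.example/", "cookies": []}},
    {"startedDateTime": "2024-05-01T10:00:00.350Z",
     "request": {"url": "https://cdn.shop.example/app.js", "cookies": []}},
    {"startedDateTime": "2024-05-01T10:00:00.600Z",
     "request": {"url": "https://analytics.tracker-example.net/collect?v=1", "cookies": []},
     "_initiator": {"type": "script", "url": "https://cdn.shop.example/app.js", "lineNumber": 212}},
    {"startedDateTime": "2024-05-01T10:00:00.700Z",
     "request": {"url": "https://pixel.ads-example.com/p?id=1", "cookies": []},
     "_initiator": {"type": "parser"}},
    {"startedDateTime": "2024-05-01T10:00:04.200Z",
     "request": {"url": "https://shop.example/api/consent",
                 "cookies": [{"name": "cmp_consent", "value": "granted"}]}},
    {"startedDateTime": "2024-05-01T10:00:04.500Z",
     "request": {"url": "https://analytics.tracker-example.net/collect?v=1",
                 "cookies": [{"name": "cmp_consent", "value": "granted"}]}},
]

if __name__ == "__main__":
    for f in pre_consent_tags(SAMPLE_ENTRIES):
        print(f'{f["host"]} fired {f["seconds_before_consent"]}s before consent, injected by {f["injected_by"]}')
```

On a real export, load `json.load(open("trace.har"))["log"]["entries"]` and pass that list; the allowlist is the part that needs a human judgement, since a host being first-party does not make it essential, and the trace, not the banner, is what settles whether a tag gated on consent actually waited for it.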
A user files a deletion request
Support promises erasure in the privacy policy, but no one has traced where the data actually lives. The audit follows each personal-data category and flags where deletion fails to propagate to backups, logs, or third-party processors, against Art. 17.
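The propagation trace described above, as an added example that is not the audit template's own code: a constructed data-flow map records where each personal-data category first lands and which copies each store feeds (backups, logs, processors), and a constructed set records which stores the existing deletion handler actually purges. Walking the copies transitively and subtracting the handler's coverage yields the stores an erasure request would never reach.

```python
"""Find where an erasure request fails to propagate.

Added example, not the audit template's own code. The store map, the category
origins and the deletion handler's coverage are constructed for this demo;
in an audit they come from the verified data-flow / RoPA map and from the
code path behind the delete endpoint.
"""
from collections import deque

# Constructed data-flow map: store -> (kind, downstream copies it feeds)
STORES = {
    "users_db":       ("database",  ["nightly_backup", "app_logs", "crm_vendor"]),
    "orders_db":      ("database",  ["nightly_backup", "warehouse"]),
    "warehouse":      ("analytics", ["bi_export"]),
    "bi_export":      ("analytics", []),
    "nightly_backup": ("backup",    []),
    "app_logs":       ("log",       ["log_archive"]),
    "log_archive":    ("log",       []),
    "crm_vendor":     ("processor", []),
}

# Constructed: where each personal-data category is first written
CATEGORIES = {"email": "users_db", "shipping_address": "orders_db"}

# Constructed: stores the current delete handler actually purges
ERASURE_COVERAGE = {"users_db", "orders_db", "app_logs"}


def reachable(origin, stores=STORES):
    """All stores that hold a copy derived from `origin`, including itself.
    Breadth-first with a seen-set so cyclic replication does not loop."""
    seen, queue = set(), deque([origin])
    while queue:
        s = queue.popleft()
        if s in seen:
            continue
        seen.add(s)
        queue.extend(stores[s][1])
    return seen


def erasure_gaps(categories=CATEGORIES, coverage=ERASURE_COVERAGE, stores=STORES):
    """Per category, the copies an erasure would leave behind, with their kind,
    so the finding can say 'backup', 'log' or 'processor' rather than 'somewhere'."""
    gaps = {}
    for category, origin in categories.items():
        missing = sorted(s for s in reachable(origin, stores) if s not in coverage)
        if missing:
            gaps[category] = [(s, stores[s][0]) for s in missing]
    return gaps


if __name__ == "__main__":
    for category, stores_missed in erasure_gaps().items():
        for store, kind in stores_missed:
            print(f"{category}: erasure does not reach {store} ({kind})")
```

The same walk answers the access-request side of the audit: the reachable set for a category is also the list of places an export must pull from, and a processor in that set is a contract to check, not just a row to delete.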
Shipping an AI feature in the EU
A new profiling or LLM feature goes live without a DPIA (Data Protection Impact Assessment, a GDPR-required risk analysis for high-risk processing of personal data) or an EU AI Act risk tier. The audit classifies the feature, checks Art. 22 safeguards and AI-transparency duties, and traces whether the data leaves the EEA without a valid transfer mechanism.
What you get
A per-dimension scorecard, a verified data-flow / RoPA map, and a priority-sorted findings register where each finding cites its article and ships a concrete before/after fix, turned into German GitHub issues under one tracking issue.