Dharma Governance

Legal frameworks Dharma covers across jurisdictions

Most tools just list certifications. Dharma also maps the legal documents your business must actually hold, from privacy policies and consent notices to data-processing agreements, breach notices and AI disclosures, and shows which laws across jurisdictions require each one. The audit engine scores documents against 27 frameworks today, and the compliance map detects the wider set of laws and certifications that apply to you.

Legal documents, mapped to the laws that require them

The documents customers, regulators and auditors expect, and where the obligation comes from. Lekha generates these as part of the 180+ document library; Dharma checks you hold the right ones.

Privacy Policy
Tells data subjects what personal data you collect, why, how long you keep it and their rights.
Required by: GDPR Art. 13 to 14, UK GDPR, DPDP Act 2023 s.5, CCPA / CPRA, LGPD, PIPEDA, Singapore PDPA, FADP
Cookie and Tracking Policy
Discloses cookies, pixels and trackers, their purpose and how users control them.
Required by: EU ePrivacy Directive, GDPR consent, CCPA / CPRA opt-out, LGPD
Consent Notice and Form
Captures free, specific, informed, withdrawable consent and logs a record of it.
Required by: GDPR Art. 7, DPDP Act 2023 s.6, CCPA opt-in for minors, LGPD
Data Processing Agreement (DPA)
Contract binding a processor or vendor to handle personal data on your documented instructions.
Required by: GDPR Art. 28, DPDP processor duties, CCPA service-provider terms, Standard Contractual Clauses
Records of Processing Activities (RoPA)
Internal register of every processing activity, its purpose, categories and retention.
Required by: GDPR Art. 30, accountability principle, DPDP record-keeping
Data Subject Request (DSAR) Procedure
How you receive, verify and answer access, correction, erasure and portability requests.
Required by: GDPR Art. 15 to 22, CCPA / CPRA consumer rights, DPDP Act 2023 s.11 to 13
Data Breach Notification
Playbook and templates for notifying regulators and affected people inside the legal window.
Required by: GDPR Art. 33 to 34 (72 hours), DPDP breach reporting, US state breach laws, CCPA
Data Protection Impact Assessment (DPIA)
Risk assessment for high-risk processing, profiling or large-scale or sensitive data.
Required by: GDPR Art. 35, ICO guidance, ISO 27701 alignment
Terms of Service
The contract between you and your users: scope, payment, liability, dispute resolution.
Required by: Contract and consumer-protection law, platform and app-store rules
End-User License Agreement (EULA)
Licence terms for installed or downloadable software, protecting your IP and limiting liability.
Required by: Software licensing and copyright law, distribution-platform rules
Refund and Cancellation Policy
Sets out when and how customers can cancel, return or be refunded.
Required by: Consumer-protection and distance-selling rules, payment-provider requirements
Acceptable Use Policy
Defines permitted and prohibited use of your service and the consequences of misuse.
Required by: Contract law, ISO 27001 A.5, SOC 2 security criteria
Accessibility Statement
Declares your target standard, current conformance and how users report barriers.
Required by: ADA Title II / WCAG 2.1 AA (US deadline Apr 2026), EU Accessibility Act, Section 508
AI Use and Disclosure Notice
Tells users where AI is used, what it does and how decisions can be questioned.
Required by: EU AI Act transparency, FTC guidance, NIST AI RMF, US state AI disclosure laws

Audited today (27)

Frameworks the audit engine scores your documents against, control by control.

DPDP Act 2023
India, Digital Personal Data Protection Act, 2023
10 controls
GDPR
EU, General Data Protection Regulation 2016/679
10 controls
ISO/IEC 27001:2022
ISO, Information Security Management Systems
10 controls
ISO/IEC 27701:2019
ISO, Privacy Information Management System (PIMS)
8 controls
SOC 2
AICPA, Trust Services Criteria (TSC)
9 controls
PCI DSS 4.0
PCI SSC, Payment Card Industry Data Security Standard
9 controls
NIST CSF 2.0
NIST, Cybersecurity Framework
6 controls
CCPA / CPRA
California, Consumer Privacy Act as amended by CPRA
8 controls
POSH Act 2013
India, Sexual Harassment of Women at Workplace Act, 2013
8 controls
UK GDPR / DPA 2018
UK, UK General Data Protection Regulation + Data Protection Act 2018
7 controls
NIS2 Directive
EU, Directive 2022/2555 on Network and Information Security
6 controls
EU AI Act
EU, Regulation (EU) 2024/1689 on Artificial Intelligence
5 controls
HIPAA
US, Health Insurance Portability and Accountability Act 1996 (as amended)
5 controls
LGPD
Brazil, Lei Geral de Proteção de Dados Pessoais (Lei 13.709/2018)
6 controls
Singapore PDPA 2012
Singapore, Personal Data Protection Act 2012 (as amended 2020/2021)
7 controls
UAE PDPL
UAE, Federal Decree-Law No. 45 of 2021 on Personal Data Protection
7 controls
Saudi Arabia PDPL
Saudi Arabia, Personal Data Protection Law (Royal Decree M/19, 2021, amended 2023)
6 controls
Qatar PDPPL
Qatar, Personal Data Privacy Protection Law No. 13 of 2016
5 controls
Bahrain PDPL
Bahrain, Personal Data Protection Law No. 30 of 2018
5 controls
Australian Privacy Act / NDB
Australia, Privacy Act 1988 (Cth) including APPs and Notifiable Data Breaches scheme
6 controls
APRA CPS 234
Australia, APRA Prudential Standard CPS 234 — Information Security
6 controls
POPIA
South Africa, Protection of Personal Information Act 4 of 2013 (effective 2021)
6 controls
Kenya Data Protection Act
Kenya, Data Protection Act No. 24 of 2019 (ODPC-enforced)
5 controls
Nigeria NDPA 2023
Nigeria, Nigeria Data Protection Act 2023 (NDPC-enforced); with NDPR 2019 as prior instrument
6 controls
EU NIS2 Directive
European Union, Directive (EU) 2022/2555; national transposition by October 17, 2024
6 controls
APRA CPS 234 (Information Security)
Australia, APRA Prudential Standard CPS 234 (effective 1 July 2019); guidance CPG 234
6 controls
GLBA / FTC Safeguards Rule
US, Gramm-Leach-Bliley Act 1999 + FTC Safeguards Rule (amended 2023)
5 controls

Also tracked by the compliance map

ISO management systems
ISO 27001, ISO 27701, ISO 22301, ISO 9001, ISO 31000, ISO 20000, ISO 42001
Security and attestation
SOC 1, SOC 2 Type I and II, NIST CSF, NIST 800-53, CIS Controls, CSA STAR, Cyber Essentials, COBIT
Privacy and data protection
GDPR, DPDP Act 2023, Singapore PDPA, UAE and Saudi PDPL, CCPA / CPRA, LGPD, POPIA, PIPEDA, APPI
Consumer, web and accessibility
ePrivacy Directive, ADA Title II / WCAG 2.1 AA, EU Accessibility Act, Section 508, Consumer-protection rules
Industry and sector
HIPAA, HITRUST, PCI DSS, SOX, GLBA, FERPA, RBI and NPCI, DORA, MAS TRM, TISAX, FedRAMP, CMMC, CJIS, FISMA, IRAP, ENS, MeitY
AI governance
EU AI Act, NIST AI RMF, ISO 42001

Heuristic mapping for review, not legal or audit certification.