Is this digital sovereignty assessment free?

Yes. It is entirely free and runs in your browser. No data is transmitted externally.

Which jurisdictions does the assessment cover?

EU (GDPR, NIS2, DORA, EU AI Act), UK (UK GDPR, PECR), India (DPDP Act, CERT-In), Australia (Privacy Act / APPs), Brazil (LGPD), Canada (PIPEDA), Japan (APPI), Saudi Arabia (PDPL), Singapore (PDPA), and South Africa (POPIA).

Is this tool legal advice?

No. This is a screening and gap-analysis tool only, not legal advice or certification. Always consult a qualified legal professional.

A timestamped PDF report, a structured JSON file, and a CSV action register.

How long does the assessment take?

Approximately 12 minutes across five steps: Profile (2 min), Data Flows (3 min), Rule Questions (4 min), Evidence (2 min), and instant Report generation.

Digital Sovereignty & Legal Exposure Assessment

STEP 1 — CLIENT, PROFILE & JURISDICTIONS

Client, profile, and jurisdictions

This shapes which jurisdiction rules and sector overlays are matched to your assessment.

⏱ ~2 minutes

🏢

Client mode

Client / business name

Assessment name

Consultant notes

📊

Business profile

Primary sector

?

Entity size

Processes personal data

Customer, employee, or user identifying information.

Transfers data across borders

Even via cloud vendors or remote teams.

Offers goods/services to EU residents

GDPR applies regardless of incorporation location.

Offers goods/services to UK residents

UK GDPR runs parallel to EU GDPR.

Regulated financial entity

Triggers DORA, PSD2, sector-specific rules.

Critical / essential entity

NIS2 mandatory reporting and management liability.

Uses AI / automated decisioning

EU AI Act obligations from 2025.

🌍

Countries / regions

Select every country where your business operates, serves customers, or processes data.

📁

Data categories

Select all data types your organisation processes.

STEP 2 — DATA FLOW & OPERATING FOOTPRINT

Data flow and operating footprint

Where data originates, lives, and travels determines your transfer obligations.

⏱ ~3 minutes

📍

Data origin

Where is the personal data you collect originally generated?

☁️

Storage / hosting

Primary cloud / hosting provider

?

Transfer Risk: US-based providers fall under the US CLOUD Act. EU personal data requires SCCs + Transfer Impact Assessment (TIA) to remain GDPR-compliant.

Storage locations

🔗

Processor / vendor locations

Where are your key SaaS tools and sub-processors based?

📝

Operational notes

Transfer notes

Known unknowns

Assumptions

STEP 3 — JURISDICTION & SECTOR RULE QUESTIONS

Rule-matched questions

Questions below are matched live from your selected jurisdictions and sector rule packs. Answer based on what is genuinely in place today.

⏱ ~4 minutes

⟳

Matching rules to your profile…

STEP 4 — EVIDENCE READINESS

Evidence readiness

If a regulator or acquirer requested documentation today, which of these could you produce within 48 hours?

⏱ ~2 minutes

📋

Documentation inventory

Data inventory / data map

Foundation for all other compliance evidence. What data exists, where, and who owns it.

Privacy notice — published and current

GDPR Art. 13/14, UK GDPR, DPDP, LGPD — all require clear notice of collection and rights.

Record of Processing Activities (RoPA)

GDPR Art. 30 mandatory. First document regulators request.

Data Processing Agreements with all vendors

Signed, stored, retrievable. Regulators request the full list during audits.

Transfer safeguards — SCCs / IDTAs / adequacy

Current 2021 SCCs or UK IDTAs, countersigned, linked to a transfer map.

DPIA for high-risk processing

GDPR Art. 35 mandatory. Absence is itself a reportable breach.

Incident / breach log and notification playbook

Covers GDPR, CERT-In, PDPA, and NIS2 reporting obligations.

Staff privacy training records (last 12 months)

Significant mitigating factor in enforcement proceedings.

Board or exec-level governance sign-off

Powerful accountability evidence in enforcement proceedings.

📝

Additional context

Consultant / advisor notes

STEP 5 — REVIEW & GENERATE REPORT

Review and generate report

Review your answers then generate your timestamped Digital Sovereignty Risk Report.

⏱ 1 minute

Important

This is a screening and gap-analysis tool only. Not legal advice or certification. Review with qualified legal counsel before relying on it for regulatory, investment, or operational decisions.

Digital Sovereignty &
Legal Exposure
Assessment

Five steps. One board-ready report.

Profile

Data Flows

Rule Questions

Evidence

Report