Frameworks

One platform. 9 frameworks. Hundreds of cross-mappings.

We translate the world's most consequential AI + privacy regulations into a single, tenant-aware compliance OS. Enable only what applies. Switch frameworks in one click. Reuse evidence across regimes through curated cross-mappings.

9 frameworks in production · 256 seeded controls · 240+ cross-framework mappings
EU AI Act
ISO 42001
GDPR
UK GDPR
CCPA
FADP
DPDP
RBI
SEBI
The coverage matrix

Pick the regimes that apply to your AI estate.

Each framework drives its own dashboards, document types, calendar cycle, and Counsel preamble. Mixed footprints get cross-mappings so evidence flows once and counts everywhere it should.

EU AI Act
European Union
Regulator
European Commission · national AI authorities
Version
Regulation (EU) 2024/1689 · Aug 2 2026 high-risk
In our catalog
59 controls seeded
Horizontal AI regulation in the European Union. Risk-based — prohibited / high-risk / limited / minimal. Phased into force Feb 2025 → Aug 2027.
Applies to providers AND deployers — regardless of where they're established — whenever the AI system's output is used in the EU.
Top obligations covered
  • Prohibited-practices screen (Art. 5)
  • Risk management system (Art. 9)
  • Annex IV technical documentation (Art. 11)
  • Human oversight (Art. 14)
  • Fundamental Rights Impact Assessment for deployers (Art. 27)
  • Post-market monitoring + 72-hour incident report (Art. 72-73)
Documents we generate
Annex IV Technical Doc · FRIA · EU Declaration of Conformity · GPAI Documentation
ISO 42001
Global
Regulator
Accredited certification body
Version
ISO/IEC 42001:2023 — AI Management System
In our catalog
45 controls seeded
AI Management System standard. Structured like ISO 27001 — Clauses 4-10 plus Annex A controls A.2-A.10.
Certification proves to enterprise customers that your AI development + operation is governed end-to-end. Required by procurement at most large enterprises.
Top obligations covered
  • Top-management AI Policy (Clause 5 / A.2.2)
  • AI System Impact Assessment (A.5.2)
  • Statement of Applicability (SoA) for Annex A
  • Internal audit + Management Review (Clause 9)
  • Continual improvement (Clause 10)
Documents we generate
AIMS Policy · Statement of Applicability · AI Impact Assessment · Internal Audit Report
GDPR
European Union
Regulator
EDPB · national DPAs
Version
Regulation (EU) 2016/679
In our catalog
37 controls seeded
EU personal-data regulation. Principles + lawful basis + data-subject rights + controller/processor duties + breach + DPIA + transfers.
Every AI system that touches EU residents' personal data is subject to GDPR — independent of the AI Act analysis.
Top obligations covered
  • Records of Processing Activities (Art. 30)
  • DPIA for high-risk processing (Art. 35)
  • Lawful basis discipline (Art. 6)
  • Breach notification — 72 hours (Art. 33)
  • Cross-border safeguards — SCCs / BCRs (Art. 46)
Documents we generate
RoPA · DPIA · DPA (Art. 28) · Joint Controller Agreement · Privacy Notice
UK GDPR
United Kingdom
Regulator
Information Commissioner's Office (ICO)
Version
UK GDPR + Data Protection Act 2018
In our catalog
21 controls seeded
Post-Brexit UK retained version of the EU GDPR plus DPA 2018 Schedules. ICO is the supervisory authority. DPDI Bill divergence in flight.
Materially aligned to EU GDPR — but UK breach notifications go to the ICO, and UK-international transfers use the IDTA / UK Addendum (not EU SCCs).
Top obligations covered
  • ICO 72-hour breach notification (Art. 33 UK)
  • DPIA against ICO high-risk list (Art. 35 UK)
  • IDTA or UK Addendum for international transfers (Art. 46 UK)
  • DPA 2018 Schedule 1 conditions for SCD
Documents we generate
UK RoPA · UK DPIA · IDTA · ICO Breach Notification
CCPA / CPRA
California, US
Regulator
California Privacy Protection Agency (CPPA) · CA AG
Version
Cal. Civ. Code §§1798.100–199 (CPRA-amended)
In our catalog
17 controls seeded
California consumer-privacy regime — Notice at Collection, consumer rights, opt-out of sale / share, limit-SPI, service-provider terms, CPRA risk + cybersecurity assessments.
Any business that collects Personal Information from California consumers + meets the §1798.140 thresholds is in scope. Statutory damages for breach: $100-$750 per consumer per incident.
Top obligations covered
  • Notice at Collection (§1798.100)
  • Consumer rights: delete / correct / know / opt-out / limit SPI
  • Honour Global Privacy Control (GPC) signals
  • Service-Provider + Contractor contract terms (§1798.140)
  • CPRA Risk Assessment + annual Cybersecurity Audit
Documents we generate
Notice at Collection · CA Privacy Policy · Consumer Rights Log · Service Provider Contract · CPRA Risk Assessment
FADP
Switzerland
Regulator
Federal Data Protection + Information Commissioner (FDPIC)
Version
Revised FADP (in force 2023-09-01)
In our catalog
15 controls seeded
Switzerland's revised data-protection act — strongly aligned with EU GDPR with Swiss-specific divergences (FDPIC supervises, criminal sanctions for natural persons, mandatory register of processing).
Distinguishing feature: criminal sanctions for individuals (up to CHF 250,000) under Art. 60. Tighter than GDPR in some respects.
Top obligations covered
  • Register of processing activities (Art. 12)
  • DPIA for high-risk processing (Art. 22)
  • Prior consultation with FDPIC (Art. 23)
  • Breach notification to FDPIC (Art. 24)
  • Swiss SCCs / adequacy / DPF for cross-border (Arts. 16-18)
Documents we generate
FADP Register · Art. 22 DPIA · Information Notice · FDPIC Breach Notification
DPDP
India
Regulator
Data Protection Board of India
Version
Digital Personal Data Protection Act, 2023
In our catalog
19 controls seeded
India's first comprehensive personal-data law. Notice + consent + Data Fiduciary obligations + Significant Data Fiduciary rules + cross-border notification + Data Principal rights.
Applies to processing of personal data within India + offering goods/services to Data Principals in India. Indian-language notice is a distinctive requirement.
Top obligations covered
  • Itemised notice in English + 22 Indian languages (Sec. 5)
  • Free, specific, informed, unambiguous consent (Sec. 6)
  • Reasonable security safeguards (Sec. 8(5))
  • Breach notification to DPB + Data Principals (Sec. 8(6))
  • Verifiable parental consent for children (Sec. 9)
Documents we generate
Itemised Notice · Consent Log · DPDP Breach Notification · Verifiable Parental Consent
RBI FREE-AI
India — financial sector
Regulator
Reserve Bank of India (RBI)
Version
Committee Report on FREE-AI · 13 Aug 2025
In our catalog
24 controls seeded
RBI's framework for Responsible + Ethical Enablement of AI in the financial sector. 7 Sutras + 6 Pillars + 26 recommendations. Applies to banks, NBFCs, payment system operators, fintechs.
First sector-specific AI framework in India. Get ahead of the binding Master Directions RBI is expected to issue. Indian fairness context (caste, religion, gender, region) is foundational.
Top obligations covered
  • Board-approved AI Policy (Pillar P.1)
  • Model Risk Management extended to AI/ML (Pillar G.1)
  • Customer disclosure of AI involvement (Pillar Pr.1)
  • Fairness testing for credit + insurance AI (Pillar Pr.3)
  • AI incident reporting template (Pillar A.2)
  • Independent AI audit (Pillar A.1)
Documents we generate
Board AI Policy · AI Use-Case Inventory · Model Risk Doc · Fairness Audit · AI Incident Report
SEBI AI
India — securities markets
Regulator
Securities and Exchange Board of India (SEBI)
Version
Cir. 2019/10 (binding) + Nov 2024 + Jun 2025 consultations
In our catalog
19 controls seeded
Quarterly AI/ML system reporting (binding 2019 circular) + emerging responsible-AI guidelines: model governance, investor protection, testing, fairness, data privacy. Intermediary remains solely responsible for AI outputs.
Quarterly reports to Stock Exchange / Depository / SEBI within 30 days (15 days for MFs via AMFI). 5-year AI input/output log retention is a distinctive operational requirement.
Top obligations covered
  • Quarterly AI/ML system inventory + reporting (Cir. 2019/10)
  • Sole responsibility for AI outputs (Resp.1)
  • Skilled internal oversight team (MG.1)
  • Continuous monitoring + drift reporting (MG.3)
  • Investor AI disclosure (IP.1)
  • 5-year input/output log retention (TF.3)
Documents we generate
Quarterly AI/ML Report · Responsibility Statement · Vendor DD Record · Investor Disclosure
Why cross-mappings matter

Build evidence once. Count it everywhere it applies.

Most compliance vendors treat each framework as a silo. We don't. When a GDPR DPIA is approved, it also lights up the relevant EU AI Act Art. 27 FRIA control, the ISO 42001 A.5.2 impact assessment, the UK GDPR Art. 35 DPIA, and the Swiss FADP Art. 22 DPIA — because the underlying analysis is the same and we've curated the mapping.

EQUIVALENT
Same obligation, different regulator. Evidence flows automatically.
e.g. GDPR Art. 35 ≡ EU AI Act Art. 27
SATISFIES / SUPPORTS
Stronger evidence in one regime contributes to a related obligation in another.
e.g. ISO 42001 A.6.2.4 V&V supports EU AI Act Art. 15
RELATED
Conceptually adjacent — we flag the connection so you don't double-work analysis.
e.g. CCPA opt-out ≈ GDPR Art. 21 right to object

Coverage you can't get from a horizontal compliance tool.

Vanta, Drata, and OneTrust treat AI as one more checklist. We treat it as the substrate — and we cover the regulators that matter to AI builders in EU, UK, US, Switzerland, and India.