Supported Frameworks
PrivaBase supports 57 regulatory frameworks. Each framework gets 9 API endpoints automatically: listing and details, compliance checks, requirements, gap assessments, control mappings, policy generation, remediation guidance, and evidence requirements. That's 513 framework endpoints plus 100+ core API endpoints, over 600 endpoints in total.
Every framework below is accessible via GET /api/v1/frameworks/{id}, where {id} is the framework's identifier. The table at the end of this page lists all 9 endpoints; see the Frameworks API Reference for request and response details.
US Federal & Sector Laws (7)
HIPAA
US healthcare data protection. Privacy Rule, Security Rule, and Breach Notification Rule. Applies to covered entities and business associates.
FERPA
Family Educational Rights and Privacy Act. Protects student education records. Applies to schools receiving federal funding.
GLBA
Gramm-Leach-Bliley Act. Financial privacy requirements for institutions handling consumer financial data. Safeguards Rule and Privacy Rule.
COPPA
Children's Online Privacy Protection Act. Requires parental consent for collecting data from children under 13. Enforced by FTC.
TCPA
Telephone Consumer Protection Act. Regulates telemarketing calls, auto-dialed calls, prerecorded calls, text messages, and unsolicited faxes.
CAN-SPAM Act
Controlling the Assault of Non-Solicited Pornography And Marketing Act. Sets rules for commercial email and messaging.
FTC Act (Section 5)
Federal Trade Commission Act. Prohibits unfair or deceptive practices including those related to data privacy and security.
US State Privacy Laws (18)
California Consumer Privacy Act
Consumer rights to know, delete, and opt-out of data sales. Applies to businesses meeting revenue/data thresholds. Effective 2020.
California Privacy Rights Act
Amends and expands CCPA with right to correct, restrict sensitive data use, and opt-out of automated decision-making. Effective 2023.
Virginia Consumer Data Protection Act
Consumer rights to access, correct, delete, and opt-out. Applies to businesses processing 100k+ Virginia residents' data. Effective 2023.
Colorado Privacy Act
Consumer rights with universal opt-out mechanism. Requires data protection assessments for high-risk processing. Effective 2023.
Connecticut Data Privacy Act
Consumer data rights including access, correction, deletion, and portability. Recognizes global opt-out signals. Effective 2023.
Utah Consumer Privacy Act
Business-friendly privacy law with consumer rights to access, delete, and opt-out. Narrower scope than other state laws. Effective 2023.
Texas Data Privacy and Security Act
Applies to all businesses operating in Texas without revenue threshold. Consumer rights and data protection assessments. Effective 2024.
Oregon Consumer Data Privacy Act
Broad consumer privacy protections with data protection assessments. Includes nonprofits (unlike most state laws). Effective 2024.
Montana Consumer Data Privacy Act
Consumer data rights with 25k resident threshold (lowest in the US). Universal opt-out mechanism required. Effective 2024.
Iowa Consumer Data Protection Act
Consumer privacy rights with 90-day cure period for violations. Limited to businesses processing 100k+ Iowa residents. Effective 2025.
Delaware Personal Data Privacy Act
Comprehensive consumer data rights. Applies to businesses processing 35k+ Delaware residents' data. Effective 2025.
New Jersey Data Privacy Act
Consumer data rights with broad applicability. Includes data protection assessments and universal opt-out requirements. Effective 2025.
Tennessee Information Protection Act
Consumer data privacy rights with affirmative defense for businesses with privacy programs. Effective 2025.
Indiana Consumer Data Protection Act
Consumer privacy rights modeled on Virginia CDPA. Applies to businesses processing 100k+ Indiana residents' data. Effective 2026.
Nebraska Data Privacy Act
Consumer privacy protections with data minimization requirements. Applies to businesses operating in Nebraska. Effective 2025.
New Hampshire Privacy Act
Consumer data rights with data protection assessments. Requires consent for processing sensitive data. Effective 2025.
Kentucky Consumer Data Protection Act
Consumer data rights including access, correction, deletion, and portability. Modeled on Virginia CDPA. Effective 2026.
Maryland Online Data Privacy Act
Strong data minimization and purpose limitation requirements. Restricts sale of sensitive data. Effective 2025.
International Privacy Laws (16)
General Data Protection Regulation
EU's comprehensive data protection regulation. Rights to access, rectification, erasure, portability. Requires a legal basis for processing. Fines up to 4% of global annual turnover or EUR 20 million, whichever is higher.
UK GDPR
UK's post-Brexit version of GDPR. Substantially similar with UK-specific supervisory authority (ICO). Retained EU law adapted for UK context.
Lei Geral de Proteção de Dados
Brazil's general data protection law. 10 legal bases for processing, data subject rights, DPO requirement. Enforced by ANPD.
PIPEDA
Canada's federal private-sector privacy law. Based on 10 fair information principles. Requires meaningful consent for data collection.
POPIA
South Africa's data protection act. 8 conditions for lawful processing. Requires Information Officer registration. Enforced by Information Regulator.
Australian Privacy Act
Australia's federal privacy law with 13 Australian Privacy Principles (APPs). Applies to organizations with AUD 3M+ annual turnover, plus some smaller entities (for example, health service providers).
PDPA (Singapore)
Singapore's Personal Data Protection Act. Consent-based framework with Do Not Call Registry. Enforced by PDPC.
APPI (Japan)
Japan's Act on the Protection of Personal Information. Requires consent for third-party transfers and cross-border data flows. Enforced by PPC.
India Digital Personal Data Protection Act
India's comprehensive data protection law. Consent-based processing with Data Fiduciary obligations. Significant penalties for non-compliance.
China Personal Information Protection Law
China's comprehensive personal information protection regulation. Strict consent requirements and cross-border transfer restrictions.
Thailand PDPA
Thailand's Personal Data Protection Act. GDPR-inspired framework with data subject rights and DPO requirements. Enforced by PDPC.
Turkey KVKK
Turkey's Personal Data Protection Law. Requires explicit consent, data controller registration, and cross-border transfer safeguards.
Swiss Federal Act on Data Protection
Switzerland's revised data protection law (revFADP). Aligned with GDPR but with Swiss-specific requirements. Enforced by FDPIC.
Argentina LPDP
Argentina's Personal Data Protection Law. EU-adequate jurisdiction. Requires data controller registration and consent for processing.
South Korea PIPA
South Korea's Personal Information Protection Act. One of Asia's strictest data protection laws with significant penalties.
New Zealand Privacy Act
New Zealand's Privacy Act 2020. 13 Information Privacy Principles. Mandatory breach notification and cross-border disclosure restrictions.
International Regulatory (2)
Digital Operational Resilience Act
EU regulation for ICT risk management in financial services. Requires operational resilience testing, incident reporting, and third-party risk management. Effective January 2025.
NIS2 Directive
EU directive on security of network and information systems. Expands scope to essential and important entities across 18 sectors. Requires a staged incident report: early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours, and a final report within one month.
Standards & Certifications (14)
SOC 1
AICPA reporting on controls at a service organization relevant to user entities' internal control over financial reporting. Type I and Type II reports.
SOC 2
AICPA trust services criteria for service organizations. Security, Availability, Processing Integrity, Confidentiality, and Privacy.
PCI DSS
Payment Card Industry Data Security Standard. 12 requirements for organizations handling cardholder data. Required by card brands.
ISO 27001
International standard for information security management systems (ISMS). Annex A of the 2022 edition lists 93 controls across 4 themes (organizational, people, physical, technological); the 2013 edition had 114 controls across 14 domains. Certifiable standard.
ISO 27701
Extension to ISO 27001 for privacy information management. Maps to GDPR requirements. Certifiable privacy standard.
NIST Cybersecurity Framework
NIST CSF provides a policy framework for cybersecurity risk management. CSF 2.0 (2024) has six core functions: Govern, Identify, Protect, Detect, Respond, Recover (CSF 1.1 had the last five).
NIST Privacy Framework
NIST Privacy Framework for managing privacy risk. Complements the Cybersecurity Framework with privacy-specific controls.
CIS Controls
Center for Internet Security Controls. Prioritized set of cybersecurity best practices. 18 control categories with implementation groups.
COBIT
Control Objectives for Information and Related Technologies. IT governance and management framework by ISACA.
CSA STAR
Cloud Security Alliance Security, Trust, Assurance, and Risk. Cloud-specific security certification and assessment program.
FedRAMP
Federal Risk and Authorization Management Program. Standardized security assessment for cloud services used by US federal agencies.
FISMA
Federal Information Security Modernization Act. Requires federal agencies to implement information security programs.
CMMC
Cybersecurity Maturity Model Certification. Required for DoD contractors. Tiered model from basic hygiene to advanced practices.
NYDFS Cybersecurity Regulation
New York Department of Financial Services cybersecurity requirements for financial institutions. 23 NYCRR Part 500.
Framework Endpoints
Every framework above supports these 9 endpoints. Paths are relative to /api/v1; GET /frameworks is the shared collection endpoint, and the other eight take the framework's {id}:
| Method | Endpoint | Description |
|---|---|---|
| GET | /frameworks | List all frameworks |
| GET | /frameworks/{id} | Framework details |
| POST | /frameworks/{id}/check | Run compliance check |
| GET | /frameworks/{id}/requirements | List requirements |
| POST | /frameworks/{id}/assessment | Run gap assessment |
| GET | /frameworks/{id}/controls | Control mappings |
| POST | /frameworks/{id}/generate-policy | Generate compliance policy |
| GET | /frameworks/{id}/remediation | Remediation guidance |
| GET | /frameworks/{id}/evidence | Evidence requirements |
That's 57 frameworks × 9 endpoints = 513 framework endpoints, plus 100+ core API endpoints, for over 600 endpoints in total.
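As an added example (not PrivaBase's own client code), here is how a caller can build the nine URLs for one framework from the table above while refusing ids that would alter the route. The host name, the slug-style id format and the helper names are assumptions; the page only fixes the /api/v1 prefix and the paths.

```python
import re
from urllib.parse import quote

# Hypothetical host; the page only shows the /api/v1 prefix.
BASE_URL = "https://privabase.example/api/v1"

# (method, path template) pairs copied from the endpoint table.
# GET /frameworks is the shared collection endpoint; the other eight
# take a framework id.
LIST_ENDPOINT = ("GET", "/frameworks")
FRAMEWORK_ENDPOINTS = [
    ("GET", "/frameworks/{id}"),
    ("POST", "/frameworks/{id}/check"),
    ("GET", "/frameworks/{id}/requirements"),
    ("POST", "/frameworks/{id}/assessment"),
    ("GET", "/frameworks/{id}/controls"),
    ("POST", "/frameworks/{id}/generate-policy"),
    ("GET", "/frameworks/{id}/remediation"),
    ("GET", "/frameworks/{id}/evidence"),
]

# Assumed id format (not specified on the page): a lowercase slug such as
# "hipaa", "iso-27001" or "soc2".
_ID_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")


def validate_framework_id(framework_id: str) -> str:
    """Reject anything that is not a plain slug before it reaches a URL.

    An allowlist keeps "../", "/", "?", "#" and whitespace out of the path,
    so a caller-supplied id cannot be used to reach a different route.
    """
    if not isinstance(framework_id, str) or not _ID_RE.fullmatch(framework_id):
        raise ValueError(f"invalid framework id: {framework_id!r}")
    return framework_id


def framework_url(framework_id: str, path_template: str) -> str:
    """Fill {id} into one of the table's path templates."""
    fid = validate_framework_id(framework_id)
    # quote() is belt-and-braces: the regex already excludes reserved chars.
    return BASE_URL + path_template.replace("{id}", quote(fid, safe=""))


def endpoints_for(framework_id: str) -> list[tuple[str, str]]:
    """All nine (method, URL) pairs a caller can hit for one framework."""
    urls = [(LIST_ENDPOINT[0], BASE_URL + LIST_ENDPOINT[1])]
    urls += [(m, framework_url(framework_id, p)) for m, p in FRAMEWORK_ENDPOINTS]
    return urls


def is_safe_id(framework_id: str) -> bool:
    """Boolean form of validate_framework_id for callers that prefer it."""
    try:
        validate_framework_id(framework_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for method, url in endpoints_for("hipaa"):
        print(f"{method:4} {url}")
    # Constructed hostile ids: each would change the route if interpolated raw.
    for bad in ("../admin", "hipaa/../gdpr", "hipaa?debug=1", "HIPAA "):
        print(f"{bad!r:20} -> {'ok' if is_safe_id(bad) else 'rejected'}")
```

The allowlist is deliberately stricter than URL-encoding alone: encoding would turn "hipaa/../gdpr" into a harmless but meaningless id, whereas rejecting it surfaces the bad input at the caller instead of producing a confusing 404 from the API.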