🛡️

AI Agent Privacy & Compliance Checker

Pick your region, use case, and data types to see which privacy and compliance checklist items apply to your AI agent.

1. Configure your agent

Likely frameworks to consider

How this checker works

  • Region determines which privacy laws, AI acts, and sector rules are in scope.
  • Use case drives the EU AI Act risk class and default framework set.
  • Data type adds extra safeguards for health, financial, biometric, or children's data.
  • Checklist is filtered by applicability, not a generic one-size-fits-all list.

Next steps after the check

  • • Export the open items into a Jira/Linear project or Notion tracker.
  • • Engage a privacy lawyer for high-risk use cases (healthcare, finance, hiring).
  • • Pair this with the Agent Stack Builder to pick security-first vendors.
  • • Re-run the checker whenever your region, use case, or vendor stack changes.

🤖 Use this tool in your agent

✓ Agent-ready code

Copy the snippet below into your agent, newsletter, or script. The tool page at hermesdispatch.dev/tools/ai-agent-compliance-checker/ is the canonical contract: inputs, outputs, and formulas.

python
# Hermes Dispatch Tool — AI Agent Compliance Checker
# Source: https://hermesdispatch.dev/tools/ai-agent-compliance-checker/
# Description: Return compliance requirements for an AI agent by region and use case.
# License: MIT (generated by hermesdispatch.dev)
#
# INSTALL:
#   1. Save this file as ~/.hermes/hermes-agent/tools/ai_agent_compliance_checker.py
#   2. Restart Hermes or run /reset in a session
#   3. The tool auto-registers if Hermes uses auto-discovery of tools/*.py
#
# MANUAL REGISTRY (if auto-discovery is off):
#   from tools.ai_agent_compliance_checker import register
#   register()

import json

DATA = {"regions": [{"slug": "us", "name": "United States", "frameworks": ["SOC 2", "CCPA/CPRA", "HIPAA (if health)"], "notes": "No federal GDPR equivalent; sectoral rules apply."}, {"slug": "eu", "name": "European Union / EEA", "frameworks": ["GDPR", "EU AI Act", "DORA (financial)", "NIS2"], "notes": "Strictest combination: GDPR + AI Act risk classification."}, {"slug": "uk", "name": "United Kingdom", "frameworks": ["UK GDPR", "Data Protection Act 2018", "UK AI regulation (sectoral)"], "notes": "Mirrors GDPR but diverging on AI-specific guidance."}, {"slug": "ca", "name": "Canada", "frameworks": ["PIPEDA / provincial privacy laws", "AIDA (proposed AI law)"], "notes": "Consent and accountability centered."}, {"slug": "au", "name": "Australia", "frameworks": ["Privacy Act 1988", "Australian AI Ethics Framework"], "notes": "APPs + emerging AI-specific obligations."}, {"slug": "global", "name": "Multi-region / Global launch", "frameworks": ["GDPR", "SOC 2", "CCPA/CPRA", "EU AI Act", "PIPEDA"], "notes": "Must satisfy the strictest region you serve."}], "use_cases": [{"slug": "customer-support", "name": "Customer support chatbot", "risk_level": "limited", "default_frameworks": ["GDPR", "SOC 2", "CCPA/CPRA"]}, {"slug": "internal-research", "name": "Internal research / coding assistant", "risk_level": "limited", "default_frameworks": ["SOC 2", "GDPR (employee data)"]}, {"slug": "content-automation", "name": "Marketing / content automation", "risk_level": "limited", "default_frameworks": ["GDPR", "CCPA/CPRA", "Platform ToS"]}, {"slug": "financial-advice", "name": "Financial / investment advice", "risk_level": "high", "default_frameworks": ["GDPR", "SOC 2", "DORA / FINRA", "EU AI Act (high-risk)"]}, {"slug": "healthcare", "name": "Healthcare / diagnostic support", "risk_level": "high", "default_frameworks": ["HIPAA", "GDPR", "EU AI Act (high-risk)", "SOC 2"]}, {"slug": "hr-recruiting", "name": "HR / recruiting automation", "risk_level": "high", "default_frameworks": ["GDPR", "CCPA/CPRA", "EEOC / anti-discrimination", "EU AI Act (high-risk)"]}, {"slug": "public-web-agent", "name": "Public web agent / autonomous actions", "risk_level": "high", "default_frameworks": ["GDPR", "EU AI Act", "CCPA/CPRA", "SOC 2"]}], "data_types": [{"slug": "pii", "name": "Personal identifiers (email, name, IP)", "high_risk": false}, {"slug": "health", "name": "Health / medical data", "high_risk": true}, {"slug": "financial", "name": "Financial / payment data", "high_risk": true}, {"slug": "biometric", "name": "Biometric / identity data", "high_risk": true}, {"slug": "children", "name": "Children's data (COPPA / GDPR child rules)", "high_risk": true}, {"slug": "public-web", "name": "Public web scraping / third-party data", "high_risk": false}], "checklist": [{"id": "privacy-policy", "category": "Transparency & user rights", "text": "Publish a privacy policy that discloses AI use, data collection, and user rights.", "priority": "P0", "regions": ["us", "eu", "uk", "ca", "au", "global"], "frameworks": ["GDPR", "UK GDPR", "CCPA/CPRA", "PIPEDA", "Privacy Act 1988"]}, {"id": "ai-disclosure", "category": "Transparency & user rights", "text": "Disclose when users are interacting with an AI agent (not a human).", "priority": "P0", "regions": ["us", "eu", "uk", "ca", "au", "global"], "frameworks": ["EU AI Act", "GDPR", "Platform ToS", "Australian AI Ethics Framework"]}, {"id": "legal-basis", "category": "Legal basis & consent", "text": "Define a legal basis for every personal-data processing activity (consent, contract, legitimate interest, etc.).", "priority": "P0", "regions": ["eu", "uk", "ca", "au", "global"], "frameworks": ["GDPR", "UK GDPR", "PIPEDA", "Privacy Act 1988"]}, {"id": "consent-management", "category": "Legal basis & consent", "text": "Provide granular consent / opt-out controls for AI training, profiling, and data sales.", "priority": "P0", "regions": ["eu", "uk", "ca", "us", "global"], "frameworks": ["GDPR", "CCPA/CPRA", "PIPEDA"]}, {"id": "data-minimization", "category": "Data minimization & retention", "text": "Collect only data necessary for the agent's purpose and document retention periods.", "priority": "P0", "regions": ["eu", "uk", "ca", "au", "us", "global"], "frameworks": ["GDPR", "UK GDPR", "PIPEDA", "Privacy Act 1988", "SOC 2"]}, {"id": "retention-deletion", "category": "Data minimization & retention", "text": "Automate deletion or anonymization when retention periods expire or users delete accounts.", "priority": "P1", "regions": ["eu", "uk", "ca", "au", "us", "global"], "frameworks": ["GDPR", "CCPA/CPRA", "SOC 2"]}, {"id": "encryption-rest-transit", "category": "Security & access", "text": "Encrypt data at rest and in transit using modern standards (TLS 1.2+, AES-256).", "priority": "P0", "regions": ["us", "eu", "uk", "ca", "au", "global"], "frameworks": ["SOC 2", "GDPR", "HIPAA", "NIS2"]}, {"id": "access-controls", "category": "Security & access", "text": "Enforce role-based access controls, least privilege, and MFA for systems handling agent data.", "priority": "P0", "regions": ["us", "eu", "uk", "ca", "au", "global"], "frameworks": ["SOC 2", "GDPR", "HIPAA", "NIS2"]}, {"id": "audit-logs", "category": "Security & access", "text": "Maintain immutable audit logs of agent decisions, data access, and administrator actions.", "priority": "P1", "regions": ["us", "eu", "uk", "ca", "au", "global"], "frameworks": ["SOC 2", "GDPR", "HIPAA", "NIS2", "DORA"]}, {"id": "vendor-dpa", "category": "Vendors & subprocessors", "text": "Sign Data Processing Addendas (DPAs) with every AI/LLM vendor and subprocessor.", "priority": "P0", "regions": ["eu", "uk", "ca", "au", "global"], "frameworks": ["GDPR", "UK GDPR", "PIPEDA", "SOC 2"]}, {"id": "subprocessor-list", "category": "Vendors & subprocessors", "text": "Publish and keep current a list of subprocessors (OpenAI, Anthropic, vector DB, hosting).", "priority": "P1", "regions": ["eu", "uk", "ca", "au", "us", "global"], "frameworks": ["GDPR", "CCPA/CPRA", "SOC 2"]}, {"id": "cross-border-transfers", "category": "Cross-border data", "text": "Use SCCs, adequacy decisions, or approved transfer mechanisms for EU/UK/CA data leaving the region.", "priority": "P0", "regions": ["eu", "uk", "ca", "au", "global"], "frameworks": ["GDPR", "UK GDPR", "PIPEDA"]}, {"id": "data-localization", "category": "Cross-border data", "text": "Store or process regulated data in approved regions when required (health, government, banking).", "priority": "P1", "regions": ["eu", "ca", "au", "us", "global"], "frameworks": ["GDPR", "PIPEDA", "DORA", "NIS2", "State privacy laws"]}, {"id": "dpia", "category": "Risk assessment", "text": "Conduct a Data Protection Impact Assessment (DPIA) before high-risk AI processing.", "priority": "P0", "regions": ["eu", "uk", "ca", "au", "global"], "frameworks": ["GDPR", "UK GDPR", "PIPEDA", "EU AI Act"]}, {"id": "ai-act-risk", "category": "Risk assessment", "text": "Classify your AI system under the EU AI Act (prohibited, high-risk, limited-risk, minimal-risk).", "priority": "P0", "regions": ["eu", "global"], "frameworks": ["EU AI Act"]}, {"id": "bias-testing", "category": "AI-specific safeguards", "text": "Test for bias, hallucinations, and unfair outputs before production deployment.", "priority": "P1", "regions": ["us", "eu", "uk", "ca", "au", "global"], "frameworks": ["EU AI Act", "EEOC / anti-discrimination", "Australian AI Ethics Framework"]}, {"id": "human-in-the-loop", "category": "AI-specific safeguards", "text": "Require human review for high-risk or irreversible decisions (hiring, credit, medical).", "priority": "P0", "regions": ["us", "eu", "uk", "ca", "au", "global"], "frameworks": ["EU AI Act", "GDPR", "EEOC", "Australian AI Ethics Framework"]}, {"id": "output-monitoring", "category": "AI-specific safeguards", "text": "Monitor agent outputs in production for toxicity, PII leaks, and policy violations.", "priority": "P1", "regions": ["us", "eu", "uk", "ca", "au", "global"], "frameworks": ["EU AI Act", "SOC 2", "Platform ToS"]}, {"id": "incident-response", "category": "Audit & accountability", "text": "Have a breach / incident response plan with 72-hour notification workflows where required.", "priority": "P0", "regions": ["eu", "uk", "ca", "au", "us", "global"], "frameworks": ["GDPR", "CCPA/CPRA", "HIPAA", "NIS2", "DORA"]}, {"id": "dsr-workflow", "category": "Audit & accountability", "text": "Automate data subject rights requests: access, rectification, erasure, portability, objection.", "priority": "P1", "regions": ["eu", "uk", "ca", "au", "us", "global"], "frameworks": ["GDPR", "CCPA/CPRA", "PIPEDA", "Privacy Act 1988"]}, {"id": "training-data-rights", "category": "AI-specific safeguards", "text": "Verify you have rights to use customer/ scraped data for model training or fine-tuning.", "priority": "P1", "regions": ["us", "eu", "uk", "ca", "au", "global"], "frameworks": ["GDPR", "CCPA/CPRA", "Platform ToS", "Copyright law"]}], "priority_weights": {"P0": 3, "P1": 2, "P2": 1}, "readiness": {"excellent": {"min": 90, "label": "Strong compliance posture", "weeks": "2-4 weeks to audit-ready"}, "good": {"min": 70, "label": "Solid foundation", "weeks": "4-8 weeks to close gaps"}, "needs_work": {"min": 50, "label": "Significant gaps", "weeks": "8-16 weeks with legal/security help"}, "high_risk": {"min": 0, "label": "High risk", "weeks": "16+ weeks; engage counsel immediately"}}}

def _ok(result):
    return json.dumps({"success": True, "data": result}, indent=2)

def _err(message):
    return json.dumps({"success": False, "error": message}, indent=2)


TOOL_NAME = "ai_agent_compliance_checker"
TOOLSET = "agents"

SCHEMA = {
  "type": "function",
  "function": {
    "name": "ai_agent_compliance_checker",
    "description": "Return compliance requirements for an AI agent by region and use case.",
    "parameters": {
      "type": "object",
      "properties": {
        "region": {
          "type": "string",
          "description": "Region slug: us, eu, uk, ca, au, global"
        },
        "use_case": {
          "type": "string",
          "description": "Use case slug: customer-support, internal-research, content-automation, financial-advice, healthcare, hr-recruiting, public-web-agent"
        }
      },
      "required": []
    }
  }
}

def _run(args):
    region = args.get("region", "us")
    use_case = args.get("use_case", "customer-support")
    region_info = next((r for r in DATA["regions"] if r["slug"] == region), DATA["regions"][0])
    use_case_info = next((u for u in DATA["use_cases"] if u["slug"] == use_case), DATA["use_cases"][0])
    checklist = []
    for item in DATA.get("checklist", []):
        checklist.append({"requirement": item, "applies": True})
    return _ok({
        "region": region,
        "region_name": region_info.get("name", region),
        "use_case": use_case,
        "use_case_name": use_case_info.get("name", use_case),
        "risk_level": use_case_info.get("risk_level", "unknown"),
        "key_frameworks": list(set(region_info.get("frameworks", []) + use_case_info.get("default_frameworks", []))),
        "compliance_checklist": checklist,
        "next_steps": ["Review data-processing agreements", "Document model risk assessments", "Add human oversight for high-risk decisions"]
    })

def HANDLER(args):
    try:
        return _run(args)
    except Exception as e:
        return _err(str(e))


def register():
    """Manual registry hook. Import and call this to register with Hermes."""
    try:
        from tools.registry import registry
        registry.register(
            name=TOOL_NAME,
            toolset=TOOLSET,
            schema=SCHEMA,
            handler=HANDLER,
        )
    except ImportError:
        print("Hermes registry not found; skipping manual registration.")

if __name__ == "__main__":
    # CLI smoke test
    print(HANDLER({}))

Want early access to the next locked tool? Subscribe to The Hermes Dispatch.

🚀 Get AI automation insights daily

15:00 MST. One-click unsubscribe.

Subscribe