Surface 9 · auditor-facing PDF layout

Same data. Inverted hierarchy.

The web result leads with the score because the owner’s arc is emotional. The PDF leads with the band because the reader is a professional — developer, DPO, counsel, eventually a regulator. Print this page to see the print-ready layout.

Illustrative layout for the fictional Brightleaf Botanicals sample scan. In production this document is generated server-side after the verified work-email magic link is clicked. Use your browser’s print function to preview the print output.
Privacy Program Assessment
brightleaf.example
Scan ID: DX-SAMPLE-0001 · Illustrative sample · Methodology v1.8 · Regulator Reference v1.7
Overall risk band: Medium Risk
Per ENISA likelihood × impact × sensitivity · generic-SME calibration
High severity: 1 · Medium: 3 · Low: 1

1. Jurisdictional exposure

This site’s apparent jurisdictional reach covers: EU / UK / US-CA (storefront ships to the EU, UK and US). Per Methodology v1.8, findings are scored against the most stringent applicable regime for each indicator type.

See Regulator Reference v1.7 for the full regulator list applicable to each finding type.

2. Findings catalogue

High · F2 · Privacy notice is stale (24+ months)
Last updated 30 months ago. New processors and an EU shipping flow have been added since, so the policy no longer reflects actual processing.
Anchor sources: ICO accountability principle; EDPB transparency guidelines.
Frameworks: NIST PF v1.1 GV.PO-P1; ISO/IEC 27701:2025 A.7.3.2.
Medium · M5 · No Transparency Center / privacy hub
Privacy information lives on a single policy page with no central hub for notices, cookies, rights and consent records.
Anchor sources: EDPB transparency guidelines.
Frameworks: NIST PF v1.1 CM.PO-P1; ISO/IEC 27701:2025 A.7.3.2.
Medium · M9 · Cross-border transfer disclosures absent
The storefront ships to the EU, UK and US, but the policy contains no international-transfer language or mechanism (e.g. SCCs).
Anchor sources: EDPB Recommendations 01/2020; ICO international transfer guidance.
Frameworks: EDPB Chapter V guidelines.
Medium · M10 · No record of processing activities referenced
No ROPA reference was found. Article 30-style records are expected once processing occurs at any scale.
Anchor sources: GDPR Art. 30; LGPD Art. 37; Swiss nFADP Art. 12.
Frameworks: NIST PF v1.1 ID.IM-P1.
Low · L1 · Cookie policy referenced but not found
The site mentions cookies but exposes no standalone, linkable cookie notice.
Anchor sources: EDPB transparency guidelines.
Frameworks: NIST PF v1.1 CM.PO-P1.
Tracker-behaviour checks F3–F7 and F10 (cookies before consent, Reject All honoured, GPC) are produced by the headless-browser pass — Dxtra's Browser Agent — and are recorded as pending in this sample. They are reported as inconclusive, not as findings.

3. Commendable practices detected · 2
C2 — Maintained sub-processors list (exceeds GDPR Art. 28 baseline — named processors with maintenance).
C1 — Dedicated privacy portal (exceeds GDPR Art. 12 ‘easily accessible’).
Commendable practices are informational only and do not affect the risk band (Methodology v1.8 · C-catalogue).

4. Composition score (appendix reference)

The presentational composition score for this scan is 59 / 100. It is a secondary summary of finding weights — the risk band above is the authoritative statement. Full weighting detail appears in Appendix A of the generated document.

Important: This assessment is an automated diagnostic indicator based on publicly available information, not a legal opinion. Findings are not determinations of regulatory breach. The scanner cannot see contracts, internal records, processing purposes, or post-authentication areas. Privacy law is jurisdiction-specific and fact-specific — for material privacy decisions, consult a qualified privacy professional.
Methodology: docs.dxtra.ai/methodology/scanner-methodology.html · Regulator Reference: docs.dxtra.ai/methodology/regulator-reference.html · Questions: methodology@dxtra.ai
Privacy_Assessment_brightleaf_sample.pdf · Page 1 of 6 · pages 2–6 carry full finding detail, capability map and Appendix A–B

Illustrative layout for a fictional business. Automated diagnostic indicator — not legal advice, not a determination of breach. Methodology v1.8 · Research preview.