# saccoai-swiss-compliance

This skill audits any website for Swiss legal compliance and generates the missing assets. It covers the full compliance surface: privacy policy (nDSG Art. 19), Impressum (Swiss commercial law), cookie consent mechanics, third-party script loading, and technical security headers.
Provide a URL for an audit-only run. Provide a project path to also generate and integrate missing assets directly into the codebase.
## Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| Target | Yes | — | Site URL (audit only) or project path (audit + generate + integrate) |
| Client info | For generate | — | Company name, address, UID number (CHE-xxx.xxx.xxx), contact email, phone |
| Languages | No | from project | Languages for generated compliance assets |
| Mode | No | full | audit (report only), generate (create assets only), full (audit + generate + integrate) |
## Execution Model

Single-agent sequential. No parallelism needed — all phases depend on the previous phase's output. `agent-browser` handles all crawling in Phase 1.
## Discovery

Before running, check if a prior audit exists:

- If `.saccoai/compliance/audit.md` exists: surface it to the user and ask whether to re-audit or use the cached report.
## Phase 1: Audit

Crawl the target site with `agent-browser` and evaluate every item in the following checklist. For each item, record: pass / fail / partial, the evidence found (or not found), and the remediation step if failing.
### Privacy & Data Protection (nDSG)

- Privacy policy page exists and is linked from every page (check footer and nav on homepage, a content page, and a contact page)
- Privacy policy covers nDSG Art. 19 mandatory disclosures — verify each is present:
  - Identity and contact details of the data controller
  - Purpose of data processing
  - Recipients or categories of recipients
  - Whether data is transferred abroad (and to which countries)
  - Retention periods or criteria used to determine them
  - Data subject rights: access, rectification, deletion, portability
- Privacy policy is available in all detected site languages
### Impressum / Legal Notice

- Impressum page exists (required for all Swiss commercial websites)
- Impressum contains all required fields:
  - Company name and legal form
  - Registered address (street, postcode, city, canton)
  - UID number in format CHE-xxx.xxx.xxx
  - Contact information (email and/or phone)
- Impressum is reachable from every page (check for footer link)
### Cookie Consent

- Cookie consent banner is shown before any non-essential cookies are set — load the homepage in a fresh browser session (no cookies) and verify the banner appears before any analytics or marketing scripts fire
- Banner offers granular consent choices (not just "Accept all" — must have at minimum "Accept all / Essential only")
- Consent preferences are stored and respected on return visits — accept, reload, verify no re-prompt
- Cookie policy documents all cookies with: name, provider, purpose, duration, and category (essential / analytics / marketing)
### Third-Party Services

- Detect all third-party scripts loaded on the page (Google Analytics, Meta Pixel, HubSpot, Hotjar, LinkedIn Insight, Intercom, etc.)
- For each detected script, verify it does not fire before consent is granted — check Network tab on a fresh session before interacting with the consent banner
- Record each script: provider name, script URL, and whether it requires consent before loading
### Technical Security

- HTTPS enforced — check for HTTP redirect to HTTPS and no mixed-content warnings
- Forms submit over HTTPS — inspect form action URLs
- Security headers present — check for: `Strict-Transport-Security`, `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`
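As an added illustration (not code from the saccoai skill), the following TypeScript evaluates these Technical Security checks against captured responses and goes one step beyond the checklist by validating header values rather than only their presence; the acceptance thresholds, the `example.ch` host and the sample responses are constructed assumptions.

```typescript
// Added example (not the saccoai skill's code): evaluate the Phase 1 Technical
// Security checks against captured responses. All inputs are constructed.

type Result = "PASS" | "FAIL";
export interface Finding { check: string; result: Result; evidence: string }
export interface HttpProbe { status: number; location?: string } // reply to the http:// request
export type ResponseHeaders = Record<string, string>;            // lower-cased header names

// Assumed acceptance rules; the checklist itself only requires presence.
const ONE_YEAR = 31536000;                       // HSTS max-age in seconds
const FRAME_OK = ["deny", "sameorigin"];
const REFERRER_OK = ["no-referrer", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin"];

function headerCheck(name: string, value: string | undefined,
                     accept: (v: string) => boolean): Finding {
  if (value === undefined) return { check: name, result: "FAIL", evidence: "missing" };
  return { check: name, result: accept(value) ? "PASS" : "FAIL", evidence: value };
}

function hstsMaxAge(value: string): number {
  const m = /max-age\s*=\s*(\d+)/i.exec(value);
  return m ? Number(m[1]) : 0;
}

export function evaluateSecurity(probe: HttpProbe, headers: ResponseHeaders,
                                 formActions: string[]): Finding[] {
  // HTTPS enforced: the http:// probe must redirect to an https:// location.
  const redirected = [301, 302, 307, 308].indexOf(probe.status) !== -1 &&
    (probe.location || "").toLowerCase().indexOf("https://") === 0;
  // Relative actions inherit the page scheme; only an absolute http:// action fails.
  const insecureForms = formActions.filter(a => /^http:\/\//i.test(a));
  return [
    { check: "HTTPS enforced", result: redirected ? "PASS" : "FAIL",
      evidence: redirected ? `redirect to ${probe.location}` : "HTTP accessible" },
    { check: "Forms over HTTPS", result: insecureForms.length ? "FAIL" : "PASS",
      evidence: insecureForms.length ? insecureForms.join(", ") : "no http:// form actions" },
    headerCheck("HSTS header", headers["strict-transport-security"],
      v => hstsMaxAge(v) >= ONE_YEAR),
    headerCheck("X-Content-Type-Options", headers["x-content-type-options"],
      v => v.trim().toLowerCase() === "nosniff"),
    headerCheck("X-Frame-Options", headers["x-frame-options"],
      v => FRAME_OK.indexOf(v.trim().toLowerCase()) !== -1),
    headerCheck("Referrer-Policy", headers["referrer-policy"],
      v => REFERRER_OK.indexOf(v.trim().toLowerCase()) !== -1),
  ];
}

// Constructed sample: the redirect is correct, HSTS max-age is too short and
// X-Frame-Options is absent, so two of the six checks fail.
export const sampleFindings = evaluateSecurity(
  { status: 301, location: "https://example.ch/" },
  { "strict-transport-security": "max-age=300",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin" },
  ["/contact", "https://example.ch/newsletter"],
);

for (const f of sampleFindings) console.log(`| ${f.check} | ${f.result} | ${f.evidence} |`);
```

The printed rows match the Security table of the Phase 2 report, so they can be pasted into `audit.md` as evidence.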
### Contact & Transparency

- Contact information is visible somewhere on the site (address, email, or phone)
- Contact form includes a privacy notice or explicit consent checkbox before submission
## Phase 2: Report

Produce `.saccoai/compliance/audit.md` using this format:

```markdown
# Compliance Audit — {domain}

**Date**: {date}
**Standard**: Swiss nDSG (Datenschutzgesetz) + Swiss commercial law
**Mode**: {audit | full}

## Summary

| Category | Status | Issues |
|----------|--------|--------|
| Privacy Policy (nDSG) | {✅ PASS / ⚠️ PARTIAL / ❌ FAIL} | {brief issue description or "—"} |
| Impressum | {✅ PASS / ⚠️ PARTIAL / ❌ FAIL} | {brief issue description or "—"} |
| Cookie Consent | {✅ PASS / ⚠️ PARTIAL / ❌ FAIL} | {brief issue description or "—"} |
| Third-Party Services | {✅ PASS / ⚠️ PARTIAL / ❌ FAIL} | {N scripts load before consent / "—"} |
| Security | {✅ PASS / ⚠️ PARTIAL / ❌ FAIL} | {brief issue description or "—"} |
| Contact & Transparency | {✅ PASS / ⚠️ PARTIAL / ❌ FAIL} | {brief issue description or "—"} |

**Overall**: {N} critical issues, {M} partial issues, {K} passing

## Detailed Findings

### Privacy Policy (nDSG)

**Status**: {✅ PASS / ⚠️ PARTIAL / ❌ FAIL}

| Check | Result | Evidence | Remediation |
|-------|--------|----------|-------------|
| Policy page exists and is linked | {✅/❌} | {URL found or "not found"} | {step if failing} |
| Data controller identity | {✅/❌} | {excerpt or "missing"} | {step if failing} |
| Purpose of processing | {✅/❌} | {excerpt or "missing"} | {step if failing} |
| Recipients | {✅/❌} | {excerpt or "missing"} | {step if failing} |
| Cross-border transfers | {✅/❌} | {excerpt or "missing"} | {step if failing} |
| Retention periods | {✅/❌} | {excerpt or "missing"} | {step if failing} |
| Data subject rights | {✅/❌} | {excerpt or "missing"} | {step if failing} |
| Available in all languages | {✅/❌} | {languages found} | {step if failing} |

### Impressum

**Status**: {✅ PASS / ⚠️ PARTIAL / ❌ FAIL}

| Check | Result | Evidence | Remediation |
|-------|--------|----------|-------------|
| Impressum page exists | {✅/❌} | {URL or "not found"} | Add /impressum route |
| Company name and legal form | {✅/❌} | {found text or "missing"} | {step if failing} |
| Registered address | {✅/❌} | {found text or "missing"} | {step if failing} |
| UID number (CHE-xxx.xxx.xxx) | {✅/❌} | {found text or "missing"} | {step if failing} |
| Contact information | {✅/❌} | {found text or "missing"} | {step if failing} |
| Linked from every page | {✅/❌} | {footer link found or "missing"} | Add footer link |

### Cookie Consent

**Status**: {✅ PASS / ⚠️ PARTIAL / ❌ FAIL}

| Check | Result | Evidence | Remediation |
|-------|--------|----------|-------------|
| Banner shown before cookies set | {✅/❌} | {observed or "scripts fired before consent"} | {step if failing} |
| Granular choice offered | {✅/❌} | {button labels found or "accept-all only"} | {step if failing} |
| Preferences stored on return | {✅/❌} | {observed or "re-prompt on reload"} | {step if failing} |
| Cookie policy present | {✅/❌} | {URL or "not found"} | {step if failing} |

### Third-Party Services

**Status**: {✅ PASS / ⚠️ PARTIAL / ❌ FAIL}

| Service | Script URL | Fires Before Consent |
|---------|------------|---------------------|
| {provider} | {url} | {Yes ❌ / No ✅} |

### Security

**Status**: {✅ PASS / ⚠️ PARTIAL / ❌ FAIL}

| Check | Result | Evidence |
|-------|--------|----------|
| HTTPS enforced | {✅/❌} | {redirect observed or "HTTP accessible"} |
| Forms over HTTPS | {✅/❌} | {form action URLs} |
| HSTS header | {✅/❌} | {header value or "missing"} |
| X-Content-Type-Options | {✅/❌} | {header value or "missing"} |
| X-Frame-Options | {✅/❌} | {header value or "missing"} |
| Referrer-Policy | {✅/❌} | {header value or "missing"} |

### Contact & Transparency

**Status**: {✅ PASS / ⚠️ PARTIAL / ❌ FAIL}

| Check | Result | Evidence |
|-------|--------|----------|
| Contact info visible | {✅/❌} | {found text or "not found"} |
| Contact form has privacy notice | {✅/❌} | {observed or "no notice"} |

## What to Generate

{If mode is `full` or `generate`, list the assets that need to be created based on failing checks:}

- [ ] Privacy policy page (`src/app/(marketing)/privacy-policy/page.tsx`)
- [ ] Impressum page (`src/app/(marketing)/impressum/page.tsx`)
- [ ] Cookie consent component + configuration
- [ ] DPA template (`.saccoai/compliance/dpa-template.md`)
```

Also produce `.saccoai/compliance/cookie-inventory.json` with the structured third-party service data:

```json
{
  "domain": "{domain}",
  "auditDate": "{ISO date}",
  "services": [
    {
      "provider": "Google Analytics",
      "scriptUrl": "https://www.google-analytics.com/analytics.js",
      "category": "analytics",
      "firesBeforeConsent": true,
      "requiresConsent": true
    }
  ]
}
```
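An added TypeScript example, not part of the skill, showing how the `services` array above can be derived from the request URLs `agent-browser` captures before and after the consent banner is answered (the Third-Party Services checks of Phase 1); the provider host patterns, the placeholder `example.ch` domain and the captured URLs are constructed assumptions.

```typescript
// Added example (not the saccoai skill's code): derive the "services" array of
// cookie-inventory.json from script requests captured by the browser. Host
// patterns and the sample capture are constructed assumptions.

export type Category = "essential" | "analytics" | "marketing";
export interface ServiceEntry {
  provider: string; scriptUrl: string; category: Category;
  firesBeforeConsent: boolean; requiresConsent: boolean;
}

// Providers named in the Phase 1 checklist; the host patterns are assumed here.
const KNOWN: { provider: string; host: RegExp; category: Category }[] = [
  { provider: "Google Analytics", category: "analytics",
    host: /(^|\.)(google-analytics\.com|googletagmanager\.com)$/ },
  { provider: "Meta Pixel",       category: "marketing", host: /(^|\.)connect\.facebook\.net$/ },
  { provider: "HubSpot",          category: "marketing", host: /(^|\.)(hs-scripts\.com|hubspot\.com)$/ },
  { provider: "Hotjar",           category: "analytics", host: /(^|\.)hotjar\.com$/ },
  { provider: "LinkedIn Insight", category: "marketing", host: /(^|\.)licdn\.com$/ },
  { provider: "Intercom",         category: "marketing", host: /(^|\.)(intercom\.io|intercomcdn\.com)$/ },
];

function hostOf(url: string): string | null {
  const m = /^https?:\/\/([^/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// beforeConsent: requests seen in a fresh session before the banner was answered.
// afterConsent: requests seen only after "Accept all". A service is recorded once
// and flagged if any of its requests appeared in the pre-consent capture.
export function buildInventory(beforeConsent: string[], afterConsent: string[]): ServiceEntry[] {
  const out: ServiceEntry[] = [];
  const visit = (url: string, before: boolean) => {
    const host = hostOf(url);
    const known = host ? KNOWN.filter(p => p.host.test(host))[0] : undefined;
    if (!known) return;                           // first-party or unrecognised host
    const prev = out.filter(s => s.provider === known.provider)[0];
    if (prev) { prev.firesBeforeConsent = prev.firesBeforeConsent || before; return; }
    out.push({ provider: known.provider, scriptUrl: url, category: known.category,
      firesBeforeConsent: before, requiresConsent: known.category !== "essential" });
  };
  beforeConsent.forEach(u => visit(u, true));
  afterConsent.forEach(u => visit(u, false));
  return out;
}

// Constructed capture for a placeholder site (example.ch): two trackers fire
// before consent, Hotjar only after "Accept all".
export const preConsentRequests = [
  "https://example.ch/_next/static/chunks/main.js",
  "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX",
  "https://connect.facebook.net/en_US/fbevents.js",
];
export const postConsentRequests = ["https://static.hotjar.com/c/hotjar-000000.js?sv=6"];

export const inventory = buildInventory(preConsentRequests, postConsentRequests);
export const violations = inventory.filter(s => s.requiresConsent && s.firesBeforeConsent);

console.log(JSON.stringify({ domain: "example.ch",
  auditDate: new Date().toISOString().slice(0, 10), services: inventory }, null, 2));
```

`violations.length` is the "N scripts load before consent" figure for the Summary table.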
## Phase 3: Generate

For each asset flagged as missing in the Phase 2 report, generate the corresponding file. Only generate assets where the audit found a failing item — do not overwrite existing compliant pages.
If client info was not provided and the mode requires generation, prompt: "I need your company details to generate the compliance pages. Please provide: company name, legal form, registered address, UID number (CHE-xxx.xxx.xxx), contact email, and phone."
### Privacy Policy

Generate a complete nDSG-compliant privacy policy as a Next.js page.

Output: `src/app/(marketing)/privacy-policy/page.tsx`

If multilingual (multiple languages detected or specified in inputs), generate locale variants: `src/app/[locale]/(marketing)/privacy-policy/page.tsx`

The generated page must include all nDSG Art. 19 mandatory sections:
- Controller identity — company name, address, UID, contact email
- Purpose of processing — tailored to the services detected on the site (e.g., "We process data to respond to contact form enquiries, to analyse site usage via Google Analytics, and to improve our services.")
- Recipients — list all third-party services found in Phase 1 (`cookie-inventory.json`) with their names and privacy policy URLs
- Cross-border transfers — flag any services that transfer data outside Switzerland (e.g., Google: USA, Meta: USA). For US transfers, note the Standard Contractual Clauses or adequacy decision basis.
- Retention periods — use standard periods per category: contact form data (2 years), analytics data (per provider policy), marketing data (until consent withdrawn)
- Data subject rights — access, rectification, erasure, restriction, portability, objection. Include the FDPIC (Federal Data Protection and Information Commissioner) as supervisory authority.
- Last updated date — set to today's date
The page is rendered as static content (no client components needed). Use the site's existing layout and typography.
### Impressum

Generate an Impressum page with all Swiss commercial law required fields.

Output: `src/app/(marketing)/impressum/page.tsx`

Populate from client info input:
- Company name and legal form (e.g., "Muster AG" or "Max Muster, Einzelunternehmen")
- Registered address (formatted per Swiss postal standard: Street Nr, Postcode City)
- UID number formatted as CHE-xxx.xxx.xxx
- Contact email and phone
- Disclaimer of liability (standard Swiss Haftungsausschluss paragraph)
- Copyright notice for the current year
The page is static content using the site's existing layout.
### Cookie Consent

Generate a cookie consent setup for the project. Do not prescribe a specific library — recommend based on what is already installed:

- Check `package.json` for existing consent libraries (`cookies-next`, `react-cookie-consent`, `tarteaucitron`, `Cookiebot`, etc.)
- If none found, scaffold a lightweight custom implementation using `cookies-next` for storage + a custom React component for the banner UI.

Output files:

- `src/components/cookie-consent/cookie-consent.tsx` — the banner component:
  - Shows on first visit before any non-essential scripts load
  - "Accept all" and "Essential only" buttons (minimum — add "Manage preferences" if marketing/analytics categories both exist)
  - Links to the cookie policy page
  - Persists choice to a `cookie-consent` cookie with a 1-year expiry
- `src/components/cookie-consent/cookie-config.ts` — the cookie categories and per-cookie inventory (populated from `cookie-inventory.json`):

  ```ts
  export const cookieCategories = {
    essential: { label: "Essential", required: true, cookies: [...] },
    analytics: { label: "Analytics", required: false, cookies: [...] },
    marketing: { label: "Marketing", required: false, cookies: [...] },
  };
  ```

- `src/components/cookie-consent/consent-gate.tsx` — a wrapper component that delays rendering third-party scripts until the appropriate consent category is granted:

  ```tsx
  <ConsentGate category="analytics">
    <GoogleAnalytics />
  </ConsentGate>
  ```

- `src/app/(marketing)/cookie-policy/page.tsx` — a static cookie policy page listing all cookies from the inventory with name, provider, purpose, duration, and category.
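Added example, not the skill's own output: the consent-state logic the banner and `ConsentGate` would share, written as plain TypeScript (no React) so the gating rule can be unit-tested; the cookie value format, the `version` field and the `SameSite`/`Secure` attributes are assumptions.

```typescript
// Added example (not the saccoai skill's code): consent-state logic shared by
// the banner and <ConsentGate>, as plain TypeScript so it can be unit-tested.
// Cookie value format, version field and cookie attributes are assumptions.

export type Category = "essential" | "analytics" | "marketing";
export const cookieCategories: Record<Category, { label: string; required: boolean }> = {
  essential: { label: "Essential", required: true },
  analytics: { label: "Analytics", required: false },
  marketing: { label: "Marketing", required: false },
};
const ALL: Category[] = ["essential", "analytics", "marketing"];

export const CONSENT_COOKIE = "cookie-consent";
export const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

export interface ConsentState { version: 1; granted: Category[]; decidedAt: string }

// The two mandatory banner buttons.
export function acceptAll(now: Date = new Date()): ConsentState {
  return { version: 1, granted: ALL.slice(), decidedAt: now.toISOString() };
}
export function essentialOnly(now: Date = new Date()): ConsentState {
  return { version: 1, granted: ALL.filter(c => cookieCategories[c].required),
           decidedAt: now.toISOString() };
}

// Set-Cookie value with the 1-year expiry the skill requires; SameSite=Lax and
// Secure are assumed defaults for a consent cookie.
export function toSetCookie(state: ConsentState, secure: boolean = true): string {
  const value = encodeURIComponent(JSON.stringify(state));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${ONE_YEAR_SECONDS}; Path=/; SameSite=Lax` +
    (secure ? "; Secure" : "");
}

// Parse the raw cookie value; anything malformed or unknown counts as "no decision yet".
export function parseConsent(raw: string | undefined): ConsentState | null {
  if (!raw) return null;
  try {
    const obj = JSON.parse(decodeURIComponent(raw));
    if (!obj || obj.version !== 1 || !Array.isArray(obj.granted)) return null;
    const granted = ALL.filter(c => obj.granted.indexOf(c) !== -1);   // drop unknown names
    return { version: 1, granted, decidedAt: String(obj.decidedAt || "") };
  } catch { return null; }
}

// The banner shows whenever no valid decision has been recorded.
export function shouldShowBanner(state: ConsentState | null): boolean { return state === null; }

// The rule <ConsentGate> enforces: required categories always render; optional ones
// render only after an explicit grant, so nothing non-essential loads on first visit.
export function isGranted(state: ConsentState | null, category: Category): boolean {
  if (cookieCategories[category].required) return true;
  return state !== null && state.granted.indexOf(category) !== -1;
}

// Constructed round trip: the value a browser would send back after "Accept all".
export const storedValue = toSetCookie(acceptAll()).split(";")[0].slice(CONSENT_COOKIE.length + 1);
export const restored = parseConsent(storedValue);
console.log("analytics granted after accept-all:", isGranted(restored, "analytics"));
```

Treating a missing or malformed cookie as "no decision" is what makes the "re-prompt on reload" and "scripts fired before consent" audit checks pass together.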
### Data Processing Agreement Template

Generate a DPA template for the client's subprocessors, pre-filled with the third-party services detected in Phase 1.

Output: `.saccoai/compliance/dpa-template.md`

The template includes:
- Parties section (client as Controller, subprocessor as Processor)
- Subject matter and duration of processing
- Nature and purpose of processing
- Type of personal data and categories of data subjects
- Obligations of the processor (security measures, sub-processor restrictions, deletion/return of data)
- Standard Contractual Clauses reference for cross-border transfers
- A pre-filled annex listing each detected third-party service as a sub-processor with their DPA URL (where available)
This is a Markdown document intended for legal review, not a production page.
## Phase 4: Integrate

This phase only runs when target is a project path (not a URL) and mode is `full`.

- **Add compliance routes to the app**

  Verify the generated page files from Phase 3 are written to the correct locations:
  - `src/app/(marketing)/privacy-policy/page.tsx`
  - `src/app/(marketing)/impressum/page.tsx`
  - `src/app/(marketing)/cookie-policy/page.tsx`

  If the project uses locale-based routing (detected by checking for `[locale]` segments or `next-intl` in `package.json`), move the pages to the locale-aware path: `src/app/[locale]/(marketing)/`.

- **Add links to footer navigation**

  Locate the footer component (search for `footer` or `Footer` in `src/components/`). Add links to:
  - Privacy Policy → `/privacy-policy`
  - Impressum → `/impressum`
  - Cookie Policy → `/cookie-policy`

  Match the existing link style in the footer — do not introduce new CSS classes or components.

- **Install cookie consent component**

  Add the `CookieConsent` component to the root layout (`src/app/layout.tsx`):

  ```tsx
  import { CookieConsent } from "@/components/cookie-consent/cookie-consent";

  // Inside the <body>:
  <CookieConsent />
  ```

  If using `cookies-next`, add it to `package.json`: `npm install cookies-next`

- **Wrap third-party scripts in consent gates**

  For each third-party script found in Phase 1 that fires before consent:
  - Locate where the script is loaded in the project (search for the script URL or provider name)
  - Wrap the script component or tag with `<ConsentGate category="{category}">...</ConsentGate>`
  - Common locations: root layout Script tags, `src/components/analytics/`, `src/app/providers.tsx`

- **Commit the integration**

  ```bash
  git add -A
  git commit -m "feat: add Swiss compliance pages, cookie consent, and footer links"
  ```
## Composition

```text
saccoai-website-rebuild ──→ saccoai-swiss-compliance (after QA, before Deploy)
any live URL ─────────────→ saccoai-swiss-compliance (audit only — mode: audit)
any Next.js project ──────→ saccoai-swiss-compliance (audit + generate + integrate — mode: full)
saccoai-swiss-compliance ──→ saccoai-proposal (compliance gaps feed into proposal context)
```

Reads `.saccoai/compliance/audit.md` if it already exists (cached audit). Output feeds into saccoai-proposal for the compliance section of client proposals.
## Standalone Usage

Invoke this skill when:
- A client asks "are we GDPR / nDSG compliant?"
- Before launching any site targeting Swiss users
- After adding new third-party integrations (analytics, marketing tools) that may need consent
- When building a proposal and wanting to document the client's compliance gaps
- The user mentions "Datenschutz", "Impressum", "cookie banner", "nDSG", "privacy policy", or "Swiss law"
When invoked standalone, ask for: the site URL or project path, client company info (if generating), and languages. Then run all applicable phases.
## Edge Cases

- URL-only mode with no project path: Phases 3 and 4 are skipped. The skill produces only the audit report and DPA template.
- Mode `audit`: Only Phase 1 and Phase 2 run. Nothing is generated or integrated.
- Mode `generate` with no prior audit: Run Phase 1 (audit) first, then Phase 3 (generate) using the findings. Never generate assets without first auditing — the generated content depends on what third-party services are detected.
- Client info missing when generate is needed: Prompt for it before starting Phase 3. Do not generate placeholder pages with fake company info.
- Existing compliant pages: If a privacy policy or Impressum page already exists and passed all audit checks, do not overwrite it. Report it as passing and skip generation for that asset.
- Non-Next.js project: Phases 3 and 4 generate Next.js-specific files. If the project uses a different framework, still generate the privacy policy and Impressum content as Markdown files in `.saccoai/compliance/` and note that manual integration is required.
- Multiple languages detected: Generate all compliance pages in every detected language. If running in multilingual mode, output locale variants and note that the privacy policy must reference data processing in all active languages.
- UID number not provided: Generate the Impressum with a `[UID NUMBER — ADD BEFORE PUBLISHING]` placeholder and warn the user that a UID number is legally required.