DxtraBETA
Surface 9 · auditor-facing PDF layout

Same data. Inverted hierarchy.

The web result leads with the score because the owner’s arc is emotional. The PDF leads with the band because the reader is a professional — developer, DPO, counsel, eventually a regulator. Print this page to see the print-ready layout.

Illustrative layout for the fictional Brightleaf Botanicals sample scan. In production this document is generated server-side after the verified work-email magic link is clicked. Use your browser’s print function to preview the print output.
Privacy Program Assessment
brightleaf.example
Scan ID: DX-SAMPLE-0001 · Illustrative sample · Methodology v1.8 · Regulator Reference v1.7
Overall risk band
High Risk
Per ENISA likelihood × impact × sensitivity · generic-SME calibration
High severity
2
Medium
5
Low
1

1. Jurisdictional exposure

This site’s apparent jurisdictional reach covers: EU / UK / US-CA (storefront ships to the EU, UK and US). Per Methodology v1.8, findings are scored against the most stringent applicable regime for each indicator type.

See Regulator Reference v1.7 for the full regulator list applicable to each finding type.

2. Findings catalog

High · F7Ad/marketing pixels fire before consent
Meta Pixel, Google Ads and GA4 loaded on the storefront before any consent interaction, with Google Consent Mode defaulting to granted (gcs=G111).
Anchor sources: PECR Reg.6 (DUAA £17.5M/4%); EDPB Guidelines 05/2020 & 02/2023.
Frameworks: NIST PF v1.1 CT.DM-P1; ISO/IEC 27701:2025 A.7.4.4.
High · F2Privacy notice is stale (24+ months)
Last updated 30 months ago. New processors and an EU shipping flow have been added since, so the notice no longer reflects actual processing.
Anchor sources: ICO accountability principle; EDPB transparency guidelines.
Frameworks: NIST PF v1.1 GV.PO-P1; ISO/IEC 27701:2025 A.7.3.2.
Medium · M2Consent platform present but not gating
A consent management platform is present but served no banner to this vantage and is not gating non-essential tags.
Anchor sources: ePrivacy Art.5(3); PECR Reg.6 (DUAA).
Frameworks: NIST PF v1.1 CT.DM-P1.
Medium · M9Cross-border transfer disclosure absent
The storefront ships to the EU, UK and US, but the notice contains no international-transfer language or mechanism (e.g. SCCs).
Anchor sources: GDPR Art.13(1)(f), Art.44–49; EDPB transfer guidelines.
Frameworks: NIST PF v1.1 CM.PO-P1.
Medium · M10No record of processing activities referenced
No ROPA reference was found. Article 30-style records are expected once processing occurs at any scale.
Anchor sources: GDPR Art.30; LGPD Art.37; Swiss nFADP Art.12.
Frameworks: NIST PF v1.1 ID.IM-P1.
Medium · M13No GPC response disclosure
The notice does not disclose how Global Privacy Control signals are handled. (A US/California nexus was detected.)
Anchor sources: State UOOM mandates; CCPA regs §7025.
Frameworks: NIST PF v1.1 CT.PO-P3.
Medium · M30Form collects personal data with no point-of-collection notice
The contact form collects name, email and message with no consent option and no privacy notice in the form — the site-wide cookie banner does not satisfy this.
Anchor sources: GDPR Art.13; PDPA Notification Obligation; CCPA notice-at-collection §1798.100(b).
Frameworks: NIST PF v1.1 CM.PO-P1; ISO/IEC 27701:2025 A.7.3.2.
Low · L1No standalone cookie policy where promised
The cookie banner references a Cookie Policy, but no standalone cookie policy page resolves.
Anchor sources: EDPB transparency guidelines.
Frameworks: NIST PF v1.1 CM.PO-P1.
Tracker-behavior checks (cookies before consent, Reject All, GPC) are produced by the headless-browser pass — Dxtra's Browser Agent. In this sample the pass completed: F7 (ad/marketing pixels before consent) and M2 (consent platform not gating) above are its results, with the full host list in the tracker inventory.
3. Commendable practices detected · 2
C2 — Maintained sub-processors list (exceeds GDPR Art. 28 baseline — named processors with maintenance). C1 — Dedicated privacy subdomain (privacy.brightleaf.example — exceeds GDPR Art. 12 ‘easily accessible’). Commendable practices are informational only and do not affect the risk band (Methodology v1.8 · C-catalog).

4. Capability maturity (appendix reference)

The capability-maturity indicator for this scan is 27 / 100 — how much of a credible privacy program is evidenced on the public surface, and its distance to the 91/100 verified-badge threshold. It is secondary: the risk band above is the authoritative statement. Full credit detail appears in Appendix A of the generated document.

Important: This assessment is an automated diagnostic indicator based on publicly available information, not a legal opinion. Findings are not determinations of regulatory breach. The scanner cannot see contracts, internal records, processing purposes, or post-authentication areas. Privacy law is jurisdiction-specific and fact-specific — for material privacy decisions, consult a qualified privacy professional.
Methodology: docs.dxtra.ai/methodology/scanner-methodology.html · Regulator Reference: docs.dxtra.ai/methodology/regulator-reference.html · Questions: methodology@dxtra.ai
Privacy_Assessment_brightleaf_sample.pdfPage 1 of 6 · pages 2–6 carry full finding detail, capability map and Appendix A–B

Illustrative layout for a fictional business. Automated diagnostic indicator — not legal advice, not a determination of breach. Methodology v1.8 · Research preview.