Policies & Compliance
Company policies, employee handbooks, website terms of service, and privacy policies. Free templates — download PDF or Word, no signup required (2026).
Acceptable Use Policy
Define permitted and prohibited uses of your organization's IT systems, networks, and digital resources with this US Acceptable Use Policy. Covers computer use, internet access, email, data handling, and disciplinary consequences under applicable law.
Anti-Bribery and Corruption Policy
Create a comprehensive Anti-Bribery and Corruption Policy compliant with the Foreign Corrupt Practices Act (FCPA) of 1977, the Sarbanes-Oxley Act of 2002, and state anti-bribery laws. Covers prohibited conduct, gifts and hospitality thresholds, third party due diligence, books-and-records requirements, confidential reporting, whistleblower protections, training, and enforcement.
Acceptable Use Policy (Australia)
Create an Acceptable Use Policy (AUP) for an Australian organisation. Governs the use of IT systems, internet, email, and company devices by employees and users. Compliant with the Privacy Act 1988 (Cth), Spam Act 2003 (Cth), and Cybercrime Act 2001 (Cth).
Anti-Bribery and Corruption Policy (Australia)
An Anti-Bribery and Corruption Policy is a formal corporate governance document that sets out an organisation's commitment to preventing bribery, corruption, and related misconduct in all of its business activities — domestically in Australia and internationally. It defines what conduct is prohibited, who the policy applies to, how gifts and hospitality must be managed, what due diligence must be conducted on third parties, how suspected breaches should be reported, how whistleblowers will be protected, and what training will be provided to ensure all covered persons understand their obligations. Australian organisations are subject to an interlocking framework of anti-bribery legislation at both the Commonwealth and state and territory levels. The centrepiece of Australia's foreign bribery regime is Division 70 of the Criminal Code Act 1995 (Cth), which makes it a federal criminal offence to offer, provide, or cause to be provided a benefit to a foreign public official with the intention of influencing them in the exercise of their official duties to obtain or retain a business advantage. The maximum penalty for individuals convicted of a foreign bribery offence under Division 70 is 10 years' imprisonment. Corporations can also be held criminally liable for the foreign bribery of their associates (including agents, contractors, and related entities) unless the corporation can demonstrate that it took reasonable precautions to prevent the conduct — a standard that requires having a genuine, documented compliance program in place. The foreign bribery laws were significantly strengthened by the Crimes Legislation Amendment (Combatting Corporate Crime) Act 2024 (Cth), which came into force in February 2024. 
This Act introduced a new offence of "failure to prevent foreign bribery" (s 70.5A of the Criminal Code Act 1995 (Cth)), under which a body corporate is automatically criminally liable if one of its associates commits a foreign bribery offence, unless the body corporate had in place "adequate procedures" to prevent the conduct. This change substantially increases the compliance burden on Australian companies with international operations and makes a robust, documented Anti-Bribery Policy a legal necessity rather than merely a best practice. Domestic bribery of Australian public officials is separately prohibited by Division 141 of the Criminal Code Act 1995 (Cth) (which applies to Commonwealth public officials) and by state and territory bribery and corruption offences. These include the Crimes Act 1900 (NSW) ss 249B-249E (corrupt benefits), the Criminal Code Act 1899 (Qld) ss 55-58, and equivalent provisions in all other states and territories. Corruption involving elected officials and public sector employees in New South Wales, Queensland, Western Australia, and other states is also subject to investigation by independent commissions including the NSW Independent Commission Against Corruption (ICAC), the Queensland Crime and Corruption Commission (CCC), and the Western Australia Corruption and Crime Commission (CCC). Gifts, entertainment, and hospitality are a common vector for bribery risk, particularly in industries involving close relationships with government clients, procurement decisions, or international counterparties. An Anti-Bribery Policy must clearly define what gifts and hospitality are acceptable (with a monetary threshold), what requires prior approval, what is absolutely prohibited (such as cash gifts), and how all gifts must be recorded in a centralised register. 
Facilitation payments — small payments to government officials to speed up routine administrative processes — are specifically prohibited under Division 70 of the Criminal Code Act 1995 (Cth) and must be addressed explicitly in the policy. Third-party intermediaries, agents, and representatives present the greatest bribery risk for Australian organisations operating internationally, because they may make corrupt payments on behalf of the organisation without its direct knowledge. Section 70.4 of the Criminal Code Act 1995 (Cth) provides that a body corporate can be liable for the foreign bribery of its "associates" — a category that includes agents — even without the organisation's knowledge, unless it took reasonable precautions. A documented third-party due diligence process is therefore essential. Whistleblower protections are an integral part of any effective Anti-Bribery Policy. Under Part 9.4AAA of the Corporations Act 2001 (Cth), as amended by the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, eligible whistleblowers who report suspected bribery or corruption in good faith are entitled to legal protection from detrimental action, confidentiality of their identity, and the ability to seek compensation if they suffer reprisals. This Anti-Bribery and Corruption Policy template is suitable for Australian companies of all sizes — from small proprietary limited companies to ASX-listed public companies — operating in any industry and in any jurisdiction. It is particularly important for organisations with international operations, government clients, complex supply chains, or activities in markets identified by Transparency International as having elevated corruption risk.
Data Processing Agreement (Australia)
As Australian businesses increasingly outsource data-intensive functions to third-party service providers — cloud platforms, payroll processors, CRM vendors, IT support companies, and analytics firms — the need for a formal Data Processing Agreement (DPA) has become critical. An Australian Data Processing Agreement is a contract that governs how a service provider (the Processor) handles personal information on behalf of an APP entity (the organisation responsible for that information), ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Australia does not have a regulation precisely equivalent to the European Union's GDPR Article 28, which mandates a written data processing agreement between controllers and processors. However, the Privacy Act 1988 (Cth) imposes obligations on APP entities that effectively require them to ensure service providers handling personal information on their behalf are contractually bound to appropriate privacy standards. Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. APP 2.1 provides that an individual must have the option of not identifying themselves or of using a pseudonym where lawful and practicable. The OAIC's Guide to Securing Personal Information identifies contractual arrangements with third parties as a key technical and organisational measure that APP entities should implement. The Notifiable Data Breaches (NDB) scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and now in Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an Eligible Data Breach occurs — that is, a breach likely to result in serious harm to one or more individuals. 
Where personal information is held by a service provider on behalf of an APP entity, the service provider may discover the breach first. A DPA should establish clear contractual obligations on the service provider to notify the APP entity promptly (the DPA should specify a timeframe shorter than the OAIC notification deadline) so the APP entity can assess whether the breach is notifiable and take required action. Cross-border disclosure of personal information is governed by Australian Privacy Principle 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the overseas recipient will handle the information in a manner consistent with the APPs. This is a particularly important consideration for Australian businesses using US-based cloud services (such as AWS, Azure, Google Cloud, or Salesforce), as the United States does not have a national privacy law equivalent to the APPs. A DPA should address whether the Processor may transfer or disclose personal information to overseas sub-processors and what safeguards must be in place. Under APP 8.2(b), an alternative is for the individual to consent to the overseas disclosure, but this is not always practicable. The Privacy Act 1988 (Cth) distinguishes between 'personal information' (broadly defined in s 6(1) as information or an opinion about an identified individual or an individual who is reasonably identifiable) and 'sensitive information' (a subset defined in s 6(1) to include health information, biometric information, genetic information, information about racial or ethnic origin, criminal records, religious beliefs, and other specified categories). Sensitive information attracts heightened protection under the APPs, particularly APP 3 (which requires consent for collection in most circumstances) and APP 6 (which restricts secondary use and disclosure). 
Where a Processor will handle sensitive information, the DPA should expressly acknowledge this and require enhanced security measures. The Australian Government released a revised Privacy Act Review Report in 2023, recommending significant reforms to the Privacy Act 1988 (Cth), including the introduction of a statutory tort of serious invasion of privacy, enhanced individual rights, and stronger enforcement powers for the OAIC. Businesses should monitor developments in Australian privacy law, as some of the recommended reforms may require updates to existing DPAs when legislation is enacted. Best practice for an Australian DPA — informed by the OAIC's guidance and aligned with international standards — includes: documented handling instructions from the APP entity to the Processor; restrictions on using personal information for the Processor's own purposes; security obligations aligned with APP 11 and the OAIC's Guide to Securing Personal Information; sub-processor controls; cross-border disclosure restrictions consistent with APP 8; breach notification obligations that dovetail with the NDB scheme; access and correction assistance for APPs 12 and 13; data destruction or de-identification obligations under APP 11.2 on termination; and audit rights for the APP entity. This Australian Data Processing Agreement template addresses all of these requirements. It uses Australian legal terminology (APP Entity rather than Controller, personal information rather than personal data, OAIC rather than ICO), references to the Privacy Act 1988 (Cth) and APPs, the NDB scheme under Part IIIC, and Australian business conventions including ABN identification and AUD pricing.
Data Protection Policy (Australia)
Create a comprehensive Data Protection Policy for an Australian organisation. Compliant with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Covers data collection, use, storage, disclosure, access rights, and breach notification.
Data Retention Policy (Australia)
Create a comprehensive Australian Data Retention Policy that complies with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Telecommunications (Interception and Access) Act 1979 (Cth), the Corporations Act 2001 (Cth), and the Fair Work Act 2009 (Cth). Covers data categories, retention schedules for employee records, financial records, customer records, communications, and contracts, approved destruction and de-identification methods, breach notification obligations under the Notifiable Data Breaches scheme, and accountability procedures. Suitable for businesses, charities, government contractors, and any organisation that holds personal information about customers, employees, or other individuals in Australia.
Diversity, Equity and Inclusion Policy (Australia)
Create a Diversity, Equity and Inclusion (DEI) Policy for Australian organisations compliant with the Fair Work Act 2009 (Cth), Workplace Gender Equality Act 2012 (Cth), Australian Human Rights Commission Act 1986 (Cth), Disability Discrimination Act 1992 (Cth), Racial Discrimination Act 1975 (Cth), Sex Discrimination Act 1984 (Cth), and Age Discrimination Act 2004 (Cth).
Environmental Policy (Australia)
An Environmental Policy is a formal corporate document in which an organisation sets out its commitment to protecting the environment, managing its environmental impacts, and complying with all applicable environmental laws and regulations. For Australian businesses, an Environmental Policy is an essential governance and compliance tool that demonstrates to regulators, clients, investors, employees, and the broader community that the organisation takes its environmental obligations seriously and is actively working to reduce its environmental footprint. Australian organisations are subject to one of the most comprehensive environmental regulatory frameworks in the world, spanning Commonwealth, state, and territory legislation. At the Commonwealth level, the Environment Protection and Biodiversity Conservation Act 1999 (Cth) (the EPBC Act) is the central environmental statute. The EPBC Act protects matters of national environmental significance (MNES), which include listed threatened species and ecological communities, listed migratory species, world and national heritage places, Ramsar-listed wetlands, the Commonwealth marine environment, and nuclear actions. Any action (including a business activity) that is likely to have a significant impact on an MNES requires approval under Part 9 of the EPBC Act from the Minister for the Environment before it may proceed — a process known as an environmental impact assessment. Failure to obtain approval is a strict liability offence under s 142 of the EPBC Act and can attract civil penalties of up to 50,000 penalty units (currently over AUD $10 million) for corporations. The EPBC Act is currently undergoing significant reform. 
The Nature Positive Plan announced by the Australian Government proposes to replace the EPBC Act with new legislation focused on nature positive outcomes, including the establishment of Environment Protection Australia (EPA) as an independent federal regulator and a new regime for nature repair and biodiversity stewardship. Greenhouse gas emissions and energy reporting are governed at the Commonwealth level by the National Greenhouse and Energy Reporting Act 2007 (Cth) (NGER Act), administered by the Clean Energy Regulator. Corporations or controlling corporations whose operational facilities generate 51,000 tonnes or more of CO2-equivalent greenhouse gas emissions, or produce or consume 200 terajoules or more of energy, per year must register and report annually under the NGER Act. The Safeguard Mechanism — also administered under the NGER Act — applies to facilities with Scope 1 emissions exceeding 100,000 tonnes CO2-e per year, requiring them to keep their net emissions at or below an annually declining baseline. The Safeguard Mechanism was significantly reformed in 2023, with baselines now set to decline by 4.9% per year in line with Australia's Paris Agreement commitments. Australia's national climate commitments are enshrined in the Climate Change Act 2022 (Cth), which established legally binding emissions reduction targets of 43% below 2005 levels by 2030 and net zero by 2050. These targets inform the environmental expectations of regulators, investors, and major commercial counterparties across all sectors of the economy. Each Australian state and territory also has its own comprehensive environmental protection legislation and a dedicated environment protection authority (EPA). These Acts regulate licensed premises, pollution of air, water, and land, noise, waste management, and contaminated land. 
They include the Protection of the Environment Operations Act 1997 (NSW), Environment Protection Act 1970 (Vic), Environmental Protection Act 1994 (Qld), Environmental Protection Act 1986 (WA), Environment Protection Act 1993 (SA), Environmental Management and Pollution Control Act 1994 (Tas), Environment Protection Act 1997 (ACT), and Waste Management and Pollution Control Act 1998 (NT). Operations that may cause pollution typically require an environment protection licence from the relevant state EPA. Waste management is addressed nationally through the National Waste Policy 2018 — a framework agreed by all Australian governments — which sets a target of achieving an 80% average resource recovery rate across all waste streams by 2030 and moving towards a circular economy. Each state also has specific waste and resource recovery legislation. Biodiversity protection is addressed both at the Commonwealth level (EPBC Act) and at the state and territory level through native vegetation, biodiversity conservation, and nature conservation legislation — including the Biodiversity Conservation Act 2016 (NSW), Flora and Fauna Guarantee Act 1988 (Vic), Nature Conservation Act 1992 (Qld), and equivalent Acts in other jurisdictions. These laws regulate the clearing of native vegetation, the take or harm of protected species, and biodiversity offsets. This Environmental Policy template is suitable for Australian businesses in any industry and any state or territory. It is particularly important for organisations in construction, resources, manufacturing, agriculture, transport, and other industries with significant physical environmental footprints. It is also increasingly expected by institutional investors and ASX-listed companies as part of environmental, social, and governance (ESG) reporting and by tendering authorities in government procurement.
Mobile App Privacy Policy (Australia)
Generate a compliant Mobile App Privacy Policy for Australian iOS and Android apps. Covers the Privacy Act 1988 (Cth), all 13 Australian Privacy Principles, device permissions disclosure, push notifications, in-app purchases, analytics SDKs, children's data protection, App Tracking Transparency (iOS), Google Play Data Safety compliance, and the OAIC complaint process. Tailored for both Apple App Store and Google Play requirements.
Mobile App Terms of Use (Australia)
Create Mobile App Terms of Use compliant with the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)), Privacy Act 1988 (Cth) and Australian Privacy Principles, Spam Act 2003 (Cth), Copyright Act 1968 (Cth), Electronic Transactions Act 1999 (Cth), and Online Safety Act 2021 (Cth). Covers consumer guarantees for digital products, in-app purchases and auto-renewing subscriptions (ACL unfair terms provisions), user-generated content, acceptable use, data collection consent, Apple App Store and Google Play requirements, account termination, and dispute resolution. Suitable for iOS and Android apps of all categories available to Australian users.
Modern Slavery Statement (Australia)
An Australian Modern Slavery Statement is a mandatory annual disclosure document required from large entities under the Modern Slavery Act 2018 (Cth). It sets out how the entity identifies and addresses the risk of modern slavery in its operations and supply chains, and must be approved by the entity's principal governing body and signed by a responsible member before submission to the Australian Government's Modern Slavery Statements Register. The Modern Slavery Act 2018 (Cth) came into force on 1 January 2019. Under s 5, an entity is a 'reporting entity' if it is an Australian entity or a foreign entity that carries on business in Australia, and has an annual consolidated revenue of at least $100 million. Reporting entities must prepare an annual modern slavery statement covering seven mandatory criteria set out in s 16(1) of the Act. The seven mandatory criteria require the statement to: (a) identify the reporting entity; (b) describe the entity's structure, operations, and supply chains; (c) describe the risks of modern slavery practices in the entity's operations and supply chains, including its owned and controlled entities and its supply chain partners; (d) describe the actions taken by the entity and its owned or controlled entities to assess and address those risks, including due diligence and remediation processes; (e) describe how the entity assesses the effectiveness of its actions; (f) describe the process of consultation with any entities the reporting entity owns or controls; and (g) provide any other information that the entity considers relevant. Under s 16(2), the statement must be approved by the principal governing body of the reporting entity — such as the Board of Directors — and signed by a responsible member of that body. A responsible member is defined as a director of a company, a member of the governing body, or a principal executive officer of the entity. 
Statements must be submitted to the Australian Government's Modern Slavery Statements Register (administered by the Department of Home Affairs) within six months after the end of the entity's reporting period, per s 14 of the Act. The Register is publicly accessible, meaning statements are available to investors, customers, NGOs, and the media. Modern slavery encompasses a range of serious exploitative practices defined in s 4 of the Act, including: slavery; servitude; forced marriage; forced labour; debt bondage; deceptive recruiting for labour or services; human trafficking; and the worst forms of child labour as defined under the International Labour Organization's Convention 182. These practices often occur in global supply chains in sectors such as manufacturing, agriculture, garments, electronics, and construction, as well as through the use of labour-hire agencies and contract labour. While the Act focuses on transparency and disclosure rather than imposing direct penalties for modern slavery in supply chains, the Australian Border Force (ABF) and the Department of Home Affairs may publish a statement of non-compliance for entities that fail to submit a compliant statement. The reputational, investor, and commercial consequences of non-compliance or poor disclosure are significant. Beyond the legal minimum, best-practice modern slavery governance includes conducting supply chain mapping to identify high-risk tiers and geographies, implementing a Supplier Code of Conduct with enforceable modern slavery provisions, conducting supplier audits and assessments, establishing confidential worker grievance mechanisms accessible to overseas supply chain workers, providing training to procurement teams, and engaging with industry initiatives such as the Responsible Business Alliance or Sedex. 
This Modern Slavery Statement template covers all seven mandatory criteria under s 16(1) of the Modern Slavery Act 2018 (Cth), including entity identification, structure and supply chain description, risk identification, actions taken, effectiveness assessment, consultation, and Board sign-off. It is suitable for large Australian entities and foreign entities with significant Australian operations required to report under the Act.
Privacy Policy (Australia)
Create a compliant Australian Privacy Policy for your business or website. Our template is drafted in accordance with the Privacy Act 1988 (Cth) and covers all 13 Australian Privacy Principles (APPs), including APP 1 (open management), APP 5 (notification), APP 6 (use and disclosure), APP 7 (direct marketing), APP 8 (cross-border disclosure), APP 11 (security), APP 12 (access), and APP 13 (correction). Includes the Notifiable Data Breaches scheme, OAIC complaint process, and the $3 million turnover threshold explanation.
Refund and Returns Policy (Australia)
Create a legally compliant Refund and Returns Policy for your Australian business under the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)). Unlike other countries, Australia has some of the world's strongest consumer protection laws: 'no refund' policies are illegal for goods or services that fail to meet ACL consumer guarantees. Our template accurately reflects the major failure/minor failure distinction, the repair/replace/refund hierarchy, the mandatory consumer guarantee notice required by the ACCC, change-of-mind return options, and return shipping obligations. Suitable for retail, e-commerce, and service businesses.
Return Policy Template (Australia)
Create a comprehensive Return Policy for Australian businesses, compliant with the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)). Covers consumer guarantee rights for faulty goods, change-of-mind returns, refund procedures, exchange policy, online purchases under the ACL, and the business's statutory obligations to consumers.
Subject Access Request (Australia)
Request access to your personal information held by an organisation in Australia. Compliant with the Privacy Act 1988 (Cth) and Australian Privacy Principle 12, which gives individuals the right to access their personal information.
Terms of Service (Australia)
Create enforceable Terms of Service for your Australian website or app under the Competition and Consumer Act 2010 (Cth) and the Australian Consumer Law (ACL). Covers user obligations, limitation of liability, intellectual property, privacy, dispute resolution, and unfair contract term requirements. Suitable for SaaS products, e-commerce sites, online platforms, and digital services.
Website Terms of Use (Australia)
Create compliant Website Terms of Use for your Australian business, drafted in accordance with the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)), the Electronic Transactions Act 1999 (Cth), the Privacy Act 1988 (Cth), and the Online Safety Act 2021 (Cth). Our template covers acceptance mechanisms, intellectual property protections, user obligations, limitation of liability, consumer guarantee disclaimers, and governing law. Unlike generic templates, this document reflects Australian-specific legal requirements — including the mandatory acknowledgement that consumer guarantees under the Australian Consumer Law cannot be excluded.
Whistleblower Policy (Australia)
An Australian Whistleblower Policy is a formal document that explains to employees, officers, contractors, and other eligible persons how they can report suspected misconduct or wrongdoing, and what legal protections apply to them when they do. The policy is required by law for certain companies and must set out the key features of the whistleblower protection regime established under Part 9.4AAA of the Corporations Act 2001 (Cth). The whistleblower protection reforms in the Corporations Act 2001 (Cth) commenced on 1 July 2019, significantly expanding the protections available to whistleblowers in the corporate sector. Under s 1317AI, public companies, large proprietary companies, and proprietary companies that are trustees of registrable superannuation entities must have a whistleblower policy. The policy must be made available to officers and employees of the company. Failure to have a compliant policy is an offence attracting a civil penalty. The regime defines an 'eligible whistleblower' broadly under s 1317AA to include current and former employees, officers, contractors, suppliers, associates of the company, and their relatives or dependants. This wide definition ensures that those with genuine knowledge of misconduct — including former employees and supply chain workers — can come forward and receive protection. A disclosure qualifies for protection under s 1317AA(1) if the eligible whistleblower has reasonable grounds to suspect that the information concerns misconduct, or an improper state of affairs or circumstances, in relation to the company or a related body corporate. This includes suspected contraventions of the Corporations Act or the ASIC Act 2001 (Cth), conduct representing a danger to the public or the financial system, and tax-related misconduct under the Taxation Administration Act 1953 (Cth). 
The key protections afforded to eligible whistleblowers who make qualifying disclosures include: confidentiality protection under s 1317AAE, making it a criminal offence to disclose the identity of a whistleblower without their consent; protection from detriment under s 1317AD, prohibiting dismissal, demotion, harassment, discrimination, or any other adverse action because of a disclosure; civil and criminal immunity under s 1317AB, meaning a whistleblower cannot be sued or prosecuted in respect of their disclosure; and compensation rights under s 1317AE for any loss, damage, or injury suffered as a result of unlawful detriment. The whistleblower policy must, under s 1317AI(3), include information about: the protections available to whistleblowers; the disclosures to which those protections apply; how disclosures can be made; how the company will support and protect whistleblowers, including confidentiality measures; how the company will investigate disclosures; how the company will ensure fair treatment of employees mentioned in disclosures; and how the policy will be made available to officers and employees. In addition to the Corporations Act regime, whistleblower protections for tax-related disclosures are provided under ss 14ZZC to 14ZZE of the Taxation Administration Act 1953 (Cth), administered by the Australian Taxation Office. The Public Interest Disclosure Act 2013 (Cth) also provides a parallel regime for public sector whistleblowers. Best-practice whistleblower programs include independent external hotlines to allow anonymous reporting, regular training for managers and the Whistleblower Protection Officer on handling disclosures, clear procedures for managing conflicts of interest in investigations, and regular Board-level reporting on whistleblower disclosures. ASIC has published regulatory guidance (RG 270) providing detailed guidance on implementing whistleblower policies in practice. 
This Whistleblower Policy template covers all mandatory elements required by s 1317AI of the Corporations Act 2001 (Cth), including eligible whistleblowers and disclosures, protections from detriment and breach of confidentiality, how to make a disclosure to internal and external recipients, the investigation process, fair treatment obligations, and Board authorisation.
Whistleblowing Policy (Australia)
Establish a compliant whistleblowing framework for your Australian organisation under the Corporations Act 2001 (Cth) and Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019. Our template covers protected disclosure categories, eligible whistleblowers, confidentiality obligations, anti-retaliation protections, and investigation procedures required by ASIC. Suitable for public companies, large proprietary companies, and any entity seeking best-practice governance.
Data Processing Agreement (DPA) Brazil (Acordo de Processamento de Dados)
Data Processing Agreement (DPA) under Art. 39 of the LGPD (Lei 13.709/2018). A mandatory contract between controller and processor that defines the data protection obligations, the controller's instructions, the required security measures, and the processor's responsibilities in processing personal data.
Corporate Code of Ethics Brazil (Código de Ética Empresarial)
Corporate Code of Ethics for Brazil — aligned with Lei 12.846/2013 Art. 7 VIII (integrity programs), CLT, and corporate governance standards, establishing ethical conduct principles for employees, managers, suppliers, and stakeholders.
Internal Policies Manual Brazil (Manual de Políticas Internas)
Internal Policies Manual for Brazilian companies — governed by CLT Art. 444 and Civil Code Art. 421, consolidating workplace conduct rules, HR procedures, IT use policies, expense reimbursement, conflict of interest, and disciplinary procedures in compliance with labor law.
Anti-Corruption Policy Brazil (Política Anticorrupção)
An Anti-Corruption Policy for Brazil — governed by Lei 12.846/2013 (Lei Anticorrupção) and Decreto 11.129/2022, establishing zero-tolerance standards for bribery, corruption of public officials, and integrity violations, with procedures for compliance, risk assessment and whistleblowing.
Cookie Policy Brazil (Política de Cookies, LGPD)
Cookie Policy under the LGPD (Lei 13.709/2018) and the Marco Civil da Internet (Lei 12.965/2014). A document that informs users about the cookies and tracking technologies used on the website, their purposes, the legal bases (consent, legitimate interest), and the control options available to the data subject.
Anti-Money Laundering Policy Brazil (Política PLD/FT)
Anti-Money Laundering and Counter-Terrorism Financing Policy (PLD/FT) for Brazil — governed by Lei 9.613/1998, COAF Resolution 36/2021, and BACEN/CVM/SUSEP sector regulations, establishing customer due diligence, transaction monitoring, suspicious activity reporting and KYC procedures.
Data Retention Policy Brazil (Política de Retenção de Dados)
Data Retention Policy for Brazil — governed by LGPD Lei 13.709/2018 Art. 16, CLT, tax legislation, and sector-specific regulations, establishing retention schedules, elimination procedures, data minimization principles, and ANPD-compliant governance for personal data lifecycle management.
Integrity and Compliance Program Brazil (Programa de Integridade)
Integrity and Compliance Program for Brazil — structured around the 16 parameters of Decreto 11.129/2022 and Lei 12.846/2013, covering risk assessment, internal controls, training, whistleblowing, and monitoring for public contracting and regulated entities.
Record of Data Processing Activities Brazil (Registro de Atividades de Tratamento de Dados)
Record of Personal Data Processing Activities under Art. 37 of the Lei Geral de Proteção de Dados (LGPD, Lei 13.709/2018). A mandatory inventory that documents all processing activities carried out by the controller or processor, including purposes, legal bases, data categories, processors, and retention periods.
Data Protection Impact Report (RIPD) Brazil (Relatório de Impacto à Proteção de Dados)
Personal Data Protection Impact Report (RIPD) as required by Art. 38 of the Lei Geral de Proteção de Dados (LGPD, Lei 13.709/2018) and regulated by the ANPD. Documents the risks of personal data processing activities, the technical and administrative measures adopted for protection, and the justification of the necessity and proportionality of the processing.
Website Terms of Use Brazil (Termos de Uso de Site)
Website Terms of Use for Brazil — governed by the Marco Civil da Internet (Lei 12.965/2014) and the LGPD (Lei 13.709/2018), establishing rules for access, content use, intellectual property, limitation of liability, and user data processing.
BYOD Policy (Bring Your Own Device)
Establish rules for employee use of personal devices for work with this US BYOD Policy. Covers acceptable use, security requirements, MDM enrollment, data ownership, privacy expectations, and disciplinary consequences.
Acceptable Use Policy (Canada)
Establish clear rules for employee use of company technology, internet, email, and digital systems in a Canadian workplace. Covers PIPEDA compliance, CASL obligations, monitoring disclosure, prohibited activities, and disciplinary consequences.
Accessibility Policy (Canada)
Create a compliant Canadian Accessibility Policy that meets AODA (Ontario), WCAR (BC), and federal Accessible Canada Act requirements. Covers barrier identification, accommodation procedures, accessible formats, employee training, and feedback processes.
AI Acceptable Use Policy (Canada)
Govern employee use of artificial intelligence tools in Canadian workplaces with a comprehensive AI Acceptable Use Policy. Covers PIPEDA and provincial privacy law obligations, confidentiality risks, accuracy and bias concerns, prohibited uses, and disclosure requirements when AI-generated content is used externally.
Anti-Bribery and Corruption Policy (Canada)
Create a comprehensive Canadian Anti-Bribery and Corruption Policy compliant with the Corruption of Foreign Public Officials Act (CFPOA), the Criminal Code Part IV (bribery and secret commissions), and provincial procurement laws. Covers prohibited conduct, gifts thresholds, third party due diligence, books-and-records requirements, whistleblower protections under Criminal Code s.425.1, and training.
Anti-Discrimination Policy (Canada)
Establish a comprehensive anti-discrimination and harassment-free workplace policy compliant with the Canadian Human Rights Act and provincial human rights codes. Covers protected grounds, complaint procedures, investigation process, and remediation under federal and provincial human rights legislation.
API Terms of Use (Canada)
Protect your Canadian API with legally binding Terms of Use that govern developer access, permitted and prohibited uses, rate limits, intellectual property ownership, liability limitations, and termination rights. Compliant with PIPEDA, CASL, and applicable Canadian contract law.
Code of Conduct (Canada)
Establish workplace conduct standards for a Canadian business. Covers Canadian Human Rights Act obligations, Canada Labour Code (federally regulated) or provincial Employment Standards Act compliance, harassment and discrimination prevention, conflicts of interest, confidentiality, and disciplinary procedures.
Data Retention Policy (Canada)
Create a comprehensive Canadian Data Retention Policy compliant with PIPEDA Principle 5, provincial privacy laws (PIPA BC, ATIPPA NL), CRA retention requirements, and the Canada Business Corporations Act. Covers retention schedules for employee, financial, customer, and health records, secure destruction, legal holds, and individual data rights.
Diversity, Equity and Inclusion Policy (Canada)
Create a comprehensive Canadian Diversity, Equity and Inclusion (DEI) Policy compliant with the Canadian Human Rights Act, Employment Equity Act, Accessible Canada Act, Pay Equity Act, and provincial human rights codes. Covers protected grounds, recruitment commitments, duty to accommodate, harassment prevention, employment equity, training requirements, monitoring and reporting, and complaint procedures.
Drug and Alcohol Policy (Canada)
Establish a workplace drug and alcohol policy compliant with Canadian human rights law, occupational health and safety legislation, and the Cannabis Act. Covers safety-sensitive roles, accommodation of addiction as disability, testing protocols, and discipline procedures for Canadian employers.
Environmental Policy Statement (Canada)
Create a comprehensive Canadian Environmental Policy Statement compliant with CEPA 1999, the Impact Assessment Act 2019, the Canadian Net-Zero Emissions Accountability Act, and provincial environmental legislation. Covers emission reduction targets, NPRI reporting, waste management, water quality, carbon pricing, and incident reporting.
Fire Risk Assessment (Canada)
Create a comprehensive Canadian Fire Risk Assessment compliant with the National Fire Code of Canada 2020, provincial fire safety legislation, CAN/ULC-S524, and provincial OH&S regulations. Covers fire detection, fire fighting equipment, means of egress, hazard identification, fire safety plans, and accessibility requirements.
First Aid Policy (Canada)
Create a comprehensive Canadian workplace First Aid Policy compliant with the Canada Labour Code Part II, provincial OHS regulations, CSA Z1220, and WSIB/WCB requirements. Covers first aid attendant designations, kit locations, AED provisions, emergency procedures, training requirements, and incident reporting.
Internet & Email Policy (Canada)
Establish acceptable use rules for company internet and email systems in Canada. Covers CASL compliance, electronic monitoring disclosure, privacy, and disciplinary consequences.
Lone Worker Policy (Canada)
Create a comprehensive Canadian Lone Worker Policy compliant with the Canada Labour Code Part II, provincial OH&S acts (Alberta OHS s.393, Ontario OHSA s.25, BC WorkSafe Part 4), and CCOHS lone worker guidance. Covers lone worker definitions, hazard assessments, communication procedures, check-in systems, prohibited activities, training, and emergency protocols.
Manual Handling Risk Assessment (Canada)
Create a comprehensive Canadian Manual Handling Risk Assessment compliant with the Canada Labour Code Part II, the Canada Occupational Health and Safety Regulations (SOR/86-304), CCOHS ergonomic guidelines, and provincial OH&S regulations. Covers task description, load assessment, environment factors, risk evaluation, control measures, and action plans.
Modern Slavery Statement (Canada)
Publish a modern slavery and forced labour statement as required by Canada's Fighting Against Forced Labour and Child Labour in Supply Chains Act (Bill S-211). Covers supply chain due diligence, risk assessment, remediation policies, and annual reporting obligations for qualifying Canadian entities.
PIPEDA Privacy Breach Report (Canada)
A Canadian PIPEDA Privacy Breach Report for organizations to report breaches of security safeguards to the Office of the Privacy Commissioner of Canada (OPC) and notify affected individuals. Complies with the mandatory breach notification requirements under PIPEDA and the Security Breach of Personal Information Regulations (SOR/2018-64).
Privacy Breach Notification — PIPEDA (Canada)
Notify the OPC and affected individuals of a privacy breach under PIPEDA s.10.1 and the Breach of Security Safeguards Regulations (SOR/2018-64). Covers breach description, real risk of significant harm assessment, containment actions, and 24-month record-keeping obligation.
Privacy Impact Assessment (PIA) — Canada
Conduct a Privacy Impact Assessment (PIA) for a new project, system, or initiative under PIPEDA and the Treasury Board PIA Directive. Covers personal information flows, risk analysis, PIPEDA ten Fair Information Principles compliance, and approval documentation.
Employee Privacy Notice (Canada)
Inform employees about how their personal information is collected, used, and disclosed in the Canadian workplace. Covers PIPEDA obligations, provincial privacy law (Alberta PIPA, BC PIPA, Quebec Law 25), workplace monitoring, payroll data, and employee rights.
Privacy Policy (Canada)
Canadian privacy policy compliant with PIPEDA, Quebec Law 25, and provincial privacy legislation (AB PIPA, BC PIPA), including CASL anti-spam requirements.
Return Policy Template (Canada)
Create a Canadian Return Policy compliant with provincial Consumer Protection Acts, the Competition Act, and PIPEDA. Define return windows, refund methods, shipping responsibilities, and non-returnable items under Canadian law. Download as PDF or Word.
Social Media Policy (Canada)
Create a comprehensive Canadian Social Media Policy compliant with PIPEDA, the Canada Labour Code, Canadian Human Rights Act, CASL for marketing, and Charter s.2(b) freedom of expression. Covers personal and company account guidelines, privacy-compliant monitoring, confidentiality, disciplinary consequences, and approval process.
Transfer Pricing Policy (Canada)
A transfer pricing policy document for Canadian multinational enterprises, establishing arm's length pricing principles, selected transfer pricing methods, and documentation requirements under the Income Tax Act and CRA guidelines.
Whistleblower Policy (Canada)
Create a comprehensive Canadian Whistleblower Policy compliant with the Criminal Code s.425.1, Public Servants Disclosure Protection Act (PSDPA), Canada Business Corporations Act, and provincial securities whistleblower programs. Covers designated compliance officers, confidential reporting, anonymous reporting, investigation procedures, anti-reprisal protections, and external regulatory agency reporting.
Working From Home Policy (Canada)
Establish a clear remote work policy for Canadian employees. Covers eligibility, equipment, expenses, data security, and provincial employment standards compliance.
Workplace Safety Assessment (Canada)
Create a comprehensive Canadian Workplace Safety Assessment compliant with the Canada Labour Code Part II, the Canada Occupational Health and Safety Regulations (SOR/86-304), WHMIS 2015, CCOHS guidelines, and provincial OH&S legislation. Covers hazard identification, risk evaluation, hierarchy of controls, and corrective action plans.
Frequently Asked Questions
Yes, every policies & compliance template on Forms Legal is 100% free to download as PDF or Word. No registration, no email required, no paywall. We make money through optional add-on services, never by gating the templates themselves.
Each policies & compliance template is structured to follow the relevant statutes and standard market practice. Forms Legal templates reference specific laws (e.g. BGB, ZGB, USC, Companies Act) and are reviewed against the editorial guidelines published at /editorial-guidelines. They are intended as starting points; for high-stakes matters we recommend a final review by a licensed attorney.
No account is required. Click any template on Forms Legal, fill out the optional wizard fields (or skip them to get a blank template), and download immediately as PDF or Word. The wizard preview is provided for convenience — you can always edit the downloaded file in your own software.
Yes. Every policies & compliance template downloads as both PDF and editable Microsoft Word (.docx) format. Open the .docx in Word, Google Docs, LibreOffice or any Word-compatible editor and customize freely. The wizard fields you fill on the page are also pre-populated into the downloaded file.
Both PDF (signature-ready, fixed layout) and Microsoft Word .docx (fully editable). The PDF is best for print or e-signature flows. The Word version is best when you need to add jurisdiction-specific clauses, change party names in bulk, or integrate the template into your firm's standard document set.
Yes. Forms Legal reviews all policies & compliance templates against current statutory references and amends them when laws change. Major updates include the German NachwG 2022 reform, EU AI Act 2025 references, US Privacy framework changes, and per-jurisdiction tax-year refreshes. The "Last reviewed" date is shown at the top of each template page.