# Global Source Map and Validation Notes

This file lists the source stack used for the global web/mobile/AI/quantum extension. Official regulator, government, standards-body, platform, and intergovernmental sources are preferred. Secondary legal references are included only as research starting points and must be verified against official local law and local counsel before launch.

## UNCTAD-GCT — UNCTAD Global Cyberlaw Tracker

- Type: primary/intergovernmental
- URL: https://unctad.org/topic/ecommerce-and-digital-economy/ecommerce-law-reform/summary-adoption-e-commerce-legislation-worldwide
- Use in kit: 195-country coverage; e-commerce, data protection/privacy, cybercrime, consumer protection, e-transactions and indirect tax status.

## UN-MEMBER-STATES — United Nations Member States

- Type: primary/intergovernmental
- URL: https://www.un.org/en/about-us/member-states
- Use in kit: Country universe definition: 193 UN Member States plus two UN observer states for this kit's 195-country matrix.

## DLA-DPLOW — DLA Piper Data Protection Laws of the World

- Type: secondary/legal reference
- URL: https://www.dlapiperdataprotection.com/
- Use in kit: Jurisdiction-specific privacy law research starting point; must be verified against official local law and counsel.

## APPLE-GUIDELINES — Apple App Store Review Guidelines

- Type: platform primary
- URL: https://developer.apple.com/app-store/review/guidelines/
- Use in kit: App Store legal, privacy, safety, data collection, user-generated content, payments, and review gates.

## APPLE-PRIVACY-DETAILS — Apple App Privacy Details

- Type: platform primary
- URL: https://developer.apple.com/app-store/app-privacy-details/
- Use in kit: App privacy labels, data-type inventory, third-party SDK declarations, privacy manifests and SDK signatures.

## APPLE-APP-REVIEW — Apple Prepare Your App for Review

- Type: platform primary
- URL: https://developer.apple.com/distribute/app-review/
- Use in kit: Privacy policy content, user permission purpose strings, review preparation.

## GOOGLE-USER-DATA — Google Play User Data Policy

- Type: platform primary
- URL: https://support.google.com/googleplay/android-developer/answer/10144311?hl=en
- Use in kit: Privacy policy, disclosure, consent, sensitive permissions, and user data handling.

## GOOGLE-DATA-SAFETY — Google Play Data Safety Section

- Type: platform primary
- URL: https://support.google.com/googleplay/android-developer/answer/10787469?hl=en
- Use in kit: Data safety disclosure form and data collection/sharing/security labels.

## GOOGLE-AI-GEN — Google Play AI-Generated Content Policy

- Type: platform primary
- URL: https://support.google.com/googleplay/android-developer/answer/14094294?hl=en
- Use in kit: Generative AI content safety and user feedback/reporting gates.

## SAMSUNG-DIST — Samsung Galaxy Store Distribution Guide

- Type: platform primary
- URL: https://developer.samsung.com/galaxy-store/distribution-guide.html
- Use in kit: Galaxy Store consent, minimum permissions, privacy URL, advertising/push consent, security and IP requirements.

## SAMSUNG-GSTORE — Samsung Galaxy Store developer page

- Type: platform primary
- URL: https://developer.samsung.com/galaxy-store
- Use in kit: Galaxy Store Data Safety tab requirement for new and updated apps starting September 24, 2025.

## SAMSUNG-API — Samsung Galaxy Store Content Publish API Reference

- Type: platform primary
- URL: https://developer.samsung.com/galaxy-store/galaxy-store-developer-api/content-publish-api/reference.html
- Use in kit: Privacy policy URL field and kids category privacy URL requirement.

## AMAZON-PRIVACY-LABELS — Amazon Appstore Privacy Labels

- Type: platform primary
- URL: https://developer.amazon.com/docs/app-submission/appstore-privacy-labels.html
- Use in kit: Amazon privacy questionnaire, privacy policy URL, user data privacy labels.

## AMAZON-USER-DATA — Amazon Appstore User Data Privacy Policy

- Type: platform primary
- URL: https://developer.amazon.com/docs/policy-center/user-data-privacy.html
- Use in kit: Amazon Appstore user data privacy policy and labels.

## AMAZON-CONTENT — Amazon Appstore Content Policy

- Type: platform primary
- URL: https://developer.amazon.com/docs/policy-center/understanding-content-policy.html
- Use in kit: Restricted content, IP, deception and prohibited app content.

## MICROSOFT-STORE-POLICY — Microsoft Store Policies

- Type: platform primary
- URL: https://learn.microsoft.com/en-us/windows/apps/publish/store-policies
- Use in kit: Personal information, policy, security, content and Store distribution requirements.

## MICROSOFT-ADA — Microsoft App Developer Agreement

- Type: platform primary
- URL: https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/store/documents/legal/ada/fy26/MS.Store.ADAv8.10.EN.US.pdf
- Use in kit: Crash/error and analytics data restrictions; annual audit obligation where Microsoft customer personal information is exposed.

## HUAWEI-PRIVACY — Huawei AppGallery User Privacy Review Guidelines

- Type: platform primary
- URL: https://developer.huawei.com/consumer/en/doc/app/50104-07
- Use in kit: Privacy policy link, consent, withdrawal, minimization, marketing toggle, security and disclosure requirements.

## HUAWEI-APPGALLERY — Huawei AppGallery developer page

- Type: platform primary
- URL: https://developer.huawei.com/consumer/en/appgallery/
- Use in kit: AppGallery Connect publication flow and localized metadata gates.

## FTC-PRIVSEC — FTC Privacy and Security guidance

- Type: US primary regulator
- URL: https://www.ftc.gov/business-guidance/privacy-security
- Use in kit: US baseline for truthful privacy claims, reasonable data security, health data and breach obligations.

## FTC-HBNR — FTC Health Breach Notification Rule

- Type: US primary regulator
- URL: https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule
- Use in kit: Health app and PHR vendor breach notice gates outside HIPAA.

## CPPA-CCPA — California Privacy Protection Agency CCPA materials

- Type: US state primary regulator
- URL: https://cppa.ca.gov/regulations/
- Use in kit: CCPA/CPRA, Delete Act, data broker, ADMT/risk/audit rulemaking and GPC posture.

## HHS-HIPAA-SECURITY — HHS HIPAA Security Rule

- Type: US primary regulator
- URL: https://www.hhs.gov/hipaa/for-professionals/security/index.html
- Use in kit: Administrative, physical and technical safeguards for ePHI.

## HHS-TRACKING — HHS OCR Online Tracking Technologies guidance

- Type: US primary regulator
- URL: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
- Use in kit: HIPAA tracking technology risk review for web and mobile apps.

## FDA-DIGITAL-HEALTH — FDA Digital Health guidance hub

- Type: US primary regulator
- URL: https://www.fda.gov/medical-devices/digital-health-center-excellence/guidances-digital-health-content
- Use in kit: Device software, clinical decision support, SaMD and healthtech product classification review.

## NIST-CSF — NIST Cybersecurity Framework 2.0

- Type: standard primary
- URL: https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final
- Use in kit: Cybersecurity governance, risk, supply-chain and control taxonomy.

## OWASP-ASVS — OWASP Application Security Verification Standard

- Type: standard primary
- URL: https://owasp.org/www-project-application-security-verification-standard/
- Use in kit: Web app and API technical security verification controls.

## OWASP-MASVS — OWASP Mobile Application Security Verification Standard

- Type: standard primary
- URL: https://mas.owasp.org/MASVS/
- Use in kit: Mobile app security verification controls.

## NIST-AI-RMF — NIST AI Risk Management Framework and Generative AI Profile

- Type: standard primary
- URL: https://www.nist.gov/itl/ai-risk-management-framework
- Use in kit: AI governance, mapping, measuring and management, including generative AI risks.

## EU-AI-ACT — European Commission AI Act page

- Type: EU primary
- URL: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- Use in kit: Risk-based AI developer/deployer obligations for EU/EEA market operations.

## OECD-AI — OECD AI Principles

- Type: intergovernmental primary
- URL: https://www.oecd.org/en/topics/sub-issues/ai-principles.html
- Use in kit: Global trustworthy AI principles, human rights, transparency, robustness and accountability.

## NIST-PQC — NIST Post-Quantum Cryptography project

- Type: standard primary
- URL: https://csrc.nist.gov/projects/post-quantum-cryptography
- Use in kit: FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA and PQC migration references.

## CISA-PQC — CISA Quantum-Readiness: Migration to PQC

- Type: US primary guidance
- URL: https://www.cisa.gov/resources-tools/resources/quantum-readiness-migration-post-quantum-cryptography
- Use in kit: Quantum-readiness roadmap, cryptographic inventory, migration planning.

## OMB-M-26-15 — OMB M-26-15 Execution of the Migration to Post-Quantum Cryptography

- Type: US federal primary
- URL: https://www.whitehouse.gov/wp-content/uploads/2026/06/M-26-15-Execution-of-the-Migration-to-Post-Quantum-Cryptography.pdf
- Use in kit: Federal agency PQC migration planning and governance timeline; relevant for federal contractors and federal-facing systems.

## EU-GDPR — EU GDPR legal framework

- Type: EU primary
- URL: https://commission.europa.eu/law/law-topic/data-protection/legal-framework-eu-data-protection_en
- Use in kit: GDPR controller/processor, rights, lawful basis and cross-border transfer baseline.

## EDPB-EPRIVACY — EDPB Guidelines on Art. 5(3) ePrivacy Directive

- Type: EU primary regulator
- URL: https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_v2_en_0.pdf
- Use in kit: Cookie and similar tracking/storage/access to user device guidance.

## UK-GDPR — UK ICO GDPR guidance

- Type: UK primary regulator
- URL: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
- Use in kit: UK GDPR and Data Protection Act implementation.

## CANADA-PIPEDA — Office of the Privacy Commissioner of Canada PIPEDA guidance

- Type: Canada primary regulator
- URL: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/
- Use in kit: Canadian commercial privacy law obligations.

## INDIA-DPDP — India MeitY DPDP Rules 2025

- Type: India primary ministry
- URL: https://www.meity.gov.in/documents/act-and-policies/digital-personal-data-protection-rules-2025-gDOxUjMtQWa?pageTitle=Digital-Personal-Data-Protection-Rules-2025
- Use in kit: India DPDP Act/Rules operational privacy gates.

## BRAZIL-LGPD — Brazil LGPD official legislative text

- Type: Brazil official statutory source
- URL: https://normas.leg.br/?urn=urn%3Alex%3Abr%3Afederal%3Alei%3A2018-08-14%3B13709
- Use in kit: Official Portuguese LGPD text for Brazil privacy obligations; translations and summaries must be verified by counsel.

## CHINA-PIPL — China PIPL English reference and official-law verification note

- Type: statutory translation/reference; verify official Chinese text
- URL: https://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm
- Use in kit: China personal information processing and extraterritorial trigger baseline; official Chinese text and CAC measures must be verified before launch.

## AUSTRALIA-APP — OAIC Australian Privacy Principles

- Type: Australia primary regulator
- URL: https://www.oaic.gov.au/privacy/australian-privacy-principles
- Use in kit: Australian Privacy Act and 13 APPs.

## JAPAN-APPI — Japan APPI English translation

- Type: Japan statutory translation
- URL: https://www.japaneselawtranslation.go.jp/en/laws/view/4241/en
- Use in kit: Japan APPI personal information obligations.

## KOREA-PIPA — Korea Personal Information Protection Act translation

- Type: Korea statutory translation
- URL: https://elaw.klri.re.kr/eng_service/lawView.do?hseq=53044&lang=ENG
- Use in kit: South Korea PIPA obligations; verify against latest Korean text and PIPC updates.

## SINGAPORE-PDPA — Singapore PDPA overview

- Type: Singapore primary regulator
- URL: https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act
- Use in kit: Singapore PDPA collection/use/disclosure obligations.

## SOUTHAFRICA-POPIA — South Africa Information Regulator POPIA page

- Type: South Africa primary regulator
- URL: https://inforegulator.org.za/
- Use in kit: South Africa POPIA lawful processing and regulator authority.

