Free instruments · methodology

Audit the instrument, not just the verdict.

How the Regulation 10 Classifier and the DPIA Builder are built: which texts they encode, how the logic is verified, how rulesets are versioned, what the integrity hashes prove, and where the instruments' limits are.

§ 01

Sources — enacted texts, first-hand

Every question, obligation and clause quotation in the instruments is encoded from the primary texts, not from law-firm summaries:

  • DIFC Data Protection Regulations, Consolidated Version No. 2 — Regulation 10 as enacted 1 September 2023 (DIFC legal database).
  • DIFC Data Protection Law No. 5 of 2020, July 2025 consolidation — Articles 20–21 (DPIA and prior consultation) and the Schedule 1 definitions of High Risk Processing Activities and Special Categories of Personal Data.
  • The Commissioner's published Regulation 10 documents — the Accreditation & Certification Framework, the Accelerator, and the Advisory Committee charter — inform the status notes (for example the ASO appointment-gap expectation).

Where the instruments state that something is not yet operative— the 10.3.3 certification requirements — that statement traces to the enacted text's own guidance and the Commissioner's published documents, and it is part of the answer, not a disclaimer.

§ 02

Method — deterministic, clause-traced

The classifiers are hardcoded decision logic: the same answers under the same ruleset produce the same result, every time. There is no model, no scoring heuristic, and no hidden weighting. Every gate carries its clause, and the verbatim provision is one tap away — the point is that you can audit the instrument, not trust it.

The logic ships with an automated test suite covering every verdict path, the chapeau conditions (commercial use, application-or-website service), each High Risk Processing limb, the Article 20(9) exemption precedence, the risk-rating matrix and the Article 21(1) prior-consultation trigger.

§ 03

Ruleset versioning

Current ruleset: DIFC DP Regulations Consolidated No. 2 (Reg 10, enacted 1 Sep 2023) · DP Law No. 5 of 2020 (Jul 2025 consolidation). Every export names it.

Consultation Paper No. 3 of 2026 (closed 18 July 2026) proposes amendments to Regulation 10 — a Safety design concept, detailed ASO obligations — and a new Regulation 11 giving the Commissioner power to recognise certification schemes by publication. When the amendments are enacted, the instruments will encode them as a new ruleset version with a change log on this page; assessments made under the current ruleset remain labelled as such.

§ 04

Integrity — verifiable records

A completed assessment serialises to a canonical record (stable field order) and is hashed with SHA-256 in your browser. The hash appears on the result and in every export. What it proves: that a given record — answers, ruleset, label, date — has not been altered since it was produced, and that anyone re-entering the same answers under the same ruleset reproduces it. What it does not prove: that the answers were true. The instrument is deterministic; honesty is yours.

Saved assessment files embed their hash; the instruments and the Book verify it on import and refuse silently-altered files. An amended assessment records the hash it supersedes.

§ 05

Privacy — browser-only, by construction

The instruments run entirely in your browser. Answers, DPIA drafts, and the Book are held in your browser's local storage on your machine; nothing you type is transmitted to Stoneset or anyone else. Moving work between machines happens through files you download and carry yourself. This page and the instruments are served as static pages.

§ 06

Limitations — read before relying

  • Structured drafting support, not legal advice. The instruments encode the texts; they do not exercise judgment about your facts.
  • Two High Risk Processing limbs — “materially increased risk” and “considerable amount” — require judgment the instrument cannot make for you. The guidance under each question states the considerations; the call is yours.
  • The Commissioner's 10.3.3 audit and certification requirements were not yet promulgated at this ruleset's date; the certification-path content describes the published Framework, not an operative scheme.
  • The instruments cover DIFC Regulation 10 and DP Law Articles 20–21. They are not an assessment under the UAE federal PDPL, the EU AI Act, or any other regime.