◆ Accepting Q2 2026 Engagements

Full-Spectrum AI Compliance Auditing

Nexus Guard is a five-layer compliance audit covering Singapore's PDPA, IMDA governance frameworks, MAS guidelines, and the EU AI Act. We assess your entire digital presence for AI-related regulatory exposure — and deliver a DEFCON-scored liability report with a full remediation roadmap.

DEFCON Liability Score

  • D1: Critical
  • D2: High Risk
  • D3: Moderate
  • D4: Low Risk
  • D5: Fortress

Every audit produces a single liability score from 0-100, mapped to a DEFCON level. Certain findings trigger automatic DEFCON 1 regardless of overall score.

Most Singapore Businesses Are Exposed — and Don't Know It

AI-related obligations in Singapore are now enforced through PDPA and sector-specific rules. PDPC fines are regular, the EU AI Act's transparency obligations reach any Singapore company with EU users or data subjects, and IMDA and MAS frameworks are increasingly referenced by regulators and in enforcement reasoning. At the same time:

  • AI platforms are scraping your website to train models — often without consent
  • Chatbots are interacting with customers without clear AI disclosure
  • Information gaps on your site cause AI to fabricate facts about your business

"Compliance isn't a line item you cut. It's the line between operating and not operating."

Nexus Guard closes this gap: a single comprehensive audit that maps your entire AI-related regulatory exposure, scores it against current enforcement standards, and gives you a concrete plan to fix it.

  • SGD 1M+: Maximum PDPA penalty per violation — or 10% of annual turnover
  • €35M: Maximum EU AI Act penalty — or 7% of global turnover
  • Aug 2026: EU AI Act Article 50 enforcement begins for transparency obligations
  • 3 Days: PDPA mandatory breach notification window — missing it is a violation

Five Layers of AI Compliance Assessment

Each layer covers a distinct category of regulatory exposure. Together, they map your complete AI governance posture — from data protection to deepfake vulnerability.

Layer 01

AI Training Data Protection

"Is your proprietary content being scraped to train competitors' AI models?"
Scoring weight: 15%

We analyse whether your website is protected against AI data harvesting. Most businesses have no idea that OpenAI, Anthropic, Google, Meta, and others are actively crawling their content to train foundation models — often without consent.

  • robots.txt analysis — all 15+ known AI crawlers checked
  • TDMRep protocol (EU copyright opt-out mechanism)
  • NoAI meta tags and image metadata flags
  • Terms of Service AI training restrictions
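As an added illustration of the robots.txt check above (example code, not Nexus Guard's scanner): it groups a robots.txt into user-agent rule sets and reports, for an illustrative subset of AI crawler tokens, whether each is fully blocked, partially restricted or open, and treats a missing file as its own finding. The sample robots.txt is constructed.

```python
# Added example: classify how a robots.txt treats AI training crawlers (illustrative token subset).
AI_CRAWLERS = ["GPTBot", "ClaudeBot", "Google-Extended", "CCBot", "Bytespider", "PerplexityBot"]
# Constructed sample: GPTBot fully blocked, ClaudeBot/CCBot partially, everyone else open
SAMPLE_ROBOTS = """\
User-agent: *
Disallow:
User-agent: GPTBot
Disallow: /
User-agent: ClaudeBot
User-agent: CCBot
Disallow: /private/
Allow: /
"""

def parse_robots(text):
    """Group Allow/Disallow rules by lower-cased user-agent token (RFC 9309 grouping)."""
    groups, current, saw_rule = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if saw_rule:                              # a rule line ended the previous group
                current, saw_rule = [], False
            current.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow"):
            saw_rule = True
            for agent in current:                     # rules apply to every agent in the group
                groups[agent].append((field, value))
    return groups

def crawler_status(groups, agent):
    """'blocked' (Disallow: /), 'partial' (some paths) or 'open'; falls back to the * group."""
    rules = groups.get(agent.lower(), groups.get("*", []))
    blocked_all = any(f == "disallow" and v == "/" for f, v in rules)
    allowed_all = any(f == "allow" and v == "/" for f, v in rules)
    if blocked_all and not allowed_all:
        return "blocked"
    return "partial" if any(f == "disallow" and v for f, v in rules) else "open"

def audit_robots(text):
    """Status per known AI crawler; None models a missing robots.txt, which the page flags as DEFCON 1."""
    if text is None:
        return {"missing": True, "crawlers": {}}
    groups = parse_robots(text)
    return {"missing": False, "crawlers": {a: crawler_status(groups, a) for a in AI_CRAWLERS}}
```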

Layer 02

Hallucination Liability

"What information gaps on your site are causing AI to fabricate facts about your business?"
Scoring weight: 15%

When your website doesn't provide clear information, AI doesn't stay silent — it guesses. We identify every information gap that creates fabrication risk, from missing pricing to unclear corporate structure, and map them to the specific hallucinations they produce.

  • Ground truth density — are your policies machine-readable?
  • Schema.org entity resolution (Organization, LocalBusiness, UEN)
  • Information completeness audit (founding date, ownership, personnel)
  • Pricing and refund policy visibility assessment

Layer 03

Consumer Transparency

"Does your website meet AI transparency requirements under Singapore and EU law?"
Scoring weight: 15%

The EU AI Act requires chatbots to disclose they are AI. The PDPA requires disclosure of automated decision-making. We check every customer-facing AI touchpoint for compliance — and assess your exposure if you serve EU customers from Singapore.

  • Chatbot detection and AI disclosure compliance
  • AI-generated content labelling assessment
  • Automated decision-making disclosure (PDPA)
  • C2PA Content Credentials and provenance verification

Layer 04

Data Protection (PDPA)

"Are your data handling practices compliant with Singapore's Personal Data Protection Act?"
Scoring weight: 25%

This is the heaviest-weighted layer because PDPA carries the most immediate enforcement risk. We audit your entire data collection apparatus — from cookie consent to breach notification readiness — against current PDPC enforcement standards, not just the letter of the law.

  • Privacy Policy presence, completeness, and AI processing disclosure
  • Cookie consent mechanisms — opt-in, granularity, withdrawal
  • Contact information completeness (address, phone, email, DPO)
  • Data subject rights and breach notification preparedness

Layer 05

Technical Security

"Does your infrastructure meet the baseline technical requirements for data protection?"
Scoring weight: 15%

Technical security underpins every other layer. A data protection policy means nothing if the underlying infrastructure is compromised. We check the visible security posture of your web presence — including indicators of prior breaches.

  • HTTPS/TLS certificate validity and expiry
  • HSTS and security header configuration
  • Public breach history (Have I Been Pwned)
  • WAF/firewall presence and AI crawler access patterns

DEFCON Liability Scoring

Every audit produces a weighted liability score from 0-100, mapped to a DEFCON level. The score accounts for the relative severity of different compliance categories — PDPA carries the most weight because it carries the most enforcement risk.

For companies serving EU customers, an additional EU AI Act Readiness dimension (15%) is applied across Consumer Transparency and Data Protection layers, adjusting the weights accordingly. This isn't a separate layer — it's a cross-cutting regulatory lens.

Certain findings are so severe that they trigger an automatic DEFCON 1 classification regardless of the overall score.

Category                                             Weight
Data Protection (PDPA)                               25%
AI Training Protection                               15%
Hallucination Liability                              15%
Consumer Transparency                                15%
Technical Security                                   15%
EU AI Act Readiness (cross-cutting, if applicable)   15%

Automatic DEFCON 1 Triggers

Any one of these findings immediately classifies the audit as DEFCON 1 — Critical, regardless of the numerical score.

  • No Privacy Policy present on the website
  • No robots.txt — all AI crawlers have unrestricted access to your content
  • Chatbot deployed without AI disclosure (for companies serving EU customers)
  • Personal data collected or displayed on non-HTTPS pages
  • Public data breach within the last 12 months
  • Collection of children's data without age verification or enhanced safeguards
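The scoring model described above as a worked example (added here, not Nexus Guard's own code). The layer weights and the trigger list are the page's; the renormalisation of weights when the EU dimension applies, the score bands and the sample layer scores are assumptions made for illustration.

```python
# Added example: weighted liability score with the page's layer weights, the cross-cutting
# EU dimension and the automatic DEFCON 1 triggers.
LAYER_WEIGHTS = {              # published weights, in percent (sum to 85 without the EU dimension)
    "data_protection": 25, "ai_training": 15, "hallucination": 15,
    "consumer_transparency": 15, "technical_security": 15,
}
EU_WEIGHT = 15                 # EU AI Act Readiness, applied only when EU customers are served

# The page's automatic DEFCON 1 triggers, as finding flags
DEFCON1_TRIGGERS = {
    "no_privacy_policy", "no_robots_txt", "undisclosed_chatbot_eu",
    "personal_data_over_http", "breach_last_12_months", "childrens_data_no_safeguards",
}

# Score bands are ASSUMED for illustration; the page does not publish its thresholds.
# They are chosen so that the page's sample score of 34/100 lands on D2 (High Risk).
BANDS = [(90, "D5", "Fortress"), (70, "D4", "Low Risk"), (50, "D3", "Moderate"),
         (25, "D2", "High Risk"), (0, "D1", "Critical")]

# Constructed per-layer scores (0-100, higher is better) for a hypothetical site
SAMPLE_LAYER_SCORES = {"data_protection": 40, "ai_training": 20, "hallucination": 60,
                       "consumer_transparency": 30, "technical_security": 80}

def weighted_score(layer_scores, eu_readiness=None):
    """Weighted 0-100 score, normalised by the weights in play (assumption: the page
    says the EU dimension adjusts the weights but not how, so we renormalise)."""
    weights, scores = dict(LAYER_WEIGHTS), dict(layer_scores)
    if eu_readiness is not None:                # cross-cutting lens, not a sixth layer
        weights["eu_ai_act"], scores["eu_ai_act"] = EU_WEIGHT, eu_readiness
    total = sum(weights.values())
    return round(sum(weights[k] * scores[k] for k in weights) / total, 1)

def defcon_level(score, findings=(), serves_eu=False):
    """Map a score to (level, label, triggers); any active trigger forces D1."""
    active = set(findings) & DEFCON1_TRIGGERS
    if not serves_eu:                           # chatbot trigger applies to EU-serving companies only
        active.discard("undisclosed_chatbot_eu")
    if active:
        return "D1", "Critical", sorted(active)
    for floor, level, label in BANDS:
        if score >= floor:
            return level, label, []
    return "D1", "Critical", []                 # defensive: negative input
```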

A Two-Week Audit, Not a Two-Minute Scan

Compliance auditing isn't something you automate and forget. Nexus Guard is a structured, analyst-led engagement that combines automated scanning with human review, regulatory interpretation, and hands-on remediation. The two-week timeline exists because thoroughness protects you — shortcuts don't.

Day 1–2 · Intake

Scoping & Discovery

  • 30-minute consultation to understand your business and regulatory exposure
  • Jurisdiction mapping: PDPA baseline, EU AI Act, MAS (if financial services)
  • Framework selection and audit scope confirmation

Day 3–6 · Assessment

Five-Layer Deep Scan

  • Automated crawl: robots.txt, schema, chatbots, security headers, consent
  • Human analyst review: confirm findings, add regulatory context
  • Coverage: 15+ AI crawlers, 40+ data points per domain

Day 7–9 · Analysis

Scoring & Regulatory Mapping

  • Findings scored against DEFCON liability framework
  • Each issue mapped to specific regulation, penalty, and enforcement precedent
  • Singapore-specific, citation-backed risk assessment — not generic advice

Day 10–12 · Remediation

Fixes & Implementation Roadmap

  • Ready-to-deploy fixes: schema, robots.txt, privacy policy, chatbot disclosure
  • Phased remediation roadmap prioritised by enforcement risk
  • Implementation code and configuration templates included

Day 13–14 · Delivery

Report & Presentation

  • Full DEFCON-scored PDF report with regulatory citations
  • 60-minute walkthrough with your legal and technical teams
  • Implementation Q&A and priority agreement

A Board-Ready Compliance Report

Every Nexus Guard engagement produces a comprehensive, regulation-cited report designed to be handed directly to your board, your legal counsel, or your regulator. Not a dashboard. Not a score with no context. A document that explains what's wrong, why it matters, what it could cost, and exactly how to fix it.

  • 01 Cover — DEFCON level, overall score, jurisdictions assessed
  • 02 Executive Summary — Risk overview, top 3 findings, financial exposure
  • 03 AI Training Exposure — Who's scraping your content and what's leaking
  • 04 Hallucination Liability — Information gaps and what AI fabricates
  • 05 Consumer Transparency — Chatbot disclosure, content labelling, deepfakes
  • 06 PDPA Compliance — Legal pages, consent, contact completeness
  • 07 EU AI Act Readiness — Article 50 requirements (if applicable)
  • 08 Remediation Plan — Week 1, Month 1, Quarter 1, Ongoing
  • A Appendix — Technical findings, citations, implementation code

Nexus Guard Compliance Report
[Company Name]
DEFCON 2 — HIGH RISK
Overall Liability Score: 34/100 · Jurisdictions: SG, EU

  • Critical: No robots.txt — all 15+ AI crawlers have unrestricted access
  • Critical: Chatbot deployed without AI disclosure (EU Article 50)
  • High: Privacy Policy missing AI processing disclosure (PDPA 2024)
  • High: Cookie consent pre-checked — not valid opt-in under PDPA
  • Medium: No Schema.org UEN — entity confusion risk in AI systems

Priority Remediation — Week 1

  • Deploy robots.txt blocking all known AI crawlers (template provided)
  • Add AI disclosure to chatbot first-interaction flow
  • Update Privacy Policy with AI processing section (draft provided)
  • Fix cookie consent to opt-in with granular controls

Built for Regulated Industries

Nexus Guard is designed for organisations where compliance isn't optional — where fines, enforcement actions, and regulatory scrutiny are part of the operating environment.

Law Firms

Offer Nexus Guard as a compliance advisory service to your clients. White-label the findings. Turn regulatory risk into a recurring retainer.

"Your clients' chatbots are violating EU law. Show them before the PDPC does."

Financial Services

MAS-regulated entities are expected to meet AI risk management guidelines issued December 2024. Nexus Guard maps your exposure against these guidelines specifically.

"MAS sets the standard. Your AI governance posture is auditable."

Healthcare

Sensitive patient data, YMYL content, and AI hallucination risk make healthcare providers uniquely exposed. When AI fabricates a doctor, the liability is yours.

"ChatGPT invented a doctor at your clinic. The patient booked an appointment."

E-Commerce

If you sell to EU customers, Article 50 applies to you. Content labelling, chatbot disclosure, and cross-border data transfers — all within scope.

"Your Singapore store ships to the EU. EU AI Act doesn't care where your server is."

Education

Children's data protections, AI-generated content policies, and the accuracy of information presented to students and parents create overlapping compliance requirements.

"Your school's website is training GPT. Your students' data may be in the model."

Professional Services

Accountants, consultants, and advisory firms handle sensitive client data. A breach notification failure or inadequate consent mechanism puts your licence at risk.

"You advise clients on risk. Who audits yours?"

Know Your Liability Score

Every business we've audited has had at least one finding they didn't know existed. Most have had several. The question isn't whether you have exposure — it's how much.

Book a consultation to scope your Nexus Guard engagement. We'll discuss your jurisdictions, your industry, your AI touchpoints — and whether a full compliance audit is the right next step.

  • 30-minute scoping call — no obligation
  • Assessment customised to your regulatory environment
  • Full report with remediation delivered in 2 weeks
  • Includes ready-to-deploy implementation code

Book a Consultation

Tell us about your business and we'll schedule a 30-minute scoping call to discuss your compliance posture.

We'll respond within 24 hours with available slots.

📄 Download a redacted sample report (PDF)