feat: Document Templates v2 — 11 migrations + scope-based generator

Complete overhaul of document generator templates based on paragraph-by-paragraph legal review of attorney-drafted templates (TOM, AVV, AGB, DSI, Community Guidelines, Nutzungsbedingungen, Widerrufsbelehrung, Cookie-Richtlinie). Templates (11 migrations 087-097): - 087: TOM-Dokumentation v2 (11 categories incl. Trennungskontrolle) - 088: AVV Art. 28 DSGVO (complete, §§ 1-11, 3 annexes) - 089: Cross-document updates (Löschkonzept DIN 66399, VVT recipients) - 090: AGB SaaS/Shop v2 (18 §§, B2B/B2C, IoT, physical goods, IP protection) - 091: Community Guidelines v2 (3 tones, 11 modular categories, DSA-compliant) - 092: Media & Content modules (MStV, AI Act Art. 50, UWG, Pressekodex) - 093: DSI/Privacy Policy v2 (Art. 13 complete, shop+corporate modules) - 094: Nutzungsbedingungen (Terms of Use, UGC, tipping, wallet, CC licenses) - 095: Widerrufsbelehrung (SaaS + physical + IoT bundle + combo) - 096: Social Media DSI (Facebook, YouTube, LinkedIn, TikTok, Meta Pixel) - 097: Cookie-Richtlinie v2 (TDDDG § 25, consent banner, browser links) Frontend (generator): - scopeDefaults.ts: L1-L4 scope-based defaults from Compliance Scope Engine - contextBridge.ts: TOMCtx + DPACtx interfaces (70+ new fields) - contextBridge-helpers.ts: 35+ placeholder mappings for TOM/DPA/AGB - _constants.ts: 120+ new generator fields (TOM, DPA, AGB, community, media, social, nutzungsbedingungen, widerruf, cookie, shop, IoT) - page.tsx: Auto-prefill TOM/DPA from scope engine decision Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-01 01:18:33 +02:00
parent 58957a4aaa
commit bae59e2ce0
16 changed files with 3271 additions and 0 deletions
@@ -22,6 +22,11 @@ export const CATEGORIES: { key: string; label: string; types: string[] | null }[
    'dsr_process_art15', 'dsr_process_art16', 'dsr_process_art17',
    'dsr_process_art18', 'dsr_process_art19', 'dsr_process_art20', 'dsr_process_art21',
  ]},
+  { key: 'terms_of_use', label: 'Nutzungsbedingungen', types: ['terms_of_use'] },
+  { key: 'tom', label: 'TOM', types: ['tom_documentation'] },
+  { key: 'media', label: 'Medien/Content', types: ['media_content_policy'] },
+  { key: 'social_media', label: 'Social Media DSI', types: ['social_media_dsi'] },
+  { key: 'module_docs', label: 'Konzepte', types: ['vvt_register', 'loeschkonzept', 'pflichtenregister', 'it_security_concept', 'data_protection_concept', 'backup_recovery_concept', 'logging_concept', 'incident_response_plan', 'access_control_concept', 'risk_management_concept'] },
 ]

 // =============================================================================
@@ -41,6 +46,8 @@ export const SECTION_LABELS: Record<keyof TemplateContext, string> = {
  CONSENT:   'Cookie / Einwilligung',
  HOSTING:   'Hosting-Provider',
  FEATURES:  'Dokument-Features & Textbausteine',
+  TOM:       'TOM-Dokumentation',
+  DPA:       'AVV / Auftragsverarbeitung',
 }

 export type FieldType = 'text' | 'email' | 'number' | 'select' | 'textarea' | 'boolean'
@@ -186,6 +193,169 @@ export const SECTION_FIELDS: Record<keyof TemplateContext, FieldDef[]> = {
    { key: 'EDITORIAL_RESPONSIBLE_ADDRESS', label: 'V.i.S.d.P. Adresse' },
    { key: 'HAS_DISPUTE_RESOLUTION', label: 'Streitbeilegungshinweis', type: 'boolean' },
    { key: 'DISPUTE_RESOLUTION_TEXT', label: 'Streitbeilegungstext', type: 'textarea', span: true },
+    // ── SaaS AGB v2 ─────────────────────────────────────────────────────────
+    { key: 'B2B_ONLY', label: 'Nur B2B (keine Verbraucher)', type: 'boolean' },
+    { key: 'HAS_END_USERS', label: 'Endkunden-Weitergabe (B2B2C)', type: 'boolean' },
+    { key: 'HAS_MODULAR_PACKAGES', label: 'Modulare Leistungspakete', type: 'boolean' },
+    { key: 'HAS_STORAGE', label: 'Speicherplatz als Leistung', type: 'boolean' },
+    { key: 'HAS_STORAGE_LIMITS', label: 'Speicherplatz begrenzt', type: 'boolean' },
+    { key: 'HAS_TRIAL', label: 'Kostenlose Testphase', type: 'boolean' },
+    { key: 'TRIAL_DAYS', label: 'Testphase (Tage)', type: 'select', opts: ['7', '14', '30'] },
+    { key: 'HAS_PRICE_ADJUSTMENT', label: 'Preisanpassungsklausel', type: 'boolean' },
+    { key: 'PRICE_ADJUSTMENT_NOTICE_WEEKS', label: 'Ankündigung Preisanpassung (Wo.)', type: 'select', opts: ['4', '8', '12'] },
+    { key: 'PRICE_INCREASE_THRESHOLD_PERCENT', label: 'Schwelle Sonderkündigung (%)', type: 'select', opts: ['5', '10', '15'] },
+    { key: 'HAS_UPLOAD', label: 'Datei-Upload Funktion', type: 'boolean' },
+    { key: 'NO_AUDIT_PROOF_STORAGE', label: 'Keine revisionssichere Speicherung', type: 'boolean' },
+    { key: 'HAS_API_ACCESS', label: 'API-Zugang', type: 'boolean' },
+    { key: 'HAS_MAINTENANCE_ACCESS', label: 'Fernwartungszugang (On-Premise)', type: 'boolean' },
+    { key: 'HAS_MAX_DOWNTIME', label: 'Max. Ausfalldauer begrenzt', type: 'boolean' },
+    { key: 'MAX_DOWNTIME_DAYS', label: 'Max. Ausfalldauer (Tage)', type: 'number' },
+    { key: 'HAS_IP_INDEMNIFICATION', label: 'IP-Freistellung (Schutzrechte)', type: 'boolean' },
+    { key: 'LIABILITY_MULTIPLIER', label: 'Haftungsdeckel (x Jahreslizenz)', type: 'select', opts: ['1', '2', '3'] },
+    { key: 'HAS_REFERENCE_MARKETING', label: 'Referenzmarketing (Logo-Nutzung)', type: 'boolean' },
+    { key: 'HAS_WHITELABEL', label: 'Whitelabel-Paket vorhanden', type: 'boolean' },
+    { key: 'HAS_FORCE_MAJEURE', label: 'Force-Majeure-Klausel', type: 'boolean' },
+    { key: 'HAS_COMMUNITY_GUIDELINES', label: 'Community Guidelines als Bestandteil', type: 'boolean' },
+    // ── Community Guidelines (modular) ──────────────────────────────────────
+    { key: 'TONE_FRIENDLY', label: 'Ton: Freundlich/Einladend', type: 'boolean' },
+    { key: 'TONE_EDITORIAL', label: 'Ton: Editorial/Sachlich', type: 'boolean' },
+    { key: 'TONE_FORMAL', label: 'Ton: Formal/Juristisch', type: 'boolean' },
+    { key: 'HAS_MEDIA_UPLOADS', label: 'Plattform: Medien-Uploads (Bilder/Videos)', type: 'boolean' },
+    { key: 'HAS_MESSAGING', label: 'Plattform: Messaging/Chat', type: 'boolean' },
+    { key: 'HAS_MARKETPLACE', label: 'Plattform: Marketplace/Handel', type: 'boolean' },
+    { key: 'DETAILED_ILLEGAL', label: '↳ Details: Rechtswidrige Inhalte', type: 'boolean' },
+    { key: 'DETAILED_HATE_SPEECH', label: '↳ Details: Hassrede', type: 'boolean' },
+    { key: 'DETAILED_FRAUD', label: '↳ Details: Betrug/Deepfakes', type: 'boolean' },
+    { key: 'EXCEPTIONS_FRAUD', label: '↳ Ausnahmen: Parodie/Satire/Kunst', type: 'boolean' },
+    { key: 'DETAILED_PRIVACY', label: '↳ Details: Sicherheit/Privatsphäre', type: 'boolean' },
+    { key: 'DETAILED_VIOLENCE', label: '↳ Details: Gewalt (bei Medien-Uploads)', type: 'boolean' },
+    { key: 'EXCEPTIONS_VIOLENCE', label: '↳ Ausnahmen: Kampfsport/Journalismus/Kunst', type: 'boolean' },
+    { key: 'DETAILED_PORNOGRAPHY', label: '↳ Details: Pornografie (bei Medien-Uploads)', type: 'boolean' },
+    { key: 'EXCEPTIONS_PORNOGRAPHY', label: '↳ Ausnahmen: Bodypainting/Stillen/Medizin', type: 'boolean' },
+    { key: 'DETAILED_SELF_HARM', label: '↳ Details: Suizid/Selbstverletzung', type: 'boolean' },
+    { key: 'EXCEPTIONS_SELF_HARM', label: '↳ Ausnahmen: Prävention/Journalismus', type: 'boolean' },
+    { key: 'DETAILED_EXPLOITATION', label: '↳ Details: Ausbeutung/Missbrauch/CSAM', type: 'boolean' },
+    { key: 'DETAILED_HARASSMENT', label: '↳ Details: Sexuelle Belästigung (bei Messaging)', type: 'boolean' },
+    { key: 'DETAILED_DANGEROUS_PRODUCTS', label: '↳ Details: Gefährliche Produkte (bei Marketplace)', type: 'boolean' },
+    { key: 'DETAILED_TERRORISM', label: '↳ Details: Terrorismus/Gefährliche Gruppen', type: 'boolean' },
+    { key: 'DETAILED_DANGEROUS_ACTIVITIES', label: '↳ Details: Gefährdende Aktivitäten', type: 'boolean' },
+    { key: 'GUIDELINES_URL', label: 'URL der Richtlinien' },
+    // ── Medien & Content Module ─────────────────────────────────────────────
+    { key: 'IS_JOURNALISTIC_MEDIA', label: 'Journalistisches Medium (MStV §§ 18-22)', type: 'boolean' },
+    { key: 'EDITORIAL_EMAIL', label: 'Redaktions-E-Mail (Gegendarstellung)', type: 'email' },
+    { key: 'HAS_AI_GENERATED_CONTENT', label: 'KI-generierte Inhalte (AI Act Art. 50)', type: 'boolean' },
+    { key: 'DETAILED_AI_LABELING', label: '↳ Detaillierte KI-Kennzeichnungstabelle', type: 'boolean' },
+    { key: 'HAS_SPONSORED_CONTENT', label: 'Bezahlte/werbliche Inhalte (§ 5a UWG)', type: 'boolean' },
+    { key: 'HAS_PRESS_COUNCIL', label: 'Pressekodex-Selbstverpflichtung (Presserat)', type: 'boolean' },
+    // ── Nutzungsbedingungen ─────────────────────────────────────────────────
+    { key: 'HAS_UGC', label: 'User Generated Content', type: 'boolean' },
+    { key: 'HAS_CONTENT_LICENSING', label: 'Content Licensing (Nutzer-zu-Nutzer)', type: 'boolean' },
+    { key: 'HAS_TDM_OPTOUT', label: 'Text- und Data-Mining Opt-out', type: 'boolean' },
+    { key: 'HAS_CONTENT_AUTHENTICITY', label: 'Content Authenticity (kryptogr. Herkunft)', type: 'boolean' },
+    { key: 'HAS_TIPPING', label: 'Tipping/Anerkennungsfunktion', type: 'boolean' },
+    { key: 'HAS_CRYPTO_PAYMENTS', label: 'Krypto-Zahlungen', type: 'boolean' },
+    { key: 'HAS_INTEGRATED_WALLET', label: 'Integriertes Wallet (Non-Custodial)', type: 'boolean' },
+    { key: 'HAS_IDENTITY_VERIFICATION', label: 'Identitätsprüfung erforderlich', type: 'boolean' },
+    { key: 'HAS_COPYRIGHT_TAKEDOWN', label: 'Copyright Takedown-Verfahren', type: 'boolean' },
+    { key: 'HAS_PAID_USER_ACCOUNTS', label: 'Kostenpflichtige Nutzeraccounts', type: 'boolean' },
+    { key: 'HAS_EU_USERS', label: 'EU-weite Nutzer (Verbraucherschutz)', type: 'boolean' },
+    { key: 'MFA_REQUIRED', label: 'MFA verpflichtend für Nutzer', type: 'boolean' },
+    { key: 'DATA_EXPORT_BEFORE_DELETION', label: 'Datenexport vor Kontolöschung', type: 'boolean' },
+    { key: 'EXPORT_BEFORE_DELETION_DAYS', label: 'Exportfrist (Tage)', type: 'select', opts: ['7', '14', '30'] },
+    { key: 'MIN_AGE', label: 'Mindestalter', type: 'select', opts: ['13', '16', '18'] },
+    { key: 'ALLOWS_MINORS', label: 'Minderjährige mit Eltern-Einwilligung', type: 'boolean' },
+    { key: 'TIPPING_FEE_PERCENT', label: 'Tipping-Gebühr (%)', type: 'number' },
+    { key: 'SUPPORTED_CURRENCIES', label: 'Unterstützte Währungen/Token' },
+    // ── Widerrufsbelehrung ──────────────────────────────────────────────────
+    { key: 'HAS_PHYSICAL_GOODS', label: 'Physische Waren (Rücksendung)', type: 'boolean' },
+    { key: 'HAS_COMBO_PACKAGE', label: 'Kombi-Paket (Hardware + Software)', type: 'boolean' },
+    { key: 'HAS_DIGITAL_CONTENT', label: 'Digitale Inhalte (§ 356 Abs. 5 BGB)', type: 'boolean' },
+    { key: 'HAS_SAAS_SERVICE', label: 'SaaS-Dienstleistung (§ 356 Abs. 4 BGB)', type: 'boolean' },
+    { key: 'HAS_IOT_BUNDLE', label: 'Verbundenes Produkt (Hardware + App/Cloud)', type: 'boolean' },
+    { key: 'IOT_SEPARATE_CONTRACTS', label: '↳ HW und Cloud getrennt widerrufbar', type: 'boolean' },
+    { key: 'RETURN_ADDRESS', label: 'Rücksendeadresse (Servicecenter)' },
+    // ── Social Media DSI ────────────────────────────────────────────────────
+    { key: 'HAS_FACEBOOK', label: 'Facebook & Instagram', type: 'boolean' },
+    { key: 'HAS_YOUTUBE', label: 'YouTube', type: 'boolean' },
+    { key: 'HAS_LINKEDIN', label: 'LinkedIn', type: 'boolean' },
+    { key: 'HAS_TIKTOK', label: 'TikTok', type: 'boolean' },
+    { key: 'HAS_X_TWITTER', label: 'X (Twitter)', type: 'boolean' },
+    { key: 'HAS_META_PIXEL', label: 'Meta Pixel (Konversionsmessung)', type: 'boolean' },
+    { key: 'HAS_RECRUITING_VIA_SOCIAL', label: 'Personalgewinnung über Social Media', type: 'boolean' },
+    { key: 'SOCIAL_MEDIA_PLATFORMS_LIST', label: 'Plattform-Liste (Text)', type: 'textarea', span: true },
+    // ── DSI Erweiterungen ───────────────────────────────────────────────────
+    { key: 'DSI_TITLE', label: 'Titel', type: 'select', opts: ['Datenschutzerklaerung', 'Datenschutzinformation'] },
+    { key: 'SERVICE_SCOPE_DESCRIPTION', label: 'Geltungsbereich (z.B. "die App xy" / "den Online-Shop")' },
+    { key: 'HAS_ONLINE_SHOP', label: 'Online-Shop Funktionen', type: 'boolean' },
+    { key: 'HAS_PICKUP_STATION', label: 'Abholstationen', type: 'boolean' },
+    { key: 'HAS_SUBSCRIPTION', label: 'Abonnement-Modell', type: 'boolean' },
+    { key: 'HAS_PRODUCT_REVIEWS', label: 'Produktbewertungen', type: 'boolean' },
+    { key: 'HAS_PARENT_COMPANY', label: 'Konzernstruktur (Mutter-/Tochtergesellschaft)', type: 'boolean' },
+    { key: 'HAS_LOCATION', label: 'Standortdaten erhoben', type: 'boolean' },
+    { key: 'HAS_E2E_ENCRYPTION', label: 'Ende-zu-Ende-Verschlüsselung (Messaging)', type: 'boolean' },
+    { key: 'DETAILED_RIGHTS', label: 'Ausführliche Rechte-Beschreibung', type: 'boolean' },
+    { key: 'PROCESSOR_LIST_URL', label: 'URL Auftragsverarbeiter-Liste' },
+  ],
+}
+
+  // ── TOM ─────────────────────────────────────────────────────────────────
+  TOM: [
+    { key: 'ISB_NAME', label: 'IT-Sicherheitsbeauftragter' },
+    { key: 'GF_NAME', label: 'Geschäftsführung' },
+    { key: 'DOCUMENT_VERSION', label: 'Dokumentversion' },
+    { key: 'NEXT_REVIEW_DATE', label: 'Nächste Prüfung (JJJJ-MM-TT)' },
+    { key: 'HAS_MFA', label: 'Multi-Faktor-Authentifizierung aktiv', type: 'boolean' },
+    { key: 'HAS_USB_LOCKED', label: 'USB-Schnittstellen physisch gesperrt', type: 'boolean' },
+    { key: 'HAS_MOBILE_MEDIA', label: 'Mobile Datenträger im Einsatz', type: 'boolean' },
+    { key: 'HAS_FOUR_EYES_DELETE', label: 'Vier-Augen-Prinzip für Löschungen', type: 'boolean' },
+    { key: 'LOG_RETENTION_MONTHS', label: 'Log-Aufbewahrung (Monate)', type: 'select', opts: ['3', '6', '12', '24'] },
+    { key: 'DIN_66399_LEVEL', label: 'Vernichtungsstufe (DIN 66399)', type: 'select', opts: ['1', '2', '3', '4', '5', '6', '7'] },
+    { key: 'HAS_EXTERNAL_DESTRUCTION', label: 'Externer Vernichtungsdienstleister', type: 'boolean' },
+    { key: 'HAS_PHYSICAL_TRANSPORT', label: 'Physischer Datenträgertransport', type: 'boolean' },
+    { key: 'HAS_THIRD_COUNTRY_TRANSFER', label: 'Datenübermittlung in Drittländer', type: 'boolean' },
+    { key: 'AVAILABILITY_TARGET', label: 'Verfügbarkeitsziel', type: 'select', opts: ['99.0', '99.5', '99.9', '99.99'] },
+    { key: 'HAS_USV', label: 'USV vorhanden', type: 'boolean' },
+    { key: 'HAS_REDUNDANCY', label: 'Redundante Systeme / Failover', type: 'boolean' },
+    { key: 'HAS_GEO_REDUNDANCY', label: 'Georedundanter Standort', type: 'boolean' },
+    { key: 'HAS_OWN_SERVER_ROOM', label: 'Eigener Serverraum', type: 'boolean' },
+    { key: 'HAS_CLOUD_SERVICES', label: 'Cloud-Dienste im Einsatz', type: 'boolean' },
+    { key: 'HAS_MULTI_TENANT', label: 'Multi-Tenant-System', type: 'boolean' },
+    { key: 'SEPARATION_TYPE', label: 'Art der Mandantentrennung', type: 'select', opts: ['logisch', 'physisch', 'eigene Infrastruktur'] },
+    { key: 'HAS_TEST_DATA_ANONYMIZED', label: 'Testdaten anonymisiert/synthetisch', type: 'boolean' },
+  ],
+  // ── DPA / AVV ─────────────────────────────────────────────────────────
+  DPA: [
+    { key: 'AG_NAME', label: 'Auftraggeber (Name/Firma)' },
+    { key: 'AG_STRASSE', label: 'Auftraggeber Straße' },
+    { key: 'AG_PLZ_ORT', label: 'Auftraggeber PLZ Ort' },
+    { key: 'AN_NAME', label: 'Auftragnehmer (Name/Firma)' },
+    { key: 'AN_STRASSE', label: 'Auftragnehmer Straße' },
+    { key: 'AN_PLZ_ORT', label: 'Auftragnehmer PLZ Ort' },
+    { key: 'VERARBEITUNGSGEGENSTAND', label: 'Gegenstand der Verarbeitung', type: 'textarea', span: true },
+    { key: 'VERARBEITUNGSZWECK', label: 'Zweck der Verarbeitung', type: 'textarea', span: true },
+    { key: 'VERARBEITUNGSARTEN', label: 'Art der Verarbeitung (Erheben, Speichern, …)', type: 'textarea', span: true },
+    { key: 'DATENKATEGORIEN', label: 'Datenkategorien', type: 'textarea', span: true },
+    { key: 'PERSONENKATEGORIEN', label: 'Betroffene Personenkategorien', type: 'textarea', span: true },
+    { key: 'BREACH_NOTIFICATION_HOURS', label: 'Meldefrist Datenschutzverletzung (h)', type: 'select', opts: ['12', '24', '48'] },
+    { key: 'INSTRUCTION_RETENTION_YEARS', label: 'Aufbewahrung Weisungen (Jahre)', type: 'select', opts: ['3', '5', '10'] },
+    { key: 'SUB_PROCESSOR_NOTICE_WEEKS', label: 'Ankündigung Sub-AV (Wochen)', type: 'select', opts: ['2', '4', '6'] },
+    { key: 'SUB_PROCESSOR_OBJECTION_WEEKS', label: 'Widerspruchsfrist Sub-AV (Wochen)', type: 'select', opts: ['2', '4'] },
+    { key: 'DATA_EXPORT_FORMAT', label: 'Datenformat bei Rückgabe', type: 'select', opts: ['CSV/JSON', 'CSV', 'JSON', 'XML', 'nach Vereinbarung'] },
+    { key: 'RETURN_CHOICE_WEEKS', label: 'Frist Rückgabe-Wahl (Wochen)', type: 'select', opts: ['2', '4', '8'] },
+    { key: 'DELETION_DAYS', label: 'Löschfrist nach Vertragsende (Tage)', type: 'select', opts: ['30', '60', '90'] },
+    { key: 'AN_DSB_NAME', label: 'DSB Auftragnehmer Name' },
+    { key: 'AN_DSB_EMAIL', label: 'DSB Auftragnehmer E-Mail', type: 'email' },
+    { key: 'VERTRAGSDATUM', label: 'Vertragsdatum (JJJJ-MM-TT)' },
+    { key: 'GERICHTSSTAND', label: 'Gerichtsstand' },
+    { key: 'HAS_LIABILITY_PROTECTION', label: 'Haftungsschutz bei Weisung (§ 4.1a)', type: 'boolean' },
+    { key: 'HAS_SUPPORT_COST_CLAUSE', label: 'Kostenregelung Unterstützung (§ 7.4)', type: 'boolean' },
+    { key: 'HAS_SUB_PROCESSOR_SILENCE_APPROVAL', label: 'Zustimmungsfiktion bei Sub-AV (§ 8.2a)', type: 'boolean' },
+    { key: 'HAS_SUB_PROCESSOR_TERMINATION_RIGHT', label: 'Kündigungsrecht bei Sub-AV-Widerspruch (§ 8.3)', type: 'boolean' },
+    { key: 'HAS_REACTIVATION_PERIOD', label: 'Reaktivierungszeitraum (§ 10.1)', type: 'boolean' },
+    { key: 'REACTIVATION_MONTHS', label: 'Reaktivierung (Monate)', type: 'select', opts: ['1', '3', '6'] },
+    { key: 'HAS_RETURN_COST_CLAUSE', label: 'Kosten für Datenrückgabe (§ 10.5)', type: 'boolean' },
+    { key: 'HAS_GERICHTSSTAND_CLAUSE', label: 'Gerichtsstandklausel (§ 11.1)', type: 'boolean' },
+    { key: 'HAS_UNILATERAL_CHANGE_RIGHT', label: '⚠️ Einseitiges Änderungsrecht AN (§ 11.6)', type: 'boolean' },
  ],
 }

@@ -9,6 +9,8 @@ import type {
  TemplateContext,
  ProviderCtx,
  ComputedFlags,
+  TOMCtx,
+  DPACtx,
 } from './contextBridge'

 // =============================================================================
@@ -44,6 +46,8 @@ export function contextToPlaceholders(ctx: TemplateContext): Record<string, stri
  const con = ctx.CONSENT
  const h = ctx.HOSTING
  const f = ctx.FEATURES
+  const tom = ctx.TOM
+  const dpa = ctx.DPA

  const address = providerAddress(p)

@@ -180,6 +184,46 @@ export function contextToPlaceholders(ctx: TemplateContext): Record<string, stri
    '{{LIMITATION_CAP_TEXT}}':           str(f.LIMITATION_CAP_TEXT),
    '{{CONSUMER_WITHDRAWAL_TEXT}}':      str(f.CONSUMER_WITHDRAWAL_TEXT),
    '{{SUPPORT_CHANNELS_TEXT}}':         str(f.SUPPORT_CHANNELS_TEXT),
+
+    // --- TOM ---
+    '{{ISB_NAME}}':              str(tom.ISB_NAME),
+    '{{GF_NAME}}':               str(tom.GF_NAME),
+    '{{DOCUMENT_VERSION}}':      str(tom.DOCUMENT_VERSION),
+    '{{NEXT_REVIEW_DATE}}':      str(tom.NEXT_REVIEW_DATE),
+
+    // --- DPA / AVV ---
+    '{{AG_NAME}}':               str(dpa.AG_NAME) || str(c.LEGAL_NAME),
+    '{{AG_STRASSE}}':            str(dpa.AG_STRASSE) || str(c.ADDRESS_LINE),
+    '{{AG_PLZ_ORT}}':            str(dpa.AG_PLZ_ORT) || [c.POSTAL_CODE, c.CITY].filter(Boolean).join(' '),
+    '{{AN_NAME}}':               str(dpa.AN_NAME) || str(p.LEGAL_NAME),
+    '{{AN_STRASSE}}':            str(dpa.AN_STRASSE) || str(p.ADDRESS_LINE),
+    '{{AN_PLZ_ORT}}':            str(dpa.AN_PLZ_ORT) || [p.POSTAL_CODE, p.CITY].filter(Boolean).join(' '),
+    '{{VERARBEITUNGSGEGENSTAND}}': str(dpa.VERARBEITUNGSGEGENSTAND),
+    '{{VERARBEITUNGSZWECK}}':    str(dpa.VERARBEITUNGSZWECK),
+    '{{VERARBEITUNGSARTEN}}':    str(dpa.VERARBEITUNGSARTEN),
+    '{{DATENKATEGORIEN}}':       str(dpa.DATENKATEGORIEN),
+    '{{PERSONENKATEGORIEN}}':    str(dpa.PERSONENKATEGORIEN),
+    '{{BREACH_NOTIFICATION_HOURS}}': str(dpa.BREACH_NOTIFICATION_HOURS) || str(sec.INCIDENT_NOTICE_HOURS),
+    '{{INSTRUCTION_RETENTION_YEARS}}': str(dpa.INSTRUCTION_RETENTION_YEARS),
+    '{{SUB_PROCESSOR_NOTICE_WEEKS}}': str(dpa.SUB_PROCESSOR_NOTICE_WEEKS),
+    '{{SUB_PROCESSOR_OBJECTION_WEEKS}}': str(dpa.SUB_PROCESSOR_OBJECTION_WEEKS),
+    '{{DATA_EXPORT_FORMAT}}':    str(dpa.DATA_EXPORT_FORMAT),
+    '{{RETURN_CHOICE_WEEKS}}':   str(dpa.RETURN_CHOICE_WEEKS),
+    '{{DELETION_DAYS}}':         str(dpa.DELETION_DAYS),
+    '{{REACTIVATION_MONTHS}}':   str(dpa.REACTIVATION_MONTHS),
+    '{{TERMINATION_WEEKS}}':     str(dpa.TERMINATION_WEEKS),
+    '{{CHANGE_NOTICE_WEEKS}}':   str(dpa.CHANGE_NOTICE_WEEKS),
+    '{{THIRD_COUNTRY_OBJECTION_WEEKS}}': str(dpa.THIRD_COUNTRY_OBJECTION_WEEKS),
+    '{{AN_DSB_NAME}}':           str(dpa.AN_DSB_NAME) || str(prv.DPO_NAME),
+    '{{AN_DSB_EMAIL}}':          str(dpa.AN_DSB_EMAIL) || str(prv.DPO_EMAIL),
+    '{{AG_ORT}}':                str(dpa.AG_ORT),
+    '{{AN_ORT}}':                str(dpa.AN_ORT),
+    '{{VERTRAGSDATUM}}':         str(dpa.VERTRAGSDATUM) || str(l.VERSION_DATE),
+    '{{AG_UNTERZEICHNER_NAME}}': str(dpa.AG_UNTERZEICHNER_NAME),
+    '{{AG_UNTERZEICHNER_FUNKTION}}': str(dpa.AG_UNTERZEICHNER_FUNKTION),
+    '{{AN_UNTERZEICHNER_NAME}}': str(dpa.AN_UNTERZEICHNER_NAME) || str(p.CEO_NAME),
+    '{{AN_UNTERZEICHNER_FUNKTION}}': str(dpa.AN_UNTERZEICHNER_FUNKTION),
+    '{{GERICHTSSTAND}}':         str(dpa.GERICHTSSTAND) || str(l.JURISDICTION_CITY),
  }
 }

@@ -217,6 +261,8 @@ const SECTION_COVERS: Record<keyof TemplateContext, string[]> = {
  CONSENT:   ['{{WEBSITE_NAME}}', '{{ANALYTICS_TOOLS}}', '{{MARKETING_PARTNERS}}', '{{ANALYTICS_TOOLS_LIST}}', '{{MARKETING_PARTNERS_LIST}}'],
  HOSTING:   ['{{HOSTING_PROVIDER_NAME}}', '{{HOSTING_PROVIDER_COUNTRY}}', '{{HOSTING_PROVIDER_CONTRACT_TYPE}}'],
  FEATURES:  ['{{CONSENT_WITHDRAWAL_PATH}}', '{{SECURITY_MEASURES_SUMMARY}}', '{{DATA_SUBJECT_REQUEST_CHANNEL}}', '{{TRANSFER_GUARDS}}', '{{REGULATED_PROFESSION_TEXT}}', '{{EDITORIAL_RESPONSIBLE_NAME}}', '{{EDITORIAL_RESPONSIBLE_ADDRESS}}', '{{DISPUTE_RESOLUTION_TEXT}}', '{{NEWSLETTER_PROVIDER_DETAIL}}', '{{PAYMENT_PROVIDER_DETAIL}}', '{{SOCIAL_MEDIA_DETAIL}}', '{{ANALYTICS_TOOLS_DETAIL}}', '{{MARKETING_TOOLS_DETAIL}}', '{{CMP_NAME}}', '{{PRICES_TEXT}}', '{{PAYMENT_TERMS_TEXT}}', '{{CONTRACT_TERM_TEXT}}', '{{SLA_URL}}', '{{EXPORT_POLICY_TEXT}}', '{{LIMITATION_CAP_TEXT}}', '{{CONSUMER_WITHDRAWAL_TEXT}}', '{{SUPPORT_CHANNELS_TEXT}}'],
+  TOM:       ['{{ISB_NAME}}', '{{GF_NAME}}', '{{DOCUMENT_VERSION}}', '{{NEXT_REVIEW_DATE}}'],
+  DPA:       ['{{AG_NAME}}', '{{AG_STRASSE}}', '{{AG_PLZ_ORT}}', '{{AN_NAME}}', '{{AN_STRASSE}}', '{{AN_PLZ_ORT}}', '{{VERARBEITUNGSGEGENSTAND}}', '{{VERARBEITUNGSZWECK}}', '{{VERARBEITUNGSARTEN}}', '{{DATENKATEGORIEN}}', '{{PERSONENKATEGORIEN}}', '{{BREACH_NOTIFICATION_HOURS}}', '{{INSTRUCTION_RETENTION_YEARS}}', '{{SUB_PROCESSOR_NOTICE_WEEKS}}', '{{SUB_PROCESSOR_OBJECTION_WEEKS}}', '{{DATA_EXPORT_FORMAT}}', '{{RETURN_CHOICE_WEEKS}}', '{{DELETION_DAYS}}', '{{REACTIVATION_MONTHS}}', '{{TERMINATION_WEEKS}}', '{{AN_DSB_NAME}}', '{{AN_DSB_EMAIL}}', '{{AG_ORT}}', '{{AN_ORT}}', '{{VERTRAGSDATUM}}', '{{AG_UNTERZEICHNER_NAME}}', '{{AG_UNTERZEICHNER_FUNKTION}}', '{{AN_UNTERZEICHNER_NAME}}', '{{AN_UNTERZEICHNER_FUNKTION}}', '{{GERICHTSSTAND}}'],
 }

 /**
@@ -167,6 +167,84 @@ export interface FeaturesCtx {
  SUPPORT_CHANNELS_TEXT: string
 }

+export interface TOMCtx {
+  ISB_NAME: string
+  GF_NAME: string
+  DOCUMENT_VERSION: string
+  NEXT_REVIEW_DATE: string
+  // Conditional blocks
+  HAS_PHYSICAL_TRANSPORT: boolean
+  HAS_THIRD_COUNTRY_TRANSFER: boolean
+  HAS_CLOUD_SERVICES: boolean
+  HAS_MFA: boolean
+  HAS_USB_LOCKED: boolean
+  HAS_MOBILE_MEDIA: boolean
+  HAS_FOUR_EYES_DELETE: boolean
+  HAS_EXTERNAL_DESTRUCTION: boolean
+  HAS_REDUNDANCY: boolean
+  HAS_GEO_REDUNDANCY: boolean
+  HAS_USV: boolean
+  HAS_OWN_SERVER_ROOM: boolean
+  HAS_MULTI_TENANT: boolean
+  HAS_TEST_DATA_ANONYMIZED: boolean
+  // Selects
+  LOG_RETENTION_MONTHS: number | ''
+  DIN_66399_LEVEL: string
+  AVAILABILITY_TARGET: string
+  SEPARATION_TYPE: string
+}
+
+export interface DPACtx {
+  // Parties
+  AG_NAME: string
+  AG_STRASSE: string
+  AG_PLZ_ORT: string
+  AN_NAME: string
+  AN_STRASSE: string
+  AN_PLZ_ORT: string
+  // Processing details
+  VERARBEITUNGSGEGENSTAND: string
+  VERARBEITUNGSZWECK: string
+  VERARBEITUNGSARTEN: string
+  DATENKATEGORIEN: string
+  PERSONENKATEGORIEN: string
+  // Timings
+  BREACH_NOTIFICATION_HOURS: number | ''
+  INSTRUCTION_RETENTION_YEARS: number | ''
+  SUB_PROCESSOR_NOTICE_WEEKS: number | ''
+  SUB_PROCESSOR_OBJECTION_WEEKS: number | ''
+  RETURN_CHOICE_WEEKS: number | ''
+  DELETION_DAYS: number | ''
+  REACTIVATION_MONTHS: number | ''
+  TERMINATION_WEEKS: number | ''
+  CHANGE_NOTICE_WEEKS: number | ''
+  THIRD_COUNTRY_OBJECTION_WEEKS: number | ''
+  // Data return
+  DATA_EXPORT_FORMAT: string
+  // DSB
+  AN_DSB_NAME: string
+  AN_DSB_EMAIL: string
+  // Signatures
+  AG_ORT: string
+  AN_ORT: string
+  VERTRAGSDATUM: string
+  AG_UNTERZEICHNER_NAME: string
+  AG_UNTERZEICHNER_FUNKTION: string
+  AN_UNTERZEICHNER_NAME: string
+  AN_UNTERZEICHNER_FUNKTION: string
+  GERICHTSSTAND: string
+  // Optional clauses
+  HAS_LIABILITY_PROTECTION: boolean
+  HAS_SUPPORT_COST_CLAUSE: boolean
+  HAS_SUB_PROCESSOR_SILENCE_APPROVAL: boolean
+  HAS_SUB_PROCESSOR_TERMINATION_RIGHT: boolean
+  HAS_REACTIVATION_PERIOD: boolean
+  HAS_RETURN_COST_CLAUSE: boolean
+  HAS_GERICHTSSTAND_CLAUSE: boolean
+  HAS_UNILATERAL_CHANGE_RIGHT: boolean
+  HAS_THIRD_COUNTRY_OBJECTION: boolean
+}
+
 export interface TemplateContext {
  PROVIDER: ProviderCtx
  CUSTOMER: CustomerCtx
@@ -180,6 +258,8 @@ export interface TemplateContext {
  CONSENT: ConsentCtx
  HOSTING: HostingCtx
  FEATURES: FeaturesCtx
+  TOM: TOMCtx
+  DPA: DPACtx
 }

 export interface ComputedFlags {
@@ -263,6 +343,37 @@ export const EMPTY_CONTEXT: TemplateContext = {
    LIMITATION_CAP_TEXT: '', HAS_WITHDRAWAL: false, CONSUMER_WITHDRAWAL_TEXT: '',
    SUPPORT_CHANNELS_TEXT: '',
  },
+  TOM: {
+    ISB_NAME: '', GF_NAME: '', DOCUMENT_VERSION: '1.0.0', NEXT_REVIEW_DATE: '',
+    HAS_PHYSICAL_TRANSPORT: false, HAS_THIRD_COUNTRY_TRANSFER: false,
+    HAS_CLOUD_SERVICES: false, HAS_MFA: true, HAS_USB_LOCKED: false,
+    HAS_MOBILE_MEDIA: false, HAS_FOUR_EYES_DELETE: false,
+    HAS_EXTERNAL_DESTRUCTION: false, HAS_REDUNDANCY: false,
+    HAS_GEO_REDUNDANCY: false, HAS_USV: true, HAS_OWN_SERVER_ROOM: false,
+    HAS_MULTI_TENANT: false, HAS_TEST_DATA_ANONYMIZED: true,
+    LOG_RETENTION_MONTHS: 6, DIN_66399_LEVEL: '3',
+    AVAILABILITY_TARGET: '99.5', SEPARATION_TYPE: 'logisch',
+  },
+  DPA: {
+    AG_NAME: '', AG_STRASSE: '', AG_PLZ_ORT: '',
+    AN_NAME: '', AN_STRASSE: '', AN_PLZ_ORT: '',
+    VERARBEITUNGSGEGENSTAND: '', VERARBEITUNGSZWECK: '', VERARBEITUNGSARTEN: '',
+    DATENKATEGORIEN: '', PERSONENKATEGORIEN: '',
+    BREACH_NOTIFICATION_HOURS: 24, INSTRUCTION_RETENTION_YEARS: 3,
+    SUB_PROCESSOR_NOTICE_WEEKS: 2, SUB_PROCESSOR_OBJECTION_WEEKS: 2,
+    RETURN_CHOICE_WEEKS: 4, DELETION_DAYS: 90, REACTIVATION_MONTHS: 3,
+    TERMINATION_WEEKS: 4, CHANGE_NOTICE_WEEKS: 4, THIRD_COUNTRY_OBJECTION_WEEKS: 3,
+    DATA_EXPORT_FORMAT: 'CSV/JSON', AN_DSB_NAME: '', AN_DSB_EMAIL: '',
+    AG_ORT: '', AN_ORT: '', VERTRAGSDATUM: '',
+    AG_UNTERZEICHNER_NAME: '', AG_UNTERZEICHNER_FUNKTION: 'Geschaeftsfuehrer',
+    AN_UNTERZEICHNER_NAME: '', AN_UNTERZEICHNER_FUNKTION: 'Geschaeftsfuehrer',
+    GERICHTSSTAND: '',
+    HAS_LIABILITY_PROTECTION: false, HAS_SUPPORT_COST_CLAUSE: false,
+    HAS_SUB_PROCESSOR_SILENCE_APPROVAL: true, HAS_SUB_PROCESSOR_TERMINATION_RIGHT: false,
+    HAS_REACTIVATION_PERIOD: true, HAS_RETURN_COST_CLAUSE: false,
+    HAS_GERICHTSSTAND_CLAUSE: true, HAS_UNILATERAL_CHANGE_RIGHT: false,
+    HAS_THIRD_COUNTRY_OBJECTION: false,
+  },
 }

 // =============================================================================
@@ -11,6 +11,7 @@ import { generateAllPlaceholders } from '@/lib/sdk/document-generator/datapoint-
 import { loadAllTemplates } from './searchTemplates'
 import { TemplateContext, EMPTY_CONTEXT } from './contextBridge'
 import { CATEGORIES } from './_constants'
+import { getGeneratorDefaults, getProfileLabel } from './scopeDefaults'
 import TemplateLibrary from './_components/TemplateLibrary'
 import GeneratorSection from './_components/GeneratorSection'

@@ -86,6 +87,19 @@ function DocumentGeneratorPageInner() {
    }
  }, [state?.companyProfile])

+  // Pre-fill TOM/DPA context from Compliance Scope Engine
+  useEffect(() => {
+    const scopeLevel = state?.complianceScope?.determinedLevel
+    if (scopeLevel) {
+      const defaults = getGeneratorDefaults(scopeLevel, state?.companyProfile as never)
+      setContext((prev) => ({
+        ...prev,
+        TOM: { ...prev.TOM, ...defaults.tom },
+        DPA: { ...prev.DPA, ...defaults.dpa },
+      }))
+    }
+  }, [state?.complianceScope?.determinedLevel, state?.companyProfile])
+
  // Pre-fill extra placeholders from Einwilligungen data points
  useEffect(() => {
    if (selectedDataPointsData && selectedDataPointsData.length > 0) {
@@ -0,0 +1,270 @@
+/**
+ * Scope-basierte Generator-Defaults
+ *
+ * Nimmt ScopeDecision.determinedLevel + CompanyProfile und liefert
+ * vorausgefuellte TOM/DPA-Context-Werte. Alle Felder bleiben vom
+ * Kunden aenderbar — die Defaults sind Empfehlungen.
+ *
+ * Mapping:
+ *   L1 = Lean Startup (≤10 MA, Cloud-only, Home Office)
+ *   L2 = KMU Standard (11-249 MA)
+ *   L3 = Erweitert (risikoreich oder >100 MA)
+ *   L4 = Zertifizierungsbereit (≥250 MA oder regulierte Branche)
+ */
+
+import type { ComplianceDepthLevel } from '../../lib/sdk/compliance-scope-types/core-levels'
+import type { CompanyProfile } from '../../lib/sdk/types'
+import type { TOMCtx, DPACtx } from './contextBridge'
+
+// ============================================================================
+// TOM Defaults per Level
+// ============================================================================
+
+const TOM_DEFAULTS: Record<ComplianceDepthLevel, Partial<TOMCtx>> = {
+  L1: {
+    // Lean Startup: Cloud-only, kein eigener Serverraum, Home Office
+    HAS_MFA: true,
+    HAS_USB_LOCKED: false,
+    HAS_MOBILE_MEDIA: false,
+    HAS_FOUR_EYES_DELETE: false,
+    HAS_EXTERNAL_DESTRUCTION: false,
+    HAS_PHYSICAL_TRANSPORT: false,
+    HAS_THIRD_COUNTRY_TRANSFER: false,
+    HAS_CLOUD_SERVICES: true,
+    HAS_REDUNDANCY: false,
+    HAS_GEO_REDUNDANCY: false,
+    HAS_USV: false,
+    HAS_OWN_SERVER_ROOM: false,
+    HAS_MULTI_TENANT: false,
+    HAS_TEST_DATA_ANONYMIZED: true,
+    LOG_RETENTION_MONTHS: 3,
+    DIN_66399_LEVEL: '3',
+    AVAILABILITY_TARGET: '99.0',
+    SEPARATION_TYPE: 'logisch',
+  },
+  L2: {
+    // KMU Standard
+    HAS_MFA: true,
+    HAS_USB_LOCKED: false,
+    HAS_MOBILE_MEDIA: false,
+    HAS_FOUR_EYES_DELETE: false,
+    HAS_EXTERNAL_DESTRUCTION: false,
+    HAS_PHYSICAL_TRANSPORT: false,
+    HAS_THIRD_COUNTRY_TRANSFER: false,
+    HAS_CLOUD_SERVICES: true,
+    HAS_REDUNDANCY: false,
+    HAS_GEO_REDUNDANCY: false,
+    HAS_USV: false,
+    HAS_OWN_SERVER_ROOM: false,
+    HAS_MULTI_TENANT: false,
+    HAS_TEST_DATA_ANONYMIZED: true,
+    LOG_RETENTION_MONTHS: 6,
+    DIN_66399_LEVEL: '3',
+    AVAILABILITY_TARGET: '99.5',
+    SEPARATION_TYPE: 'logisch',
+  },
+  L3: {
+    // Erweitert
+    HAS_MFA: true,
+    HAS_USB_LOCKED: false,
+    HAS_MOBILE_MEDIA: false,
+    HAS_FOUR_EYES_DELETE: true,
+    HAS_EXTERNAL_DESTRUCTION: true,
+    HAS_PHYSICAL_TRANSPORT: false,
+    HAS_THIRD_COUNTRY_TRANSFER: false,
+    HAS_CLOUD_SERVICES: true,
+    HAS_REDUNDANCY: true,
+    HAS_GEO_REDUNDANCY: false,
+    HAS_USV: true,
+    HAS_OWN_SERVER_ROOM: true,
+    HAS_MULTI_TENANT: true,
+    HAS_TEST_DATA_ANONYMIZED: true,
+    LOG_RETENTION_MONTHS: 12,
+    DIN_66399_LEVEL: '4',
+    AVAILABILITY_TARGET: '99.9',
+    SEPARATION_TYPE: 'logisch',
+  },
+  L4: {
+    // Zertifizierungsbereit / Enterprise
+    HAS_MFA: true,
+    HAS_USB_LOCKED: true,
+    HAS_MOBILE_MEDIA: false,
+    HAS_FOUR_EYES_DELETE: true,
+    HAS_EXTERNAL_DESTRUCTION: true,
+    HAS_PHYSICAL_TRANSPORT: false,
+    HAS_THIRD_COUNTRY_TRANSFER: false,
+    HAS_CLOUD_SERVICES: true,
+    HAS_REDUNDANCY: true,
+    HAS_GEO_REDUNDANCY: true,
+    HAS_USV: true,
+    HAS_OWN_SERVER_ROOM: true,
+    HAS_MULTI_TENANT: true,
+    HAS_TEST_DATA_ANONYMIZED: true,
+    LOG_RETENTION_MONTHS: 24,
+    DIN_66399_LEVEL: '5',
+    AVAILABILITY_TARGET: '99.99',
+    SEPARATION_TYPE: 'logisch',
+  },
+}
+
+// ============================================================================
+// DPA Defaults per Level
+// ============================================================================
+
+const DPA_DEFAULTS: Record<ComplianceDepthLevel, Partial<DPACtx>> = {
+  L1: {
+    BREACH_NOTIFICATION_HOURS: 48,
+    INSTRUCTION_RETENTION_YEARS: 3,
+    SUB_PROCESSOR_NOTICE_WEEKS: 2,
+    SUB_PROCESSOR_OBJECTION_WEEKS: 2,
+    DATA_EXPORT_FORMAT: 'CSV/JSON',
+    RETURN_CHOICE_WEEKS: 4,
+    DELETION_DAYS: 90,
+    HAS_LIABILITY_PROTECTION: false,
+    HAS_SUPPORT_COST_CLAUSE: false,
+    HAS_SUB_PROCESSOR_SILENCE_APPROVAL: true,
+    HAS_SUB_PROCESSOR_TERMINATION_RIGHT: false,
+    HAS_REACTIVATION_PERIOD: true,
+    REACTIVATION_MONTHS: 3,
+    HAS_RETURN_COST_CLAUSE: false,
+    HAS_GERICHTSSTAND_CLAUSE: false,
+    HAS_UNILATERAL_CHANGE_RIGHT: false,
+    HAS_THIRD_COUNTRY_OBJECTION: false,
+  },
+  L2: {
+    BREACH_NOTIFICATION_HOURS: 24,
+    INSTRUCTION_RETENTION_YEARS: 3,
+    SUB_PROCESSOR_NOTICE_WEEKS: 4,
+    SUB_PROCESSOR_OBJECTION_WEEKS: 2,
+    DATA_EXPORT_FORMAT: 'CSV/JSON',
+    RETURN_CHOICE_WEEKS: 4,
+    DELETION_DAYS: 90,
+    HAS_LIABILITY_PROTECTION: false,
+    HAS_SUPPORT_COST_CLAUSE: false,
+    HAS_SUB_PROCESSOR_SILENCE_APPROVAL: true,
+    HAS_SUB_PROCESSOR_TERMINATION_RIGHT: false,
+    HAS_REACTIVATION_PERIOD: true,
+    REACTIVATION_MONTHS: 3,
+    HAS_RETURN_COST_CLAUSE: false,
+    HAS_GERICHTSSTAND_CLAUSE: true,
+    HAS_UNILATERAL_CHANGE_RIGHT: false,
+    HAS_THIRD_COUNTRY_OBJECTION: false,
+  },
+  L3: {
+    BREACH_NOTIFICATION_HOURS: 24,
+    INSTRUCTION_RETENTION_YEARS: 5,
+    SUB_PROCESSOR_NOTICE_WEEKS: 4,
+    SUB_PROCESSOR_OBJECTION_WEEKS: 4,
+    DATA_EXPORT_FORMAT: 'CSV/JSON',
+    RETURN_CHOICE_WEEKS: 4,
+    DELETION_DAYS: 60,
+    HAS_LIABILITY_PROTECTION: true,
+    HAS_SUPPORT_COST_CLAUSE: true,
+    HAS_SUB_PROCESSOR_SILENCE_APPROVAL: true,
+    HAS_SUB_PROCESSOR_TERMINATION_RIGHT: true,
+    HAS_REACTIVATION_PERIOD: true,
+    REACTIVATION_MONTHS: 3,
+    HAS_RETURN_COST_CLAUSE: true,
+    HAS_GERICHTSSTAND_CLAUSE: true,
+    HAS_UNILATERAL_CHANGE_RIGHT: false,
+    HAS_THIRD_COUNTRY_OBJECTION: false,
+  },
+  L4: {
+    BREACH_NOTIFICATION_HOURS: 12,
+    INSTRUCTION_RETENTION_YEARS: 5,
+    SUB_PROCESSOR_NOTICE_WEEKS: 6,
+    SUB_PROCESSOR_OBJECTION_WEEKS: 4,
+    DATA_EXPORT_FORMAT: 'CSV/JSON',
+    RETURN_CHOICE_WEEKS: 8,
+    DELETION_DAYS: 30,
+    HAS_LIABILITY_PROTECTION: true,
+    HAS_SUPPORT_COST_CLAUSE: true,
+    HAS_SUB_PROCESSOR_SILENCE_APPROVAL: false,
+    HAS_SUB_PROCESSOR_TERMINATION_RIGHT: true,
+    HAS_REACTIVATION_PERIOD: false,
+    REACTIVATION_MONTHS: 3,
+    HAS_RETURN_COST_CLAUSE: true,
+    HAS_GERICHTSSTAND_CLAUSE: true,
+    HAS_UNILATERAL_CHANGE_RIGHT: false,
+    HAS_THIRD_COUNTRY_OBJECTION: false,
+  },
+}
+
+// ============================================================================
+// Public API
+// ============================================================================
+
+export interface GeneratorDefaults {
+  tom: Partial<TOMCtx>
+  dpa: Partial<DPACtx>
+  /** Which fields were set by the scope engine (for UI highlighting) */
+  scopeSet: Set<string>
+}
+
+/**
+ * Berechnet Generator-Defaults basierend auf dem Compliance-Level
+ * und dem CompanyProfile. Alle Werte sind Vorschlaege — der Kunde
+ * kann sie aendern.
+ */
+export function getGeneratorDefaults(
+  level: ComplianceDepthLevel,
+  profile?: CompanyProfile | null,
+): GeneratorDefaults {
+  const tomBase = { ...TOM_DEFAULTS[level] }
+  const dpaBase = { ...DPA_DEFAULTS[level] }
+  const scopeSet = new Set<string>()
+
+  // CompanyProfile-Felder in TOM/DPA uebernehmen
+  if (profile) {
+    if (profile.company_name) {
+      dpaBase.AN_NAME = profile.company_name
+      scopeSet.add('DPA.AN_NAME')
+    }
+    if (profile.address) {
+      dpaBase.AN_STRASSE = profile.address
+      scopeSet.add('DPA.AN_STRASSE')
+    }
+    if (profile.city && profile.postal_code) {
+      dpaBase.AN_PLZ_ORT = `${profile.postal_code} ${profile.city}`
+      scopeSet.add('DPA.AN_PLZ_ORT')
+    }
+    if (profile.dpo_name) {
+      tomBase.ISB_NAME = tomBase.ISB_NAME || ''
+      dpaBase.AN_DSB_NAME = profile.dpo_name
+      scopeSet.add('DPA.AN_DSB_NAME')
+    }
+    if (profile.dpo_email) {
+      dpaBase.AN_DSB_EMAIL = profile.dpo_email
+      scopeSet.add('DPA.AN_DSB_EMAIL')
+    }
+    if (profile.ceo_name) {
+      dpaBase.AN_UNTERZEICHNER_NAME = profile.ceo_name
+      tomBase.GF_NAME = profile.ceo_name
+      scopeSet.add('DPA.AN_UNTERZEICHNER_NAME')
+      scopeSet.add('TOM.GF_NAME')
+    }
+  }
+
+  // Alle gesetzten TOM/DPA Felder als scope-set markieren
+  for (const key of Object.keys(tomBase)) {
+    scopeSet.add(`TOM.${key}`)
+  }
+  for (const key of Object.keys(dpaBase)) {
+    scopeSet.add(`DPA.${key}`)
+  }
+
+  return { tom: tomBase, dpa: dpaBase, scopeSet }
+}
+
+/**
+ * Gibt das empfohlene Profil-Label zurueck (fuer UI-Anzeige).
+ */
+export function getProfileLabel(level: ComplianceDepthLevel): string {
+  const labels: Record<ComplianceDepthLevel, string> = {
+    L1: 'Startup / Kleinstunternehmen',
+    L2: 'KMU Standard',
+    L3: 'Erweiterte Compliance',
+    L4: 'Zertifizierungsbereit / Enterprise',
+  }
+  return labels[level]
+}