Data breach notification letter generator

Don't draft a regulator-facing letter from a blank page under a 30-day clock. Klaxon assembles a jurisdiction-correct breach-notification letter with the required statutory fields filled — and visibly flags anything still missing — for individuals, the state AG, HIPAA, GDPR, DFARS, PIPEDA, and Québec's CAI.


From obligations to letters in two steps

  1. Compute your obligations. Enter the affected states, resident counts, and data types in the notification engine. It returns the exact set of notices you owe and to whom.
  2. Generate each letter. Klaxon picks the right template per obligation, fills the required statutory fields from the rules engine, and shows you what's still missing before you send. Export to DOCX or PDF.

Templates included

Individual notice

Consumer letter meeting state-required content.

State attorney general

AG / regulator notice for the 36 states that require it.

HIPAA individual

§164.404 individual notice for PHI breaches.

HIPAA media / HHS

Large-breach media and HHS OCR notices.

GDPR Article 34

Data-subject communication for EU residents.

DFARS / DIBNet

Cyber-incident report framing for CUI.

PIPEDA (Canada)

OPC and individual notice for RROSH breaches.

Québec CAI

Law 25 notice to the Commission and individuals.

Substitute notice

Email + website + media package when direct notice is infeasible.

The legal fields are deterministic — not guessed

This is the part a generic AI letter writer gets dangerously wrong. In Klaxon, the load-bearing legal elements — the deadline, the recipient, and the mandatory statutory fields — come from a deterministic rules engine, not a language model. If you use the optional AI narrative drafter, those fields are passed in as fixed scaffolding the model may not change, and the letter view carries a banner: "legal scaffolding verified by Klaxon's rules engine; narrative AI-assisted — review before sending." Affected-individual rosters and evidence never enter any AI prompt.

Credit monitoring and required clauses, handled

When SSNs or financial account data are exposed, several states mandate offering free credit monitoring and require a specific clause. Klaxon detects this from the data types and affected states and inserts the required language, so you don't ship a letter that's missing a statutorily required offer.

Local-first by default

A breach letter contains some of the most sensitive facts your organization will ever write down. In Klaxon's free tier the entire generator runs in your browser — the draft, the fields, the export — and nothing transits a server. Read more about the broader breach-notification requirements these letters satisfy, or see how letters fit a full incident response plan.

Write the right letter, the first time.

Free, local-first, no signup. Decision-support, not legal advice.
