---

name: compliance-architecture description: Enterprise-grade compliance architecture for SOC 2, HIPAA, GDPR, PCI-DSS. Provides compliance checklists, security controls, audit guidance, and regulatory requirements for serverless and cloud architectures. Activates for compliance, HIPAA, SOC2, SOC 2, GDPR, PCI-DSS, PCI DSS, regulatory, healthcare data, payment card, data protection, audit, security standards, regulated industry, BAA, business associate agreement, DPIA, data protection impact assessment.

Compliance Architecture Expert

I'm a specialist in enterprise compliance architecture across regulated industries. I help you design systems that meet regulatory requirements while maintaining operational efficiency.

When to Use This Skill

Ask me when you need help with:

• SOC 2 Type II compliance for SaaS applications
• HIPAA compliance for healthcare data systems
• GDPR compliance for European data protection
• PCI-DSS compliance for payment card processing
• Security architecture for regulated industries
• Audit preparation and evidence collection
• Compliance validation for serverless/cloud deployments

My Expertise

SOC 2 Type II Compliance

Core Requirements for Serverless:

1. Encryption Standards

   • Encryption at rest: All data in databases, S3, DynamoDB encrypted
   • Encryption in transit: TLS 1.2+ for all API communications
   • Key management: Customer-managed keys (KMS, Key Vault, GCP KMS)
   • Regular key rotation: Annual minimum or per compliance policy

2. Access Logging and Retention

   • CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP)
   • Minimum retention: 90 days (24 months recommended)
   • Centralized log aggregation: ELK Stack, Splunk, or cloud-native
   • Immutable audit logs: Write-once storage for compliance evidence
   • Real-time alerting on unauthorized access attempts

3. Access Controls

   • Least privilege IAM roles and policies
   • No wildcard (*) permissions on sensitive resources
   • Role-based access control (RBAC) by team/department
   • Multi-factor authentication (MFA) for humans
   • Service-to-service authentication via temporary credentials

4. Change Management

   • Documented change procedures with approval workflow
   • Separation of duties: Developers, reviewers, approval authority
   • Automated testing in CI/CD before production deployment
   • Change logs with timestamps, author, and justification
   • Rollback procedures documented and tested

HIPAA Compliance

Healthcare Data Protection Requirements:

1. Business Associate Agreement (BAA)

   • Mandatory: Cloud provider must sign BAA before deployment
   • Covers: AWS, Azure, GCP, managed services
   • Do not use: Generic SaaS platforms without BAA

2. Encryption Requirements

   • Encryption at rest: AWS KMS, Azure Key Vault, or GCP KMS
   • Customer-managed keys (CMK): Not provider-managed default keys
   • Encryption in transit: TLS 1.2+ for all PHI transfers
   • Database encryption: All databases holding PHI (RDS, DynamoDB)
   • S3/Blob encryption: All healthcare data storage

3. Audit Logging

   • CloudTrail/Activity Log: All access to PHI systems
   • Application logging: Access, modification, deletion events
   • Retention: Minimum 6 years (state laws may require longer)
   • Immutable storage: Prevent audit log tampering

4. Network Isolation

   • VPC for database and processing: No public endpoints
   • Security groups: Whitelist only necessary ports
   • NACLs: Network ACLs for additional layer
   • Private subnets: Database and sensitive compute resources
   • VPN/Bastion for administrative access

5. No Public Endpoints

   • API Gateway: Private endpoints, not public
   • Lambda: Invoke only from VPC or authenticated clients
   • Databases: Private subnets only
   • S3: Block public access, bucket policies deny public

GDPR Compliance

European Data Protection Regulations:

1. Data Residency Controls

   • EU data: Must reside in EU regions (eu-west-1, eu-central-1)
   • Data localization: No automatic replication outside EU
   • Backup regions: Only EU-based backup locations
   • Processing: Ensure data processors operate in EU
   • Documentation: Mapping of data to region/controller

2. Right to Erasure (Data Deletion)

   • Deletion capabilities: Systems must support complete data removal
   • Orphaned data: Periodic scans for disconnected/abandoned data
   • Backup deletion: Timely deletion from backup systems
   • Third-party deletion: Data deletion from all processors
   • Compliance evidence: Document deletion execution and timing
   • Foreign keys: Cascade deletes or documented orphaned records

3. Consent Management

   • Consent records: Timestamp and version of every consent
   • Granular consent: Separate for marketing, analytics, processing
   • Easy withdrawal: Simple mechanisms to withdraw consent
   • Documentation: Proof of consent for audits
   • Cookie management: Consent before non-essential tracking

4. Data Portability

   • Export formats: JSON, CSV, or standard formats
   • Completeness: All data subject to export request
   • Machine-readable: Structured data in machine-readable format
   • Timing: Provide within 30 days of request
   • No fees: Free data export (no extraction charges)

5. Privacy by Design

   • Data minimization: Collect only necessary data
   • Purpose limitation: Use data only for stated purposes
   • Retention policies: Delete when no longer needed
   • Default privacy: Private by default, not opt-in later
   • Impact assessments: DPIA for new processing activities

PCI-DSS Compliance

Payment Card Data Protection (v3.2.1 or later):

1. Tokenization Requirements

   • Never store raw card data: PAN, CVV, expiration
   • Tokenization service: Stripe, Square, or PCI-compliant provider
   • Token storage only: Systems never handle raw card data
   • Scope reduction: Tokenization dramatically reduces PCI scope

2. Encryption Requirements

   • Encryption at rest: All card data and keys in secure storage
   • Encryption in transit: TLS 1.2+ minimum for all payments
   • Key management: HSM (Hardware Security Module) recommended
   • Key rotation: Annual minimum or per compliance policy
   • Test keys: Separate test environment keys

3. Network Segmentation

   • Cardholder data environment (CDE): Isolated network segment
   • Firewalls: Between CDE and non-CDE systems
   • Intrusion detection: IDS monitoring for CDE
   • Testing: Regular penetration testing (quarterly minimum)

4. Regular Security Audits

   • Quarterly vulnerability scans: External scanning service
   • Annual penetration testing: By approved assessor
   • Compliance validation: Annual SAQ or audit
   • Incident response testing: Test breach response procedures

5. Secure Card Data Handling

   • No storage of sensitive authentication data: CVC/CVV, PIN
   • No storage of magnetic stripe data after auth
   • Transaction logging: All card interactions logged
   • Access controls: Minimize people accessing card data

Security Misconfiguration Warnings

Common Serverless Security Issues:

❌ Public S3 Buckets

WRONG:
- S3 bucket with public read access
- "Block public access" disabled
- Bucket policy allows s3:GetObject to "*"

CORRECT:
- Block public access: enabled
- Bucket policy: Only CloudFront, VPC endpoints, specific IAM roles
- Encryption: enabled with customer-managed keys

❌ Overly Permissive IAM Policies

WRONG:
{
  "Effect": "Allow",
  "Action": "s3:*",           # WILDCARD ACTION
  "Resource": "*"             # WILDCARD RESOURCE
}

CORRECT:
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": "arn:aws:s3:::specific-bucket/specific-prefix/*",
  "Condition": {
    "IpAddress": {"aws:SourceIp": "10.0.0.0/8"}
  }
}

❌ Hardcoded Secrets

WRONG:
const apiKey = "sk_test_123456789abcdef";  // In code or env vars

CORRECT:
// AWS
const secret = await secretsManager.getSecretValue('api-key');

// Azure
const credential = new DefaultAzureCredential();
const client = new SecretClient(vaultUrl, credential);

// GCP
const [version] = await client.accessSecretVersion({name: secretName});

❌ Unencrypted Databases

WRONG:
- RDS without encryption
- DynamoDB without encryption
- DocumentDB without encryption

CORRECT:
- All databases encrypted at rest
- Customer-managed keys in KMS
- Encryption enabled during creation
- Cannot be disabled after creation

❌ Missing HTTPS Enforcement

WRONG:
- API Gateway accepting HTTP traffic
- No redirect from HTTP to HTTPS
- Clients can connect via unencrypted channel

CORRECT:
- API Gateway: minimum TLS 1.2
- Redirect HTTP → HTTPS (301)
- Client certificates for additional security
- HSTS header: Strict-Transport-Security

❌ Exposed Environment Variables

WRONG:
export DATABASE_PASSWORD="MyPassword123"
console.log(process.env.DATABASE_PASSWORD)  # In logs

CORRECT:
- Use AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
- Inject as secret environment variables (redacted in logs)
- Never log secrets or sensitive configuration
- Rotate secrets annually

❌ Missing Network Isolation

WRONG:
- Lambda in public subnet with NAT
- Database accessible from internet
- No security groups restricting access

CORRECT:
- Lambda in private subnet
- Database in private subnet
- Security groups: Lambda → Database only
- No route to Internet Gateway from database subnet

Production Security Checklist

Before deploying to production, verify all items:

Identity & Access

• IAM roles: Least privilege principle applied
• No wildcard permissions: All permissions specific to resource/action
• Cross-account access: No trusting wildcard principals
• API keys: Rotated annually (or per policy)
• MFA: Enabled for all human users
• Service accounts: Using temporary credentials (STS)
• Resource-based policies: Scoped to specific principals

Secrets Management

• Database passwords: In Secrets Manager, not code
• API keys: In Secrets Manager, not environment variables
• Keys rotated: Annually or per compliance requirement
• Audit logging: All secret access logged and monitored
• Access restricted: Only authorized applications/users
• Old versions: Deleted or marked deprecated

Encryption

• Encryption at rest: Enabled for all databases and storage
• Customer-managed keys: Using KMS, Key Vault, or equivalent
• Encryption in transit: TLS 1.2+ for all APIs
• Certificate validation: Proper SSL/TLS certificate chains
• Key rotation: Automatic or scheduled rotation configured
• Backward compatibility: Can decrypt older encrypted data

Network Security

• VPC: Sensitive resources in private subnets
• Security groups: Whitelisting only necessary ports
• NACLs: Network ACLs for additional layer
• NAT Gateway: For private subnet outbound traffic
• No public endpoints: Databases, caches in private subnets
• VPN/Bastion: For administrative access
• HTTPS enforcement: Redirect HTTP to HTTPS

Data Protection

• PII classification: Data tagged and tracked
• Backup encryption: Backups encrypted with KMS keys
• Backup testing: Regular restore tests from backups
• Data retention: Policies documented and enforced
• Data deletion: Procedures tested for GDPR/compliance
• Sensitive data: No logs, error messages, or metrics
• Database activity monitoring: Enabled for compliance

Logging & Monitoring

• CloudTrail/Activity Logs: Enabled and retained 90+ days
• Application logging: Access, modification, deletion events
• Log aggregation: Centralized in ELK, Splunk, or cloud solution
• Immutable logs: Write-once storage for audit trails
• Alerting: Real-time alerts for security events
• Log retention: Per compliance requirement (90 days minimum)
• Log analysis: Regular review for anomalies

Deployment & CI/CD

• Code scanning: SAST tools in CI/CD pipeline
• Dependency scanning: SCA for vulnerable dependencies
• Container scanning: Image scanning before deployment
• Secrets scanning: Detect hardcoded secrets
• Approval workflow: Required before production deployment
• Automated testing: Security tests in pipeline
• Change logs: All changes documented with justification

Compliance & Auditing

• Compliance framework: Selected (SOC 2, HIPAA, GDPR, PCI-DSS)
• BAA signed: If healthcare data (HIPAA required)
• Security policy: Documented and communicated
• Incident response: Plan documented and tested
• Vulnerability disclosure: Process for reporting issues
• Regular assessments: Penetration testing scheduled
• Documentation: All security controls documented

Testing

• Security tests: Unit and integration security tests
• Penetration testing: Quarterly or annually
• Chaos engineering: Test recovery from security incidents
• Compliance validation: Annual audit or SAQ
• Incident simulations: Quarterly breach response drills

When to Request Compliance Architecture

Request my help when:

1. User mentions regulated industry (healthcare, finance, payment processing)
2. Project involves customer data, personal information, or sensitive records
3. Requirements specify SOC 2, HIPAA, GDPR, PCI-DSS, or other compliance
4. User asks about security best practices or data protection
5. Deployment involves cross-border data transfer

Integration with Security Agent

Coordinate with Security Agent for:

• Detailed threat modeling and risk assessment
• Security architecture review and hardening
• Incident response planning and testing
• Penetration testing coordination
• Vulnerability management processes

---

Remember: Compliance is not a checkbox exercise - it's about building secure, trustworthy systems that protect user data and meet legal obligations.