saas-compliance-frameworks
Security and compliance requirements for SaaS applications. Covers SOC 2, GDPR, HIPAA, and common compliance patterns with implementation guidance.
Best use case
saas-compliance-frameworks is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using saas-compliance-frameworks should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/saas-compliance-frameworks/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How saas-compliance-frameworks Compares
| Feature / Agent | saas-compliance-frameworks | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Security and compliance requirements for SaaS applications. Covers SOC 2, GDPR, HIPAA, and common compliance patterns with implementation guidance.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# SaaS Compliance Frameworks Skill
Guidance for implementing security and compliance requirements in SaaS applications.
## When to Use This Skill
Use this skill when:
- **SaaS Compliance Frameworks tasks** - Working on security and compliance requirements for SaaS applications: SOC 2, GDPR, HIPAA, and common compliance patterns with implementation guidance
- **Planning or design** - Need guidance on SaaS Compliance Frameworks approaches
- **Best practices** - Want to follow established patterns and standards
## Overview
SaaS applications serving enterprise customers typically need compliance certifications. This skill covers the major frameworks and their implementation requirements.
## Framework Comparison
```text
Compliance Framework Overview:
+-----------+-------------------+--------------------------+--------+
| Framework | Focus Area        | Required By              | Audit  |
+-----------+-------------------+--------------------------+--------+
| SOC 2     | Security controls | Enterprise B2B           | Annual |
| GDPR      | Data privacy      | EU customers/data        | N/A    |
| HIPAA     | Health data       | Healthcare/PHI           | Annual |
| PCI DSS   | Payment data      | Card payments            | Annual |
| ISO 27001 | InfoSec mgmt      | Enterprise/Government    | Annual |
| CCPA      | Privacy (CA)      | California consumers     | N/A    |
+-----------+-------------------+--------------------------+--------+
```
## SOC 2
### Trust Service Criteria
```text
SOC 2 Trust Service Criteria:
+----------------+--------------------------+----------------------+
| Criteria       | Focus                    | Key Controls         |
+----------------+--------------------------+----------------------+
| Security       | Protection from          | Access control,      |
| (Required)     | unauthorized access      | encryption, firewall |
+----------------+--------------------------+----------------------+
| Availability   | System uptime and        | Monitoring, DR/BC,   |
|                | accessibility            | SLAs, redundancy     |
+----------------+--------------------------+----------------------+
| Processing     | Complete, accurate       | QA, validation,      |
| Integrity      | processing               | error handling       |
+----------------+--------------------------+----------------------+
| Confidentiality| Protection of            | Encryption, access   |
|                | confidential info        | restrictions, DLP    |
+----------------+--------------------------+----------------------+
| Privacy        | Collection, use, and     | Consent, data rights,|
|                | retention of PII         | retention policies   |
+----------------+--------------------------+----------------------+
```
### SOC 2 Implementation Checklist
```text
Security Controls:
[ ] Multi-factor authentication (MFA) for all users
[ ] Role-based access control (RBAC)
[ ] Encryption at rest (AES-256)
[ ] Encryption in transit (TLS 1.2+)
[ ] Network segmentation/firewalls
[ ] Vulnerability scanning (regular)
[ ] Penetration testing (annual)
[ ] Security awareness training
[ ] Incident response plan
[ ] Vendor security assessments
Availability Controls:
[ ] Uptime monitoring and alerting
[ ] Disaster recovery plan
[ ] Regular backups (tested)
[ ] Redundant infrastructure
[ ] Documented SLAs
[ ] Capacity planning
Processing Integrity:
[ ] Input validation
[ ] Error handling and logging
[ ] Data integrity checks
[ ] Change management process
[ ] QA/testing procedures
Confidentiality:
[ ] Data classification policy
[ ] Access logging and monitoring
[ ] Secure data disposal
[ ] NDA with vendors
[ ] DLP controls (if applicable)
```
### SOC 2 Type I vs Type II
```text
Comparison:
+-----------------+---------------------+--------------------------+
| Aspect          | Type I              | Type II                  |
+-----------------+---------------------+--------------------------+
| Scope           | Point-in-time       | Period of time (6-12 mo) |
| Proves          | Controls designed   | Controls operating       |
| Duration        | 1-2 months          | 6-12 months observation  |
| Cost            | Lower               | Higher                   |
| Trust Level     | Lower               | Higher (preferred)       |
| Start With      | Type I first        | Then Type II             |
+-----------------+---------------------+--------------------------+
```
## GDPR
### Key Requirements
```text
GDPR Principles:
+---------------------+--------------------------------------------+
| Principle           | Requirement                                |
+---------------------+--------------------------------------------+
| Lawfulness          | Valid legal basis for processing           |
| Purpose Limitation  | Collect for specified, explicit purposes   |
| Data Minimization   | Only collect what's necessary              |
| Accuracy            | Keep data accurate and up to date          |
| Storage Limitation  | Don't keep longer than needed              |
| Integrity           | Protect against unauthorized processing    |
| Accountability      | Demonstrate compliance                     |
+---------------------+--------------------------------------------+
```
### Data Subject Rights
```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;

// Result and request types used by the handler (minimal shapes; the real ones carry more fields)
public sealed record PersonalDataExport(Guid UserId, DateTimeOffset GeneratedAt, IReadOnlyDictionary<string, object?> Data);
public sealed record DeletionResult(bool Completed, IReadOnlyList<string> RetainedRecords);
public sealed record PersonalDataUpdate(IReadOnlyDictionary<string, object?> Changes);

// Interface for handling data subject requests
public interface IDataSubjectRequestHandler
{
    // Right to Access (Art. 15)
    Task<PersonalDataExport> ExportPersonalDataAsync(
        Guid userId,
        CancellationToken ct = default);

    // Right to Erasure / Right to be Forgotten (Art. 17)
    Task<DeletionResult> DeletePersonalDataAsync(
        Guid userId,
        CancellationToken ct = default);

    // Right to Rectification (Art. 16)
    Task UpdatePersonalDataAsync(
        Guid userId,
        PersonalDataUpdate update,
        CancellationToken ct = default);

    // Right to Data Portability (Art. 20): machine-readable export
    Task<byte[]> ExportPortableDataAsync(
        Guid userId,
        string format = "json", // or "csv"
        CancellationToken ct = default);

    // Right to Restriction (Art. 18)
    Task RestrictProcessingAsync(
        Guid userId,
        CancellationToken ct = default);
}
```
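As an added example (not part of the skill's own code), here is an in-memory implementation of the Art. 15 and Art. 17 paths of the interface above. Everything in it is constructed: the `UserProfile` and `Invoice` stores, the legal-hold set, and the rule that invoices are pseudonymised rather than deleted because a retention obligation applies to them. The erasure path shows the two cases a practitioner has to handle that the interface alone does not: a request that must be refused because a legal hold is active, and a record that must be kept but can be stripped of identifiers.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Constructed entities standing in for the application's real data model.
public sealed class UserProfile
{
    public Guid UserId { get; init; }
    public string Email { get; set; } = "";
    public string DisplayName { get; set; } = "";
}

public sealed class Invoice
{
    public Guid Id { get; init; }
    public Guid? UserId { get; set; }              // null once unlinked from an erased user
    public string BillingName { get; set; } = "";
    public string BillingAddress { get; set; } = "";
    public decimal Amount { get; init; }
    public DateTimeOffset IssuedAt { get; init; }
}

public sealed record PersonalDataExport(Guid UserId, DateTimeOffset GeneratedAt, Dictionary<string, object?> Data);
public sealed record DeletionResult(bool Completed, IReadOnlyList<string> RetainedRecords);

public sealed class DataSubjectRequestService
{
    private readonly Dictionary<Guid, UserProfile> _profiles = new();
    private readonly List<Invoice> _invoices = new();
    private readonly HashSet<Guid> _legalHolds = new();   // users whose data is frozen for litigation

    public void AddProfile(UserProfile profile) => _profiles[profile.UserId] = profile;
    public void AddInvoice(Invoice invoice) => _invoices.Add(invoice);
    public void PlaceLegalHold(Guid userId) => _legalHolds.Add(userId);

    // Art. 15: everything held about the user, grouped by source, in a form the user can read.
    public Task<PersonalDataExport> ExportPersonalDataAsync(Guid userId, CancellationToken ct = default)
    {
        var data = new Dictionary<string, object?>();
        if (_profiles.TryGetValue(userId, out var p))
            data["profile"] = new { p.Email, p.DisplayName };
        data["invoices"] = _invoices
            .Where(i => i.UserId == userId)
            .Select(i => new { i.Id, i.BillingName, i.BillingAddress, i.Amount, i.IssuedAt })
            .ToList();
        return Task.FromResult(new PersonalDataExport(userId, DateTimeOffset.UtcNow, data));
    }

    // Art. 17: refuse while a legal hold is active; otherwise delete what can be deleted and
    // pseudonymise records that a retention obligation (here: invoices) requires us to keep.
    public Task<DeletionResult> DeletePersonalDataAsync(Guid userId, CancellationToken ct = default)
    {
        if (_legalHolds.Contains(userId))
            return Task.FromResult(new DeletionResult(false, new[] { "legal hold active: nothing erased" }));

        _profiles.Remove(userId);

        var retained = new List<string>();
        foreach (var invoice in _invoices.Where(i => i.UserId == userId).ToList())
        {
            invoice.BillingName = "[erased]";
            invoice.BillingAddress = "[erased]";
            invoice.UserId = null;                 // break the link to the person, keep amount and date
            retained.Add($"invoice:{invoice.Id} (financial record retained, identifiers removed)");
        }
        return Task.FromResult(new DeletionResult(true, retained));
    }
}

public static class Program
{
    public static async Task Main()
    {
        var svc = new DataSubjectRequestService();
        var alice = Guid.NewGuid();
        svc.AddProfile(new UserProfile { UserId = alice, Email = "alice@example.com", DisplayName = "Alice" });
        svc.AddInvoice(new Invoice { Id = Guid.NewGuid(), UserId = alice, BillingName = "Alice Example",
                                     BillingAddress = "1 Main St", Amount = 49.00m, IssuedAt = DateTimeOffset.UtcNow });

        var export = await svc.ExportPersonalDataAsync(alice);
        Console.WriteLine(JsonSerializer.Serialize(export.Data));

        var result = await svc.DeletePersonalDataAsync(alice);
        Console.WriteLine($"completed={result.Completed}, retained={string.Join("; ", result.RetainedRecords)}");

        var after = await svc.ExportPersonalDataAsync(alice);
        Console.WriteLine($"records still linked to the user: {((ICollection)after.Data["invoices"]!).Count}");
    }
}
```

Note the order in `DeletePersonalDataAsync`: the legal-hold check runs before anything is touched, so a refused request leaves no half-erased state, and the returned `RetainedRecords` list is what you would hand back to the data subject to explain what was kept and why.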
### GDPR Implementation Patterns
```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;

// Personal data inventory tracking
public sealed record PersonalDataField
{
    public required string FieldName { get; init; }
    public required string DataCategory { get; init; }    // "identity", "contact", "financial"
    public required string LegalBasis { get; init; }      // "consent", "contract", "legitimate_interest"
    public required string RetentionPeriod { get; init; }
    public required bool IsRequired { get; init; }
    public string? Purpose { get; init; }
}

// Consent management
public sealed record ConsentRecord
{
    public required Guid UserId { get; init; }
    public required string Purpose { get; init; }
    public required bool Granted { get; init; }
    public required DateTimeOffset Timestamp { get; init; }
    public required string Source { get; init; }          // "signup_form", "settings", "api"
    public required string Version { get; init; }         // Policy version
    public string? IpAddress { get; init; }
}

// Retention policy per data category, and the entity it is applied to
public sealed class RetentionPolicy
{
    public int Id { get; set; }
    public required string Category { get; set; }
    public int RetentionDays { get; set; }
}

public sealed class PersonalData
{
    public Guid Id { get; set; }
    public required string Category { get; set; }
    public DateTimeOffset LastActivityDate { get; set; }
    public bool HasLegalHold { get; set; }                 // a legal hold always overrides retention
}

// Data retention enforcement (storage limitation); ExecuteDeleteAsync needs EF Core 7+
public sealed class DataRetentionService(DbContext db, ILogger<DataRetentionService> logger)
{
    public async Task EnforceRetentionPoliciesAsync(CancellationToken ct)
    {
        // Delete expired personal data based on retention policies
        var policies = await db.Set<RetentionPolicy>().AsNoTracking().ToListAsync(ct);
        foreach (var policy in policies)
        {
            var cutoffDate = DateTimeOffset.UtcNow - TimeSpan.FromDays(policy.RetentionDays);
            var deleted = await db.Set<PersonalData>()
                .Where(d => d.Category == policy.Category)
                .Where(d => d.LastActivityDate < cutoffDate)
                .Where(d => !d.HasLegalHold)
                .ExecuteDeleteAsync(ct);
            logger.LogInformation(
                "Deleted {Count} records for category {Category} older than {Cutoff}",
                deleted, policy.Category, cutoffDate);
        }
    }
}
```
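The `ConsentRecord` above stores a policy `Version`; what a practitioner needs next is the check that turns those records into a yes/no answer before processing. The following is an added example, not the skill's code: an append-only consent log and a `Check` that treats a grant as valid only if it is the latest decision for that purpose and was given under the policy version currently in force. The purposes, policy versions and the sequence of events in `Main` are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public enum ConsentStatus { NeverAsked, Withdrawn, ReconsentRequired, Valid }

public sealed record ConsentRecord(
    Guid UserId,
    string Purpose,
    bool Granted,
    DateTimeOffset Timestamp,
    string Source,      // "signup_form", "settings", "api"
    string Version);    // privacy policy version the user saw when deciding

public sealed class ConsentService
{
    // Append-only: a change of mind is a new record, never an edit, so the history
    // itself is the evidence of compliance (accountability principle).
    private readonly List<ConsentRecord> _log = new();

    public string CurrentPolicyVersion { get; set; }

    public ConsentService(string currentPolicyVersion) => CurrentPolicyVersion = currentPolicyVersion;

    public void Record(Guid userId, string purpose, bool granted, string source, DateTimeOffset at)
        => _log.Add(new ConsentRecord(userId, purpose, granted, at, source, CurrentPolicyVersion));

    public ConsentStatus Check(Guid userId, string purpose)
    {
        // Records are appended in chronological order, so the last match is the current decision.
        var latest = _log.LastOrDefault(c => c.UserId == userId && c.Purpose == purpose);
        if (latest is null) return ConsentStatus.NeverAsked;
        if (!latest.Granted) return ConsentStatus.Withdrawn;
        // A grant given under an older policy does not carry over to the new one.
        if (latest.Version != CurrentPolicyVersion) return ConsentStatus.ReconsentRequired;
        return ConsentStatus.Valid;
    }

    // Gate for processing code: anything other than Valid means do not process.
    public bool MayProcess(Guid userId, string purpose) => Check(userId, purpose) == ConsentStatus.Valid;

    public IEnumerable<ConsentRecord> History(Guid userId) => _log.Where(c => c.UserId == userId);
}

public static class Program
{
    public static void Main()
    {
        var consent = new ConsentService(currentPolicyVersion: "2024-01");
        var user = Guid.NewGuid();
        var t0 = new DateTimeOffset(2024, 3, 1, 10, 0, 0, TimeSpan.Zero);

        Console.WriteLine($"before any decision: {consent.Check(user, "marketing")}");

        consent.Record(user, "marketing", granted: true, source: "signup_form", at: t0);
        Console.WriteLine($"after grant under 2024-01: may process = {consent.MayProcess(user, "marketing")}");

        consent.CurrentPolicyVersion = "2024-06";   // the policy text changed; old grants no longer apply
        Console.WriteLine($"after policy change: {consent.Check(user, "marketing")}");

        consent.Record(user, "marketing", granted: true, source: "settings", at: t0.AddMonths(4));
        Console.WriteLine($"after re-consent: may process = {consent.MayProcess(user, "marketing")}");

        consent.Record(user, "marketing", granted: false, source: "api", at: t0.AddMonths(5));
        Console.WriteLine($"after withdrawal: {consent.Check(user, "marketing")}");

        foreach (var r in consent.History(user))
            Console.WriteLine($"{r.Timestamp:u} {r.Purpose} granted={r.Granted} via {r.Source} policy={r.Version}");
    }
}
```

`History` is what an auditor or a data subject access request gets: the full sequence of grants and withdrawals with source and policy version, which is the evidence GDPR's accountability principle asks for.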
## HIPAA
### Protected Health Information (PHI)
```text
PHI Identifiers (18 types):
+-----------------+------------------------------------------------+
| Category        | Examples                                       |
+-----------------+------------------------------------------------+
| Direct          | Name, SSN, medical record #, health plan #     |
| Geographic      | Address, city, state, ZIP (if <20K population) |
| Temporal        | Dates (birth, admission, discharge, death)     |
| Contact         | Phone, fax, email, URLs, IP addresses          |
| Biometric       | Fingerprints, voice prints, photos             |
| Unique          | Account #, vehicle ID, device serial #         |
+-----------------+------------------------------------------------+
```
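The table lists the identifier categories; the operational question is what a transformation that removes them looks like. The following added example (not from the skill) applies the Safe Harbor rules for the date, age and ZIP categories: dates reduced to year, ages of 90 and over collapsed into one band with the birth year dropped, ZIP truncated to three digits with low-population prefixes replaced by 000, and the direct identifiers (name, MRN, email) removed. The patient records and the linkage key are constructed; the list of restricted three-digit ZIP prefixes is the commonly cited 2000-census list and is an assumption to be checked against current HHS guidance, and the keyed hash of the MRN is used as a re-identification code on the assumption that the key stays with the covered entity.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed input: the identified record as it sits in the clinical system.
public sealed record PatientRecord(
    string Name, string Mrn, string Email,
    DateOnly BirthDate, DateOnly AdmissionDate,
    string Zip, string Diagnosis);

// Output: no direct identifiers, dates reduced to years, ZIP to three digits.
public sealed record DeidentifiedRecord(
    string ResearchId, int? BirthYear, string AgeBand,
    int AdmissionYear, string Zip3, string Diagnosis);

public static class SafeHarborDeidentifier
{
    // Three-digit ZIP prefixes whose combined population is under 20,000 and must become "000".
    // Assumption: this is the commonly cited 2000-census list; confirm against current guidance.
    private static readonly HashSet<string> RestrictedZip3 = new()
    {
        "036", "059", "063", "102", "203", "556", "692", "790", "821",
        "823", "830", "831", "878", "879", "884", "890", "893"
    };

    public static DeidentifiedRecord Deidentify(PatientRecord p, DateOnly asOf, byte[] linkageKey)
    {
        var age = AgeOn(p.BirthDate, asOf);

        // Ages over 89, and any date element that would reveal such an age, are identifiers:
        // collapse to a single "90+" band and drop the birth year entirely.
        string ageBand = age >= 90 ? "90+" : $"{age / 10 * 10}-{age / 10 * 10 + 9}";
        int? birthYear = age >= 90 ? null : p.BirthDate.Year;

        // Geographic: keep the first three digits unless the prefix is on the restricted list.
        var zip3 = p.Zip.Length >= 3 && p.Zip[..3].All(char.IsDigit) ? p.Zip[..3] : "000";
        if (RestrictedZip3.Contains(zip3)) zip3 = "000";

        // Name, MRN and email are removed. A keyed hash of the MRN (key held only by the covered
        // entity) gives a stable research id that cannot be reversed without the key.
        var researchId = Convert.ToHexString(
            HMACSHA256.HashData(linkageKey, Encoding.UTF8.GetBytes(p.Mrn)))[..16];

        return new DeidentifiedRecord(researchId, birthYear, ageBand, p.AdmissionDate.Year, zip3, p.Diagnosis);
    }

    private static int AgeOn(DateOnly birth, DateOnly asOf)
    {
        var age = asOf.Year - birth.Year;
        if (asOf < birth.AddYears(age)) age--;   // birthday not yet reached this year
        return age;
    }
}

public static class Program
{
    public static void Main()
    {
        var key = RandomNumberGenerator.GetBytes(32);   // constructed; in practice kept in a KMS/HSM
        var asOf = new DateOnly(2024, 6, 1);

        var patients = new[]
        {
            new PatientRecord("Jane Doe", "MRN-000123", "jane@example.com",
                new DateOnly(1985, 11, 2), new DateOnly(2024, 2, 14), "10021", "E11.9"),
            // 94 years old and a restricted ZIP prefix: the band collapses to 90+, the birth
            // year is dropped, and the ZIP becomes 000
            new PatientRecord("John Roe", "MRN-000456", "john@example.com",
                new DateOnly(1930, 1, 20), new DateOnly(2024, 3, 3), "03601", "I10"),
        };

        foreach (var p in patients)
        {
            var d = SafeHarborDeidentifier.Deidentify(p, asOf, key);
            Console.WriteLine($"{d.ResearchId} year={d.BirthYear?.ToString() ?? "-"} age={d.AgeBand} " +
                              $"admitted={d.AdmissionYear} zip3={d.Zip3} dx={d.Diagnosis}");
        }
    }
}
```

The design choice worth noting is that the birth year is dropped for the 90+ group rather than merely banded: a year of birth combined with an admission year would reveal the age the rule is meant to hide.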
### HIPAA Safeguards
```text
Administrative Safeguards:
[ ] Security Officer designation
[ ] Risk analysis (annual)
[ ] Workforce training
[ ] Access management procedures
[ ] Incident response procedures
[ ] Business Associate Agreements (BAAs)
[ ] Contingency planning
Physical Safeguards:
[ ] Facility access controls
[ ] Workstation security
[ ] Device/media controls
[ ] Disposal procedures
Technical Safeguards:
[ ] Access controls (unique user ID, auto-logoff)
[ ] Audit controls (logging)
[ ] Integrity controls (checksums)
[ ] Transmission security (encryption)
[ ] Authentication
```
### HIPAA Implementation
```csharp
using System;
using System.Threading.Tasks;

public enum UserRole { Clinician, BillingStaff, Admin }
public enum PhiCategory { Clinical, Billing }
public enum AccessType { Read, Write }

// What the application records about each PHI access attempt
public sealed record PhiAccessEvent(
    Guid UserId,
    string Action,      // "view", "modify", "export", "delete"
    string PatientId,
    string? Details,
    string? IpAddress,
    bool Success);

public sealed record AuditEntry
{
    public required DateTimeOffset Timestamp { get; init; }
    public required Guid UserId { get; init; }
    public required string Action { get; init; }
    public required string ResourceType { get; init; }
    public required string ResourceId { get; init; }
    public string? Details { get; init; }
    public string? IpAddress { get; init; }
    public required bool Success { get; init; }
}

public interface IAuditRepository
{
    Task LogAsync(AuditEntry entry);
}

// PHI access logging (required for audit controls)
public sealed class PhiAccessLogger(IAuditRepository repository)
{
    public async Task LogAccessAsync(PhiAccessEvent accessEvent)
    {
        await repository.LogAsync(new AuditEntry
        {
            Timestamp = DateTimeOffset.UtcNow,
            UserId = accessEvent.UserId,
            Action = accessEvent.Action,
            ResourceType = "PHI",
            ResourceId = accessEvent.PatientId,
            Details = accessEvent.Details,
            IpAddress = accessEvent.IpAddress,
            Success = accessEvent.Success   // denied attempts are logged too
        });
    }
}

// Minimum necessary access enforcement
public static class PhiAccessPolicy
{
    public static bool CanAccess(
        UserRole role,
        PhiCategory category,
        AccessType accessType)
    {
        // Implement minimum necessary principle: default deny, allow only listed combinations
        return (role, category, accessType) switch
        {
            (UserRole.Clinician, _, AccessType.Read) => true,
            (UserRole.Clinician, _, AccessType.Write) => true,
            (UserRole.BillingStaff, PhiCategory.Billing, _) => true,
            (UserRole.BillingStaff, PhiCategory.Clinical, _) => false,
            (UserRole.Admin, _, AccessType.Read) => true,
            (UserRole.Admin, _, AccessType.Write) => false, // Admin shouldn't modify PHI
            _ => false
        };
    }
}
```
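The `PhiAccessLogger` above records each access; the audit control is only useful if the log cannot be quietly edited afterwards, and the integrity control in the safeguards table asks for exactly that. The following added example (not the skill's code) chains every entry to the previous one with SHA-256 so that any edit or deletion is detectable, and routes every access attempt, allowed or denied, through one gateway so that denials are logged too. The policy is passed in as a delegate; the user ids, patient ids and event sequence are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public enum Outcome { Allowed, Denied }

public sealed record PhiAuditEntry(
    long Sequence, DateTimeOffset Timestamp, Guid UserId, string Action,
    string PatientId, Outcome Outcome, string PreviousHash, string Hash);

// Append-only audit log where each entry commits to the one before it. Editing or removing
// an entry changes the hash every later entry depends on, so Verify() reports the break.
public sealed class ChainedAuditLog
{
    private const string GenesisHash = "GENESIS";
    private readonly List<PhiAuditEntry> _entries = new();

    public IReadOnlyList<PhiAuditEntry> Entries => _entries;

    public PhiAuditEntry Append(Guid userId, string action, string patientId, Outcome outcome, DateTimeOffset at)
    {
        var previous = _entries.Count == 0 ? GenesisHash : _entries[^1].Hash;
        var seq = _entries.Count + 1;
        var hash = ComputeHash(seq, at, userId, action, patientId, outcome, previous);
        var entry = new PhiAuditEntry(seq, at, userId, action, patientId, outcome, previous, hash);
        _entries.Add(entry);
        return entry;
    }

    // Recomputes every link. Returns the sequence number of the first broken entry, or 0 if intact.
    public static long Verify(IReadOnlyList<PhiAuditEntry> entries)
    {
        var previous = GenesisHash;
        for (var i = 0; i < entries.Count; i++)
        {
            var e = entries[i];
            var expected = ComputeHash(e.Sequence, e.Timestamp, e.UserId, e.Action, e.PatientId, e.Outcome, e.PreviousHash);
            if (e.Sequence != i + 1 || e.PreviousHash != previous || e.Hash != expected)
                return i + 1;
            previous = e.Hash;
        }
        return 0;
    }

    private static string ComputeHash(long seq, DateTimeOffset at, Guid userId, string action,
                                      string patientId, Outcome outcome, string previous)
    {
        // Fixed field order and a separator that cannot appear in the fields keep the hash deterministic.
        var canonical = string.Join("\n", seq, at.ToString("O"), userId, action, patientId, outcome, previous);
        return Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(canonical)));
    }
}

// Single choke point for PHI access: the decision is logged before any data is returned,
// whether it was allowed or not, so denied attempts are visible to audit as well.
public sealed class PhiAccessGateway(ChainedAuditLog log, Func<Guid, string, bool> policy)
{
    public bool TryAccess(Guid userId, string action, string patientId, out PhiAuditEntry entry)
    {
        var allowed = policy(userId, action);
        entry = log.Append(userId, action, patientId, allowed ? Outcome.Allowed : Outcome.Denied, DateTimeOffset.UtcNow);
        return allowed;
    }
}

public static class Program
{
    public static void Main()
    {
        var clinician = Guid.NewGuid();
        var billing = Guid.NewGuid();
        // Constructed policy: only the clinician may view or modify; everyone else is denied.
        bool Policy(Guid user, string action) => user == clinician && (action is "view" or "modify");

        var log = new ChainedAuditLog();
        var gateway = new PhiAccessGateway(log, Policy);

        gateway.TryAccess(clinician, "view", "patient-42", out _);
        gateway.TryAccess(billing, "view", "patient-42", out var denied);
        gateway.TryAccess(clinician, "modify", "patient-42", out _);

        Console.WriteLine($"billing attempt recorded as: {denied.Outcome}");
        Console.WriteLine($"intact log, first broken entry: {ChainedAuditLog.Verify(log.Entries)}");

        // Simulated tampering: someone rewrites the denied attempt as an allowed one.
        var tampered = log.Entries.ToList();
        tampered[1] = tampered[1] with { Outcome = Outcome.Allowed };
        Console.WriteLine($"tampered log, first broken entry: {ChainedAuditLog.Verify(tampered)}");
    }
}
```

In production the head hash would be anchored somewhere the application cannot write (a separate signing service or a WORM bucket) at regular intervals; the chain alone detects edits, the anchor is what stops someone from recomputing the whole chain after editing it.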
## Cross-Framework Controls
### Common Requirements
```text
Controls Required by Multiple Frameworks:
+------------------------+-------+------+-------+------+-----------+
| Control                | SOC 2 | GDPR | HIPAA | PCI  | ISO 27001 |
+------------------------+-------+------+-------+------+-----------+
| Encryption at rest     |   X   |  X   |   X   |  X   |     X     |
| Encryption in transit  |   X   |  X   |   X   |  X   |     X     |
| Access control (RBAC)  |   X   |  X   |   X   |  X   |     X     |
| Audit logging          |   X   |  X   |   X   |  X   |     X     |
| Incident response      |   X   |  X   |   X   |  X   |     X     |
| Vendor management      |   X   |  X   |   X   |  X   |     X     |
| Security training      |   X   |      |   X   |  X   |     X     |
| MFA                    |   X   |      |       |  X   |     X     |
| Vulnerability scanning |   X   |      |   X   |  X   |     X     |
| Penetration testing    |   X   |      |       |  X   |     X     |
| Backup and recovery    |   X   |      |   X   |  X   |     X     |
| Data classification    |   X   |  X   |   X   |  X   |     X     |
+------------------------+-------+------+-------+------+-----------+
```
### Multi-Tenant Compliance
```text
Tenant Isolation for Compliance:
+--------------------------+------------------+--------------------+
| Compliance Need          | Isolation Level  | Pattern            |
+--------------------------+------------------+--------------------+
| SOC 2 (standard)         | Logical (Pool)   | RLS + audit        |
| HIPAA BAA                | Logical minimum  | RLS + encryption   |
| HIPAA (strict)           | Database/Silo    | Separate DB        |
| PCI DSS                  | Segment network  | Network isolation  |
| Data sovereignty (GDPR)  | Regional deploy  | Geo-specific infra |
+--------------------------+------------------+--------------------+
```
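The table's "RLS + audit" pattern for pooled tenants is usually enforced in the database, but the application layer needs the same guarantee so that a query missing its tenant predicate cannot leak rows. The following added example (not the skill's code, and an assumption about the stack) does this in EF Core: a global query filter scopes every `Invoice` query to the tenant resolved from the request, and `SaveChanges` stamps inserts with the current tenant and blocks modifications of another tenant's rows. It assumes the `Microsoft.EntityFrameworkCore` and `Microsoft.EntityFrameworkCore.InMemory` packages; the `ITenantContext`, the entity and the sample data are constructed.

```csharp
using System;
using System.Linq;
using Microsoft.EntityFrameworkCore;

public sealed class Invoice
{
    public int Id { get; set; }
    public Guid TenantId { get; set; }
    public required string Customer { get; set; }
    public decimal Amount { get; set; }
}

// In a web app this is resolved per request from the authenticated principal's tenant claim.
public interface ITenantContext { Guid TenantId { get; } }
public sealed record FixedTenant(Guid TenantId) : ITenantContext;

public sealed class TenantDbContext(ITenantContext tenant, DbContextOptions<TenantDbContext> options)
    : DbContext(options)
{
    public DbSet<Invoice> Invoices => Set<Invoice>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // Application-side row-level security: every Invoice query is scoped to the current
        // tenant, so a forgotten Where(TenantId == ...) cannot return another tenant's rows.
        modelBuilder.Entity<Invoice>().HasQueryFilter(i => i.TenantId == tenant.TenantId);
        modelBuilder.Entity<Invoice>().HasIndex(i => i.TenantId);
    }

    public override int SaveChanges()
    {
        foreach (var entry in ChangeTracker.Entries<Invoice>())
        {
            if (entry.State == EntityState.Added)
            {
                entry.Entity.TenantId = tenant.TenantId;   // never trust a client-supplied tenant id
            }
            else if (entry.State is EntityState.Modified or EntityState.Deleted
                     && entry.Entity.TenantId != tenant.TenantId)
            {
                // Reachable only via IgnoreQueryFilters(); refuse rather than silently write.
                throw new InvalidOperationException(
                    $"Cross-tenant write blocked: invoice {entry.Entity.Id} belongs to another tenant");
            }
        }
        return base.SaveChanges();
    }
}

public static class Program
{
    private static TenantDbContext ContextFor(Guid tenantId) => new(
        new FixedTenant(tenantId),
        new DbContextOptionsBuilder<TenantDbContext>().UseInMemoryDatabase("isolation-demo").Options);

    public static void Main()
    {
        var tenantA = Guid.NewGuid();
        var tenantB = Guid.NewGuid();

        using (var a = ContextFor(tenantA))
        {
            a.Invoices.Add(new Invoice { Customer = "acme", Amount = 100 });
            a.Invoices.Add(new Invoice { Customer = "globex", Amount = 250 });
            a.SaveChanges();
        }
        using (var b = ContextFor(tenantB))
        {
            // The client-supplied TenantId is overwritten with tenant B's own id on save.
            b.Invoices.Add(new Invoice { Customer = "initech", Amount = 75, TenantId = tenantA });
            b.SaveChanges();
        }

        using (var b = ContextFor(tenantB))
        {
            Console.WriteLine($"tenant B sees {b.Invoices.Count()} invoice(s)");
            // IgnoreQueryFilters() is the administrative escape hatch; every use of it belongs in the audit log.
            Console.WriteLine($"unfiltered total across tenants: {b.Invoices.IgnoreQueryFilters().Count()}");

            // A cross-tenant delete attempted through the escape hatch is stopped by the write guard.
            var foreign = b.Invoices.IgnoreQueryFilters().First(i => i.TenantId == tenantA);
            b.Invoices.Remove(foreign);
            try { b.SaveChanges(); }
            catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
        }
    }
}
```

The filter and the write guard are complementary: the filter stops reads from crossing tenants, the guard stops writes, and the database-level RLS policy the table refers to is the backstop for any code path that bypasses the ORM entirely.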
## Compliance Monitoring
### Continuous Compliance
```csharp
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;

public enum ControlStatus { Pass, Fail, NotApplicable }

public sealed record ControlResult(string ControlId, ControlStatus Status, string Evidence);

public sealed record ComplianceReport(string Framework, IReadOnlyList<ControlResult> Results);

public interface IComplianceMonitor
{
    // Run compliance checks
    Task<ComplianceReport> RunChecksAsync(
        string framework,
        CancellationToken ct = default);

    // Check specific control
    Task<ControlResult> CheckControlAsync(
        string controlId,
        CancellationToken ct = default);

    // Get compliance score
    Task<ComplianceScore> GetScoreAsync(
        string framework,
        CancellationToken ct = default);
}

public sealed record ComplianceScore
{
    public required string Framework { get; init; }
    public required int TotalControls { get; init; }      // applicable controls only (excludes NotApplicable)
    public required int PassingControls { get; init; }
    public required int FailingControls { get; init; }
    public required int NotApplicable { get; init; }

    public decimal PercentCompliant => TotalControls > 0
        ? (decimal)PassingControls / TotalControls * 100
        : 0;
}
```
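The interface leaves open how a control check is actually performed and how a score is computed from the results. The following is an added example (not the skill's code) of a concrete monitor: each control is a registered function returning pass, fail or not-applicable with evidence; a check that throws is counted as a failure rather than silently skipped; and the score is computed over applicable controls only, so not-applicable items neither inflate nor deflate it. The control ids, the `Config` snapshot they inspect and its values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

public enum ControlStatus { Pass, Fail, NotApplicable }

public sealed record ControlResult(string ControlId, ControlStatus Status, string Evidence);

public sealed record ComplianceReport(string Framework, DateTimeOffset GeneratedAt, IReadOnlyList<ControlResult> Results)
{
    public int Applicable => Results.Count(r => r.Status != ControlStatus.NotApplicable);
    public int Passing => Results.Count(r => r.Status == ControlStatus.Pass);
    // Score over applicable controls only; a framework with nothing applicable is vacuously compliant.
    public decimal PercentCompliant => Applicable == 0 ? 100 : Math.Round((decimal)Passing / Applicable * 100, 1);
}

public delegate Task<ControlResult> ControlCheck(CancellationToken ct);

public sealed class ComplianceMonitor
{
    private readonly Dictionary<string, (string Framework, ControlCheck Check)> _checks = new();

    public void Register(string framework, string controlId, ControlCheck check) => _checks[controlId] = (framework, check);

    public async Task<ComplianceReport> RunChecksAsync(string framework, CancellationToken ct = default)
    {
        var results = new List<ControlResult>();
        foreach (var (id, (fw, _)) in _checks)
        {
            if (fw == framework) results.Add(await CheckControlAsync(id, ct));
        }
        return new ComplianceReport(framework, DateTimeOffset.UtcNow, results);
    }

    public async Task<ControlResult> CheckControlAsync(string controlId, CancellationToken ct = default)
    {
        if (!_checks.TryGetValue(controlId, out var registered))
            return new ControlResult(controlId, ControlStatus.Fail, "unknown control: no check registered");
        try
        {
            return await registered.Check(ct);
        }
        catch (Exception ex)
        {
            // A check that cannot run has produced no evidence: count it as failing, never as passing.
            return new ControlResult(controlId, ControlStatus.Fail, $"check error: {ex.Message}");
        }
    }
}

// Constructed configuration snapshot and the checks that inspect it (control ids are illustrative).
public sealed record Config(bool MfaRequired, Version MinTls, int LastTestedBackupAgeDays, bool StoresCardData);

public static class SampleChecks
{
    public static ComplianceMonitor Build(Config cfg)
    {
        var m = new ComplianceMonitor();
        m.Register("SOC2", "soc2-mfa", _ => Result("soc2-mfa",
            cfg.MfaRequired, "MFA enforced for all users", "MFA optional"));
        m.Register("SOC2", "soc2-tls", _ => Result("soc2-tls",
            cfg.MinTls >= new Version(1, 2), $"minimum TLS {cfg.MinTls}", $"TLS {cfg.MinTls} still accepted"));
        m.Register("SOC2", "soc2-backup-test", _ => Result("soc2-backup-test",
            cfg.LastTestedBackupAgeDays <= 90, $"restore tested {cfg.LastTestedBackupAgeDays} days ago", "restore test overdue"));
        // Not applicable without card data; with card data the scan is not wired up yet and surfaces as a Fail.
        m.Register("PCI", "pci-cde-segmentation", _ => cfg.StoresCardData
            ? throw new NotImplementedException("segmentation scan not configured")
            : Task.FromResult(new ControlResult("pci-cde-segmentation", ControlStatus.NotApplicable, "no card data stored")));
        return m;
    }

    private static Task<ControlResult> Result(string id, bool ok, string passEvidence, string failEvidence) =>
        Task.FromResult(new ControlResult(id, ok ? ControlStatus.Pass : ControlStatus.Fail, ok ? passEvidence : failEvidence));
}

public static class Program
{
    public static async Task Main()
    {
        foreach (var storesCards in new[] { false, true })
        {
            var monitor = SampleChecks.Build(new Config(MfaRequired: true, MinTls: new Version(1, 2),
                                                        LastTestedBackupAgeDays: 120, StoresCardData: storesCards));
            foreach (var framework in new[] { "SOC2", "PCI" })
            {
                var report = await monitor.RunChecksAsync(framework);
                foreach (var r in report.Results)
                    Console.WriteLine($"[{r.Status}] {r.ControlId}: {r.Evidence}");
                Console.WriteLine($"{framework}: {report.Passing}/{report.Applicable} applicable passing ({report.PercentCompliant}%)");
            }
        }
    }
}
```

The evidence string on each result is what makes the report useful to an auditor: a bare pass/fail count says nothing about which configuration was inspected or when, so every check states what it saw.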
## References
Load for detailed implementation:
- `references/soc2-requirements.md` - SOC 2 control details
- `references/gdpr-implementation.md` - GDPR technical implementation
- `references/hipaa-checklist.md` - HIPAA safeguards checklist
## Related Skills
- `audit-logging` - Immutable audit trails
- `tenant-data-isolation` - Data isolation patterns
- `data-residency` - Geographic data requirements
## MCP Research
For current compliance guidance:
```text
perplexity: "SOC 2 Type II 2024 requirements" "SaaS compliance best practices"
microsoft-learn: "Azure compliance" "SOC 2 Azure" "HIPAA Azure"
```