Compliance Frameworks, Audits and Standards

10 min read · Updated 2026-04-25

Compliance is the part of security you can’t engineer your way out of. Whatever your security posture, an auditor will eventually look at your processes, your architecture, your data flows, and your evidence. Designing for compliance from day one is dramatically cheaper than retrofitting.

This lesson covers the major frameworks SaaS companies typically encounter, what they actually require, and how to architect for them.

SOC 2 — The Default for B2B SaaS

SOC 2 (System and Organization Controls) is the most common compliance framework for B2B SaaS. Most enterprise customers will ask for a SOC 2 report before signing.

The Trust Service Criteria

SOC 2 evaluates against five “Trust Service Criteria” — pick which apply:

Security (always required)
Information protected against unauthorized access. Foundation criterion.
Availability (optional)
System available for operation as committed. SLAs, uptime, capacity planning.
Processing Integrity (optional)
System processing complete, valid, accurate, timely, authorized.
Confidentiality (optional)
Confidential information protected. Mostly relevant if you handle confidential data beyond personal info.
Privacy (optional)
Personal information collected, used, retained, disclosed per privacy notice. Less common — most companies cover privacy via GDPR/CCPA instead.

Most SaaS companies start with Security only, then add Availability and others as customer demands grow.

Type I vs. Type II

SOC 2 Type I
Snapshot
Auditor verifies controls are designed correctly at a point in time. 1-2 weeks. Cheaper. First step.
SOC 2 Type II
Operating effectiveness over time
Auditor verifies controls operated correctly over a 6-12 month window. The one customers actually want. Annual.

What auditors look for

Documented policies
Information security policy, incident response, access control, change management. Written, approved, reviewed annually.
Access controls
Least privilege. MFA for admin access. Periodic access reviews. Provisioning/deprovisioning processes.
Logging and monitoring
Centralized logging. Anomaly detection. Alerting. Audit trail for privileged actions.
Change management
Code reviews, CI/CD, deployment approvals, rollback procedures.
Incident response
Documented IR plan. Tabletop exercises. Postmortems. Customer notification procedures.
Vulnerability management
Scanning, patching, penetration testing. Track and remediate findings.

Tooling

SOC 2 tooling has matured significantly:

GDPR — EU Personal Data

GDPR (General Data Protection Regulation) governs personal data of EU residents. Applies to any organization processing EU personal data, regardless of where the org is based.

Key principles

Lawful basis
Need a specific legal basis for processing — consent, contract, legitimate interest, legal obligation, vital interest, public task. Document which.
Purpose limitation
Use data only for the purpose it was collected for. New purposes need new legal basis.
Data minimization
Collect only what you need. Don't hoard data "just in case."
Storage limitation
Keep data only as long as needed. Document retention periods. Delete what's past expiration.
Integrity and confidentiality
Protect data with appropriate technical measures (encryption, access control, etc.).
Accountability
Demonstrate compliance — documentation, records of processing, DPIAs for high-risk processing.

Data Subject Rights

GDPR gives individuals specific rights you must support:

Right of access
"Show me all the data you have about me." Must respond within 30 days.
Right to rectification
"Fix incorrect data."
Right to erasure ("right to be forgotten")
"Delete all my data." Must propagate through every system — including backups, logs, derived data.
Right to restriction
"Stop processing my data while we sort this out."
Right to portability
"Give me my data in a portable format I can move to another service."
Right to object
"Stop using my data for marketing / profiling."

Architectural implications

Data residency
EU data should stay in the EU. Multi-region setup with EU customer data in EU regions only. Region-per-tenant for big customers.
Personal data inventory
Know where every piece of personal data lives. Critical for fulfilling rights requests.
Deletion infrastructure
Tooling that propagates a deletion request through every system. Often a separate service that orchestrates.
Privacy by design
Build privacy into systems from the start — not bolted on. Pseudonymization, encryption, minimal collection.

Breach notification

If you suffer a personal-data breach:

HIPAA — US Healthcare

HIPAA (Health Insurance Portability and Accountability Act) governs Protected Health Information (PHI) in the US. Required if you handle PHI on behalf of healthcare providers, insurers, or related entities.

Security Rule
Specific technical, administrative, and physical safeguards. Encryption (at rest and in transit), access controls, audit logging, contingency planning.
Privacy Rule
Limits on use/disclosure of PHI. Minimum necessary standard.
BAA — Business Associate Agreement
Required contract between covered entities and any service handling PHI. SaaS serving healthcare must offer BAAs.
Breach Notification Rule
Specific procedures and timelines for notifying patients and HHS.

If you serve healthcare customers, AWS, GCP, and Azure all have HIPAA-eligible services and offer BAAs. Use only those services.

PCI DSS — Payment Cards

PCI DSS (Payment Card Industry Data Security Standard) governs handling of cardholder data. Required for any organization processing, storing, or transmitting credit card data.

Tokenization
Replace card numbers with tokens. Original stored in PCI-compliant vault. Application sees only tokens.
Encryption
Card data encrypted at rest and in transit with strong cryptography (AES-256, TLS 1.2+).
Network segmentation
Cardholder data environment (CDE) isolated from rest of infrastructure. Reduces audit scope.
Logging and monitoring
All access to cardholder data logged. Daily log review. File integrity monitoring on critical systems.
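The tokenization split above in code: an added example, not code from this lesson or from any payment processor. TokenVault, tokenize, detokenize and looks_like_pan are hypothetical names; the in-memory dict stands in for the encrypted vault inside the CDE, and the card numbers used are constructed test values.

```python
# Added example (not from the page): names are hypothetical, the dict stands in for an
# encrypted vault inside the CDE, and the PANs in use are constructed test numbers.
import re
import secrets


def luhn_valid(pan):
    """Cheap sanity check so garbage never enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever holds a raw PAN; everything else sees tokens."""

    def __init__(self):
        self._store = {}  # token -> PAN

    def tokenize(self, raw_pan):
        pan = re.sub(r"\D", "", raw_pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_urlsafe(24)  # random: carries no information about the PAN
        self._store[token] = pan
        return {"token": token, "last4": pan[-4:]}  # all the application is allowed to keep

    def detokenize(self, token):
        """Restricted to the payment service inside the CDE; never exposed to the app tier."""
        return self._store[token]


def looks_like_pan(value):
    """Guard for application-side storage: refuse anything that resembles a full PAN."""
    return re.search(r"\d{13,19}", re.sub(r"[ -]", "", value)) is not None
```

Everything outside TokenVault stores only the token and last4, which is what keeps those systems out of PCI scope.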

ISO 27001

International standard for information security management systems (ISMS). Common alongside SOC 2 for international customers.

Risk-based approach
Identify information assets, assess risks, implement controls. Documentation-heavy.
93 controls
Annex A controls covering organizational, people, physical, and technological aspects.
Continual improvement
Plan-Do-Check-Act cycle. Annual surveillance audits, recertification every 3 years.
Strong fit for international
Better recognized internationally than SOC 2. EU and Asia-Pacific customers often prefer it.

CCPA / CPRA — California Privacy

US state-level privacy regulation, modeled loosely on GDPR.

Practically: if you’re GDPR-compliant, CCPA compliance is mostly a documentation exercise.

Practical Compliance Strategy for Early-Stage SaaS

Start with SOC 2 Type II
The most-asked-for. Use Drata/Vanta to manage. Plan 6-9 months from start to first report.
Add GDPR readiness
Privacy notice, cookie consent, data subject rights tooling, EU data residency option for EU customers.
Use payment processors
Stripe / Braintree handle PCI. Don't store card data directly unless you absolutely must.
HIPAA only if needed
Adds significant operational overhead. Only pursue if healthcare is your target market.
ISO 27001 for international
Add when European or Asia-Pacific enterprise customers ask.
Compliance automation
Drata, Vanta, Secureframe, Tugboat Logic. Automate evidence collection from day one.

Architectural Patterns for Compliance

A few patterns that pay for themselves:

Region-per-tenant
Each tenant's data lives in their geographic region. Satisfies data residency for GDPR and emerging regulations.
Data lineage tracking
Know what data is where, derived from what, used for what. Enables impact analysis during audits and incidents.
Centralized deletion service
A service that orchestrates "delete user X" across all systems. Critical for GDPR right to erasure.
Immutable audit logs
Append-only audit trail in S3 with object lock or equivalent. Tamper-evident; auditors love it.
Vendor management
Track all third-party processors. DPAs / BAAs in place. Annual security questionnaires for high-risk vendors.
Continuous compliance monitoring
Drata/Vanta-style automated checks. Catch drift before it's an audit finding.
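The centralized deletion service (this pattern and the GDPR "Deletion infrastructure" item earlier) and the immutable audit log belong together, so this added example, not code from the lesson, shows both: a deletion fanned out to every registered system, with each outcome written to a hash-chained evidence log whose verify() detects any edited, dropped or reordered entry. EvidenceLog and DeletionOrchestrator are hypothetical names, and the in-memory list stands in for an object-locked S3 bucket.

```python
# Added example (not from the page): names are hypothetical; the in-memory entries list
# stands in for an object-locked bucket, and the registered systems are supplied by the caller.
import hashlib
import json

GENESIS = "0" * 64


class EvidenceLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record, "hash": self._digest(prev, record)})

    def verify(self):
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class DeletionOrchestrator:
    """Fans 'delete subject X' out to every registered system and records the outcome."""

    def __init__(self, log):
        self.log = log
        self.systems = {}  # name -> handler(subject_id) -> True if something was removed

    def register(self, name, handler):
        self.systems[name] = handler

    def erase(self, subject_id):
        results = {}
        for name, handler in self.systems.items():
            try:
                results[name] = "deleted" if handler(subject_id) else "not_found"
            except Exception as exc:  # a failing system must be visible, never silently skipped
                results[name] = f"failed: {exc}"
        complete = not any(r.startswith("failed") for r in results.values())
        self.log.append({"subject": subject_id, "results": results, "complete": complete})
        return {"complete": complete, "results": results}
```

An erasure with any failed system is reported as incomplete so it can be retried; the evidence entries are what you hand an auditor for the right-to-erasure control.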

Recap