Compliance Framework

Compliance Framework Document

Project: {{PROJECT_NAME}}
Version: {{VERSION}}
Date: {{DATE}}
Author: {{AUTHOR}}
Status: Draft | In Review | Approved
Reviewers: {{REVIEWERS}}
Classification: Confidential

Document History

| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1 | {{DATE}} | {{AUTHOR}} | Initial draft |

1. Applicable Regulations

| Regulation | Applicability | Effective Date | Certification Target |
|---|---|---|---|
| GDPR | Yes — processes EU personal data | May 25, 2018 | Compliance (not certified) |
| PCI DSS v4.0 | {{YES/NO}} — {{REASON}} | {{DATE}} | SAQ-{{LEVEL}} / ROC |
| SOC 2 Type II | {{YES/NO}} | {{DATE}} | Annual report |
| ISO 27001:2022 | {{YES/NO}} | {{DATE}} | Certification by {{DATE}} |
| HIPAA | {{YES/NO}} — {{REASON}} | | |
| NIS2 | {{YES/NO}} — EU critical/important entity | Oct 17, 2024 (national transposition deadline) | |
| {{LOCAL_REGULATION}} | {{YES/NO}} | | |

Compliance Owner: {{NAME}} ({{ROLE}}, {{EMAIL}})
External Auditor: {{AUDITOR_FIRM}}
Last Audit: {{DATE}} | Next Audit: {{DATE}}


2. GDPR Compliance

2.1 Requirements Summary

| Article | Requirement | Our Implementation |
|---|---|---|
| Art. 5 | Data minimization, purpose limitation | Collect only necessary fields; documented purposes |
| Art. 6 | Lawful basis for processing | See §2.2 |
| Art. 7 | Consent must be specific, informed, unambiguous | Consent management system — see §2.3 |
| Art. 13/14 | Privacy notice at point of collection | Privacy policy linked at registration + data collection |
| Art. 17 | Right to erasure | DELETE /api/users/me → anonymization job |
| Art. 20 | Right to data portability | Data export feature — JSON/CSV format |
| Art. 25 | Privacy by design and default | PbD review required for new features |
| Art. 32 | Appropriate security measures | See security-architecture.md |
| Art. 33 | Breach notification to supervisory authority within 72 hours of becoming aware | Breach response plan — see data-breach-response-plan.md |
| Art. 34 | Communication to data subjects | Templates in breach response plan |
| Art. 35 | DPIA for high-risk processing | DPIA required — see data-protection-impact-assessment.md |
| Art. 37 | DPO designation | {{DPO_NAME}} — {{DPO_EMAIL}} |
| Art. 44 | Cross-border transfers | SCCs in place — see §7 |

2.2 Lawful Basis Inventory

| Processing Activity | Lawful Basis | Legal Basis Document | Retention |
|---|---|---|---|
| Account creation and management | Contract (Art. 6.1.b) | Terms of Service | Account lifetime + 2 years |
| Service delivery | Contract (Art. 6.1.b) | Terms of Service | Account lifetime + 2 years |
| Marketing emails | Consent (Art. 6.1.a) | Consent record in DB | Until consent withdrawn |
| Security logging | Legitimate interest (Art. 6.1.f) | LIA documented | 1 year |
| Analytics | Legitimate interest (Art. 6.1.f) | LIA documented; data anonymized after collection | 2 years |
| Legal obligations | Legal obligation (Art. 6.1.c) | {{REGULATION}} | {{PERIOD}} |

2.3 Controls Mapping

| Control | Requirement | Evidence |
|---|---|---|
| Privacy policy | Art. 13/14 | Published at {{URL}}, version-controlled |
| Cookie consent | ePrivacy + Art. 7 | Consent management tool: {{TOOL}} |
| Right to erasure endpoint | Art. 17 | DELETE /api/users/me → anonymize job |
| Data export endpoint | Art. 20 | GET /api/users/me/export → JSON/CSV |
| DPIA process | Art. 35 | Process doc + DPIA template |
| Breach response plan | Art. 33 | data-breach-response-plan.md |
| DPO contact | Art. 37 | dpo@{{DOMAIN}} — {{DPO_NAME}} |
| Data processing records | Art. 30 | This document + DPIA register |
| Processor agreements | Art. 28 | DPAs with all processors |

2.4 Data Subject Rights — Implementation

| Right | Endpoint / Process | SLA | Automated? |
|---|---|---|---|
| Access (Subject Access Request) | GET /api/users/me/data-export | 30 days | Partial |
| Rectification | PATCH /api/users/me | Immediate | Yes |
| Erasure | DELETE /api/users/me → anonymize | 30 days | Yes |
| Portability | GET /api/users/me/export?format=json | Immediate | Yes |
| Restriction of processing | POST /api/users/me/restrict → flag | 30 days | Partial |
| Objection to processing | Support request → manual review | 30 days | No |
| Automated decision making (Art. 22) | N/A — no automated decisions with legal effect | N/A | N/A |
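The erasure, portability and access rows above describe three endpoints but not how the anonymization job reconciles erasure with the retention rules in §2.2 (orders kept under a legal obligation, security logs kept for one year under legitimate interest). The following is an added example, not code from this template or from any system it references: it applies those rules to an in-memory store that stands in for the application database and writes an accountability record for each request. The record types, the HMAC-keyed pseudonym, the `example.invalid` replacement address and the constructed sample rows are assumptions for illustration.

```python
"""Added example: Art. 17 erasure as an anonymization job, plus Art. 20 / Art. 15
exports, over a constructed in-memory store (not this template's own code)."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone

SECURITY_LOG_RETENTION = timedelta(days=365)        # §2.2: security logging, 1 year
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)    # fixed clock so runs are reproducible


@dataclass
class User:
    id: int
    email: str
    name: str
    marketing_consent: bool          # Art. 6(1)(a); withdrawn together with the account
    erased_at: datetime | None = None


@dataclass
class Order:                         # kept under Art. 6(1)(c) legal obligation (assumed: accounting)
    id: int
    user_id: int
    amount_cents: int
    shipping_address: str            # free-text PII inside a retained record: scrubbed on erasure


@dataclass
class SecurityEvent:                 # kept for SECURITY_LOG_RETENTION under Art. 6(1)(f)
    user_id: int
    at: datetime
    source_ip: str
    action: str


@dataclass
class Store:
    users: dict[int, User] = field(default_factory=dict)
    orders: list[Order] = field(default_factory=list)
    events: list[SecurityEvent] = field(default_factory=list)
    dsr_ledger: list[dict] = field(default_factory=list)   # accountability record, Art. 5(2)


def make_sample_store() -> Store:
    """Constructed sample data (not real users)."""
    s = Store()
    s.users[1] = User(1, "alice@example.com", "Alice Example", True)
    s.users[2] = User(2, "bob@example.com", "Bob Example", False)
    s.orders += [Order(100, 1, 4999, "1 Main St, Dublin"), Order(101, 2, 1500, "2 High St, Cork")]
    s.events += [
        SecurityEvent(1, NOW - timedelta(days=10), "198.51.100.7", "login"),
        SecurityEvent(1, NOW - timedelta(days=400), "198.51.100.7", "login"),   # outside retention
        SecurityEvent(2, NOW - timedelta(days=3), "203.0.113.9", "login"),
    ]
    return s


def pseudonym(user_id: int, key: bytes) -> str:
    """Keyed pseudonym: retained records stay linkable for audit, but re-identification
    needs a key held outside the application database (assumed: by the DPO/ops)."""
    return hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()[:16]


def erase_user(store: Store, user_id: int, key: bytes, now: datetime = NOW) -> dict:
    """DELETE /api/users/me. Data still covered by another lawful basis is retained
    and minimised; every exception is written to the DSR ledger as the receipt."""
    user = store.users[user_id]
    tag = pseudonym(user_id, key)
    user.email = f"erased-{tag}@example.invalid"    # RFC 2606 reserved TLD, never deliverable
    user.name = ""
    user.marketing_consent = False
    user.erased_at = now
    kept_orders = 0
    for order in store.orders:
        if order.user_id == user_id:
            order.shipping_address = ""              # keep the financial record, drop the PII
            kept_orders += 1
    cutoff = now - SECURITY_LOG_RETENTION
    store.events = [e for e in store.events if e.user_id != user_id or e.at >= cutoff]
    kept_events = sum(1 for e in store.events if e.user_id == user_id)
    receipt = {
        "request": "erasure",
        "subject": tag,                              # never the raw id or e-mail in the ledger
        "completed_at": now.isoformat(),
        "retained": {
            "orders": {"count": kept_orders, "basis": "Art. 6(1)(c) legal obligation"},
            "security_events": {"count": kept_events, "basis": "Art. 6(1)(f), 1-year window"},
        },
    }
    store.dsr_ledger.append(receipt)
    return receipt


def export_user(store: Store, user_id: int, scope: str = "portability") -> str:
    """scope='portability' = GET /api/users/me/export (Art. 20: data the subject provided
    under contract/consent); scope='access' = GET /api/users/me/data-export (Art. 15:
    everything held, including legitimate-interest logs and the purposes)."""
    if scope not in ("portability", "access"):
        raise ValueError("scope must be 'portability' or 'access'")
    u = store.users[user_id]
    out: dict = {
        "profile": {"email": u.email, "name": u.name, "marketing_consent": u.marketing_consent},
        "orders": [asdict(o) for o in store.orders if o.user_id == user_id],
    }
    if scope == "access":
        out["security_events"] = [
            {"at": e.at.isoformat(), "source_ip": e.source_ip, "action": e.action}
            for e in store.events if e.user_id == user_id
        ]
        out["purposes"] = ["service delivery (contract)", "security logging (legitimate interest)"]
    return json.dumps(out, indent=2)


if __name__ == "__main__":
    store = make_sample_store()
    print(json.dumps(erase_user(store, 1, b"dpo-held-pseudonym-key"), indent=2))
    print(export_user(store, 2, scope="access"))
```

The distinction between the two export scopes is the one the table draws between "Access" (partially automated) and "Portability" (fully automated): Art. 20 covers only what the subject provided and what is processed under contract or consent, while an Art. 15 response must also list legitimate-interest data and the purposes, which is why the SAR endpoint usually needs a human to complete it.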

3. PCI-DSS Compliance (if applicable)

3.1 Cardholder Data Environment (CDE) Scope

Approach: {{FULL_CDE / OUTSOURCE_TO_PROVIDER}}

Payment provider: {{PAYMENT_PROVIDER}} — tokenizes card data before transmission, so card data never reaches our systems
CDE systems in scope: {{NONE / LIST_SYSTEMS}}
SAQ level: SAQ A (payment page delivered entirely by the provider via redirect or iframe; no card data touches our systems) | SAQ A-EP (our web server influences how card data is captured, e.g. a merchant-hosted form posting directly to the provider) | SAQ D (full scope)

Scoping check: SAQ A eligibility depends on the payment page being served by the provider. If any element served from our infrastructure can affect the payment page, the assessment moves to SAQ A-EP, and the scope decision should be re-validated whenever the checkout integration changes.

3.2 PCI-DSS Requirements Matrix

| Requirement | Description | Our Control | Status |
|---|---|---|---|
| 1 | Network security controls | VPC + security groups + WAF | |
| 2 | Secure configurations | Hardened AMIs + IaC | |
| 3 | Protect stored account data | Tokenization (provider handles) | |
| 4 | Protect cardholder data in transit | TLS 1.3 everywhere | |
| 5 | Protect against malware | Endpoint protection + container scanning | |
| 6 | Secure systems and software | SAST + SCA + patch management | |
| 7 | Restrict access by business need | RBAC + least privilege | |
| 8 | User identification and authentication | MFA required for CDE access | |
| 9 | Restrict physical access | Cloud provider responsibility (evidenced by the provider's PCI AOC and shared-responsibility matrix) | N/A |
| 10 | Log and monitor access | SIEM + audit logs | |
| 11 | Security testing | Quarterly ASV scans + annual pen test | |
| 12 | Organizational policies | This document + security policies | |

4. SOC 2 Type II Compliance

4.1 Trust Service Criteria Coverage

| TSC | Criteria | Our Controls | Evidence |
|---|---|---|---|
| CC1: Control Environment | Organizational structure, accountability | Policies + training records | {{EVIDENCE_LOCATION}} |
| CC2: Communication | Internal/external communication | Policy docs + security awareness | {{EVIDENCE_LOCATION}} |
| CC3: Risk Assessment | Risk identification and analysis | Risk register + quarterly review | {{EVIDENCE_LOCATION}} |
| CC4: Monitoring | Monitoring controls | SIEM + dashboards + alerting | {{EVIDENCE_LOCATION}} |
| CC5: Control Activities | Security controls implemented | See security-architecture.md | {{EVIDENCE_LOCATION}} |
| CC6: Logical Access | Access control | RBAC + MFA + access reviews | {{EVIDENCE_LOCATION}} |
| CC7: System Operations | System monitoring and incident mgmt | Runbooks + incident process | {{EVIDENCE_LOCATION}} |
| CC8: Change Management | Change control process | PR review + deployment pipeline | {{EVIDENCE_LOCATION}} |
| CC9: Risk Mitigation | Risk mitigation | Vendor review + insurance | {{EVIDENCE_LOCATION}} |
| A1: Availability | System availability | SLA + redundancy | {{EVIDENCE_LOCATION}} |
| C1: Confidentiality | Data confidentiality | Encryption + access control | {{EVIDENCE_LOCATION}} |
| P1-P8: Privacy | Privacy practices (if in scope) | GDPR controls + privacy policy | {{EVIDENCE_LOCATION}} |

5. Data Classification Scheme

| Level | Label | Description | Examples | Controls Required |
|---|---|---|---|---|
| L1 | Public | Intended for public access | Marketing content, public docs | None |
| L2 | Internal | Internal use only, low sensitivity | Internal wikis, non-PII analytics | Access control |
| L3 | Confidential | Sensitive business or personal data | User PII, contracts, financial data | Encryption + access control + logging |
| L4 | Restricted | Highest sensitivity, regulatory implications | Payment data, health data, credentials, secrets | Field-level encryption + MFA + strict access + audit |

Data labeling: every API response that returns L3/L4 data carries an X-Data-Classification header stating the level, so gateways, logging and DLP controls can apply the matching row of the table above.
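The labeling rule above says which responses must carry the header but not how the level is determined or what the header is used to enforce. The following is an added example, not code from this template or from any system it references: it derives the level from the field names in a JSON body, attaches `X-Data-Classification` for L3/L4 as the rule requires, and enforces the "Controls Required" column (logging for L3, MFA for L4) before the body is released. The field registry, the default of L2 for an authenticated API response, the session shape and the `Cache-Control: no-store` addition are assumptions; a production deployment would take the classification from the data inventory rather than infer it from key names.

```python
"""Added example: deriving and enforcing the X-Data-Classification header
from §5 on a JSON API response (not this template's own code)."""
from __future__ import annotations

import json
from typing import Any

# Assumed field-name registry mapped to the §5 levels. Key-name matching is a
# heuristic floor, not a substitute for a maintained data inventory.
L4_FIELDS = {"card_number", "cvv", "ssn", "password", "password_hash", "api_key", "diagnosis"}
L3_FIELDS = {"email", "name", "phone", "address", "date_of_birth", "contract_value"}
LEVELS = ["L1", "L2", "L3", "L4"]


def classify(payload: Any, default: str = "L2") -> str:
    """Walk a JSON-like value (dicts/lists, any depth) and return the highest
    level of any field it carries. Assumed default: an API response is L2."""
    level = default
    stack = [payload]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                k = key.lower()
                if k in L4_FIELDS:
                    return "L4"                       # nothing outranks L4, stop early
                if k in L3_FIELDS and LEVELS.index(level) < LEVELS.index("L3"):
                    level = "L3"
                stack.append(value)
        elif isinstance(node, list):
            stack.extend(node)
    return level


def check_access(level: str, session: dict) -> None:
    """Enforce the 'Controls Required' column: L3 needs an authenticated
    principal, L4 additionally needs MFA on the session (assumed session keys)."""
    if level in ("L3", "L4") and not session.get("principal"):
        raise PermissionError(f"authentication required for {level} data")
    if level == "L4" and not session.get("mfa"):
        raise PermissionError("MFA required for L4 data")


def serve(path: str, body: dict, session: dict, audit_log: list[dict]) -> tuple[int, dict[str, str], str]:
    """Classify the body, enforce access, label the response and write the
    audit entry that §5 requires for L3/L4. Returns (status, headers, body)."""
    level = classify(body)
    try:
        check_access(level, session)
    except PermissionError as exc:
        audit_log.append({"path": path, "principal": session.get("principal"),
                          "classification": level, "outcome": "denied"})
        return 403, {"Content-Type": "application/json"}, json.dumps({"error": str(exc)})
    headers = {"Content-Type": "application/json"}
    if level in ("L3", "L4"):
        headers["X-Data-Classification"] = level
        headers["Cache-Control"] = "no-store"        # PII/secrets must not land in a proxy or CDN cache
        audit_log.append({"path": path, "principal": session["principal"],
                          "classification": level, "outcome": "served"})
    return 200, headers, json.dumps(body)


if __name__ == "__main__":
    log: list[dict] = []
    print(serve("/api/users/me", {"id": 7, "email": "alice@example.com"}, {"principal": "u7"}, log))
    print(serve("/api/keys", {"api_key": "k"}, {"principal": "u7"}, log))
    print(log)
```

Denied requests are logged as well as served ones: an L4 fetch attempted without MFA is exactly the event the quarterly access review in §8 wants to see.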



7. Cross-Border Data Transfer Compliance

| Transfer | From | To | Legal Mechanism | DPA Signed | Reference |
|---|---|---|---|---|---|
| {{TRANSFER_1}} | EEA | US | SCCs (Commission Decision 2021/914) + transfer impact assessment | Yes — {{DATE}} | {{DOC_REF}} |
| {{TRANSFER_2}} | EEA | UK | Adequacy decision (no transfer tool needed; an Art. 28 DPA is still required if the recipient is a processor) | {{YES/NO}} | ICO guidance |
| {{TRANSFER_3}} | EEA | {{COUNTRY}} | {{MECHANISM}} | {{YES/NO}} | {{DOC_REF}} |

Third-party processor agreements: All processors handling EU personal data have executed a Data Processing Agreement (DPA) compliant with GDPR Art. 28.
Registry: {{DPA_REGISTRY_LOCATION}}


8. Audit Schedule & Methodology

| Audit Type | Frequency | Scope | Owner | Last Done | Next Due |
|---|---|---|---|---|---|
| Internal access review | Quarterly | All user accounts + permissions | Security team | {{DATE}} | {{DATE}} |
| Vulnerability assessment | Quarterly | External attack surface | Security team / external | {{DATE}} | {{DATE}} |
| Penetration test | Annual | Full scope | External firm | {{DATE}} | {{DATE}} |
| Third-party risk review | Annual | All critical vendors | Compliance team | {{DATE}} | {{DATE}} |
| Business continuity drill | Annual | DR/BCP scenarios | Operations | {{DATE}} | {{DATE}} |
| SOC 2 audit | Annual | Full TSC | External auditor | {{DATE}} | {{DATE}} |
| GDPR compliance review | Annual | All processing activities | DPO | {{DATE}} | {{DATE}} |

9. Compliance Training Requirements

| Training | Audience | Frequency | Format | Completion Tracking |
|---|---|---|---|---|
| Security awareness | All staff | Annual + onboarding | Online ({{PLATFORM}}) | {{TRACKING_TOOL}} |
| GDPR fundamentals | All staff handling personal data | Annual | Online | {{TRACKING_TOOL}} |
| Secure coding | Engineering | Annual | Workshop + online | {{TRACKING_TOOL}} |
| Incident response | Engineering + Management | Annual | Tabletop exercise | Manual log |
| PCI-DSS (if applicable) | CDE team | Annual | Online | {{TRACKING_TOOL}} |

10. Third-Party Compliance Requirements

10.1 Vendor Risk Tiers

| Tier | Definition | Review Frequency | Requirements |
|---|---|---|---|
| Critical | Access to production data or systems | Annual | SOC 2 Type II + DPA + pen test report |
| High | Process personal data, no production access | Annual | SOC 2 Type II or ISO 27001 + DPA |
| Medium | Business tools, no personal data | Biennial | Security questionnaire |
| Low | Non-sensitive tools | Risk-based | Self-assessment |

10.2 Critical Vendor Compliance Register

| Vendor | Service | Tier | Last Review | Certifications | DPA Signed |
|---|---|---|---|---|---|
| {{VENDOR_1}} | {{SERVICE}} | Critical | {{DATE}} | SOC 2 Type II, ISO 27001 | Yes |
| {{VENDOR_2}} | {{SERVICE}} | High | {{DATE}} | SOC 2 Type II | Yes |
| {{CLOUD_PROVIDER}} | Infrastructure | Critical | {{DATE}} | SOC 2 Type II, ISO 27001, PCI-DSS | Yes |

11. Compliance Monitoring Dashboard

Dashboard location: {{DASHBOARD_URL}}
Refresh frequency: Daily

| Metric | Target | Alert Threshold |
|---|---|---|
| Open Critical compliance issues | 0 | > 0 |
| Access review completion (quarterly) | 100% | < 95% |
| Training completion rate | > 95% | < 90% |
| Vendors with expired certifications | 0 | > 0 |
| Overdue DPIA reviews | 0 | > 0 |
| Unresolved data subject requests (> 25 days) | 0 | > 0 |
| Incidents without post-mortem (> 5 days) | 0 | > 0 |

Approval

| Role | Name | Date | Signature |
|---|---|---|---|
| Author | | | |
| DPO | | | |
| CISO | | | |
| Legal Counsel | | | |
| CEO / Management | | | |