You've built a great product. Then legal says "we need SOC 2 before we can close this enterprise deal" or "HIPAA compliance is required to handle patient data." Suddenly you're reading 300-page PDFs full of legalese. This guide cuts through the noise — here's what each compliance framework actually requires from your engineering team, with practical implementation details.
Why Compliance Matters for Developers
Compliance isn't just a checkbox for sales. It's a structured way to prove your software is secure, reliable, and trustworthy. Every framework boils down to the same core questions:
- Who can access what data?
- How is data protected at rest and in transit?
- What happens when something goes wrong?
- Can you prove all of the above with evidence?
The 5 Major Compliance Frameworks
HIPAAHealthcare
SOC 2SaaS / B2B
PCI-DSSPayments
GDPREU Privacy
ISO 27001Global InfoSec
Quick Reference: Which One Do You Need?
Which Compliance Framework Do You Need?
| If You... | HIPAA | SOC 2 | PCI-DSS | GDPR | ISO 27001 |
|---|---|---|---|---|---|
| Handle patient health data (US) | Required | Recommended | - | - | Recommended |
| Sell SaaS to enterprises (B2B) | - | Required | - | If EU users | Bonus |
| Process credit card payments | - | Recommended | Required | - | - |
| Have users in the EU | - | - | - | Required | Helps |
| Sell globally, need trust signal | - | Common | - | If EU | Gold standard |
HIPAA — Healthcare Data Protection
HIPAA (Health Insurance Portability and Accountability Act) protects Protected Health Information (PHI) — any data that can identify a patient and relates to their health, treatment, or payment. If your software touches patient data in the US, you must comply.
What Engineering Must Implement for HIPAA
# HIPAA Technical Safeguards — What your code must do:
# 1. Encryption at Rest
# All PHI stored in databases must be encrypted
# AWS: Enable RDS encryption, S3 SSE-KMS, EBS encryption
aws rds modify-db-instance --db-instance-identifier mydb \
--storage-encrypted --kms-key-id alias/hipaa-key
# 2. Encryption in Transit
# All PHI transmitted must use TLS 1.2+
# Enforce HTTPS on all endpoints, use mTLS between internal services
# 3. Access Controls
# Role-based access — minimum necessary access to PHI
# Example: Django middleware that logs all PHI access
class PHIAccessMiddleware:
def process_view(self, request, view_func, *args, **kwargs):
if hasattr(view_func, 'phi_access'):
AuditLog.objects.create(
user=request.user,
action=f"Accessed PHI: {view_func.__name__}",
ip_address=request.META['REMOTE_ADDR'],
timestamp=timezone.now(),
)
# 4. Audit Logging (REQUIRED — most missed requirement!)
# Log: WHO accessed WHAT data, WHEN, from WHERE
# Retain audit logs for 6 years (HIPAA requirement)
# Use: AWS CloudTrail, Datadog, Splunk
# 5. Automatic Session Timeout
# Inactive sessions must auto-expire (typically 15 min)
SESSION_COOKIE_AGE = 900 # 15 minutes
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
# 6. Unique User IDs
# Every user must have a unique identifier — no shared accounts
# No generic "admin" or "support" accounts allowed
# 7. Emergency Access Procedure
# Break-glass mechanism to access PHI in emergencies
# Must be logged and reviewedHIPAA Engineering Checklist
Encrypt all PHI at rest (AES-256, KMS-managed keys)
Database, file storage, backups, logs containing PHI
Encrypt all PHI in transit (TLS 1.2+)
HTTPS everywhere, mTLS for internal services
Audit logging with 6-year retention
Log every access to PHI: who, what, when, where
Role-based access control (RBAC)
Minimum necessary access — doctors see patients, billing sees invoices
BAA with all vendors
Business Associate Agreement with AWS, Stripe, Twilio — anyone touching PHI
SOC 2 — SaaS Security Standard
SOC 2 (Service Organization Control 2) is the most common compliance requirement for B2B SaaS companies. It's based on 5 Trust Service Criteria:
SOC 2 Trust Service Criteria
SecurityAlways required
AvailabilityUptime SLAs
ProcessingData accuracy
ConfidentialityData protection
PrivacyPII handling
# SOC 2 Security Controls — What auditors check:
# 1. Infrastructure as Code (auditors LOVE this)
# All infra defined in Terraform/Pulumi — changes are tracked in git
# No manual console clicks — everything is reproducible and auditable
# 2. CI/CD Pipeline Security
# - Code reviews required (branch protection rules)
# - Automated tests in CI
# - Dependency vulnerability scanning (Snyk, Dependabot)
# - No direct pushes to main/production
# 3. Monitoring & Alerting
# - Uptime monitoring (PagerDuty, Datadog, CloudWatch)
# - Error tracking (Sentry)
# - Infrastructure monitoring (CPU, memory, disk alerts)
# - Security event alerting (failed logins, permission changes)
# 4. Incident Response Plan (must be documented)
# - How incidents are detected
# - Severity classification (P1/P2/P3)
# - Communication plan (who gets paged, stakeholder updates)
# - Post-mortem process (blameless, with action items)
# 5. Access Reviews (quarterly)
# - List all users with access to production
# - Verify each one still needs it
# - Remove access for departed employees within 24 hours
# - Document the review with screenshots/exports
# 6. Change Management
# - All production changes go through PRs
# - PRs require approval from someone other than the author
# - Deployments are logged with who, what, when
# - Rollback plan documented for each deployPCI-DSS — Payment Card Security
PCI-DSS (Payment Card Industry Data Security Standard) applies if your system processes, stores, or transmits credit card numbers. The simplest way to achieve PCI compliance: don't handle card data yourself.
PCI-DSS Strategy: Minimize Your Scope
🚫 Don't Do This
Store card numbers in your database
Log card data anywhere
Pass card numbers through your API
Full PCI audit needed (300+ requirements)
VS
✅ Do This Instead
Use Stripe/Braintree tokenization
Stripe.js collects card client-side
Your server only sees tokens (tok_xxx)
SAQ-A: only 22 requirements!
# PCI-Compliant payment flow using Stripe:
# Frontend (React/Angular) — card data NEVER touches your server
# <script src="https://js.stripe.com/v3/"></script>
# const stripe = Stripe('pk_live_xxx');
# const {token} = await stripe.createToken(cardElement);
# // Send token.id to your server (NOT card numbers!)
# Backend (Python) — only handles tokens
import stripe
stripe.api_key = "sk_live_xxx" # Store in environment variable!
def create_charge(token_id, amount):
"""Charge a card using a Stripe token — PCI compliant."""
charge = stripe.PaymentIntent.create(
amount=amount,
currency="usd",
payment_method=token_id,
confirm=True,
)
# You NEVER see the card number. Stripe handles everything.
return charge
# What you MUST still do for PCI (even with Stripe):
# 1. Use HTTPS on all pages (especially payment pages)
# 2. Don't log any card-related data
# 3. Keep Stripe.js loaded from stripe.com (not self-hosted)
# 4. Complete SAQ-A questionnaire annually
# 5. Quarterly network vulnerability scan (ASV scan)GDPR — EU Data Privacy
GDPR (General Data Protection Regulation) applies to ANY company processing data of EU residents — even if you're based in the US. It gives users rights over their personal data and imposes strict requirements on how you handle it.
GDPR User Rights (You Must Implement These)
GDPR User Rights Your App Must Support
| Right | What It Means | Implementation |
|---|---|---|
| Right to Access | User can request all their data | API: GET /api/me/data-export |
| Right to Deletion | User can request account deletion | API: DELETE /api/me (+ cascade) |
| Right to Rectification | User can correct their data | API: PATCH /api/me/profile |
| Right to Portability | User can download in machine-readable format | JSON/CSV export endpoint |
| Right to Object | User can opt out of processing | Marketing consent toggle |
| Right to be Forgotten | Delete from ALL systems including backups | Hardest to implement |
# GDPR Implementation Examples:
# 1. Data Export (Right to Access / Portability)
@app.route("/api/me/data-export")
@login_required
def export_my_data():
user = current_user
data = {
"profile": {
"name": user.name,
"email": user.email,
"created_at": user.created_at.isoformat(),
},
"orders": [
{"id": o.id, "total": o.total, "date": o.date.isoformat()}
for o in user.orders
],
"activity_log": [
{"action": l.action, "timestamp": l.timestamp.isoformat()}
for l in user.activity_logs
],
}
return jsonify(data)
# Must respond within 30 days (GDPR requirement)
# 2. Account Deletion (Right to Deletion / Right to be Forgotten)
@app.route("/api/me", methods=["DELETE"])
@login_required
def delete_my_account():
user = current_user
# Anonymize data we must keep (for legal/tax reasons)
for order in user.orders:
order.customer_name = "DELETED"
order.customer_email = "deleted@anonymized.local"
# Delete everything else
ActivityLog.query.filter_by(user_id=user.id).delete()
UserPreference.query.filter_by(user_id=user.id).delete()
# Delete the user account
db.session.delete(user)
db.session.commit()
# Also: remove from email lists, analytics, backups (schedule)
remove_from_mailchimp(user.email)
schedule_backup_purge(user.id) # Remove from next backup cycle
return jsonify({"message": "Account deleted"}), 200
# 3. Consent Management
# GDPR requires EXPLICIT consent for data processing
# Pre-checked checkboxes are NOT valid consent!
class ConsentRecord(db.Model):
id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(db.Integer, db.ForeignKey('user.id'))
consent_type = db.Column(db.String) # "marketing", "analytics", "cookies"
granted = db.Column(db.Boolean)
timestamp = db.Column(db.DateTime)
ip_address = db.Column(db.String)
# Store the EXACT text the user agreed to
consent_text = db.Column(db.Text)
# 4. Cookie Banner (Required for EU users)
# Must offer: Accept All / Reject All / Customize
# Must NOT track anything before consent is given
# Google Analytics should NOT fire until user clicks "Accept"ISO 27001 — Information Security Management
ISO 27001 is the international gold standard for information security. It's a management system — less about specific technical controls and more about having a structured process for identifying and managing security risks.
# ISO 27001 requires an ISMS (Information Security Management System):
# 1. Risk Assessment (the core of ISO 27001)
# - Identify all information assets (databases, servers, code repos)
# - Identify threats to each asset (hack, outage, insider threat)
# - Rate: likelihood x impact = risk score
# - Decide: mitigate, accept, transfer (insurance), or avoid
# 2. Statement of Applicability (SoA)
# - List all 93 controls from Annex A
# - For each: applicable? implemented? how?
# - Example controls:
# A.8.2 Privileged access rights (who has admin?)
# A.8.9 Configuration management (is infra versioned?)
# A.8.15 Logging (are actions logged?)
# A.8.24 Use of cryptography (is data encrypted?)
# 3. Policies You'll Need to Write:
# - Information Security Policy (umbrella document)
# - Access Control Policy
# - Acceptable Use Policy
# - Incident Response Policy
# - Business Continuity / Disaster Recovery Plan
# - Data Classification Policy (public, internal, confidential, restricted)
# - Vendor/Supplier Security Policy
# 4. Evidence Collection
# - Screenshot of branch protection rules
# - Export of access review spreadsheet
# - Incident response test results
# - Penetration test report
# - Vulnerability scan results
# - Employee security training completion recordsThe Common Technical Controls (Shared Across All Frameworks)
Here's the good news: there's massive overlap between frameworks. Implement these once, satisfy all five:
Universal Technical Controls
Encryption: TLS 1.2+ in transit, AES-256 at rest, KMS for key managementRequired by: HIPAA, SOC 2, PCI-DSS, GDPR, ISO 27001
Access Control: SSO, MFA, RBAC, least privilege, quarterly access reviewsRequired by: HIPAA, SOC 2, PCI-DSS, GDPR, ISO 27001
Audit Logging: Centralized logs, tamper-proof, 1-6 year retentionRequired by: HIPAA (6yr), SOC 2, PCI-DSS (1yr), GDPR, ISO 27001
Incident Response: Documented plan, tested annually, 72hr breach notificationRequired by: HIPAA (60 days), SOC 2, PCI-DSS, GDPR (72 hours!), ISO 27001
Vulnerability Management: Dependency scanning, pen testing, patching SLARequired by: SOC 2, PCI-DSS (quarterly ASV scan), ISO 27001
Backup & Recovery: Automated backups, tested restores, RTO/RPO definedRequired by: HIPAA, SOC 2, PCI-DSS, ISO 27001
Compliance-as-Code: Automate Everything
# Modern compliance is automated, not manual. Key tools:
# 1. Infrastructure as Code (Terraform)
# Every server, database, and network rule is version-controlled
# Auditors can see: who changed what, when, and why (via git history)
# 2. Policy as Code (Open Policy Agent / Sentinel)
# Automatically reject non-compliant deployments
# Example: OPA policy that blocks unencrypted S3 buckets
package aws.s3
deny[msg] {
input.resource.aws_s3_bucket[name].server_side_encryption_configuration == null
msg := sprintf("S3 bucket '%v' must have encryption enabled", [name])
}
# 3. Automated Evidence Collection
# Tools: Vanta, Drata, Secureframe
# They continuously pull evidence from AWS, GitHub, Okta, Jira
# and map it to SOC 2 / ISO 27001 / HIPAA controls automatically
# 4. Security Scanning in CI/CD
# - SAST: Semgrep, CodeQL (find vulnerabilities in your code)
# - SCA: Snyk, Dependabot (find vulnerable dependencies)
# - DAST: OWASP ZAP (find runtime vulnerabilities)
# - Secret scanning: GitLeaks, TruffleHog (find leaked credentials)
# 5. Continuous Monitoring
# - AWS Config Rules (detect non-compliant resources)
# - GuardDuty (threat detection)
# - CloudTrail (API audit logging)
# - SecurityHub (compliance dashboard)Compliance Penalties
Non-Compliance Penalties
| Framework | Max Penalty | Notable Fine |
|---|---|---|
| HIPAA | Up to \$1.9M per violation category/year | Anthem: \$16M (2018) |
| SOC 2 | No direct fine — but lose enterprise deals | Revenue loss from failed audits |
| PCI-DSS | \$5K-\$100K/month until compliant | Target: \$162M (2013 breach) |
| GDPR | 4% of global revenue or EUR 20M | Meta: EUR 1.2B (2023) |
| ISO 27001 | No direct fine — certification revoked | Lost contracts, trust damage |
Getting Started: Practical Roadmap
Your Compliance Implementation Roadmap
AssessGap analysis
→
PoliciesWrite documents
→
ImplementTechnical controls
→
EvidenceCollect proof
→
AuditPass certification
Compliance is not a one-time project — it's a continuous process. The best engineering teams build compliance into their development workflow: infrastructure as code, automated evidence collection, security scanning in CI/CD, and regular access reviews. Start with the framework your customers require, implement the universal controls first, and expand from there. The overlap between frameworks means your second certification is always easier than your first.