Enterprise compliance architecture for SOC 2, HIPAA, GDPR, and PCI-DSS regulated systems. Use when designing compliant systems, preparing for audits, or implementing regulatory requirements. Covers compliance checklists, data protection controls, audit evidence collection, and security policies.
February 4, 2026

Install with:

```bash
npx add-skill https://github.com/anton-abyzov/specweave/blob/main/plugins/specweave/skills/compliance-architecture/SKILL.md -a claude-code --skill compliance-architecture
```

Installation path: `.claude/skills/compliance-architecture/`

# Compliance Architecture Expert

I'm a specialist in enterprise compliance architecture across regulated industries. I help you design systems that meet regulatory requirements while maintaining operational efficiency.

## When to Use This Skill

Ask me when you need help with:

- **SOC 2 Type II compliance** for SaaS applications
- **HIPAA compliance** for healthcare data systems
- **GDPR compliance** for European data protection
- **PCI-DSS compliance** for payment card processing
- **Security architecture** for regulated industries
- **Audit preparation** and evidence collection
- **Compliance validation** for serverless/cloud deployments

## My Expertise

### SOC 2 Type II Compliance

**Core Requirements for Serverless**:

1. **Encryption Standards**
   - Encryption at rest: All data in databases, S3, DynamoDB encrypted
   - Encryption in transit: TLS 1.2+ for all API communications
   - Key management: Customer-managed keys (KMS, Key Vault, GCP KMS)
   - Regular key rotation: Annual minimum or per compliance policy

2. **Access Logging and Retention**
   - CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP)
   - Minimum retention: 90 days (24 months recommended)
   - Centralized log aggregation: ELK Stack, Splunk, or cloud-native
   - Immutable audit logs: Write-once storage for compliance evidence
   - Real-time alerting on unauthorized access attempts

3. **Access Controls**
   - Least privilege IAM roles and policies
   - No wildcard (`*`) permissions on sensitive resources
   - Role-based access control (RBAC) by team/department
   - Multi-factor authentication (MFA) for humans
   - Service-to-service authentication via temporary credentials

4. **Change Management**
   - Documented change procedures with approval workflow
   - Separation of duties: Developers, reviewers, approval authority
   - Automated testing in CI/CD before production deployment
   - Change logs with timestamps, author, and justification
   - Rollback procedures documented and
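The encryption, logging and access-control items above are the kind of checks an auditor asks for evidence of. The following is an added example, not part of the specweave skill or any cloud provider's tooling: a small evidence checker that walks a constructed, simplified description of a serverless stack and reports which of those controls are not met. The `SAMPLE_STACK` dictionary, its field names (`kms_key_arn`, `key_age_days`, `min_tls`, `retention_days`, `immutable`, `alerting`) and the role names are assumptions made for illustration; only the IAM policy document shape (`Statement`, `Effect`, `Action`, `Resource`, `Sid`) follows the real AWS policy format.

```python
"""Evidence checks for the SOC 2 serverless controls listed above.

Added example with a constructed stack description; the field names of
the stack dictionary are assumptions, not the output of a real API.
"""
from __future__ import annotations

from typing import Any

MIN_LOG_RETENTION_DAYS = 90   # checklist minimum (24 months recommended)
MIN_TLS_VERSION = (1, 2)      # TLS 1.2+ for all API communications
MAX_KEY_AGE_DAYS = 365        # annual key rotation at minimum


def _as_list(value: Any) -> list[str]:
    """IAM Action/Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_wildcard(entries: list[str]) -> bool:
    """True for '*' or a service-wide 'service:*' entry.

    A trailing '/*' inside a specific bucket or table ARN is left alone:
    that is still scoped to one resource, which least privilege allows.
    """
    return any(e == "*" or e.endswith(":*") for e in entries)


def audit_iam_policy(policy: dict) -> list[str]:
    """Flag Allow statements that grant wildcard actions or resources."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is allowed
        statements = [statements]
    findings: list[str] = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"statement[{i}]"
        if _is_wildcard(_as_list(stmt.get("Action"))):
            findings.append(f"{sid}: wildcard action")
        if _is_wildcard(_as_list(stmt.get("Resource"))):
            findings.append(f"{sid}: wildcard resource")
        if "NotAction" in stmt:               # grants everything not listed
            findings.append(f"{sid}: NotAction used, review scope")
    return findings


def check_encryption(stack: dict) -> list[str]:
    """Encryption at rest with customer-managed keys, rotation, TLS floor."""
    findings: list[str] = []
    for store in stack.get("data_stores", []):
        if not store.get("kms_key_arn"):
            findings.append(f"{store['name']}: no customer-managed KMS key")
        elif store.get("key_age_days", 0) > MAX_KEY_AGE_DAYS:
            findings.append(f"{store['name']}: key not rotated within a year")
    for api in stack.get("apis", []):
        version = tuple(int(p) for p in api["min_tls"].split("."))
        if version < MIN_TLS_VERSION:
            findings.append(f"{api['name']}: minimum TLS {api['min_tls']} below 1.2")
    return findings


def check_audit_logging(stack: dict) -> list[str]:
    """Audit trail enabled, retained long enough, immutable, alerting on."""
    log = stack.get("audit_log", {})
    if not log.get("enabled"):
        return ["audit log (CloudTrail/Activity Log) disabled"]
    findings: list[str] = []
    if log.get("retention_days", 0) < MIN_LOG_RETENTION_DAYS:
        findings.append(f"audit log retention {log.get('retention_days', 0)}d below 90d")
    if not log.get("immutable"):
        findings.append("audit log storage is not write-once")
    if not log.get("alerting"):
        findings.append("no real-time alerting on unauthorized access")
    return findings


def run_checks(stack: dict) -> dict[str, list[str]]:
    """Group findings by control family so they map onto audit evidence."""
    iam = [f"{role['name']}: {f}" for role in stack.get("iam_roles", [])
           for f in audit_iam_policy(role["policy"])]
    return {"encryption": check_encryption(stack),
            "logging": check_audit_logging(stack),
            "iam": iam}


# Constructed sample stack (assumed shape): one compliant and one weak item
# per control family, so every check has something to report.
SAMPLE_STACK = {
    "data_stores": [
        {"name": "orders-table", "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE", "key_age_days": 120},
        {"name": "uploads-bucket", "kms_key_arn": None},
    ],
    "apis": [{"name": "public-api", "min_tls": "1.2"}, {"name": "legacy-api", "min_tls": "1.0"}],
    "audit_log": {"enabled": True, "retention_days": 30, "immutable": False, "alerting": True},
    "iam_roles": [
        {"name": "order-service", "policy": {"Statement": [{"Sid": "ReadOrders", "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"}]}},
        {"name": "debug-role", "policy": {"Statement": {"Sid": "Everything", "Effect": "Allow",
            "Action": "*", "Resource": "*"}}},
    ],
}

if __name__ == "__main__":
    for family, items in run_checks(SAMPLE_STACK).items():
        print(family, "OK" if not items else "")
        for item in items:
            print("  -", item)
```

In practice the stack description would be generated from the provider's configuration exports rather than typed by hand; keeping the checks as pure functions over a plain dictionary is what makes the same code usable both in CI (fail the pipeline on findings) and at audit time (archive the output as evidence alongside the configuration snapshot it was run against).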