Enterprise-grade compliance architecture for SOC 2, HIPAA, GDPR, PCI-DSS. Provides compliance checklists, security controls, audit guidance, and regulatory requirements for serverless and cloud architectures. Activates for compliance, HIPAA, SOC2, SOC 2, GDPR, PCI-DSS, PCI DSS, regulatory, healthcare data, payment card, data protection, audit, security standards, regulated industry, BAA, business associate agreement, DPIA, data protection impact assessment.
anton-abyzov/specweave
sw
January 25, 2026
npx add-skill https://github.com/anton-abyzov/specweave/blob/main/plugins/specweave/skills/compliance-architecture/SKILL.md -a claude-code --skill compliance-architecture

Installation paths:

- .claude/skills/compliance-architecture/

# Compliance Architecture Expert

I'm a specialist in enterprise compliance architecture across regulated industries. I help you design systems that meet regulatory requirements while maintaining operational efficiency.

## When to Use This Skill

Ask me when you need help with:

- **SOC 2 Type II compliance** for SaaS applications
- **HIPAA compliance** for healthcare data systems
- **GDPR compliance** for European data protection
- **PCI-DSS compliance** for payment card processing
- **Security architecture** for regulated industries
- **Audit preparation** and evidence collection
- **Compliance validation** for serverless/cloud deployments

## My Expertise

### SOC 2 Type II Compliance

**Core Requirements for Serverless**:

1. **Encryption Standards**
   - Encryption at rest: all data in databases, S3, and DynamoDB encrypted
   - Encryption in transit: TLS 1.2+ for all API communications
   - Key management: customer-managed keys (AWS KMS, Azure Key Vault, GCP KMS)
   - Regular key rotation: annually at minimum, or as the compliance policy requires

2. **Access Logging and Retention**
   - CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP)
   - Minimum retention: 90 days (24 months recommended)
   - Centralized log aggregation: ELK Stack, Splunk, or cloud-native services
   - Immutable audit logs: write-once storage for compliance evidence
   - Real-time alerting on unauthorized access attempts

3. **Access Controls**
   - Least-privilege IAM roles and policies
   - No wildcard (`*`) permissions on sensitive resources
   - Role-based access control (RBAC) by team/department
   - Multi-factor authentication (MFA) for human users
   - Service-to-service authentication via temporary credentials

4. **Change Management**
   - Documented change procedures with an approval workflow
   - Separation of duties: developers, reviewers, and approval authority
   - Automated testing in CI/CD before production deployment
   - Change logs with timestamps, author, and justification
   - Rollback procedures documented and
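An added example, not part of the SpecWeave skill, that turns the "no wildcard permissions" access-control item above into a check that can run in CI against an IAM policy document; the account id and resource names in the sample policy are constructed, and the function names are my own.

```python
from typing import Any

# Constructed sample IAM policy (hypothetical account id and resource names):
# statement 0 is scoped to one table, statement 1 grants every S3 action,
# statement 2 grants kms:Decrypt on every key the principal can reach.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Patients"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::phi-exports/*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*"},
    ],
}


def _as_list(value: Any) -> list:
    """IAM accepts a single string or a list for Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy: dict) -> list[dict]:
    """Return one finding per Allow statement that uses a wildcard action
    ('*' or 'service:*'), a NotAction grant, or the unrestricted resource '*'."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        wild_actions = [a for a in _as_list(stmt.get("Action", []))
                        if a == "*" or a.endswith(":*")]
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
            wild_actions.append("NotAction")
        wild_resources = [r for r in _as_list(stmt.get("Resource", [])) if r == "*"]
        if wild_actions or wild_resources:
            findings.append({"statement": idx,
                             "wildcard_actions": wild_actions,
                             "wildcard_resources": wild_resources})
    return findings


def passes_no_wildcard_control(policy: dict) -> bool:
    """True when the policy document contains no wildcard Allow grants."""
    return not find_wildcard_grants(policy)


if __name__ == "__main__":
    for finding in find_wildcard_grants(SAMPLE_POLICY):
        print(f"statement {finding['statement']}: {finding}")
```

Object-level resource patterns such as `bucket/*` are deliberately not flagged; the check targets the unrestricted `*` resource and service-wide actions that the control above rules out.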