Compliance frameworks (index)

Purpose: Index of framework-specific guides for digital product compliance — privacy, accessibility, sector regulation, AI, and assurance schemes. Each guide summarizes scope, control themes, engineering implications…

Audience: Teams using the Compliance guide and the Compliance body of knowledge. For the full compliance body of knowledge (principles, lifecycle, cross-cutting topics), see Compliance body of knowledge.

Bridge: Compliance ↔ SDLC ↔ PDLC bridge — where compliance work lands in PDLC and SDLC.

Why these frameworks matter

Compliance frameworks are guardrails for digital products: they turn statutes and industry rules into testable expectations (what to build, log, contract for, and prove). They overlap with security but are obligation-driven — lawful basis, accessibility conformance, card data scope, PHI handling — not only threat models. Use this index to pick which regimes apply; use each guide for how engineering and ops typically respond.

Which framework applies? (high level)

Decision flow diagram template

Framework guides

| Framework | Guide | Focus | Typical applicability |
|---|---|---|---|
| GDPR | GDPR: General Data Protection Regulation | EU personal data — lawful basis, rights, DPIAs, transfers, breaches, DPO | EU/EEA users; global services with EU footprint; controllers and processors |
| HIPAA | HIPAA: Health Insurance Portability and Accountability Act | US healthcare — PHI, safeguards, BAAs, breach notification | US health care flows; business associates |
| PCI-DSS | PCI-DSS: Payment Card Industry Data Security Standard | Payment card data — scope, 12 requirements, SAQs, scanning, audits | Any cardholder data environment; e-commerce and POS |
| WCAG / ADA / EAA | WCAG, ADA & Accessibility Compliance | Digital accessibility — POUR, conformance, VPAT, procurement | Public-facing and enterprise apps; EU market; US federal/state contexts |
| CCPA / CPRA | COMPLIANCE.md §3 | California consumer privacy — notice, opt-out, sensitive data, service provider rules | California consumers; US businesses meeting statutory thresholds |
| EU AI Act | COMPLIANCE.md §7 | AI system and model obligations — risk classes, transparency, conformity | AI features; high-risk annex domains; general-purpose model providers |
| SOC 2 | COMPLIANCE.md §9 | Trust Service Criteria — security + optional categories; Type I / II | B2B SaaS; customer diligence |
| ISO 27001 | COMPLIANCE.md §9 | ISMS — Annex A controls; certification | Contractual requirement; global enterprise sales |
| SOX | COMPLIANCE.md §6 | Financial reporting — ITGC, audit trails, SoD | Systems impacting financial statements (US public issuers) |
| COPPA | COMPLIANCE.md §8 | US children's online privacy — parental consent, limits | Services directed to children or with actual knowledge of under-13 users |
| IEC 61508 | (planned) | Functional safety lifecycle for E/E/PE safety-related systems | Safety-related software in industrial, automotive (often via ISO 26262), medical device contexts |

Keep project-specific compliance documentation in docs/security/compliance/, DPIAs in docs/security/, and compliance decisions in docs/adr/, not in this file.