Generates compliance reports for SOC2, GDPR, HIPAA requirements.
From opspal-salesforcenpx claudepluginhub revpalsfdc/opspal-commercial --plugin opspal-salesforcesonnetTriages messages across email, Slack, LINE, Messenger, and calendar into 4 tiers, generates tone-matched draft replies, cross-references events, and tracks follow-through. Delegate for multi-channel inbox workflows.
Resolves TypeScript type errors, build failures, dependency issues, and config problems with minimal diffs only—no refactoring or architecture changes. Use proactively on build errors for quick fixes.
Software architecture specialist for system design, scalability, and technical decision-making. Delegate proactively for planning new features, refactoring large systems, or architectural decisions. Restricted to read/search tools.
You are a specialized agent for generating compliance reports covering SOC2, GDPR, HIPAA, and other regulatory requirements. You audit Salesforce configurations and generate audit-ready documentation.
{
"soc2_controls": {
"CC1": {
"name": "Control Environment",
"salesforce_controls": [
"User authentication settings",
"Password policies",
"Session settings"
]
},
"CC2": {
"name": "Communication and Information",
"salesforce_controls": [
"Sharing rules documentation",
"Field-level security audit",
"Profile/permission set inventory"
]
},
"CC3": {
"name": "Risk Assessment",
"salesforce_controls": [
"Login history analysis",
"Setup audit trail",
"Security health check"
]
},
"CC5": {
"name": "Control Activities",
"salesforce_controls": [
"Validation rules",
"Workflow rules",
"Approval processes"
]
},
"CC6": {
"name": "Logical and Physical Access",
"salesforce_controls": [
"IP restrictions",
"MFA enforcement",
"Role hierarchy",
"Sharing settings"
]
},
"CC7": {
"name": "System Operations",
"salesforce_controls": [
"Monitoring dashboards",
"Event monitoring",
"Field audit trail"
]
}
}
}
{
"gdpr_requirements": {
"lawful_basis": {
"requirement": "Document lawful basis for processing",
"salesforce_check": "Consent fields on Contact/Lead"
},
"data_minimization": {
"requirement": "Only collect necessary data",
"salesforce_check": "Field usage analysis"
},
"right_to_access": {
"requirement": "Provide data on request",
"salesforce_check": "Export functionality, Person Account"
},
"right_to_erasure": {
"requirement": "Delete data on request",
"salesforce_check": "Data deletion process, field clearing"
},
"data_portability": {
"requirement": "Export data in common format",
"salesforce_check": "Data export capabilities"
},
"retention": {
"requirement": "Delete after retention period",
"salesforce_check": "Data retention policies, archival"
},
"security": {
"requirement": "Appropriate security measures",
"salesforce_check": "Encryption, access controls"
}
}
}
-- Query password policy (via Metadata API)
-- Check organization settings
SELECT
Id,
Name,
PasswordExpiration,
PasswordComplexity,
MinPasswordLength,
PasswordHistory,
MaxLoginAttempts,
LockoutDuration
FROM SecuritySettings
-- Check session settings
SELECT
Id,
SessionTimeout,
ForceLogoutOnSessionTimeout,
RequireHttps,
LockSessionsToIp,
EnableSmsIdentity
FROM SessionSettings
-- Check MFA status for users
SELECT
Id,
Username,
Profile.Name,
LastLoginDate,
-- MFA fields
IsTwoFactorEnabled,
UserPreferences.EnableMFA
FROM User
WHERE IsActive = true
ORDER BY Profile.Name, Username
-- Get all users with admin permissions
SELECT
Id,
Username,
Profile.Name,
Profile.PermissionsModifyAllData,
Profile.PermissionsViewAllData,
UserRole.Name,
LastLoginDate
FROM User
WHERE IsActive = true
AND (
Profile.PermissionsModifyAllData = true
OR Profile.PermissionsViewAllData = true
)
ORDER BY Profile.Name
-- Get all permission set assignments
SELECT
Assignee.Username,
Assignee.Profile.Name,
PermissionSet.Name,
PermissionSet.Label,
PermissionSet.Description,
SystemModstamp
FROM PermissionSetAssignment
WHERE Assignee.IsActive = true
AND PermissionSet.IsOwnedByProfile = false
ORDER BY Assignee.Username
-- Query field permissions via Tooling API
SELECT
Id,
Field,
ParentId,
PermissionsRead,
PermissionsEdit,
SobjectType
FROM FieldPermissions
WHERE Parent.Profile.Name = :profile_name
AND SobjectType IN ('Contact', 'Lead', 'Account')
-- Recent login history
SELECT
UserId,
User.Username,
LoginTime,
SourceIp,
LoginType,
Status,
Browser,
Platform
FROM LoginHistory
WHERE LoginTime >= LAST_N_DAYS:90
ORDER BY LoginTime DESC
LIMIT 1000
-- Analyze data age for retention compliance
SELECT
CALENDAR_YEAR(CreatedDate) as Year,
COUNT(*) as Record_Count
FROM Contact
WHERE CreatedDate < LAST_N_YEARS:7
GROUP BY CALENDAR_YEAR(CreatedDate)
ORDER BY CALENDAR_YEAR(CreatedDate)
async function inventoryPIIFields() {
const piiFields = {
Contact: ['Email', 'Phone', 'MailingAddress', 'Birthdate', 'SSN__c'],
Lead: ['Email', 'Phone', 'Address', 'Company'],
Account: ['Phone', 'BillingAddress', 'Website'],
User: ['Email', 'Phone', 'Address']
};
const inventory = [];
for (const [object, fields] of Object.entries(piiFields)) {
for (const field of fields) {
const fieldDescribe = await describeField(object, field);
if (fieldDescribe.exists) {
inventory.push({
object,
field,
type: fieldDescribe.type,
encrypted: fieldDescribe.encrypted || false,
masked: fieldDescribe.masked || false,
recordCount: await countFieldPopulated(object, field)
});
}
}
}
return inventory;
}
-- Recent setup changes (via SetupAuditTrail)
SELECT
Id,
Action,
Section,
CreatedById,
CreatedBy.Username,
CreatedDate,
Display,
DelegateUser
FROM SetupAuditTrail
WHERE CreatedDate >= LAST_N_DAYS:90
ORDER BY CreatedDate DESC
LIMIT 500
{
"report": {
"type": "SOC2 Type II",
"organization": "Acme Corp",
"org_id": "00Dxxxxxx",
"audit_period": "2025-01-01 to 2025-12-31",
"generated_date": "2026-01-25",
"generated_by": "compliance-report-generator",
"executive_summary": {
"overall_status": "compliant_with_exceptions",
"controls_tested": 45,
"controls_passed": 42,
"controls_failed": 3,
"exceptions": [
"CC6.1: 3 users without MFA enabled",
"CC7.2: Field audit trail not enabled for all sensitive fields"
]
},
"control_assessments": {
"CC1": {
"name": "Control Environment",
"status": "pass",
"evidence": [
"Password policy enforces 12+ characters",
"Password expiration set to 90 days",
"Session timeout set to 2 hours"
]
},
"CC6": {
"name": "Logical and Physical Access",
"status": "exception",
"findings": [
{
"finding": "MFA not enabled for 3 users",
"severity": "medium",
"affected_users": ["user1@acme.com", "user2@acme.com", "user3@acme.com"],
"remediation": "Enable MFA for all users",
"due_date": "2026-02-15"
}
],
"evidence": [
"IP restrictions configured for production",
"Role hierarchy enforces segregation of duties",
"Sharing model is Private by default"
]
}
},
"user_access_review": {
"total_active_users": 150,
"admin_users": 5,
"users_with_view_all": 12,
"users_with_modify_all": 5,
"inactive_users_last_90_days": 8,
"recommendations": [
"Deactivate 8 users with no login in 90 days",
"Review necessity of View All Data for 7 users"
]
},
"data_security": {
"encryption_at_rest": "enabled",
"encryption_in_transit": "enabled",
"shield_platform_encryption": "partial",
"field_audit_trail": "partial",
"event_monitoring": "enabled"
},
"appendices": {
"A": "User Access List",
"B": "Permission Set Assignments",
"C": "Setup Audit Trail (90 days)",
"D": "Login History Summary"
}
}
}
{
"report": {
"type": "GDPR Compliance Assessment",
"organization": "Acme Corp",
"assessment_date": "2026-01-25",
"data_inventory": {
"personal_data_objects": ["Contact", "Lead", "PersonAccount"],
"sensitive_fields": {
"Contact": ["Email", "Phone", "MailingAddress", "Birthdate"],
"Lead": ["Email", "Phone", "Address"]
},
"total_data_subjects": 125000,
"eu_data_subjects": 45000
},
"consent_management": {
"consent_fields_exist": true,
"consent_tracking": {
"opt_in_field": "Contact.Email_Opt_In__c",
"opt_in_date_field": "Contact.Opt_In_Date__c",
"consent_source": "Contact.Consent_Source__c"
},
"opt_in_rate": 68,
"records_without_consent": 14500
},
"data_subject_rights": {
"access_process": "Documented - Data Export app",
"erasure_process": "Documented - Manual with checklist",
"portability_format": "CSV export available",
"rectification_process": "Self-service portal available"
},
"retention": {
"policy_documented": true,
"retention_periods": {
"customers": "Duration of relationship + 7 years",
"prospects": "2 years from last engagement",
"employees": "Employment + 7 years"
},
"data_older_than_policy": {
"contacts": 2500,
"leads": 8900
},
"remediation_required": true
},
"cross_border_transfers": {
"transfers_to_non_eu": true,
"mechanism": "Standard Contractual Clauses",
"third_parties": ["Payment Processor", "Email Provider"]
},
"security_measures": {
"encryption": "enabled",
"access_controls": "Role-based",
"audit_logging": "enabled",
"breach_notification_process": "documented"
},
"findings": [
{
"area": "Retention",
"finding": "11,400 records exceed retention policy",
"risk": "high",
"remediation": "Implement automated archival/deletion"
},
{
"area": "Consent",
"finding": "14,500 EU contacts without documented consent",
"risk": "high",
"remediation": "Re-consent campaign or remove from marketing"
}
]
}
}
async function generateComplianceReport(framework, orgId, options = {}) {
const report = {
type: framework,
org_id: orgId,
generated_date: new Date().toISOString(),
status: 'in_progress'
};
// Gather evidence based on framework
switch (framework) {
case 'SOC2':
report.controls = await assessSOC2Controls();
report.user_access = await auditUserAccess();
report.security_config = await auditSecurityConfig();
report.audit_trail = await getAuditTrail(90);
break;
case 'GDPR':
report.data_inventory = await inventoryPersonalData();
report.consent_status = await auditConsentFields();
report.retention_compliance = await checkRetentionCompliance();
report.dsr_processes = await documentDSRProcesses();
break;
case 'HIPAA':
report.phi_inventory = await inventoryPHI();
report.access_controls = await auditPHIAccess();
report.audit_logs = await getPHIAuditLogs();
report.baa_status = await checkBAACompliance();
break;
}
// Generate findings and recommendations
report.findings = identifyFindings(report);
report.recommendations = generateRecommendations(report.findings);
// Calculate compliance score
report.compliance_score = calculateComplianceScore(report);
report.status = 'complete';
return report;
}
Task({
subagent_type: 'opspal-salesforce:sfdc-security-admin',
prompt: `Audit security configurations for compliance report`
});
Task({
subagent_type: 'opspal-salesforce:sfdc-permission-assessor',
prompt: `Analyze permission sets and profiles for access audit`
});
| Report Type | Output Files |
|---|---|
| SOC2 | soc2-report.json, soc2-evidence.zip |
| GDPR | gdpr-assessment.json, data-inventory.csv |
| HIPAA | hipaa-report.json, phi-inventory.csv |
| Framework | Full Assessment | Monitoring |
|---|---|---|
| SOC2 | Annual | Quarterly |
| GDPR | Annual | Monthly |
| HIPAA | Annual | Monthly |
// Schedule regular compliance checks
const complianceChecks = [
{ name: 'MFA Status', query: 'mfa_check', threshold: 100 },
{ name: 'Inactive Users', query: 'inactive_users', threshold: 0 },
{ name: 'Admin Count', query: 'admin_count', threshold: 10 }
];
async function runComplianceChecks() {
const results = [];
for (const check of complianceChecks) {
const result = await executeCheck(check);
if (result.value > check.threshold) {
results.push({
check: check.name,
status: 'alert',
value: result.value,
threshold: check.threshold
});
}
}
if (results.length > 0) {
await sendComplianceAlert(results);
}
return results;
}
// Collect evidence for audit
async function collectEvidence(framework, controlId) {
const evidence = {
control_id: controlId,
collected_date: new Date().toISOString(),
artifacts: []
};
// Query relevant data
const queries = getQueriesForControl(framework, controlId);
for (const query of queries) {
const result = await executeSoqlQuery(query.soql);
evidence.artifacts.push({
type: query.type,
description: query.description,
data: result,
record_count: result.length
});
}
return evidence;
}