Skill

compliance-framework

Implement compliance requirements (SOC2, GDPR, HIPAA). Design architecture for regulations. Map technical controls to compliance requirements. Use when building regulated systems.

From architecture-governance

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin architect-governance

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

cache-components

Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.

cache-components

138.6k

claude-opus-4-5-migration

2 files

Migrates code, prompts, and API calls from Claude Sonnet 4.0/4.5 or Opus 4.1 to Opus 4.5, updating model strings on Anthropic, AWS, GCP, Azure platforms.

claude-opus-4-5-migration

83.2k

evaluation-methodology

1 file

Details PluginEval's skill quality evaluation: 3 layers (static, LLM judge), 10 dimensions, rubrics, formulas, anti-patterns, badges. Use to interpret scores, improve triggering, calibrate thresholds.

plugin-eval

32.9k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Domain Context

Based on compliance frameworks and regulatory standards:

SOC2: Security, availability, processing integrity, confidentiality. Requires audit trail, access control, encryption.

GDPR: Protects EU citizens' personal data. Requires consent, data portability, right-to-be-forgotten, breach notification.

HIPAA: Health information privacy (US). Requires encryption, audit logs, access controls, business associate agreements.

PCI DSS: Payment card data protection. Requires segmentation, encryption, monitoring, vendor management.

Instructions

Identify Applicable Standards: Which regulations apply? GDPR (EU users)? HIPAA (health data)? SOC2 (enterprise customers)? PCI DSS (payment processing)?

Map Controls to Architecture: For each regulation, what technical controls needed? GDPR: encryption at rest/transit, audit logs, consent tracking. HIPAA: role-based access, encrypted backups, breach detection.

Design for Audit: Audit logs must be immutable, encrypted, sent to separate system. Log all data access, configuration changes, admin actions. Retention per regulation (GDPR: 3 years minimum).

Build Operational Processes: Change management: approve all changes, test in staging, audit trail. Incident response: detect, contain, notify (GDPR: 72 hours). Annual training on compliance.

Plan for Verification: Audit readiness: document controls, gather evidence. Penetration testing annually. Vulnerability scanning continuous. Third-party assessments (SOC2, HIPAA).

Anti-Patterns

Compliance as Afterthought: Build system, then add compliance controls. Result: hard to retrofit, costly. Guard: Design for compliance from start; embed controls in architecture.

Over-Compliance: Implement controls for regulations you don't need. Result: cost, complexity. Guard: Identify exact requirements; implement only what's needed.

No Automation: Manual evidence gathering for audits. Result: slow, error-prone. Guard: Automate log collection, evidence gathering, control testing.

Forgotten After Certification: Achieve compliance, then relax. Result: drift, recertification failure. Guard: Continuous monitoring; treat compliance as ongoing, not one-time.

Domain Context

Based on compliance frameworks and regulatory standards:

SOC2: Security, availability, processing integrity, confidentiality. Requires audit trail, access control, encryption.

GDPR: Protects EU citizens' personal data. Requires consent, data portability, right-to-be-forgotten, breach notification.

HIPAA: Health information privacy (US). Requires encryption, audit logs, access controls, business associate agreements.

PCI DSS: Payment card data protection. Requires segmentation, encryption, monitoring, vendor management.

Instructions

Identify Applicable Standards: Which regulations apply? GDPR (EU users)? HIPAA (health data)? SOC2 (enterprise customers)? PCI DSS (payment processing)?

Design for Audit: Audit logs must be immutable, encrypted, sent to separate system. Log all data access, configuration changes, admin actions. Retention per regulation (GDPR: 3 years minimum).

Build Operational Processes: Change management: approve all changes, test in staging, audit trail. Incident response: detect, contain, notify (GDPR: 72 hours). Annual training on compliance.

Plan for Verification: Audit readiness: document controls, gather evidence. Penetration testing annually. Vulnerability scanning continuous. Third-party assessments (SOC2, HIPAA).

Anti-Patterns

Compliance as Afterthought: Build system, then add compliance controls. Result: hard to retrofit, costly. Guard: Design for compliance from start; embed controls in architecture.

Over-Compliance: Implement controls for regulations you don't need. Result: cost, complexity. Guard: Identify exact requirements; implement only what's needed.

No Automation: Manual evidence gathering for audits. Result: slow, error-prone. Guard: Automate log collection, evidence gathering, control testing.

Forgotten After Certification: Achieve compliance, then relax. Result: drift, recertification failure. Guard: Continuous monitoring; treat compliance as ongoing, not one-time.

compliance-framework

compliance-framework

Compliance Framework

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Compliance Framework

Context

Domain Context

Instructions

Anti-Patterns

Further Reading