Translates compliance regulations like HIPAA, GDPR, SOC 2, PCI into concrete technical requirements for tech stacks in healthcare, fintech, edtech apps.
npx claudepluginhub whawkinsiv/solo-founder-superpowers --plugin solo-founder-superpowersThis skill uses the workspace's default tool permissions.
If you're building for healthcare, finance, education, or any regulated industry, there are rules about how you handle data. You probably already know the regulations from your professional life — but you don't know what they mean for software. This skill translates compliance requirements into concrete technical decisions.
Provides Ktor server patterns for routing DSL, plugins (auth, CORS, serialization), Koin DI, WebSockets, services, and testApplication testing.
Conducts multi-source web research with firecrawl and exa MCPs: searches, scrapes pages, synthesizes cited reports. For deep dives, competitive analysis, tech evaluations, or due diligence.
Provides demand forecasting, safety stock optimization, replenishment planning, and promotional lift estimation for multi-location retailers managing 300-800 SKUs.
If you're building for healthcare, finance, education, or any regulated industry, there are rules about how you handle data. You probably already know the regulations from your professional life — but you don't know what they mean for software. This skill translates compliance requirements into concrete technical decisions.
This skill is for understanding what regulations mean for your tech stack. For implementing security controls (auth, encryption, rate limiting), use secure. For writing legal documents (ToS, Privacy Policy), use legal. For payment processing and PCI, use payments.
Disclaimer: This skill covers common compliance patterns. It is not legal advice. Consult a compliance specialist for your specific situation, especially before handling sensitive data in production.
Tell AI:
I'm building a SaaS product for [industry/profession].
My product handles this type of data: [describe the data — patient records, student info, financial transactions, etc.]
My users are in: [countries/regions]
What compliance requirements apply to me?
For each one, tell me:
1. What it is (one sentence)
2. Whether I need it before launch or can add it later
3. What it means for my tech stack (specific technical requirements)
4. Whether I need a certification/audit or just need to follow the rules
Applies when: Your software stores, processes, or transmits Protected Health Information (PHI) — patient names, conditions, treatment records, billing info tied to health data.
What it means for your tech stack:
| Requirement | What to Do |
|---|---|
| Data encryption at rest | Use a database that encrypts stored data (Supabase, AWS RDS with encryption enabled) |
| Data encryption in transit | HTTPS everywhere (all modern hosting does this) |
| Access controls | Role-based access, audit logs of who accessed what |
| Business Associate Agreement (BAA) | Your hosting and database provider must sign one. Not all do. |
| Audit trail | Log every access to PHI: who, when, what |
| Minimum necessary | Only show users the data they need for their role |
| Breach notification | Have a plan for what happens if data leaks |
Hosting that offers BAAs:
Hosting that does NOT offer BAAs (don't use for PHI):
Tell AI:
I'm building a healthcare SaaS that stores [type of health data].
Set up the tech stack for HIPAA compliance:
- Database: needs encryption at rest and BAA support
- Hosting: needs BAA support
- Auth: role-based access with audit logging
- Add an audit log table that tracks every PHI access
- Ensure all API endpoints require authentication
- No PHI in URL parameters, logs, or error messages
PCI-DSS applies when: You handle credit card numbers directly.
The shortcut: Use Stripe. Stripe handles PCI compliance for you. Never store card numbers in your database. Never let card numbers touch your server. Use Stripe Elements or Checkout — the card data goes directly from the user's browser to Stripe, bypassing your server entirely.
If you use Stripe correctly, PCI is handled. See payments skill for implementation.
SOC 2 applies when: Enterprise customers ask for it (usually $50K+ deals). You don't need it at launch.
Plan for SOC 2 later by doing these now:
Applies when: Your software handles student education records — grades, enrollment, disciplinary records, financial aid.
| Requirement | What to Do |
|---|---|
| Written consent for disclosure | Parents/students must consent before you share their data |
| Access controls | Only authorized school officials see student records |
| Directory information opt-out | Students can opt out of directory info sharing |
| Data minimization | Only collect what you need |
| Audit trail | Track who accessed student records |
Tell AI:
I'm building an edtech product that handles [type of student data].
Set up FERPA-compliant data handling:
- Role-based access: [teacher, admin, student, parent] with different data visibility
- Consent tracking: record when parents/students consented to data use
- Audit log for all access to student records
- Data export and deletion capability (for student/parent requests)
- No student data in analytics, logs, or error tracking
Less regulated technically, but watch for:
Attorney-client privilege considerations:
GDPR (if you have EU users):
| Requirement | What to Do |
|---|---|
| Consent before collecting data | Cookie consent banner, clear privacy policy |
| Right to access | Users can request all their data |
| Right to deletion | Users can request data deletion ("right to be forgotten") |
| Data portability | Users can export their data in a standard format |
| Privacy by design | Only collect data you actually need |
| Breach notification | Notify authorities within 72 hours of a breach |
Tell AI:
Add GDPR compliance features to our app:
- Cookie consent banner that blocks tracking until consent is given
- "Download my data" feature in account settings (export as JSON/CSV)
- "Delete my account" feature that actually deletes all user data
- Privacy policy page explaining what data we collect and why
- Data processing records (log what data we collect, why, and how long we keep it)
CCPA/CPRA (if you have California users): Similar to GDPR. The main additional requirement is a "Do Not Sell My Personal Information" link.
Minimum for any SaaS:
- [ ] Privacy policy published
- [ ] Terms of service published
- [ ] HTTPS on all pages (usually automatic with modern hosting)
- [ ] Passwords hashed (never stored in plain text)
- [ ] No sensitive data in logs, URLs, or error messages
- [ ] User data export capability
- [ ] User data deletion capability
- [ ] Cookie consent if you use analytics/tracking
Add if regulated industry:
- [ ] Identified which regulations apply to your data
- [ ] Hosting provider supports required compliance (BAA, certifications)
- [ ] Encryption at rest enabled on database
- [ ] Role-based access controls implemented
- [ ] Audit log tracking data access
- [ ] Breach notification plan documented
- [ ] Consulted a compliance specialist for your specific situation
| Stage | What to Do |
|---|---|
| Pre-launch | Read this skill. Make compliant tech stack choices. |
| First paying customers | Get a compliance consultant to review your setup (one-time, $1K-5K) |
| $10K+ MRR or enterprise customers | Consider formal certification (SOC 2 audit: $15K-50K) |
| Handling highly sensitive data (PHI, financial) | Consult before launch, not after |
| Mistake | Fix |
|---|---|
| Ignoring compliance until an enterprise customer asks | Make compliant tech choices from day 1 — it's free |
| Storing credit card numbers in your database | Use Stripe. Card data never touches your server. |
| Using a hosting provider without a BAA for healthcare data | Check BAA availability before choosing your stack |
| "We'll add compliance later" for regulated data | Retrofitting compliance is 10x more expensive than building it in |
| Over-investing in certification at $0 MRR | You need compliant practices, not a $50K audit, until you have enterprise customers |
| Putting sensitive data in error logs or analytics | Scrub PII from all logging. This is the most common compliance violation. |