
saas-compliance-audit

Audit SaaS applications against common compliance frameworks (SOC2, GDPR, HIPAA, PCI-DSS) with focus on technically-verifiable controls including audit logging, data retention, encryption at rest and in transit, DSAR (Data Subject Access Request) endpoints, breach notification readiness, vendor risk, and access reviews. Use this skill whenever the user asks about SOC2, GDPR, HIPAA, PCI-DSS, compliance audit, audit logging, data retention, DSAR, "right to be forgotten", erasure requests, evidence collection, ISO 27001, or "are we compliant". Trigger on phrases like "audit my compliance posture", "SOC2 readiness", "GDPR controls", "do we have the right logs", "data retention policy", "DSAR endpoint", "data deletion", "compliance evidence". Use this even when only one framework or control is mentioned.
hlsitechio/claude-skills-security · ★ 1 · AI & Automation · score 65
Install: claude install-skill hlsitechio/claude-skills-security
# SaaS Compliance Audit

Audit the technical surface of a SaaS application against common compliance frameworks. This is NOT a substitute for a qualified auditor — it's a pre-audit gap analysis that finds the technical controls auditors will look for.

## When this skill applies

- Pre-audit readiness checks (SOC2 Type 1/2, ISO 27001, GDPR, HIPAA, PCI-DSS)
- Designing the audit logging system
- Setting up DSAR / "right to erasure" endpoints
- Reviewing data retention policies and implementation
- Vendor risk assessment of subprocessors
- Evidence collection for an upcoming audit

This skill focuses on **technically verifiable controls**. Policy-only items (org chart, signed agreements, training records) are out of scope — the auditor will collect those separately.

Use other skills for: data-layer controls (`supabase-security-audit`, `saas-tenant-isolation`), application-layer controls (`saas-code-security-review`).

## Workflow

Follow `../_shared/audit-workflow.md`. Compliance-specific notes below.

### Phase 1: Scope confirmation

- Which framework(s)?
  - **SOC 2 Type 1**: point-in-time; technical controls exist.
  - **SOC 2 Type 2**: operating effectiveness over a 3-12 month window; need evidence of consistent operation.
  - **GDPR**: EU personal data; data subject rights are technical features.
  - **HIPAA**: US healthcare data; specific encryption + access logging requirements.
  - **PCI-DSS**: payment card data; segmentation + key management.
  - **ISO 27001**: manage