Compliance
OWNER: aimee ALSO_USED_BY: anna (implementation), eric (contract/DPA), hugo (security controls), faye, sytske
GE builds all B2B SaaS to ISO 27001 and SOC 2 Type II standards by default. GDPR compliance is non-negotiable for EU-hosted products. These are not optional add-ons — they are baseline architecture requirements.
GDPR Compliance
SCOPE_ITEM: gdpr_compliance
Data Processing Agreement (DPA)
INCLUDES: Standard DPA template provided to every client (client is Controller, SaaS is Processor)
INCLUDES: DPA covers: purpose of processing, data categories, data subjects, security measures
INCLUDES: DPA includes sub-processor list with notification obligations
INCLUDES: DPA includes Standard Contractual Clauses (SCCs) for non-EEA transfers if applicable
INCLUDES: DPA available for self-serve download on trust center page
COMPLIANCE: GDPR Article 28 — written contract between Controller and Processor is mandatory
CHECK: Custom DPA negotiations extend sales cycles 4-12 weeks — have template ready
CHECK: Eric (contract agent) reviews all custom DPA modifications
Sub-Processor Management
INCLUDES: Public sub-processor list on website (name, purpose, location, DPA status)
INCLUDES: Change notification process (email 30 days before new sub-processor)
INCLUDES: Objection mechanism (customer can object to new sub-processor)
INCLUDES: DPA in place with every sub-processor
INCLUDES: Annual review of sub-processor compliance
Typical sub-processors for GE stack:
INCLUDES: Cloud hosting provider (Hetzner/OVH/AWS) — infrastructure
INCLUDES: Mollie (NL, PRIMARY) / Stripe (US, secondary — sovereignty risk) — payment processing
INCLUDES: Brevo (FR) / Mailjet (FR) — transactional email (PRIMARY). Resend/Postmark secondary (US — sovereignty risk).
INCLUDES: Sentry — error monitoring (can be self-hosted for zero external data)
INCLUDES: Meilisearch Cloud — search (or self-hosted for zero external data)
CHECK: Minimize sub-processors — every external service is a GDPR liability
CHECK: Self-hosted alternatives reduce sub-processor count (Sentry, Meilisearch, analytics)
Data Subject Rights (DSAR)
SCOPE_ITEM: data_subject_rights
INCLUDES: Right of access (Article 15) — export all personal data in machine-readable format
INCLUDES: Right to rectification (Article 16) — correct inaccurate personal data
INCLUDES: Right to erasure (Article 17) — delete personal data within 30 days
INCLUDES: Right to data portability (Article 20) — export in structured, common format (JSON/CSV)
INCLUDES: Right to restriction (Article 18) — mark data as restricted, stop processing
INCLUDES: Right to object (Article 21) — opt out of specific processing activities
DSAR Workflow
INCLUDES: DSAR request form in user settings (self-serve for access and portability)
INCLUDES: DSAR request via email for erasure and restriction (requires identity verification)
INCLUDES: Request tracked in internal system (ticket or dedicated DSAR table)
INCLUDES: Response deadline: 30 days (extendable to 90 days for complex requests)
INCLUDES: Erasure cascades to all systems: DB, backups (next rotation), file storage, caches, logs
INCLUDES: Erasure confirmation sent to requester
COMPLIANCE: Backup exclusion is the hardest part — document the backup rotation schedule
CHECK: Budget 20-30 hours for DSAR workflow implementation
CHECK: Test erasure end-to-end before launch — including backup and cache removal
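The DSAR workflow above, as an added worked example (not GE's own code): a request record that computes the 30-day deadline (90 when extended), refuses erasure until identity is verified, and runs the erasure cascade over every required store, with backups handled by scheduling exclusion at the next rotation rather than editing them in place. The store names, subject ids, rotation date and handler bodies are constructed for the demo; a real deployment would register handlers that talk to the actual database, object store, cache, log pipeline and backup job.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Callable, Dict, List


class RequestType(Enum):
    ACCESS = "access"            # Art. 15, self-serve from user settings
    PORTABILITY = "portability"  # Art. 20, self-serve
    ERASURE = "erasure"          # Art. 17, by email, identity verification required
    RESTRICTION = "restriction"  # Art. 18, by email, identity verification required


NEEDS_IDENTITY_CHECK = {RequestType.ERASURE, RequestType.RESTRICTION}
BASE_DEADLINE_DAYS, EXTENDED_DEADLINE_DAYS = 30, 90
# Every store that holds personal data must have a handler before erasure may run.
REQUIRED_SYSTEMS = ("database", "file_storage", "cache", "logs", "backups")


@dataclass
class DsarRequest:
    request_id: str
    subject_id: str
    kind: RequestType
    received: date
    identity_verified: bool = False
    extended: bool = False          # set only once the extension has been communicated
    status: str = "open"
    steps: List[str] = field(default_factory=list)   # ticket trail of what was done

    def deadline(self) -> date:
        days = EXTENDED_DEADLINE_DAYS if self.extended else BASE_DEADLINE_DAYS
        return self.received + timedelta(days=days)

    def is_overdue(self, today: date) -> bool:
        return self.status != "closed" and today > self.deadline()


class ErasureCascade:
    def __init__(self) -> None:
        self._handlers: Dict[str, Callable[[str], str]] = {}

    def register(self, system: str, handler: Callable[[str], str]) -> None:
        self._handlers[system] = handler

    def run(self, req: DsarRequest) -> Dict[str, str]:
        if req.kind is not RequestType.ERASURE:
            raise ValueError("cascade only handles erasure requests")
        if req.kind in NEEDS_IDENTITY_CHECK and not req.identity_verified:
            raise PermissionError("identity must be verified before erasure runs")
        missing = [s for s in REQUIRED_SYSTEMS if s not in self._handlers]
        if missing:
            raise RuntimeError(f"cascade incomplete, no handler for: {missing}")
        results: Dict[str, str] = {}
        for system in REQUIRED_SYSTEMS:          # live stores first, backups last
            results[system] = self._handlers[system](req.subject_id)
            req.steps.append(f"{system}: {results[system]}")
        req.steps.append("erasure confirmation sent to requester")
        req.status = "closed"
        return results


def build_demo_cascade(next_rotation: date) -> dict:
    """Constructed in-memory stand-ins for the real stores, so the cascade runs offline."""
    stores = {
        "db": {"u-42": {"email": "a@example.com"}, "u-7": {"email": "b@example.com"}},
        "files": {"u-42": ["avatar.png"], "u-7": ["cv.pdf"]},
        "cache": {"session:u-42": "tok1", "session:u-7": "tok2"},
        "logs": ["u-42 login from 203.0.113.5", "u-7 login from 203.0.113.9"],
        "purge_queue": [],   # (subject_id, rotation date) consumed by the backup job
    }

    def erase_db(s):
        return f"deleted {int(stores['db'].pop(s, None) is not None)} row(s)"

    def erase_files(s):
        return f"removed {len(stores['files'].pop(s, []))} object(s)"

    def erase_cache(s):
        keys = [k for k in stores["cache"] if k.endswith(f":{s}")]
        for k in keys:
            del stores["cache"][k]
        return f"evicted {len(keys)} key(s)"

    def erase_logs(s):
        # logs stay append-only; the identifier is replaced rather than lines dropped
        hits = sum(s in line for line in stores["logs"])
        stores["logs"] = [line.replace(s, "<erased>") for line in stores["logs"]]
        return f"pseudonymised {hits} line(s)"

    def erase_backups(s):
        # backups cannot be edited in place: exclude the subject at the next rotation
        stores["purge_queue"].append((s, next_rotation))
        return f"removal scheduled for rotation on {next_rotation.isoformat()}"

    cascade = ErasureCascade()
    for name, fn in zip(REQUIRED_SYSTEMS, (erase_db, erase_files, erase_cache, erase_logs, erase_backups)):
        cascade.register(name, fn)
    stores["cascade"] = cascade
    return stores


def run_demo() -> dict:
    """End-to-end run on the constructed stores; returns plain values for checking."""
    stores = build_demo_cascade(next_rotation=date(2024, 2, 1))
    req = DsarRequest("dsar-1", "u-42", RequestType.ERASURE, received=date(2024, 1, 10))
    blocked = False
    try:
        stores["cascade"].run(req)            # must refuse: identity not verified yet
    except PermissionError:
        blocked = True
    req.identity_verified = True
    results = stores["cascade"].run(req)
    late = DsarRequest("dsar-2", "u-7", RequestType.ACCESS, date(2024, 1, 10), extended=True)
    return {
        "blocked_before_verification": blocked, "status": req.status,
        "deadline": req.deadline().isoformat(), "extended_deadline": late.deadline().isoformat(),
        "overdue": [late.is_overdue(date(2024, 3, 1)), late.is_overdue(date(2024, 4, 10))],
        "db_ids": sorted(stores["db"]), "cache_keys": sorted(stores["cache"]), "logs": stores["logs"],
        "purge_queue": [(s, d.isoformat()) for s, d in stores["purge_queue"]], "results": results,
    }
```

The cascade refuses to run at all when any required store has no handler, which is the end-to-end check the CHECK above asks for: a cascade that silently skips the cache or the backups passes a demo and fails an audit. The backup handler records the rotation date it relies on, so the ticket trail documents exactly when the subject leaves the last copy.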
Consent Management
SCOPE_ITEM: consent_management
INCLUDES: Cookie consent banner (if marketing cookies or analytics used)
INCLUDES: Consent records stored with timestamp and version
INCLUDES: Granular consent (analytics, marketing, functional — not all-or-nothing)
INCLUDES: Consent withdrawal mechanism (as easy as giving consent)
OPTIONAL: Consent management platform integration (Cookiebot, OneTrust)
CHECK: B2B SaaS with only essential cookies may not need a cookie banner — legal review required
CHECK: EU ePrivacy Directive applies to cookies, not just GDPR
Privacy by Design
SCOPE_ITEM: privacy_by_design
INCLUDES: Data minimization — collect only what is necessary for the stated purpose
INCLUDES: Purpose limitation — use data only for the purpose it was collected
INCLUDES: Storage limitation — define retention periods, auto-delete expired data
INCLUDES: Pseudonymization where possible (analytics, logs)
INCLUDES: Default privacy settings are the most restrictive (privacy by default)
COMPLIANCE: GDPR Article 25 — data protection by design and by default
SOC 2 Type II
SCOPE_ITEM: soc2_compliance
Trust Service Criteria
SOC 2 evaluates five trust service criteria. Security is mandatory; others are selected based on the product.
| Criterion | Required? | Relevance |
|---|---|---|
| Security | Always | Access controls, network security, monitoring |
| Availability | Usually | Uptime SLAs, DR, backups |
| Processing Integrity | Sometimes | Data accuracy, processing completeness |
| Confidentiality | Usually | Encryption, data classification, access controls |
| Privacy | If personal data | GDPR alignment, consent, data subject rights |
CHECK: Most B2B SaaS selects Security + Availability + Confidentiality
CHECK: SOC 2 audit costs EUR 20k-50k — client bears this cost, not GE
CHECK: GE builds SOC 2-ready infrastructure — the client engages the auditor
Security Controls (SOC 2 Aligned)
SCOPE_ITEM: security_controls
INCLUDES: Encryption at rest (AES-256 for database, file storage)
INCLUDES: Encryption in transit (TLS 1.3 for all connections)
INCLUDES: Access control (RBAC, MFA, least privilege)
INCLUDES: Network security (firewall rules, private subnets, no public DB access)
INCLUDES: Vulnerability management (dependency scanning in CI, Snyk or Trivy)
INCLUDES: Change management (Git-based, PR reviews, CI/CD pipeline)
INCLUDES: Incident response plan (documented, tested annually)
INCLUDES: Business continuity (backup strategy, recovery procedures, RTO/RPO defined)
INCLUDES: Employee security (GE agents operate under Constitution v2 with 10 principles)
INCLUDES: Monitoring and alerting (error tracking, uptime monitoring, anomaly detection)
Evidence Collection
INCLUDES: Automated evidence collection where possible (CI/CD logs, access logs, config exports)
INCLUDES: Quarterly access reviews (who has access to production systems)
INCLUDES: Annual penetration testing report
INCLUDES: Backup restoration test (quarterly)
INCLUDES: Incident response drill (annual)
CHECK: SOC 2 auditors want evidence, not just documentation — automate collection
ISO 27001
SCOPE_ITEM: iso27001_alignment
INCLUDES: Information Security Management System (ISMS) framework
INCLUDES: Risk assessment and treatment plan
INCLUDES: Statement of Applicability (SoA) — controls selected and justified
INCLUDES: Access control policy (A.9)
INCLUDES: Cryptography policy (A.10)
INCLUDES: Operations security (A.12) — change management, capacity management, malware
INCLUDES: Communications security (A.13) — network controls, information transfer
INCLUDES: Supplier relationships (A.15) — sub-processor management
COMPLIANCE: GE aligns to ISO 27001 controls — formal certification is client's decision
CHECK: ISO 27001 and SOC 2 overlap ~70% — build once, certify for both
Audit Logging
SCOPE_ITEM: audit_logging_compliance
Audit Log Requirements
INCLUDES: Append-only log (no update, no delete — ever)
INCLUDES: Every state change recorded (create, update, delete, access)
INCLUDES: Fields: timestamp (UTC, microsecond), actor_type (user/api_key/system), actor_id, action, resource_type, resource_id, tenant_id, ip_address, user_agent, old_value, new_value
INCLUDES: Authentication events (login, logout, failed login, MFA challenge, SSO login)
INCLUDES: Authorization events (permission denied, role change)
INCLUDES: Configuration changes (settings updated, integration connected, webhook added)
INCLUDES: Data access events (export, bulk download, report generation)
COMPLIANCE: Audit log is evidence for SOC 2, ISO 27001, and GDPR accountability
Audit Log Storage
INCLUDES: Separate audit log table (not mixed with application data)
INCLUDES: Partitioned by month (performance and archival)
INCLUDES: Retention: 2 years default (configurable per regulatory requirement)
INCLUDES: Archive to cold storage after active retention period (S3 Glacier or equivalent)
INCLUDES: Audit log integrity (hash chain or digital signature to detect tampering)
OPTIONAL: Audit log forwarded to SIEM (self-hosted Elastic or Grafana Loki preferred; Datadog (US) only if the client explicitly requires it — US-based, EU data sovereignty risk; Splunk (US) carries the same warning)
CHECK: Audit log table grows fast — partition from day one, not when it is too late
Audit Log Access
INCLUDES: Admin panel: audit log viewer with filters (date range, actor, action, resource)
INCLUDES: Export: CSV and JSON export of filtered audit log
INCLUDES: API: audit log query endpoint for enterprise customers
INCLUDES: Per-org audit log (tenant-scoped — org admin sees only their org's audit)
INCLUDES: Platform audit log (client's super admin sees all orgs)
COMPLIANCE: Audit log access itself must be audit-logged (meta-auditing)
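The three audit-logging items above (required fields, hash-chain integrity, tenant-scoped access that is itself logged), as one added worked example that is not GE's own code. Each entry carries the field list from the requirements section, its hash covers every field plus the previous entry's hash, `verify()` reports the first entry whose content or link no longer matches, and `query()` returns only one tenant's rows and appends an `audit_log.read` entry before returning. The `AuditLog` class, the `audit_log.read` action name and the sample actor, tenant and IP values are assumptions made for the demo; the in-memory list stands in for the append-only table.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

GENESIS_HASH = "0" * 64   # prev_hash of the very first entry


@dataclass
class AuditEntry:
    timestamp: str          # UTC ISO-8601 with microseconds
    actor_type: str         # user / api_key / system
    actor_id: str
    action: str
    resource_type: str
    resource_id: str
    tenant_id: str
    ip_address: str
    user_agent: str
    old_value: Optional[Dict[str, Any]]
    new_value: Optional[Dict[str, Any]]
    prev_hash: str          # links this entry to its predecessor
    entry_hash: str         # SHA-256 over every other field, prev_hash included


def _entry_hash(fields: Dict[str, Any]) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the same content always hashes the same."""
    body = {k: v for k, v in fields.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    """In-memory model of the append-only audit table: entries are only ever appended."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, *, actor_type: str, actor_id: str, action: str, resource_type: str,
               resource_id: str, tenant_id: str, ip_address: str, user_agent: str,
               old_value: Optional[Dict[str, Any]] = None, new_value: Optional[Dict[str, Any]] = None,
               timestamp: Optional[str] = None) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        fields = dict(
            timestamp=timestamp or datetime.now(timezone.utc).isoformat(timespec="microseconds"),
            actor_type=actor_type, actor_id=actor_id, action=action,
            resource_type=resource_type, resource_id=resource_id, tenant_id=tenant_id,
            ip_address=ip_address, user_agent=user_agent,
            old_value=old_value, new_value=new_value, prev_hash=prev,
        )
        entry = AuditEntry(**fields, entry_hash=_entry_hash(fields))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Walk the chain; return the index of the first bad entry, or None if the log is intact."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev or _entry_hash(asdict(e)) != e.entry_hash:
                return i
            prev = e.entry_hash
        return None

    def query(self, tenant_id: str, *, viewer_type: str, viewer_id: str, ip_address: str,
              user_agent: str, action: Optional[str] = None) -> List[AuditEntry]:
        """Tenant-scoped read. The read itself is recorded (meta-auditing) before results return."""
        matches = [e for e in self.entries
                   if e.tenant_id == tenant_id and (action is None or e.action == action)]
        self.append(actor_type=viewer_type, actor_id=viewer_id, action="audit_log.read",
                    resource_type="audit_log", resource_id=tenant_id, tenant_id=tenant_id,
                    ip_address=ip_address, user_agent=user_agent,
                    new_value={"filter_action": action, "rows": len(matches)})
        return matches
```

A hash chain detects edits to any stored entry and deletion of any entry except the newest, because nothing after the last entry references it; to close that gap, the latest `entry_hash` is periodically written somewhere the application cannot overwrite (the SIEM forward, or a signed checkpoint in cold storage), which is where the "digital signature" option from the storage section comes in. Note that `query()` appends its own read entry after collecting matches, so a viewer never sees the record of their own current read in the result set, only in later ones.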
Data Residency
SCOPE_ITEM: data_residency
INCLUDES: All data stored in EU by default (Hetzner Falkenstein/Nuremberg, OVH Strasbourg, or AWS eu-west-1)
INCLUDES: Database, file storage, backups, logs — all in same EU region
INCLUDES: No data transfer to non-EU processors without SCCs
INCLUDES: Data residency documented in DPA and trust center
OPTIONAL: Region selection per tenant (EU, US, APAC) for global products
IF: Multi-region required THEN: Budget 80-120 extra hours for multi-region infrastructure (separate DB, routing, replication)
CHECK: Data residency is a contractual promise — violating it is a breach of contract and GDPR
CHECK: CDN edge caching may replicate data outside EU — configure CDN to EU-only origins
Data Retention
SCOPE_ITEM: data_retention
INCLUDES: Retention policy documented per data category
INCLUDES: Active data: retained while subscription is active
INCLUDES: Post-cancellation: 90 days (customer can reactivate and recover data)
INCLUDES: Post-deletion request: 30 days maximum (GDPR)
INCLUDES: Audit logs: 2 years (or as required by regulation)
INCLUDES: Backups: 30 days rolling, then deleted
INCLUDES: Transactional emails: logs retained 90 days, content not stored
INCLUDES: Automated cleanup jobs run daily to enforce retention policy
CHECK: Document retention periods during scoping — they affect storage cost estimates
CHECK: Retention policy must be in DPA and terms of service
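The retention policy above turned into the daily cleanup job it calls for, as an added example (not GE's own code). The periods are the ones stated in this section; the rule for tenant data is that active data has no expiry, and when both a cancellation and a deletion request apply, the earlier obligation wins. The `Record` shape, the category names and the sample records are constructed for the demo; dates are accepted as ISO strings or `date` objects so the job can be fed rows straight from a database export.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple, Union

DateLike = Union[str, date]

# Fixed retention periods in days, per category, as stated in the policy.
RETENTION_DAYS: Dict[str, int] = {
    "audit_log": 730,   # 2 years
    "backup": 30,       # rolling
    "email_log": 90,    # transactional email logs; content is never stored
}
POST_CANCELLATION_DAYS = 90       # customer can still reactivate within this window
POST_DELETION_REQUEST_DAYS = 30   # GDPR ceiling after a deletion request


def _as_date(value: Optional[DateLike]) -> Optional[date]:
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


@dataclass
class Record:
    record_id: str
    category: str                                   # tenant_data | audit_log | backup | email_log | email_content
    tenant_id: str
    created: DateLike
    tenant_cancelled: Optional[DateLike] = None     # tenant_data only
    deletion_requested: Optional[DateLike] = None   # tenant_data only


def expiry_date(rec: Record) -> Optional[date]:
    """Date from which the record must be gone; None means retained while the subscription is active."""
    created = _as_date(rec.created)
    if rec.category == "email_content":
        return created   # never stored, so due the day it appears
    if rec.category in RETENTION_DAYS:
        return created + timedelta(days=RETENTION_DAYS[rec.category])
    if rec.category != "tenant_data":
        raise ValueError(f"no retention rule for category {rec.category!r}")
    due: List[date] = []
    if rec.deletion_requested is not None:
        due.append(_as_date(rec.deletion_requested) + timedelta(days=POST_DELETION_REQUEST_DAYS))
    if rec.tenant_cancelled is not None:
        due.append(_as_date(rec.tenant_cancelled) + timedelta(days=POST_CANCELLATION_DAYS))
    return min(due) if due else None   # earliest obligation wins


def run_daily_cleanup(records: List[Record], today: DateLike) -> Tuple[List[Record], List[str]]:
    """Return (records still retained, ids deleted today). Meant to run once a day from a scheduler."""
    today = _as_date(today)
    kept: List[Record] = []
    deleted: List[str] = []
    for rec in records:
        due = expiry_date(rec)
        if due is not None and due <= today:
            deleted.append(rec.record_id)
        else:
            kept.append(rec)
    return kept, deleted


# Constructed sample rows, evaluated as of 2024-06-01.
SAMPLE_RECORDS = [
    Record("b1", "backup", "org-a", "2024-05-01"),                 # due 2024-05-31: delete
    Record("b2", "backup", "org-a", "2024-05-03"),                 # due 2024-06-02: keep
    Record("a1", "audit_log", "org-a", "2022-05-30"),              # due 2024-05-29: delete
    Record("t1", "tenant_data", "org-a", "2023-01-01"),            # active: keep
    Record("t2", "tenant_data", "org-b", "2023-01-01", tenant_cancelled="2024-02-01"),   # due 2024-05-01
    Record("t3", "tenant_data", "org-c", "2023-01-01",
           tenant_cancelled="2024-05-01", deletion_requested="2024-05-15"),             # due 2024-06-14
    Record("e1", "email_content", "org-a", "2024-06-01"),          # due today: delete
]

if __name__ == "__main__":
    kept, deleted = run_daily_cleanup(SAMPLE_RECORDS, "2024-06-01")
    print("deleted:", deleted, "kept:", [r.record_id for r in kept])
```

Unknown categories raise rather than being silently retained, because a new data category that nobody mapped to a retention period is exactly the case that turns into an unbounded store and a gap in the DPA.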
Right to Audit
SCOPE_ITEM: right_to_audit
INCLUDES: DPA grants customer right to audit processor (GDPR Article 28)
INCLUDES: Audit scope: security controls, data handling, sub-processor compliance
INCLUDES: Preferred mechanism: SOC 2 Type II report or ISO 27001 certificate (no on-site audit)
INCLUDES: If customer insists on on-site audit: max 1 per year, 30 days notice, customer bears cost
INCLUDES: Audit findings addressed with remediation plan and timeline
CHECK: SOC 2 report satisfies 95% of audit requests — push this over on-site audits
CHECK: Right to audit clause must have reasonable limitations in DPA (frequency, scope, notice)
Trust Center
SCOPE_ITEM: trust_center
INCLUDES: Public page on client's website showing security and compliance posture
INCLUDES: Content: certifications, compliance badges, security practices summary
INCLUDES: Downloads: DPA template, sub-processor list, security whitepaper
INCLUDES: SOC 2 report available under NDA (request form)
INCLUDES: Status page link (uptime monitoring)
INCLUDES: Contact: security@client.com for vulnerability reports
OPTIONAL: Penetration test summary (redacted, available under NDA)
CHECK: Trust center is a sales tool — reduces security review friction
CHECK: Budget 10-20 hours for trust center page