Enterprise Security & Compliance
Complete guide to security compliance including SOC 2, GDPR, security questionnaires, and penetration testing
The Enterprise Security workflow guides you through achieving and maintaining security compliance required for enterprise customers, including SOC 2, GDPR, and handling security assessments.
Overview#
| Property | Value |
|---|---|
| Phases | 4 |
| Tier | Business |
| Typical Duration | 3-6 months (SOC 2), ongoing |
| Best For | B2B SaaS, regulated industries, enterprise sales |
Why Security Compliance Matters#
Enterprise customers require security compliance for several reasons:
- Risk management - They need assurance you won't compromise their data
- Regulatory requirements - Many are subject to regulations that extend to vendors
- Procurement policy - Security review is often mandatory for vendor approval
- Due diligence - Investors and acquirers expect security maturity
Without compliance, you'll face:
- Longer sales cycles (security review bottleneck)
- Lost deals to compliant competitors
- Excluded from RFPs requiring certification
- Higher insurance premiums
Compliance Landscape#
┌─────────────────────────────────────────────────────────────────────────┐
│ COMPLIANCE REQUIREMENTS MAP │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ SOC 2 GDPR HIPAA │
│ ├─ Security ├─ Lawful basis ├─ PHI handling │
│ ├─ Availability ├─ Data rights ├─ Access controls │
│ ├─ Processing integrity ├─ Breach notification ├─ Audit controls │
│ ├─ Confidentiality ├─ DPA required ├─ Encryption │
│ └─ Privacy └─ Privacy by design └─ BAA required │
│ │
│ ISO 27001 PCI DSS CCPA │
│ ├─ ISMS framework ├─ Card data handling ├─ Consumer rights │
│ ├─ Risk assessment ├─ Network security ├─ Data selling │
│ ├─ Policy controls ├─ Encryption ├─ Opt-out │
│ └─ Continuous improve └─ Regular testing └─ Privacy notice │
│ │
├─────────────────────────────────────────────────────────────────────────┤
│ RECOMMENDATION FOR B2B SAAS: │
│ Start with SOC 2 Type II + GDPR compliance │
│ Add HIPAA/PCI only if handling health/payment data │
└─────────────────────────────────────────────────────────────────────────┘
Phases#
Phase 1: Gap Assessment (2-4 weeks)#
Agents: security-expert, architecture-expert
Assess current security posture against compliance requirements.
Tasks:
- Review current security controls
- Identify gaps against SOC 2 Trust Service Criteria
- Assess GDPR compliance requirements
- Document current policies and procedures
- Create remediation roadmap
SOC 2 Gap Assessment Checklist:
1## SOC 2 Trust Service Criteria - Gap Assessment
2
3### CC - Common Criteria (Security)
4
5#### CC1 - Control Environment
6- [ ] Security policies documented and communicated
7- [ ] Organizational structure with clear responsibilities
8- [ ] Board/management oversight of security
9- [ ] Commitment to ethics and integrity
10
11#### CC2 - Communication and Information
12- [ ] Information security policy communicated
13- [ ] Security training provided to employees
14- [ ] External communication of security commitments
15- [ ] Incident reporting mechanisms in place
16
17#### CC3 - Risk Assessment
18- [ ] Risk assessment process documented
19- [ ] Regular risk assessments conducted
20- [ ] Risks prioritized and tracked
21- [ ] Changes assessed for risk impact
22
23#### CC4 - Monitoring Activities
24- [ ] Continuous monitoring implemented
25- [ ] Deficiencies identified and remediated
26- [ ] Internal audit function exists
27- [ ] Security metrics tracked
28
29#### CC5 - Control Activities
30- [ ] Access controls implemented
31- [ ] Technology controls deployed
32- [ ] Policies implemented through technology
33- [ ] Segregation of duties enforced
34
35#### CC6 - Logical and Physical Access
36- [ ] Authentication mechanisms (MFA)
37- [ ] Authorization matrix defined
38- [ ] Access reviews conducted
39- [ ] Physical security controls
40
41#### CC7 - System Operations
42- [ ] Vulnerability management process
43- [ ] Incident management process
44- [ ] Business continuity planning
45- [ ] Change management process
46
47#### CC8 - Change Management
48- [ ] Change management policy
49- [ ] Testing before deployment
50- [ ] Approval workflows
51- [ ] Rollback procedures
52
53#### CC9 - Risk Mitigation
54- [ ] Vendor management process
55- [ ] Vendor security assessments
56- [ ] Contractual obligations enforced
57- [ ] Business recovery planningGap Analysis Template:
1// lib/compliance/gap-assessment.ts
2
3interface ControlAssessment {
4 controlId: string;
5 description: string;
6 status: 'compliant' | 'partial' | 'non-compliant' | 'not-applicable';
7 currentState: string;
8 gap: string;
9 remediation: string;
10 effort: 'low' | 'medium' | 'high';
11 priority: 'critical' | 'high' | 'medium' | 'low';
12 owner: string;
13 targetDate: Date;
14}
15
16const assessmentResults: ControlAssessment[] = [
17 {
18 controlId: "CC6.1",
19 description: "Logical access security",
20 status: "partial",
21 currentState: "Basic password authentication, no MFA",
22 gap: "Multi-factor authentication not enforced",
23 remediation: "Implement MFA for all user accounts using TOTP",
24 effort: "medium",
25 priority: "critical",
26 owner: "Security Team",
27 targetDate: new Date("2024-04-01")
28 },
29 {
30 controlId: "CC7.2",
31 description: "Vulnerability management",
32 status: "non-compliant",
33 currentState: "Ad-hoc vulnerability scanning",
34 gap: "No regular scanning schedule or tracking",
35 remediation: "Implement continuous vulnerability scanning with Snyk",
36 effort: "low",
37 priority: "high",
38 owner: "DevOps Team",
39 targetDate: new Date("2024-03-15")
40 }
41 // ... more assessments
42];Phase 2: Remediation (6-12 weeks)#
Agents: security-expert, backend-expert, devops-expert
Implement controls and fixes identified in the gap assessment.
Tasks:
- Implement technical controls
- Create and update policies
- Deploy security tooling
- Train employees
- Document all controls
Security Controls Implementation:
1// middleware.ts - Security Headers
2
3import { NextResponse } from 'next/server';
4import type { NextRequest } from 'next/server';
5
6export function middleware(request: NextRequest) {
7 const response = NextResponse.next();
8
9 // Security headers (required for compliance)
10 const headers = {
11 // Prevent clickjacking
12 'X-Frame-Options': 'DENY',
13
14 // Prevent MIME sniffing
15 'X-Content-Type-Options': 'nosniff',
16
17 // XSS protection
18 'X-XSS-Protection': '1; mode=block',
19
20 // Referrer policy
21 'Referrer-Policy': 'strict-origin-when-cross-origin',
22
23 // Content Security Policy
24 'Content-Security-Policy': [
25 "default-src 'self'",
26 "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
27 "style-src 'self' 'unsafe-inline'",
28 "img-src 'self' data: https:",
29 "font-src 'self'",
30 "connect-src 'self' https://api.example.com",
31 "frame-ancestors 'none'",
32 "base-uri 'self'",
33 "form-action 'self'"
34 ].join('; '),
35
36 // HSTS
37 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
38
39 // Permissions Policy
40 'Permissions-Policy': [
41 'camera=()',
42 'microphone=()',
43 'geolocation=()',
44 'interest-cohort=()'
45 ].join(', ')
46 };
47
48 Object.entries(headers).forEach(([key, value]) => {
49 response.headers.set(key, value);
50 });
51
52 return response;
53}Audit Logging for Compliance:
1// lib/audit/compliance-logger.ts
2
3import { PrismaClient } from '@prisma/client';
4
5const prisma = new PrismaClient();
6
7export interface AuditLogEntry {
8 timestamp: Date;
9 eventType: string;
10 actor: {
11 userId: string;
12 email: string;
13 role: string;
14 ipAddress: string;
15 userAgent: string;
16 };
17 resource: {
18 type: string;
19 id: string;
20 };
21 action: string;
22 outcome: 'success' | 'failure';
23 details: Record<string, unknown>;
24}
25
26export async function logSecurityEvent(entry: AuditLogEntry): Promise<void> {
27 // Write to immutable audit log
28 await prisma.auditLog.create({
29 data: {
30 timestamp: entry.timestamp,
31 eventType: entry.eventType,
32 actorUserId: entry.actor.userId,
33 actorEmail: entry.actor.email,
34 actorRole: entry.actor.role,
35 actorIp: entry.actor.ipAddress,
36 actorUserAgent: entry.actor.userAgent,
37 resourceType: entry.resource.type,
38 resourceId: entry.resource.id,
39 action: entry.action,
40 outcome: entry.outcome,
41 details: entry.details,
42 // Hash for tamper detection
43 integrityHash: computeHash(entry)
44 }
45 });
46
47 // Alert on suspicious activity
48 if (shouldAlert(entry)) {
49 await sendSecurityAlert(entry);
50 }
51}
52
53// Required security events to log
54const REQUIRED_EVENTS = [
55 'user.login',
56 'user.logout',
57 'user.login_failed',
58 'user.password_change',
59 'user.mfa_enabled',
60 'user.mfa_disabled',
61 'user.created',
62 'user.deleted',
63 'permission.granted',
64 'permission.revoked',
65 'data.export',
66 'data.deletion',
67 'api_key.created',
68 'api_key.revoked',
69 'settings.changed',
70 'admin.action'
71];Data Protection Implementation:
1// lib/security/encryption.ts
2
3import { createCipheriv, createDecipheriv, randomBytes, scrypt } from 'crypto';
4import { promisify } from 'util';
5
6const scryptAsync = promisify(scrypt);
7
8// Encryption for sensitive fields (PII, etc.)
9export async function encryptField(
10 plaintext: string,
11 purpose: string
12): Promise<string> {
13 const iv = randomBytes(16);
14 const key = await deriveKey(purpose);
15 const cipher = createCipheriv('aes-256-gcm', key, iv);
16
17 const encrypted = Buffer.concat([
18 cipher.update(plaintext, 'utf8'),
19 cipher.final()
20 ]);
21
22 const authTag = cipher.getAuthTag();
23
24 // Format: iv:authTag:ciphertext (all base64)
25 return [
26 iv.toString('base64'),
27 authTag.toString('base64'),
28 encrypted.toString('base64')
29 ].join(':');
30}
31
32export async function decryptField(
33 ciphertext: string,
34 purpose: string
35): Promise<string> {
36 const [ivB64, authTagB64, encryptedB64] = ciphertext.split(':');
37
38 const iv = Buffer.from(ivB64, 'base64');
39 const authTag = Buffer.from(authTagB64, 'base64');
40 const encrypted = Buffer.from(encryptedB64, 'base64');
41
42 const key = await deriveKey(purpose);
43 const decipher = createDecipheriv('aes-256-gcm', key, iv);
44 decipher.setAuthTag(authTag);
45
46 return decipher.update(encrypted) + decipher.final('utf8');
47}
48
49async function deriveKey(purpose: string): Promise<Buffer> {
50 const masterKey = process.env.ENCRYPTION_MASTER_KEY!;
51 return await scryptAsync(masterKey, purpose, 32) as Buffer;
52}Phase 3: SOC 2 Audit (4-8 weeks)#
Agents: security-expert
Work with an auditor to complete SOC 2 Type II certification.
Tasks:
- Select SOC 2 auditor
- Prepare evidence documentation
- Complete readiness assessment
- Address auditor findings
- Obtain report
SOC 2 Evidence Preparation:
1## Evidence Collection Guide
2
3### CC6 - Logical and Physical Access Controls
4
5#### CC6.1 - Logical Access Security
6Evidence needed:
7- [ ] Access control policy document
8- [ ] User provisioning procedure
9- [ ] List of all systems with access controls
10- [ ] Screenshots of authentication settings (MFA enabled)
11- [ ] Sample user access review documentation
12
13#### CC6.2 - New Logical Access
14Evidence needed:
15- [ ] Onboarding procedure document
16- [ ] Sample new hire access tickets
17- [ ] Approval workflow screenshots
18- [ ] Role-to-permission mapping document
19
20#### CC6.3 - Access Removal
21Evidence needed:
22- [ ] Offboarding procedure document
23- [ ] Sample termination access removal tickets
24- [ ] Evidence of timely access revocation
25- [ ] Automated deprovisioning logs
26
27### CC7 - System Operations
28
29#### CC7.1 - Vulnerability Management
30Evidence needed:
31- [ ] Vulnerability management policy
32- [ ] Scan reports (monthly)
33- [ ] Remediation tracking spreadsheet
34- [ ] Penetration test report
35- [ ] Evidence of patch management
36
37#### CC7.2 - Incident Management
38Evidence needed:
39- [ ] Incident response plan
40- [ ] Incident tracking system screenshots
41- [ ] Sample incident reports
42- [ ] Post-mortem documents
43- [ ] Incident metrics dashboardSOC 2 Timeline:
┌─────────────────────────────────────────────────────────────────────────┐
│ SOC 2 TYPE II TIMELINE │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ Month 1-2: Gap Assessment & Remediation Planning │
│ ├─ Engage auditor for readiness assessment │
│ ├─ Identify control gaps │
│ └─ Create remediation roadmap │
│ │
│ Month 3-4: Control Implementation │
│ ├─ Implement missing controls │
│ ├─ Document policies and procedures │
│ └─ Deploy monitoring and logging │
│ │
│ Month 5: Type I Audit (optional but recommended) │
│ ├─ Point-in-time assessment │
│ ├─ Validates controls are in place │
│ └─ Get early feedback before Type II │
│ │
│ Month 6-11: Observation Period (Type II requires 6+ months) │
│ ├─ Controls operating effectively │
│ ├─ Collecting evidence │
│ └─ Addressing any issues │
│ │
│ Month 12: Type II Audit │
│ ├─ Auditor reviews evidence │
│ ├─ Tests control effectiveness │
│ └─ Issues final report │
│ │
│ Ongoing: Annual re-certification │
└─────────────────────────────────────────────────────────────────────────┘
Phase 4: GDPR Compliance (2-4 weeks)#
Agents: security-expert, legal-expert
Implement GDPR requirements for handling EU personal data.
Tasks:
- Document lawful basis for processing
- Implement data subject rights
- Create privacy notices
- Prepare Data Processing Agreement
- Implement breach notification process
GDPR Compliance Checklist:
1## GDPR Compliance Requirements
2
3### Lawful Basis for Processing
4- [ ] Documented lawful basis for each processing activity
5- [ ] Consent mechanism implemented (where required)
6- [ ] Legitimate interest assessments completed
7- [ ] Records of processing activities maintained
8
9### Data Subject Rights
10- [ ] Right to access (data export)
11- [ ] Right to rectification (update data)
12- [ ] Right to erasure (delete account)
13- [ ] Right to restrict processing
14- [ ] Right to data portability (export in machine-readable format)
15- [ ] Right to object (opt-out)
16
17### Privacy Documentation
18- [ ] Privacy policy (clear, accessible)
19- [ ] Cookie policy and consent banner
20- [ ] Data Processing Agreement template
21- [ ] Internal data protection policy
22
23### Data Protection
24- [ ] Privacy by design implemented
25- [ ] Data minimization practiced
26- [ ] Encryption at rest and in transit
27- [ ] Access controls limiting data access
28- [ ] Retention periods defined and enforced
29
30### Breach Management
31- [ ] Breach detection mechanisms
32- [ ] Breach notification procedure (72 hours)
33- [ ] Breach register maintained
34- [ ] DPO designated (if required)Data Subject Rights Implementation:
1// app/api/privacy/export/route.ts
2// Right to access / data portability
3
4import { NextResponse } from 'next/server';
5import { auth } from '@/lib/auth';
6import { prisma } from '@/lib/prisma';
7
8export async function POST(request: Request) {
9 const session = await auth();
10 if (!session) {
11 return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
12 }
13
14 // Gather all user data
15 const userData = await prisma.user.findUnique({
16 where: { id: session.user.id },
17 include: {
18 profile: true,
19 projects: true,
20 activityLogs: true,
21 preferences: true,
22 }
23 });
24
25 // Format for portability (JSON)
26 const exportData = {
27 exportDate: new Date().toISOString(),
28 user: {
29 email: userData.email,
30 name: userData.name,
31 createdAt: userData.createdAt,
32 },
33 profile: userData.profile,
34 projects: userData.projects.map(p => ({
35 name: p.name,
36 createdAt: p.createdAt,
37 // ... other fields
38 })),
39 activityHistory: userData.activityLogs,
40 preferences: userData.preferences,
41 };
42
43 // Log the export request
44 await logSecurityEvent({
45 eventType: 'data.export',
46 actor: {
47 userId: session.user.id,
48 email: session.user.email,
49 // ...
50 },
51 action: 'GDPR data export requested',
52 outcome: 'success'
53 });
54
55 return NextResponse.json(exportData);
56}1// app/api/privacy/delete/route.ts
2// Right to erasure
3
4export async function POST(request: Request) {
5 const session = await auth();
6 if (!session) {
7 return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
8 }
9
10 const { confirmation } = await request.json();
11
12 if (confirmation !== 'DELETE MY ACCOUNT') {
13 return NextResponse.json(
14 { error: 'Confirmation required' },
15 { status: 400 }
16 );
17 }
18
19 // Soft delete with retention period for legal requirements
20 await prisma.user.update({
21 where: { id: session.user.id },
22 data: {
23 deletedAt: new Date(),
24 deleteScheduledAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days
25 email: `deleted_${session.user.id}@deleted.local`,
26 name: '[Deleted User]',
27 }
28 });
29
30 // Anonymize related data
31 await prisma.activityLog.updateMany({
32 where: { userId: session.user.id },
33 data: { userId: null, anonymized: true }
34 });
35
36 // Log deletion request
37 await logSecurityEvent({
38 eventType: 'data.deletion',
39 actor: {
40 userId: session.user.id,
41 email: session.user.email,
42 },
43 action: 'GDPR deletion requested',
44 outcome: 'success'
45 });
46
47 // Terminate all sessions
48 await prisma.session.deleteMany({
49 where: { userId: session.user.id }
50 });
51
52 return NextResponse.json({
53 message: 'Account scheduled for deletion',
54 deletionDate: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000)
55 });
56}Security Questionnaire Responses#
Common Questions and Answers:
1## Security Questionnaire Template Responses
2
3### Data Security
4
5**Q: How is customer data protected?**
6A: Customer data is protected through multiple layers of security:
7- Encryption at rest using AES-256
8- Encryption in transit using TLS 1.3
9- Access controls limiting data access to authorized personnel
10- Regular security assessments and penetration testing
11- SOC 2 Type II certified infrastructure
12
13**Q: Where is data stored?**
14A: Data is stored in [Cloud Provider] data centers in [Region].
15For enterprise customers, we offer data residency options in
16US, EU, and APAC regions.
17
18**Q: How long is data retained?**
19A: Active account data is retained for the duration of the
20subscription. Upon account deletion, data is purged within
2130 days except where legal retention requirements apply.
22
23### Access Control
24
25**Q: What authentication methods are supported?**
26A: We support:
27- Email/password with complexity requirements
28- Multi-factor authentication (TOTP, SMS, WebAuthn)
29- Single Sign-On via SAML 2.0 and OIDC
30- Social login (Google, Microsoft)
31
32**Q: How are user sessions managed?**
33A: Sessions are:
34- Secured with HttpOnly, Secure cookies
35- Expire after 24 hours of inactivity
36- Can be remotely terminated by admins
37- Logged with IP and device information
38
39### Incident Response
40
41**Q: What is your breach notification policy?**
42A: We notify affected customers within 72 hours of confirmed
43breach detection, in compliance with GDPR requirements.
44Notification includes nature of breach, data affected,
45and remediation steps.
46
47**Q: Do you have an incident response plan?**
48A: Yes, our incident response plan includes:
49- 24/7 monitoring and alerting
50- Defined escalation procedures
51- Communication templates
52- Post-incident review process
53- Annual tabletop exercisesStarting the Workflow#
1# Start security compliance workflow
2bootspring workflow start enterprise-security
3
4# Run gap assessment
5bootspring enterprise security assess
6
7# Generate security documentation
8bootspring enterprise security docs
9
10# Prepare for SOC 2 audit
11bootspring enterprise soc2 prepareDeliverables#
A successful Enterprise Security workflow produces:
- Gap assessment report
- Remediation roadmap
- Security policies and procedures
- SOC 2 Type II report
- GDPR compliance documentation
- Data Processing Agreement template
- Security questionnaire responses
- Incident response plan
Best Practices#
- Start early - Compliance takes months, not weeks
- Automate evidence collection - Manual collection doesn't scale
- Build security into the product - Retrofitting is expensive
- Document as you go - Auditors love documentation
- Train your team - Security is everyone's responsibility
- Plan for ongoing compliance - It's not a one-time project
Compliance Cost Estimates#
| Item | Cost Range | Notes |
|---|---|---|
| SOC 2 auditor | $20K-$50K | Annual, varies by complexity |
| Compliance platform | $10K-$30K/year | Vanta, Drata, Secureframe |
| Penetration test | $5K-$20K | Annual, scope-dependent |
| Security tools | $5K-$20K/year | SIEM, vulnerability scanning |
| Internal effort | 2-3 months FTE | Initial implementation |