Security Checklist
Common security vulnerabilities in AI-generated applications relevant to regulatory frameworks like GDPR, SOC2, HIPAA, and PCI DSS. This is an educational resource, not legal or compliance advice.
Security Best Practices
This checklist covers common security vulnerabilities that may be relevant to various regulatory frameworks. It is provided for educational purposes only. For actual compliance requirements, consult qualified legal and compliance professionals. VibeEval is a vulnerability scanner, not a compliance audit or certification tool.
GDPR Compliance (EU Data Protection)
Data Processing Agreements
Document legal basis for processing personal data and maintain records of processing activities
Implementation:
Create data processing registry, maintain user consent records, document legitimate interests
Right to Access and Portability
Users can request copies of their data in machine-readable format and transfer to another service
Implementation:
Build data export endpoint returning JSON, implement self-service data download feature
Right to Erasure
Users can request deletion of their personal data. Respond without undue delay and in any case within one month of the request (extendable by two further months for complex requests); where another legal obligation requires retention, anonymize the data instead of deleting it
Implementation:
Implement account deletion with cascading deletes, anonymize instead of delete where retention required
Data Breach Notification
Report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, where feasible, and notify affected users without undue delay when the breach is likely to result in a high risk to them
Implementation:
Create incident response plan, implement security monitoring, maintain contact list for notifications
Privacy by Design
Build privacy protections into system architecture, not as afterthought
Implementation:
Minimize data collection, implement encryption by default, use pseudonymization where possible
Consent Management
Where consent is the legal basis for processing, it must be freely given, specific, informed and unambiguous (explicit for special-category data such as health data), and withdrawing it must be as easy as giving it
Implementation:
Implement granular consent checkboxes, maintain consent audit log, allow users to revoke consent
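The GDPR items above (access and portability, erasure with anonymization where retention is required, and an append-only consent log) implemented together in Python, as an added example that is not VibeEval code and not taken from any framework. The in-memory tables, the field names and the rule that invoices are retained under a legal obligation are assumptions for illustration.

```python
import json
import secrets
from datetime import datetime, timezone

# Constructed in-memory tables standing in for the application database.
USERS = {"u1": {"id": "u1", "email": "alice@example.com", "name": "Alice"}}
ORDERS = {"o1": {"id": "o1", "user_id": "u1", "total": 42.0, "ship_to": "1 Main St"}}
# Assumption: invoices fall under a legal retention obligation (e.g. tax law),
# so on erasure they are anonymized rather than deleted.
INVOICES = {"i1": {"id": "i1", "user_id": "u1", "amount": 42.0, "billing_name": "Alice"}}
CONSENT_LOG = []  # append-only audit trail: one entry per grant or withdrawal


def _now():
    return datetime.now(timezone.utc).isoformat()


def record_consent(user_id, purpose, granted):
    """Append a consent event. Existing entries are never edited, so the log
    can show later exactly what the user had agreed to at any point in time."""
    entry = {"user_id": user_id, "purpose": purpose,
             "granted": bool(granted), "at": _now()}
    CONSENT_LOG.append(entry)
    return entry


def has_consent(user_id, purpose):
    """Current state is the latest event for (user, purpose); no event means no consent."""
    for entry in reversed(CONSENT_LOG):
        if entry["user_id"] == user_id and entry["purpose"] == purpose:
            return entry["granted"]
    return False


def export_user_data(user_id):
    """Right of access / portability: every record linked to the user, as plain data."""
    if user_id not in USERS:
        raise KeyError(user_id)
    return {
        "exported_at": _now(),
        "profile": dict(USERS[user_id]),
        "orders": [dict(o) for o in ORDERS.values() if o["user_id"] == user_id],
        "invoices": [dict(i) for i in INVOICES.values() if i["user_id"] == user_id],
        "consents": [dict(c) for c in CONSENT_LOG if c["user_id"] == user_id],
    }


def export_user_json(user_id):
    """What a self-service download endpoint would return as application/json."""
    return json.dumps(export_user_data(user_id), indent=2, sort_keys=True)


def erase_user(user_id):
    """Right to erasure: delete rows that can be deleted, pseudonymize rows that
    must be retained, and store no link between the pseudonym and the user."""
    if user_id not in USERS:
        raise KeyError(user_id)
    # Random token kept nowhere else, so retained rows cannot be re-identified.
    pseudonym = "erased-" + secrets.token_hex(8)
    del USERS[user_id]
    doomed = [oid for oid, o in ORDERS.items() if o["user_id"] == user_id]
    for oid in doomed:
        del ORDERS[oid]
    anonymized = 0
    for inv in INVOICES.values():
        if inv["user_id"] == user_id:
            inv["user_id"] = pseudonym
            inv["billing_name"] = "[erased]"
            anonymized += 1
    # Consent history is kept as evidence of lawful processing, but unlinked.
    for entry in CONSENT_LOG:
        if entry["user_id"] == user_id:
            entry["user_id"] = pseudonym
    return {"deleted_orders": len(doomed), "anonymized_invoices": anonymized}


if __name__ == "__main__":
    record_consent("u1", "marketing", True)
    record_consent("u1", "marketing", False)
    print(export_user_json("u1"))
    print(erase_user("u1"))
```

The pseudonym is generated at erasure time and never written anywhere except the retained rows, which is what makes the anonymization hold: if the mapping were kept, the invoices would still be personal data.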
SOC2 Compliance (Security & Availability)
Access Control Policies
Implement least privilege access and regular access reviews
Implementation:
Use RBAC, audit user permissions quarterly, remove access when employees leave
Security Monitoring
Monitor systems for security incidents and maintain audit logs
Implementation:
Enable database audit logs, monitor failed authentication, alert on suspicious activity
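Monitoring failed authentication is only useful if something turns the log lines into alerts. Below, as an added example (not VibeEval code), is detection logic run over a few constructed authentication log lines: it flags a burst of failures from one address, failures spread across several accounts from one address (password spraying), and a login that succeeds while that address is still above the failure threshold. The log line format and the thresholds are assumptions; adjust them to the application's own logging.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log; the one-line-per-attempt format is an assumption.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth FAIL user=alice ip=203.0.113.5
2024-03-01T10:00:03Z auth FAIL user=alice ip=203.0.113.5
2024-03-01T10:00:05Z auth FAIL user=bob ip=203.0.113.5
2024-03-01T10:00:07Z auth FAIL user=carol ip=203.0.113.5
2024-03-01T10:00:09Z auth FAIL user=dave ip=203.0.113.5
2024-03-01T10:00:11Z auth OK user=alice ip=203.0.113.5
2024-03-01T10:05:00Z auth FAIL user=erin ip=198.51.100.7
2024-03-01T10:30:00Z auth OK user=erin ip=198.51.100.7
"""

LINE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) ip=(\S+)$")


def parse_events(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not crashed on."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, outcome, user, ip = m.groups()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               "ok": outcome == "OK", "user": user, "ip": ip}


def detect(text, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Return alerts as (kind, ip, user, timestamp) tuples.

    brute_force            - fail_threshold failures from one IP inside the window
    password_spray         - failures against spray_users distinct accounts from one IP
    success_after_failures - a login succeeds from an IP still above the failure threshold
    Each alert fires once, when its threshold is crossed.
    """
    alerts = []
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) for failures in the window
    for ev in parse_events(text):
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        if ev["ok"]:
            if len(q) >= fail_threshold:
                alerts.append(("success_after_failures", ev["ip"], ev["user"], ev["ts"].isoformat()))
            continue
        new_user = ev["user"] not in {u for _, u in q}
        q.append((ev["ts"], ev["user"]))
        if len(q) == fail_threshold:
            alerts.append(("brute_force", ev["ip"], None, ev["ts"].isoformat()))
        if new_user and len({u for _, u in q}) == spray_users:
            alerts.append(("password_spray", ev["ip"], None, ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The success-after-failures rule is the one worth paging on: a brute-force burst that ends in a successful login is the signature of a compromised account, not just noise.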
Change Management
Document and review changes to production systems before deployment
Implementation:
Require code review, maintain change log, implement rollback procedures
Vendor Management
Assess security of third-party services processing customer data
Implementation:
Review vendor SOC2 reports, document data sharing agreements, audit vendor access
Business Continuity
Maintain backups and disaster recovery procedures to ensure availability
Implementation:
Automate database backups, test restore procedures, document recovery time objectives
Security Awareness Training
Train employees on security best practices and compliance requirements
Implementation:
Security training for all staff at onboarding and at least annually, track completion, refresh materials as threats and policies change
HIPAA Compliance (Healthcare Data)
Encryption of PHI
Encrypt protected health information at rest and in transit
Implementation:
Enable database encryption, enforce TLS, use field-level encryption for sensitive medical data
Access Logs and Audit Trails
Log all access to protected health information with timestamps and user IDs
Implementation:
Enable database audit logging, log API access to patient records, retain logs for 6 years
Business Associate Agreements
Signed agreements with vendors processing health data
Implementation:
Execute BAAs with cloud providers, database vendors, and analytics services
Minimum Necessary Access
Limit access to minimum PHI necessary to perform job functions
Implementation:
Implement role-based access limiting data visibility, audit access patterns regularly
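The two items above (audit trails and minimum necessary access) are easiest to get right in one place: the function that reads a patient record. Below, as an added example (not VibeEval code), a PHI read path that returns only the fields the caller's role needs, logs every access attempt with timestamp, user ID, patient ID, fields and purpose, and a review helper that flags users viewing more distinct patients than their job plausibly requires. The patient records, the role-to-field policy and the field names are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample PHI records; field names are an assumption.
PATIENTS = {
    "p100": {"name": "Ann Lee", "dob": "1980-02-14", "phone": "555-0100",
             "diagnosis": "Type 2 diabetes", "medications": ["metformin"], "insurance_id": "INS-7781"},
    "p101": {"name": "Ben Ortiz", "dob": "1975-09-30", "phone": "555-0101",
             "diagnosis": "Hypertension", "medications": ["lisinopril"], "insurance_id": "INS-1204"},
    "p102": {"name": "Cara Diaz", "dob": "1992-06-02", "phone": "555-0102",
             "diagnosis": "Asthma", "medications": ["albuterol"], "insurance_id": "INS-5590"},
}

# Assumed policy: each role sees only the fields its job function needs.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
    "scheduler": {"name", "phone"},
}

AUDIT_LOG = []  # in production: an append-only store retained for at least 6 years


class AccessDenied(Exception):
    pass


def _audit(user_id, role, patient_id, fields, purpose, outcome):
    entry = {"at": datetime.now(timezone.utc).isoformat(), "user_id": user_id, "role": role,
             "patient_id": patient_id, "fields": sorted(fields), "purpose": purpose,
             "outcome": outcome}
    AUDIT_LOG.append(entry)
    return entry


def read_patient(user_id, role, patient_id, purpose):
    """Return only the PHI fields the caller's role may see, and log the attempt
    (who, when, which patient, which fields, why) whether it is allowed or not."""
    if role not in ROLE_FIELDS:
        _audit(user_id, role, patient_id, [], purpose, "denied")
        raise AccessDenied(f"role {role!r} has no PHI access")
    record = PATIENTS.get(patient_id)
    if record is None:
        _audit(user_id, role, patient_id, [], purpose, "not_found")
        raise KeyError(patient_id)
    view = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
    _audit(user_id, role, patient_id, view.keys(), purpose, "allowed")
    return view


def audit_json_lines():
    """One JSON object per line, the shape most log pipelines ingest directly."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in AUDIT_LOG)


def unusual_access(max_patients=5):
    """Periodic access review: users who viewed more distinct patients than
    expected in the period covered by the log (a basic record-snooping check)."""
    seen = defaultdict(set)
    for e in AUDIT_LOG:
        if e["outcome"] == "allowed":
            seen[e["user_id"]].add(e["patient_id"])
    return {u: len(p) for u, p in seen.items() if len(p) > max_patients}


if __name__ == "__main__":
    print(read_patient("dr_kim", "clinician", "p100", "treatment"))
    print(read_patient("pat_b", "billing", "p100", "claim"))
    print(audit_json_lines())
```

Denied attempts are logged too; an audit trail that records only successes cannot show an investigator who tried to read a record they were not entitled to.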
Patient Rights
Patients can access, amend, and receive accounting of disclosures of their health data
Implementation:
Build patient portal for data access, implement amendment request workflow, log disclosures
Breach Notification
Notify affected individuals of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals must also be reported to HHS within the same 60 days (and to prominent media outlets), while smaller breaches are reported to HHS within 60 days of the end of the calendar year
Implementation:
Create breach response plan, maintain notification templates, track affected individuals
PCI DSS Compliance (Payment Card Data)
Never Store CVV/CVC
Card verification codes must not be stored after authorization
Implementation:
Use payment gateway tokenization, never log CVV in application code or databases
Encrypt Card Data
Encrypt primary account numbers (PAN) when stored
Implementation:
Use a PCI-compliant payment processor such as Stripe that tokenizes card data in the browser or at the gateway so raw card numbers never reach your servers; if PAN must be stored, render it unreadable with strong encryption, truncation or index tokens
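The most common way card data ends up stored in an AI-generated app is not a deliberate column but a log line: a request body or exception message containing the PAN and CVV. Below, as an added example (not VibeEval code), is a logging filter that masks Luhn-valid card numbers to first six and last four and strips security-code fields from both the message template and its arguments before any handler writes them. The regexes, field labels and sample messages are constructed assumptions; the filter is defense in depth behind tokenization, not a substitute for keeping card data out of the application.

```python
import logging
import re

# 13-19 digits, optionally separated by spaces or dashes, as PANs appear in text.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Security code labelled cvv/cvv2/cvc/cvc2/cid in key=value or key: value form.
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b")


def luhn_ok(digits):
    """Luhn check, used to tell card numbers from other long digit runs
    (order IDs, timestamps). A false positive is possible but harmless."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match):
    digits = re.sub(r"[ -]", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        # First six and last four may be displayed; the middle digits must never be stored.
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return match.group(0)  # not a card number: leave it untouched


def redact(text):
    """Remove security codes entirely, then mask any PAN that remains."""
    text = CVV_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    return PAN_CANDIDATE.sub(mask_pan, text)


class CardDataFilter(logging.Filter):
    """Redact cardholder data from the message template and its arguments
    before any handler formats or writes the record. Attach it to every
    handler, not just one logger, so child loggers cannot bypass it."""
    def filter(self, record):
        if isinstance(record.msg, str):
            record.msg = redact(record.msg)
        if record.args:
            if isinstance(record.args, dict):
                record.args = {k: redact(v) if isinstance(v, str) else v
                               for k, v in record.args.items()}
            else:
                record.args = tuple(redact(a) if isinstance(a, str) else a
                                    for a in record.args)
        return True


def filtered_message(msg, *args):
    """Run one record through the filter and return what a handler would format."""
    record = logging.LogRecord("payments", logging.INFO, "payments.py", 0, msg, args, None)
    CardDataFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(CardDataFilter())
    log = logging.getLogger("payments")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("charge failed for card %s cvv=%s", "4111 1111 1111 1111", "123")
```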
Secure Transmission
Transmit cardholder data only over encrypted connections
Implementation:
Enforce TLS 1.2+, disable weak ciphers, use HSTS headers
Regular Security Testing
Perform quarterly internal and external vulnerability scans, and penetration tests at least annually and after significant changes
Implementation:
Use a PCI SSC Approved Scanning Vendor (ASV) for the quarterly external scans, schedule penetration tests at least annually and after significant changes, remediate findings and rescan until the scan passes
Access Control and Monitoring
Restrict access to cardholder data and monitor all access
Implementation:
Implement need-to-know access controls, log all access to payment systems and cardholder data, and review security event logs at least daily as PCI DSS Requirement 10 demands
Maintain Security Policies
Document and maintain information security policies
Implementation:
Create security policy documents, review annually, train staff on policies
Common Compliance Gaps
Missing Data Processing Records
Critical: No documentation of what personal data is collected, why it is processed, and the legal basis for processing
No User Data Export
High: Users cannot download their data in a machine-readable format, contrary to the GDPR right to data portability
Weak Audit Logging
High: Security events are not logged, or logs are not retained long enough for compliance audits
No Incident Response Plan
Critical: No documented procedures for detecting, responding to, and reporting security incidents or data breaches
Audit Your Compliance Posture
VibeEval automatically checks for common compliance gaps including missing data export, weak encryption, insufficient logging, and missing access controls to identify regulatory risks early.