AgileFlow

Compliance


Compliance specialist for regulatory compliance, GDPR, HIPAA, SOC2, audit trails, legal requirements, and compliance documentation.

Compliance Specialist

AG-COMPLIANCE ensures regulatory compliance across GDPR, HIPAA, SOC2, PCI-DSS, and other frameworks, with focus on audit trails, data protection, and compliance documentation.

Capabilities

  • Regulatory Framework Compliance: GDPR, HIPAA, SOC2, PCI-DSS, CCPA
  • Audit Trail Implementation: Immutable logging of all data access and modifications
  • Data Retention Policies: Define and automate data deletion schedules
  • Consent Management: GDPR consent handling and withdrawal
  • Privacy Policies & Terms: Documentation for legal and regulatory compliance
  • Incident Response: Data breach procedures and notification
  • Compliance Documentation: Evidence for auditors and compliance reviews

When to Use

Use AG-COMPLIANCE when:

  • Identifying applicable regulatory requirements for your business
  • Implementing audit trails for data access and modifications
  • Designing data retention and deletion policies
  • Setting up GDPR consent management
  • Writing privacy policies and terms of service
  • Preparing for compliance audits
  • Documenting incident response procedures

How It Works

  1. Context Loading: Reads expertise file and project compliance state
  2. Framework Analysis: Determines which regulations apply (GDPR, HIPAA, etc.)
  3. Audit: Reviews codebase for compliance gaps
  4. Implementation: Implements audit trails, consent management, data deletion
  5. Documentation: Creates privacy policy, data retention policy, incident response
  6. Evidence: Prepares documentation for auditors and compliance reviews

Example

# Via /babysit
/agileflow:babysit
> "I need to ensure GDPR compliance for my EU users"
 
# AG-COMPLIANCE will:
# 1. Audit codebase for GDPR compliance gaps
# 2. Implement audit trail logging (who, what, when, where, why)
# 3. Set up consent management system
# 4. Create privacy policy documentation
# 5. Implement data deletion procedures
# 6. Document incident response

Key Behaviors

  • Never Compromises: Compliance is non-negotiable, never skipped for convenience
  • Audit Trails First: All data access and modifications logged immutably
  • Privacy-Focused: Minimizes data collection, respects user rights
  • Documentation: Creates evidence for auditors and compliance reviews
  • Proactive: Identifies gaps before they become problems

Tools Available

  • Read, Write, Edit, Bash, Glob, Grep
  • Access to Session Harness for verification

Compliance Frameworks

GDPR (EU - applies to EU citizens' data):

  • Right to access (users can request their data)
  • Right to be forgotten (users can request deletion)
  • Data portability (users can request data export)
  • Consent management (must have explicit consent)
  • Audit trails (who accessed what, when)
  • Privacy impact assessments

HIPAA (USA - healthcare data):

  • Patient privacy (PHI protection)
  • Patient rights (access, amendment, deletion)
  • Audit controls (logging and monitoring)
  • Access controls (authentication, authorization)
  • Transmission security (encryption in transit)
  • Breach notification (if data leaked)

SOC2 (Service providers):

  • Security (data protected from unauthorized access)
  • Availability (system uptime)
  • Processing integrity (data processed correctly)
  • Confidentiality (data kept confidential)
  • Privacy (personal data handled correctly)
  • Audit trails and monitoring

PCI-DSS (Payment card processing):

  • Secure network (firewall, no defaults)
  • Data protection (encryption, restricted access)
  • Vulnerability management (patching, testing)
  • Access control (least privilege)
  • Monitoring and testing (audit logs)

Audit Trails (Critical)

What to Log:

  • Who (user ID, admin ID)
  • What (action, data accessed)
  • When (timestamp)
  • Where (IP address, location)
  • Why (purpose, reason)
  • Result (success or failure)

Example Audit Log Entry:

{
  "timestamp": "2025-10-21T10:00:00Z",
  "user_id": "user-123",
  "action": "view_patient_record",
  "resource": "patient-456",
  "ip_address": "192.168.1.1",
  "location": "New York, USA",
  "result": "success",
  "purpose": "Treatment"
}

Immutable Requirements:

  • Logs must be tamper-proof
  • Append-only database
  • Encrypt and sign logs
  • Archive old logs securely
  • Never allow deletion (except with authorization)

Data Retention Policies

Define for each data type:

  • User account data: Keep while active, delete 30 days after deactivation
  • Transaction data: Keep 7 years (financial requirement)
  • Logs: Keep 90 days (operational), archive 1 year
  • Deleted user data: Delete within 30 days
  • Backup data: Keep for 30 days

Implement Automated Deletion:

  • Scheduled jobs to delete expired data
  • Log all deletions
  • Verify deletion succeeded
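The retention schedule above turned into an automated deletion job that logs every deletion and verifies it. This is an added example, not AgileFlow's own code; it assumes records carry a type plus an ISO timestamp field (deactivated_at or created_at), a store with all/get/remove methods, and an auditLog callback; the log entries follow the page's who/what/when/why/result fields. Archiving (logs to 1 year) is left out.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// The page's schedule as data: data type -> timestamp field to measure from
// and days after it before the record expires (7 years encoded as 7 * 365).
const RETENTION = {
  user_account: { from: 'deactivated_at', days: 30 },  // measured from deactivation
  transaction:  { from: 'created_at',     days: 7 * 365 },
  log:          { from: 'created_at',     days: 90 },
  backup:       { from: 'created_at',     days: 30 },
};

// Records whose retention window has elapsed as of `now` (epoch ms).
function expiredRecords(records, now, policy = RETENTION) {
  return records.filter((r) => {
    const rule = policy[r.type];
    if (!rule || !r[rule.from]) return false;  // e.g. still-active accounts
    return now - Date.parse(r[rule.from]) >= rule.days * DAY_MS;
  });
}

// Delete expired records via `store`, log each deletion, and verify the record
// is really gone before reporting it as deleted.
function runRetentionJob(store, now, auditLog, policy = RETENTION) {
  const report = { deleted: [], failed: [] };
  for (const r of expiredRecords(store.all(), now, policy)) {
    store.remove(r.id);
    const gone = store.get(r.id) === undefined;  // verify deletion succeeded
    auditLog({
      timestamp: new Date(now).toISOString(),
      user_id: 'retention-job',
      action: 'delete_expired_record',
      resource: `${r.type}/${r.id}`,
      result: gone ? 'success' : 'failure',
      purpose: `retention policy: ${policy[r.type].days} days`,
    });
    (gone ? report.deleted : report.failed).push(r.id);
  }
  return report;
}

// Minimal in-memory store standing in for the real database (constructed)
function memoryStore(records) {
  const map = new Map(records.map((r) => [r.id, r]));
  return {
    all: () => [...map.values()],
    get: (id) => map.get(id),
    remove: (id) => map.delete(id),
  };
}
```

Schedule runRetentionJob daily and alert on a non-empty failed list; a second run over the same store should find nothing left to delete.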

Consent Management

Explicit Consent Required:

  • Not pre-checked checkboxes (must be opt-in)
  • Clear description of what data is collected
  • Purpose of data collection
  • Who has access to data
  • Right to withdraw consent

Implementation:

// Must have explicit consent before processing (opt-in: absence means no consent)
function requireMarketingConsent(user) {
  if (!user.has_marketing_consent) {
    throw new Error('Consent required');
  }
}

// Record a consent grant or withdrawal and log it; `action` is
// 'consent_granted' or 'consent_withdrawn'
function recordMarketingConsent(user, action, auditLog) {
  user.has_marketing_consent = action === 'consent_granted';
  auditLog({
    action,
    user_id: user.id,
    type: 'marketing',
    timestamp: new Date(),
  });
}

Compliance Documentation

Document for Auditors:

  • Privacy policy
  • Terms of service
  • Data processing addendum (DPA)
  • Security documentation
  • Audit logs retention policy
  • Incident response procedures
  • Employee training records
  • Vendor compliance assessments

Privacy Policy Sections

  • Data Collected: What personal data do you collect?
  • Purpose: Why do you collect this data?
  • Legal Basis: Why are you allowed to collect it (consent, contract, etc.)?
  • Retention: How long do you keep it?
  • User Rights: Right to access, deletion, portability
  • Third Parties: Who has access to user data?
  • Cookies: Cookie policy and tracking

Incident Response

Data Breach Procedure:

  1. Detect breach (unauthorized access to personal data)
  2. Document details (what, when, who affected)
  3. Notify regulatory authority (GDPR: 72 hours)
  4. Notify affected users (GDPR: without undue delay)
  5. Preserve evidence (logs, access records)
  6. Remediate (fix the vulnerability)
  7. Review & improve (prevent recurrence)

Quality Checklist

Before marking compliance work complete:

  • Compliance framework identified
  • Requirements documented
  • Audit trails logging everything (who, what, when, where, why)
  • Data retention policies defined and automated
  • Consent management implemented (if GDPR)
  • Privacy policy written and published
  • Terms of service written and published
  • Incident response documented
  • Employee training documented
  • Third-party assessments current
  • Tests passing with test_status: "passing"

Coordination Messages

AG-COMPLIANCE coordinates with other teams:

{
  "ts": "2025-10-21T10:00:00Z",
  "from": "AG-COMPLIANCE",
  "type": "status",
  "text": "Audit trails implemented for all data access, GDPR ready"
}

Slash Commands

  • /agileflow:research:ask TOPIC=... - Research compliance requirements
  • /agileflow:ai-code-review - Review code for compliance issues
  • /agileflow:adr-new - Document compliance decisions
  • /agileflow:status STORY=... STATUS=... - Update story status