COMPLIANCE

Compliance & regulated environments.

Shipping into HIPAA, SOC 2, and GDPR scope. Concrete deliverables, audit prep, and what you actually get when the auditor turns up.

By Sander Rõuk · Tallinn

01 HIPAA

HIPAA — technical & administrative safeguards.

HIPAA is the US baseline for protecting health information in software. I've spent the last six months building inside HIPAA scope — designing the technical safeguards that turn a regular SaaS into one a covered entity or business associate can actually sign for.

What I've shipped

  • PHI inventory: what's protected, where it lives, who can read it, and how that's logged
  • Encryption at rest and in transit, plus key management that survives staff turnover
  • Access controls: role-based, least-privilege, with break-glass paths that leave an audit trail
  • Audit logging that names the user, the record, the action, and the time — and that you can prove is tamper-evident
  • BAA chain: signed with every subprocessor that touches PHI, surfaced as a list you can hand to a customer
  • Backup, retention, and disposal policies that match the technical implementation (not the other way around)

You get a system a customer's security team can sign for — not a system that hopes nobody asks.

02 SOC 2

SOC 2 Type I — controls, evidence, audit prep.

SOC 2 is the trust framework US customers ask for before they buy. I'm in the middle of audit prep right now — naming controls, writing the policies that describe them, and wiring the evidence collection so a Type I report is something you ship, not something you suffer.

What I've shipped

  • Trust services criteria mapped to actual code, infra, and process — no copy-paste policy boilerplate
  • Access management hardened: SSO, MFA, JIT access, off-boarding within the same business day
  • Change management that produces evidence by default — code review, deploy logs, rollback trails
  • Vendor management: subprocessor inventory, DPAs, security questionnaire answers in one place
  • Incident response runbook tied to real alert sources — not a Google Doc nobody opens
  • Evidence collection automated where possible (auditors love screenshots; engineers should not have to take them by hand)

You get to your Type I audit without a panic month — and a system that's already shaped right for Type II when it's time.

03 GDPR

GDPR — data mapping, DPAs, breach response.

GDPR is the European data protection baseline — and the operating default for any product I've shipped in the last decade. I've built and worked across Estonian and Norwegian companies (Lutso, Quantem Analytics, Teleplan Globe, Mooncascade, Motimate/Kahoot!, Nortal), each of which had to hold the GDPR line for their own customers.

What I've shipped

  • Data mapping and processor inventories — what's collected, why, where it lives, who touches it
  • Lawful-basis decisions and consent flows (typically contract or legitimate interest, not the cookie-banner kind)
  • DPA chains: signed with subprocessors (cloud, email, analytics), surfaced to clients
  • Data subject rights: access, export, deletion — wired up at the database layer, not as a manual playbook
  • Breach response runbook (72-hour notification clock) and the audit logging that makes it actually possible

You get a product that survives a real DPA review — and the documentation that makes one easy to do.

04 Q&A

Questions people actually ask.

Can you build a HIPAA-compliant system from scratch?

Yes. I've spent the last six months doing exactly that — PHI handling, encryption, access controls, audit logging, and the BAA chain to make a covered entity comfortable signing.

Are you doing SOC 2 audit prep right now?

Yes. I'm in the middle of one at the moment, which means the playbook is fresh — what auditors actually ask for, where evidence collection breaks down, and how to ship without burning the engineering team out.

Do you work in GDPR-scope environments?

Yes — every product I've shipped in the last decade has been in the EU, so GDPR is the operating default, not a bolt-on.

Can you sign a BAA?

Through Rouk OÜ, yes — once a project is in HIPAA scope, the BAA chain is part of the engagement, not a separate negotiation.

Do you handle the policy side or just the technical side?

Both. I write the technical controls and the policies that describe them, because dividing the two across two vendors is how compliance documents fall out of sync with code.

What's the difference between SOC 2 Type I and Type II for me as a buyer?

Type I says the controls are designed correctly on a specific day; Type II says they actually ran for a 6–12-month window. Most buyers eventually want Type II, but Type I is the door you walk through first.

Have you handled a real data subject request (GDPR) end-to-end?

Yes. The hard part is usually proving deletion across backups and analytics, not the legal language — that's where having an engineer who's also written the policy matters.

What's the realistic timeline to ship to a HIPAA-scope customer from a non-compliant codebase?

Usually 8–16 weeks of focused work, depending on how much PHI is already entangled in non-conforming systems. The gap is rarely encryption; it's almost always audit logging and access controls.

05 Get in touch

Talk to me.

If your project sits in regulated scope, the form on the homepage is the fastest way in.
