Compliance

Compliance protocol for GDPR, CCPA, HIPAA, SOX, PCI-DSS

Source: packages/spec/src/system/compliance.zod.ts

TypeScript Usage

import { AuditFinding, AuditFindingSeverity, AuditFindingStatus, AuditLogConfig, AuditSchedule, ComplianceConfig, GDPRConfig, HIPAAConfig, PCIDSSConfig } from '@objectstack/spec/system';
import type { AuditFinding, AuditFindingSeverity, AuditFindingStatus, AuditLogConfig, AuditSchedule, ComplianceConfig, GDPRConfig, HIPAAConfig, PCIDSSConfig } from '@objectstack/spec/system';

// Validate data
const result = AuditFinding.parse(data);

AuditFinding

Audit finding with remediation tracking per ISO 27001:2022 A.5.35

Properties

Property	Type	Required	Description
id	`string`	✅	Unique finding identifier
title	`string`	✅	Finding title
description	`string`	✅	Finding description
severity	`Enum<'critical' \| 'major' \| 'minor' \| 'observation'>`	✅	Finding severity
status	`Enum<'open' \| 'in_remediation' \| 'remediated' \| 'verified' \| 'accepted_risk' \| 'closed'>`	✅	Finding status
controlReference	`string`	optional	ISO 27001 control reference
framework	`Enum<'gdpr' \| 'hipaa' \| 'sox' \| 'pci_dss' \| 'ccpa' \| 'iso27001'>`	optional	Related compliance framework
identifiedAt	`number`	✅	Identification timestamp
identifiedBy	`string`	✅	Identifier (auditor name or system)
remediationPlan	`string`	optional	Remediation plan
remediationDeadline	`number`	optional	Remediation deadline timestamp
verifiedAt	`number`	optional	Verification timestamp
verifiedBy	`string`	optional	Verifier name or role
notes	`string`	optional	Additional notes

AuditFindingSeverity

Allowed Values

critical
major
minor
observation

AuditFindingStatus

Allowed Values

open
in_remediation
remediated
verified
accepted_risk
closed

AuditLogConfig

Audit log configuration for compliance and security monitoring

Properties

Property	Type	Required	Description
enabled	`boolean`	✅	Enable audit logging
retentionDays	`number`	✅	Number of days to retain audit logs
immutable	`boolean`	✅	Prevent modification or deletion of audit logs
signLogs	`boolean`	✅	Cryptographically sign log entries for tamper detection
events	`Enum<'create' \| 'read' \| 'update' \| 'delete' \| 'export' \| 'permission-change' \| 'login' \| 'logout' \| 'failed-login'>[]`	✅	Event types to capture in the audit log

AuditSchedule

Audit schedule for independent security reviews per ISO 27001:2022 A.5.35

Properties

Property	Type	Required	Description
id	`string`	✅	Unique audit schedule identifier
title	`string`	✅	Audit title
scope	`string[]`	✅	Audit scope areas
framework	`Enum<'gdpr' \| 'hipaa' \| 'sox' \| 'pci_dss' \| 'ccpa' \| 'iso27001'>`	✅	Target compliance framework
scheduledAt	`number`	✅	Scheduled audit timestamp
completedAt	`number`	optional	Completion timestamp
assessor	`string`	✅	Assessor or audit team
isExternal	`boolean`	✅	Whether this is an external audit
recurrenceMonths	`number`	✅	Recurrence interval in months (0 = one-time)
findings	`Object[]`	optional	Audit findings

ComplianceConfig

Unified compliance configuration spanning GDPR, HIPAA, PCI-DSS, and audit governance

Properties

Property	Type	Required	Description
gdpr	`Object`	optional	GDPR compliance settings
hipaa	`Object`	optional	HIPAA compliance settings
pciDss	`Object`	optional	PCI-DSS compliance settings
auditLog	`Object`	✅	Audit log configuration
auditSchedules	`Object[]`	optional	Scheduled compliance audits (A.5.35)

GDPRConfig

GDPR (General Data Protection Regulation) compliance configuration

Properties

Property	Type	Required	Description
enabled	`boolean`	✅	Enable GDPR compliance controls
dataSubjectRights	`Object`	✅	Data subject rights configuration per GDPR Articles 15-21
legalBasis	`Enum<'consent' \| 'contract' \| 'legal-obligation' \| 'vital-interests' \| 'public-task' \| 'legitimate-interests'>`	✅	Legal basis for data processing under GDPR Article 6
consentTracking	`boolean`	✅	Track and record user consent
dataRetentionDays	`number`	optional	Maximum data retention period in days
dataProcessingAgreement	`string`	optional	URL or reference to the data processing agreement

HIPAAConfig

HIPAA (Health Insurance Portability and Accountability Act) compliance configuration

Properties

Property	Type	Required	Description
enabled	`boolean`	✅	Enable HIPAA compliance controls
phi	`Object`	✅	Protected Health Information safeguards
businessAssociateAgreement	`boolean`	✅	BAA is in place with third-party processors

PCIDSSConfig

PCI-DSS (Payment Card Industry Data Security Standard) compliance configuration

Properties

Property	Type	Required	Description
enabled	`boolean`	✅	Enable PCI-DSS compliance controls
level	`Enum<'1' \| '2' \| '3' \| '4'>`	✅	PCI-DSS compliance level (1 = highest)
cardDataFields	`string[]`	✅	Field names containing cardholder data
tokenization	`boolean`	✅	Replace card data with secure tokens
encryptionInTransit	`boolean`	✅	Encrypt cardholder data during transmission
encryptionAtRest	`boolean`	✅	Encrypt stored cardholder data

On this page