Security Compliance Basics for AI-Built Apps: SOC 2, GDPR, and Beyond

You're building fast with AI. Then an enterprise customer asks: "Are you SOC 2 compliant?"

Or a user in Germany asks: "How do you handle GDPR?"

Or you want to add payments and hear "PCI-DSS."

Here's what you need to know.

What It Is

SOC 2 is an auditing standard for service organizations. It verifies you have proper security controls.

When You Need It

• Enterprise sales ($50K+ deals)
• B2B customers with security teams
• Handling sensitive business data
• Partner integrations

The Five Trust Principles

1. Security: Protection against unauthorized access
2. Availability: System is operational and accessible
3. Processing Integrity: Processing is accurate and authorized
4. Confidentiality: Information is protected
5. Privacy: Personal information is handled properly

SOC 2 for AI-Built Apps

Special considerations:

Documentation Challenge:

• AI-generated code needs explanation
• Document your review process
• Show security scanning integration

Required Controls:
[ ] Access control (who can access what)
[ ] Change management (how code deploys)
[ ] Risk assessment (identified threats)
[ ] Monitoring (audit logs)
[ ] Incident response (what happens if breached)

AI-Specific Policies:

AI Code Generation Policy

Cost and Timeline

When to Start

• When you have enterprise pipeline
• 6+ months before first enterprise close
• When competitors have it

What It Is

European privacy regulation. Applies if you have ANY EU users.

Key Requirements

1. Lawful Basis for Processing

You need a legal reason to collect data:

• Consent (user agrees)
• Contract (needed for service)
• Legitimate interest (reasonable business need)

Users can:

• Access their data
• Delete their data
• Export their data
• Correct their data
• Object to processing

• Encryption in transit and at rest
• Access controls
• Breach notification (72 hours)
• Data minimization

GDPR for AI-Built Apps

Challenge: AI Code May Over-Collect

AI generates code that captures everything:

// AI-generated user tracking
const userData = {
  email,
  name,
  ip,
  browser,
  device,
  location,
  behavior,
  // ... everything
}

Fix: Minimize Collection

// Only collect what you need
const userData = {
  email,
  name,
}

Challenge: Data Subject Requests

You need to implement:

• Export user data endpoint
• Delete user data endpoint
• View/correct data interface

// Data export endpoint
app.get('/api/user/export', authenticate, async (req, res) => {
  const userData = await getUserData(req.user.id)
  res.json(userData)
})
// Data deletion endpoint
app.delete('/api/user', authenticate, async (req, res) => {
  await deleteUserData(req.user.id)
  res.json({ success: true })
})

GDPR Compliance Basics

[ ] Privacy policy explains data use
[ ] Consent collected before processing
[ ] Data export functionality exists
[ ] Data deletion functionality exists
[ ] Encryption in transit (HTTPS)
[ ] Encryption at rest (database encryption)
[ ] Breach notification process defined
[ ] Data minimization practiced

Cost

• Self-implementation: Time + legal review ($2K-$5K)
• Compliance platform: $200-$500/month
• Full legal review: $5K-$15K

When It Applies

If your app handles Protected Health Information (PHI):

• Medical records
• Health conditions
• Treatment information
• Healthcare provider data

Requirements

Technical Safeguards:

• Encryption
• Access controls
• Audit logs
• Automatic logoff

• Security officer
• Training
• Policies and procedures
• Business Associate Agreements

HIPAA for AI-Built Apps

Major Concern: AI Training Data

Never send PHI to AI services:

// NEVER DO THIS
const diagnosis = await ai.analyze(patientRecord)
// Instead, use HIPAA-compliant AI services
// Or process locally without AI

Required: Business Associate Agreements

With every vendor that touches PHI:

• Database provider
• Cloud hosting
• Analytics (if any PHI)
• Support tools

Cost

• Compliance program: $10K-$50K initial
• Annual maintenance: $5K-$20K
• BAA-compliant hosting: 2-3x standard pricing

When It Applies

If you accept credit cards.

The Shortcut

Don't handle card data directly.

Use Stripe, PayPal, or similar. They handle PCI compliance.

// WRONG - You handle card data
app.post('/pay', (req, res) => {
  const { cardNumber, cvv, expiry } = req.body
  // Now you're responsible for PCI compliance
})
// RIGHT - Stripe handles card data
// Card data never touches your server
const session = await stripe.checkout.sessions.create({
  // Stripe handles the card
})

If You Must Handle Card Data

Best Practice

Use Stripe/PayPal. Stay SAQ A. Move on.

Pre-Revenue

Required:   Privacy policy, Terms of Service
Should Do:  HTTPS, basic security scanning
Skip:       SOC 2, formal compliance

Early Revenue ($1K-$10K MRR)

Required:   Privacy policy, GDPR basics
Should Do:  Security scanning, data backups
Skip:       SOC 2 (unless enterprise deals)

Growth ($10K-$100K MRR)

Required:   GDPR compliance, security program
Should Do:  SOC 2 readiness
Consider:   SOC 2 Type I

Scale ($100K+ MRR)

Required:   SOC 2 Type II (for enterprise)
Should Do:  Formal security program
Consider:   Additional certifications as needed

Challenge 1: Documenting AI-Generated Code

Problem: Auditors want to understand your code. Solution: Document AI usage, review process, and security scanning.

Challenge 2: AI Service Data Handling

Problem: What data goes to AI providers? Solution: Never send PII/PHI to AI. Document data flows.

Challenge 3: Liability for AI Code

Problem: Who's responsible for AI vulnerabilities? Solution: You are. Scan everything.

Compliance seems daunting, but it's progressive:

1. Start with basics (privacy policy, HTTPS)
2. Add GDPR when you have EU users
3. Add SOC 2 when enterprises require it
4. Add others as specific needs arise