Framework Guides

Detailed guides for each compliance framework supported in PartnerAlly.

Each compliance framework has specific requirements, terminology, and approaches. These guides help you understand what each framework requires and how to achieve compliance.

Supported Frameworks

SOC 2

Service Organization Control 2 for service providers

ISO 27001

International standard for information security management

HIPAA

Health Insurance Portability and Accountability Act

GDPR

General Data Protection Regulation (EU)

PCI DSS

Payment Card Industry Data Security Standard

AML/BSA

Anti-Money Laundering and Bank Secrecy Act

SOC 2

What Is SOC 2?

SOC 2 (Service Organization Control 2) is an auditing framework that verifies that service providers manage customer data securely. It is based on five Trust Service Criteria.

Trust Service Criteria

Criteria             | Focus
---------------------|-------------------------------------------------------
Security             | Protection against unauthorized access
Availability         | System availability for operation
Processing Integrity | Accurate, complete processing
Confidentiality      | Protection of confidential information
Privacy              | Collection, use, and disposal of personal information

Key Requirements

  • Security policies and procedures
  • Access control mechanisms
  • Change management processes
  • Incident response procedures
  • Risk management program

Preparing for SOC 2 Audit

SOC 2 Type II audits cover a period (usually 6-12 months) and test operating effectiveness. Plan ahead to have evidence covering the entire period.

  1. Enable SOC 2 framework in PartnerAlly
  2. Upload all relevant policies
  3. Review and remediate gaps
  4. Collect evidence throughout the period
  5. Engage an auditor

ISO 27001

What Is ISO 27001?

ISO 27001 is an international standard for information security management systems (ISMS). It provides a framework for managing security risks.

Structure

Component    | Description
-------------|----------------------------------------------
Clauses 4-10 | Management system requirements
Annex A      | 93 controls across 4 themes (ISO 27001:2022)

Annex A Themes

  • Organizational Controls (37 controls)
  • People Controls (8 controls)
  • Physical Controls (14 controls)
  • Technological Controls (34 controls)

Key Requirements

  • Information security policy
  • Risk assessment process
  • Statement of Applicability (SoA)
  • Internal audit program
  • Management review process

Achieving ISO 27001 Certification

  1. Define ISMS scope
  2. Conduct risk assessment
  3. Implement controls
  4. Conduct internal audit
  5. Undergo certification audit

HIPAA

What Is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) protects health information privacy and security. It applies to covered entities and business associates.

Key Rules

Rule                | Focus
--------------------|--------------------------------------
Privacy Rule        | How PHI can be used and disclosed
Security Rule       | Technical and physical safeguards
Breach Notification | Reporting requirements for breaches

Safeguards

Administrative Safeguards:

  • Security management process
  • Assigned security responsibility
  • Workforce security
  • Information access management
  • Security awareness training
  • Contingency plan
  • Evaluation

Physical Safeguards:

  • Facility access controls
  • Workstation use and security
  • Device and media controls

Technical Safeguards:

  • Access control
  • Audit controls
  • Integrity
  • Transmission security

HIPAA Compliance in PartnerAlly

  1. Enable HIPAA framework
  2. Upload BAA templates and policies
  3. Document safeguards implementation
  4. Conduct required risk assessment
  5. Track ongoing compliance

GDPR

What Is GDPR?

GDPR (General Data Protection Regulation) is the EU's data protection law. It applies to organizations processing EU residents' data.

Key Principles

Principle          | Requirement
-------------------|---------------------------------
Lawfulness         | Legal basis for processing
Purpose Limitation | Specific, legitimate purposes
Data Minimization  | Only necessary data
Accuracy           | Keep data accurate
Storage Limitation | Don't keep longer than needed
Security           | Appropriate security measures
Accountability     | Demonstrate compliance

Data Subject Rights

  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

GDPR Compliance Steps

  1. Map data processing activities
  2. Establish lawful bases
  3. Implement security measures
  4. Document processing
  5. Enable data subject rights

GDPR requires demonstrating compliance, not just achieving it. Documentation is essential.

PCI DSS

What Is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) protects cardholder data. It applies to any organization handling payment cards.

Requirements

Requirement | Focus
------------|----------------------------
1-2         | Network security
3-4         | Cardholder data protection
5-6         | Vulnerability management
7-9         | Access control
10-11       | Monitoring and testing
12          | Security policies

Compliance Levels

Based on transaction volume:

  • Level 1: Over 6 million transactions (annual assessment)
  • Level 2: 1-6 million transactions
  • Level 3: 20,000-1 million e-commerce
  • Level 4: Under 20,000 e-commerce

Key Controls

  • Encrypt cardholder data
  • Restrict access on a need-to-know basis
  • Regular vulnerability scans
  • Penetration testing
  • Security awareness training

AML/BSA

What Is AML/BSA?

Anti-Money Laundering (AML) and Bank Secrecy Act (BSA) regulations combat financial crimes. They are required for financial institutions and money services businesses.

Key Requirements

Requirement            | Description
-----------------------|--------------------------------
Customer Due Diligence | Know Your Customer (KYC)
Transaction Monitoring | Detect suspicious activity
SAR Filing             | Report suspicious activity
CTR Filing             | Report large cash transactions
Recordkeeping          | Maintain required records

Crypto-Specific AML

For cryptocurrency businesses:

  • Travel Rule compliance
  • Wallet screening
  • Blockchain analytics
  • Exchange monitoring

Choosing Your Frameworks

Factors to Consider

Factor         | Questions
---------------|------------------------------------
Industry       | What's required for your industry?
Customers      | What do customers require?
Geography      | What regulations apply where?
Data Types     | What data do you handle?
Business Model | Service provider? Processor?

Common Combinations

Business Type       | Typical Frameworks
--------------------|----------------------
SaaS Company        | SOC 2, GDPR
Healthcare SaaS     | SOC 2, HIPAA, GDPR
FinTech             | SOC 2, PCI DSS, AML
Crypto Exchange     | AML, SOC 2
Enterprise Software | SOC 2, ISO 27001
