Data Compliance Types Explained: SOC 2, GDPR, HIPAA & More

What it is: Data compliance frameworks are standards and certifications that tell customers a software vendor handles data responsibly. The most common are SOC 2 Type II, GDPR, HIPAA, CCPA, ISO 27001, and PCI-DSS — each one targets a different kind of data or regulation.
Who it’s for: Anyone evaluating AI or SaaS tools and seeing these acronyms in marketing
Best if: You need to understand what each certification actually guarantees
Skip if: You already work in security or compliance daily

The Main Compliance Types Explained

SOC 2 Type II

SOC 2 (Service Organization Control 2) is a US-focused security certification that checks whether a vendor’s internal controls actually work over time. Type I confirms controls exist at one point in time. Type II verifies those controls are operating effectively across a period (usually 6-12 months) — so a vendor with Type II has been audited for a full year of actual behavior, not just a snapshot.

SOC 2 covers five “Trust Service Criteria”: security, availability, processing integrity, confidentiality, and privacy. Every SOC 2 report covers at least security; the others are optional. When you see “SOC 2 Type II compliant” on a tool’s marketing page, it means an independent auditor has verified their practices over time.

When to care: If you’re handing business data to a tool (CRM, automation platform, cloud service), SOC 2 Type II is the most common baseline that enterprise buyers look for. It’s not perfect, but its absence is a red flag.

GDPR

The General Data Protection Regulation is European Union law governing how any company handles personal data of EU residents. It applies regardless of where the company is based — a US company serving EU customers must still comply.

Key GDPR principles: explicit consent for data collection, the right to access and delete your own data (“right to be forgotten”), breach notification within 72 hours, and mandatory Data Protection Officers for large organizations. Fines can reach 4% of global annual revenue — one of the reasons most major SaaS tools now default to GDPR-level practices even for non-EU users.

When to care: If your business has European users or customers, GDPR applies to you whether you’re based in Europe or not.

HIPAA

The Health Insurance Portability and Accountability Act is US law governing protected health information (PHI) — patient records, medical histories, insurance claims. Any tool that handles PHI must have a signed Business Associate Agreement (BAA) with the healthcare provider using it.

When to care: If you work in healthcare, therapy, medical billing, or handle any patient data, HIPAA is non-negotiable. Most mainstream AI tools (ChatGPT free, Claude free) are not HIPAA-compliant out of the box — you need their enterprise/BAA tiers.

CCPA (and CPRA)

The California Consumer Privacy Act is state law (now expanded by CPRA) governing data of California residents. Like GDPR, it grants rights to access and delete personal data, plus the right to opt out of sale of personal information.

When to care: If you have California users and process personal data, CCPA applies. Most SaaS companies that comply with GDPR are already CCPA-compliant by default.

ISO 27001

ISO 27001 is the international standard for Information Security Management Systems (ISMS). It is process-oriented — it certifies that a vendor has a documented, implemented security program with ongoing risk management, rather than verifying specific controls at a specific time.

When to care: Common in enterprise procurement outside the US. Often required alongside SOC 2 for large European buyers.

PCI-DSS

The Payment Card Industry Data Security Standard governs anyone who stores, processes, or transmits credit card data. There are four compliance levels based on transaction volume, with more rigorous requirements at higher levels.

When to care: If you accept credit card payments. Most businesses outsource this to Stripe, Square, or similar processors so they don’t have to touch card data directly.

FERPA

The Family Educational Rights and Privacy Act is US law protecting student educational records. Schools and education-related vendors must comply.

When to care: If you build or use tools for K-12 or higher education, FERPA likely applies. Many AI tools in education have specific FERPA-compliant tiers.


Quick Reference Table

| Standard | Region | Protects | Who needs it |
|---|---|---|---|
| SOC 2 Type II | US (widely accepted globally) | Business data integrity | Most B2B SaaS vendors |
| GDPR | EU | Personal data of EU residents | Any company serving EU users |
| HIPAA | US | Protected health information | Healthcare providers & their tools |
| CCPA / CPRA | California | Personal data of CA residents | Any company serving CA users |
| ISO 27001 | International | Information security programs | Enterprise vendors (especially EU) |
| PCI-DSS | Global | Credit card data | Anyone processing card payments |
| FERPA | US | Student education records | Schools & edtech vendors |

How to Verify a Vendor’s Claims

Marketing pages love throwing around compliance logos. Before trusting them:

  • Ask for the actual report. SOC 2 reports are confidential but vendors will share under NDA. If they refuse, they may not actually have one.
  • Check the date. SOC 2 Type II reports are time-bounded. A 2022 report from a vendor claiming current compliance is stale.
  • Verify the scope. A vendor may have SOC 2 Type II for their main product but not for a sub-product you’re considering.
  • Look for a public trust center. Serious vendors maintain trust.vendor.com pages with certifications, sub-processors, and audit history.
  • Check third-party registries. ISO certifications are verifiable via the ISO registry. BAAs (HIPAA) should be available on request.

AI Tools and Compliance

Major AI vendors’ compliance status as of 2026:

  • OpenAI (ChatGPT, API): SOC 2 Type II + GDPR. HIPAA via Enterprise tier only.
  • Anthropic (Claude): SOC 2 Type II + GDPR. HIPAA via Enterprise plan.
  • Google (Gemini, Workspace): SOC 2 Type II, ISO 27001, HIPAA-compatible via Workspace business plans.
  • Microsoft (Copilot, Azure OpenAI): Most comprehensive: SOC 2, ISO 27001, HIPAA, FedRAMP, FERPA.
  • Make.com: SOC 2 Type II, GDPR.
  • Zapier: SOC 2 Type II, GDPR.
  • n8n (self-hosted): Compliance depends on your own infrastructure. Cloud version has SOC 2 Type II.
