
How SaaS Companies Can Build a Compliance Roadmap

Meeting compliance requirements can be a challenge, but it can also open up new markets, speed your sales process, and improve your company’s overall security posture. When it comes to improving your security maturity, compliance can be a useful part of your strategy.

Whether you’re targeting specific industry verticals or going after international customers, entering new markets requires continuous education about the latest in compliance and regulatory standards as they relate to data privacy and security. With that in mind, this post takes a brief look at key standards in order to give you insights into the security and privacy requirements that may be pertinent to the way your SaaS company engages with prospects and customers and handles sensitive data.

First Steps

If you are operating in Amazon Web Services (AWS), as many SaaS companies are, you’ll want to make sure your infrastructure is configured in accordance with CIS benchmarks and AWS best practices. Doing so can help you meet many security and compliance requirements, simplifying your compliance journey from the start.

Once you’ve secured your AWS infrastructure, your next move should be to determine which compliance regulations apply to you now and which you want to adopt in the future, and, if you are already compliant, what changes and updates you need to be aware of. This will help determine where your company should focus its compliance efforts as you move ahead.


SOC 2

As a component of the American Institute of CPAs Service Organization Control reporting platform, SOC 2’s goal is to ensure that systems are configured for maximum security and privacy of customer data. SOC 2 is specifically designed for service providers storing customer data in the cloud, meaning that it applies to nearly every SaaS company. It is one of the most common compliance frameworks and, thus, is often the first that SaaS companies choose to comply with.

So what does it take to become SOC 2 compliant? SOC 2 goes beyond a simple technical audit, requiring you to establish and follow stringent security policies and procedures that encompass the security, availability, processing integrity, and confidentiality of any data stored in the cloud. 

In terms of monitoring, it’s important to set up a baseline of normal activity in order to continuously monitor for any unusual behavior. Detailed audit trails will allow for deep, contextual insight into the root cause of any attacks, allowing you to remediate the issues, thereby keeping up with SOC 2 requirements.

Threat Stack Successfully Completes Type 2 SOC 2 Examination

To learn about Threat Stack’s experience achieving Type 2 SOC 2 compliance, check out:


GDPR

The General Data Protection Regulation (GDPR) has many companies working hard to understand and comply with some of the most stringent privacy standards we’ve seen yet. With beefed-up enforcement, the new framework also establishes some of the highest financial penalties for those in breach, so you’ll want to pay attention. GDPR applies to any organization, regardless of location or industry, that processes or stores the personal data of EU subjects.

Enacted by the European Parliament, the Council of the European Union, and the European Commission, GDPR is designed to harmonize data privacy laws across Europe. The mandate aims to empower individuals within the EU to regain control of their data privacy and to reshape the way organizations across Europe approach data privacy, while also addressing the export and use of data by organizations outside the EU.

One major effect of GDPR is the firm legal requirement of “data protection by design” and “data protection by default,” meaning that data controllers must limit the processing of personal data to only what’s necessary for a specific purpose. In the case of a personal data breach, GDPR also requires notification to the supervisory authority or data subject within 72 hours. 

Compliance can be significantly aided by having data controls baked into systems by design, as well as by employing continuous monitoring and real-time intrusion detection.

ISO/IEC 27001

While not a regulation per se, ISO/IEC 27001 is a standard that your SaaS organization can choose to comply with to manage information security risks. It can also, optionally, be used as the basis for formal compliance assessment in order for your organization to become certified by accredited certification auditors. ISO/IEC 27001 formally specifies an Information Security Management System, a suite of activities concerning the management of information risks, and lays out an overarching management framework to identify, analyze, and address these risks.

The standard spans industry type, organization size, and market, meaning that it can apply to any SaaS company. The benefit to your SaaS organization of seeking out compliance and accreditation with ISO/IEC 27001 would be to demonstrate that you’re serious about security and to gain competitive advantage in a saturated market.

Because of the wide-reaching nature of ISO/IEC 27001, your SaaS company is free to choose from a menu of information security controls when adopting the standards in order to best meet your particular information risks. Certification, however, requires a host of documentation, including a clear information security policy, a risk assessment process, and evidence of information security monitoring and measurement.

Industry-Specific Regulations

In the following section, we give overviews of HIPAA, which is specific to protecting medical records and other personal health information, followed by PCI DSS, 23 NYCRR 500, and FFIEC, which relate to businesses operating in the financial sector.


HIPAA

With HIPAA data breach investigations and enforcement activities on the increase, HIPAA compliance seems more important now than ever. Around since 1996, and updated multiple times since then, HIPAA refers to the Health Insurance Portability and Accountability Act, U.S. legislation that provides privacy and security provisions to protect individuals’ health data.

The regulations apply to any organization working in healthcare, from hospitals to insurers, as well as to anyone doing business with these organizations. Compliance can be a huge business driver in allowing you to enter the healthcare market. HIPAA compliance requires you to have certain administrative, physical, and technical safeguards in place to protect electronic protected health information (ePHI). Read more on this in our ebook.

Threat Stack Addresses Stratasan’s Growing Security & Compliance Needs for Healthcare IT and Services

Stratasan provides web-based software and professional services that are designed to help healthcare organizations maximize strategic growth through convenient access to useful information on healthcare markets. As such, they must comply with HIPAA regulations and complete a third-party audit every year. Read this Case Study to learn how Stratasan manages HIPAA compliance.

While the regulations and standards we’ve discussed above are quite far-reaching, there are also a couple of industry-specific standards you may want to consider depending on the profile of your customers — current and future.


PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an “actionable framework for developing a robust payment card data security process — including prevention, detection and appropriate reaction to security incidents.” That’s according to the standard’s creators — Visa, MasterCard, Discover, and American Express — who put out the framework in 2004. It applies to any company that stores, processes, or transmits credit card data, so you should consider meeting PCI DSS standards if you deal with (or want to deal with) customers in ecommerce.

PCI DSS lays out 12 requirements for compliance. These include installing and maintaining a firewall, tracking and monitoring all access to network resources and cardholder data, and regularly testing security systems and processes. You can learn more about the requirements in our ebook, Fast Tracking Compliance in the Cloud.

New PCI Standards for New Ways of Building Software

Every major modern trend in how we build and operate software — Agile, DevOps, continuous delivery, containers, serverless — came about after PCI DSS. New ways of creating value with software exist, so new ways of assessing their security are needed as well. Fortunately, the PCI Security Standards Council has recognized this, too, with the introduction of the new PCI Software Security Framework, which will eventually replace PCI DSS when it expires in 2022.

In New PCI Standards for New Ways of Building Software, Tim Buntel explains how the PCI Security Standards Council has introduced its new PCI Software Security Framework to align PCI with modern software development and deployment practices such as DevOps, microservices, and containers.

23 NYCRR 500

The New York State Department of Financial Services enacted Cybersecurity Requirements for Financial Service Companies (23 NYCRR 500) on March 1, 2017, so any SaaS company working within the financial space, or looking to expand into finance, will want to familiarize itself with this requirement. As we wrote in our blog on the subject, 23 NYCRR 500 applies to any organization licensed to operate under banking, insurance, or financial services laws of New York State. This includes:

  • Commercial banks and trust companies
  • Check cashers
  • Domestic and foreign representative bank offices
  • Health insurers
  • Life insurance companies
  • Money transmitters
  • Mortgage brokers, loan originators, and loan servicers
  • Property and casualty insurance companies
  • Sales finance companies
  • Service contract providers

Thus, these regulations apply to most SaaS companies that operate in the finance or fintech space. In order to comply with 23 NYCRR 500, you must conduct a periodic risk assessment of your information systems, and design and maintain a security program based on those assessments to protect the confidentiality, integrity, and availability of your information systems. Compliance also requires that you appoint a Chief Information Security Officer to head up these efforts.

NYDFS: Two Years Later, Let’s Check-In

For a detailed update on 23 NYCRR 500, and specifically, on how third-party service providers will be affected starting in 2020, take a look at NYDFS: Two Years Later, Let’s Check-In, written by Collin Varner, Senior Associate at Schellman & Company.


FFIEC

While FFIEC guidance, as expressed in its various publications, may not have the force of law or regulations, it serves as a blueprint for examiners to follow in conducting audits of your institution. Accordingly, if you fail to comply, you could fail an audit and therefore be prevented from entering new markets, introducing new products, or even merging with or acquiring another institution. For these reasons, it’s important for SaaS companies to understand how to meet the requirements of FFIEC guidance.

Final Words . . .

Creating a strong and actionable compliance roadmap is well worth the effort. A platform such as Threat Stack’s Cloud Security Platform® can help you meet a great number of compliance requirements, allowing you to easily communicate compliance to auditors and customers alike. 

Compliance can be a powerful business driver, one that allows you to inspire trust and confidence that will help you stand out in the highly competitive SaaS market. If you’d like to learn more about how we can address your security and compliance requirements, contact us for a demo.