Claude Code Plugins

Community-maintained marketplace

Feedback

foundations-regulatory

@BellaBe/lean-os
10
0

Compliance and regulatory navigation for regulated industries. Use when identifying compliance requirements or assessing regulatory risks.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name foundations-regulatory
description Compliance and regulatory navigation for regulated industries. Use when identifying compliance requirements or assessing regulatory risks.

Regulatory Agent

Overview

The Regulatory Agent navigates complex compliance landscapes for startups operating in regulated industries, minimizing legal risk while maintaining operational velocity. This specialist agent is activated only when entering regulated markets, not for standard SaaS companies.

Primary Use Cases: Compliance mapping, risk assessment, licensing, data privacy, ongoing monitoring.

Lifecycle Phases: Market entry (regulated industries), product launch, expansion to new jurisdictions.

Core Functions

1. Compliance Mapping

Identify applicable regulations and create comprehensive compliance checklist with deadlines.

Workflow:

  1. Identify Applicable Regulations

    • Industry-Specific: Healthcare (HIPAA), Finance (SOC 2, PCI-DSS), Education (FERPA)
    • Data Privacy: GDPR (Europe), CCPA/CPRA (California), PIPEDA (Canada)
    • Employment: Labor laws, contractor vs employee classification
    • Consumer Protection: FTC regulations, state consumer laws
    • Sector-Specific: FDA (medical devices), FCC (telecom), SEC (financial products)

  2. Map Jurisdiction Requirements

    • US Federal: Cross-state regulations (COPPA, CAN-SPAM, ADA)
    • US State: California (CCPA), New York (SHIELD Act), Virginia, Colorado
    • International: EU (GDPR), UK (UK GDPR + DPA), Brazil (LGPD), China (PIPL)
    • Multi-Jurisdiction: Which regulations apply to your operations?

  3. Classify by Criticality

    • Mandatory: Legal requirement, penalties for non-compliance
    • Optional: Industry best practices, competitive necessity
    • Future: Upcoming regulations (prepare now or wait?)

  4. Timeline Assessment

    • Immediate (<30 days): Critical blockers to launch
    • Short-term (30-90 days): Required before scaling
    • Medium-term (3-12 months): Required before specific milestones
    • Long-term (12+ months): Strategic compliance investments

Output Template:

Compliance Checklist

Business Context:
├── Industry: [Healthcare/Finance/Education/Other]
├── Business Model: [B2B/B2C/Marketplace]
├── Data Collected: [PII, PHI, financial, children's data]
├── Jurisdictions: [US, EU, specific states]
└── Company Stage: [Pre-launch/Launched/Scaling]

Applicable Regulations:

Industry-Specific:

1. [Regulation Name] (e.g., HIPAA)
   ├── Applicability: [Who must comply]
   ├── Requirements: [Key obligations]
   ├── Deadline: [When compliance required]
   ├── Penalty: $X fine per violation, potential criminal charges
   ├── Effort: [Low/Medium/High]
   ├── Cost: $X (legal, consulting, implementation)
   └── Priority: CRITICAL / HIGH / MEDIUM / LOW

2. [Regulation]...

Data Privacy:

1. GDPR (if EU customers)
   ├── Applicability: Any EU resident data processing
   ├── Requirements: Consent, data minimization, right to deletion, DPO, DPIA
   ├── Deadline: Before collecting EU data
   ├── Penalty: Up to 4% global revenue or €20M
   ├── Effort: High (requires engineering + legal + process changes)
   ├── Cost: $50K-$150K (legal + implementation)
   └── Priority: CRITICAL (if EU customers)

2. CCPA/CPRA (if California customers)
   ├── Applicability: $25M+ revenue OR 50K+ CA consumers OR 50%+ revenue from selling data
   ├── Requirements: Privacy policy, opt-out rights, data deletion, no discrimination
   ├── Deadline: Immediate if thresholds met
   ├── Penalty: $2,500 per violation ($7,500 intentional)
   ├── Effort: Medium
   ├── Cost: $20K-$50K
   └── Priority: HIGH (if applicable)

3. [Other privacy law]...

Sector-Specific:

1. [Regulation]: [Requirements]...

Compliance Timeline:

Immediate (<30 days):
- [ ] [Compliance item]: [Brief description]
- [ ] [Compliance item]: [Brief description]

Short-term (30-90 days):
- [ ] [Compliance item]: [Brief description]
- [ ] [Compliance item]: [Brief description]

Medium-term (3-12 months):
- [ ] [Compliance item]: [Brief description]

Long-term (12+ months):
- [ ] [Compliance item]: [Brief description]

Total Compliance Cost: $X - $Y
Total Timeline: X months to full compliance

2. Risk Assessment

Evaluate compliance risks by severity, likelihood, and impact.

Workflow:

  1. Evaluate Violation Penalties

    • Financial: Fines, settlements, legal fees
    • Operational: Cease and desist, business restrictions
    • Reputational: PR damage, customer trust loss
    • Criminal: Personal liability for founders/executives

  2. Assess Enforcement Likelihood

    • High: Actively enforced, recent cases, clear violations
    • Medium: Sporadically enforced, complaint-driven
    • Low: Rarely enforced, unclear interpretation

  3. Calculate Impact

    • Severity Score: 1-5 (minor annoyance to existential threat)
    • Likelihood Score: 1-5 (very unlikely to very likely)
    • Risk Score: Severity × Likelihood (prioritize high scores)

  4. Prioritize by Risk

    • Critical Risk: High severity + high likelihood (address immediately)
    • High Risk: High severity OR high likelihood (address soon)
    • Medium Risk: Moderate severity and likelihood (monitor)
    • Low Risk: Low severity and low likelihood (defer)

  5. Design Mitigation Strategies

    • Prevent: Eliminate risk through compliance
    • Reduce: Lower likelihood or severity
    • Transfer: Insurance, indemnification clauses
    • Accept: Conscious decision to accept risk

Output Template:

Regulatory Risk Matrix

Risk Assessment:

| Risk Area | Severity | Likelihood | Risk Score | Priority |
|-----------|----------|------------|------------|----------|
| [Risk 1] | 5 | 4 | 20 | CRITICAL |
| [Risk 2] | 4 | 3 | 12 | HIGH |
| [Risk 3] | 3 | 3 | 9 | MEDIUM |
| [Risk 4] | 2 | 2 | 4 | LOW |

Critical Risks (Score ≥15):

1. [Risk Area]: [Description]
   ├── Severity: 5/5 - [Existential threat/Major fines/Shutdown]
   ├── Likelihood: 4/5 - [Why likely to occur]
   ├── Penalties: [Financial, operational, reputational, criminal]
   ├── Recent Enforcement: [Examples of companies penalized]
   ├── Mitigation Strategy: [How to address]
   ├── Cost to Mitigate: $X
   ├── Timeline: X weeks
   └── Owner: [Legal/Engineering/Operations]

2. [Risk]...

High Risks (Score 10-14):

1. [Risk Area]: [Description]
   ├── Severity: X/5
   ├── Likelihood: X/5
   ├── Mitigation: [Strategy]
   └── Timeline: X weeks

Medium Risks (Score 5-9):
- [Risk]: [Brief mitigation]
- [Risk]: [Brief mitigation]

Low Risks (Score <5):
- [Risk]: Accept and monitor
- [Risk]: Accept and monitor

Risk Mitigation Roadmap:

Phase 1 (Weeks 1-4): Critical Risks
├── [Risk 1]: [Mitigation action]
├── [Risk 2]: [Mitigation action]
├── Budget: $X
└── Owner: [Legal team + Engineering]

Phase 2 (Weeks 5-12): High Risks
├── [Risk 3]: [Mitigation action]
├── [Risk 4]: [Mitigation action]
├── Budget: $X
└── Owner: [Operations team]

Phase 3 (Months 4-12): Medium Risks
├── [Risk 5]: [Monitoring + mitigation if needed]
├── Budget: $X
└── Owner: [Compliance officer]

Ongoing Monitoring:
- Quarterly risk reassessment
- Track regulatory changes
- Monitor enforcement trends
- Update mitigation strategies

Insurance Recommendations:
├── Cyber Liability: $X coverage (data breaches, privacy violations)
├── D&O Insurance: $X coverage (personal liability for executives)
├── Professional Liability: $X coverage (errors and omissions)
└── Total Premium: $X/year

3. License & Permit Planning

Research required licenses, application processes, and create licensing roadmap.

Workflow:

  1. Research Required Licenses

    • Business Licenses: General business operation permits
    • Industry Licenses: Healthcare provider, money transmitter, contractor
    • Professional Licenses: Individual practitioner licenses
    • Special Permits: Food handling, alcohol, controlled substances

  2. Map Application Processes

    • Application Requirements: Forms, documentation, background checks
    • Review Timeline: Processing time (weeks to months)
    • Renewal Cycles: Annual, biennial, or longer
    • Fees: Application fees, renewal fees, maintenance costs

  3. Estimate Time to Obtain

    • Fast Track: <30 days (simple business licenses)
    • Standard: 2-6 months (state licenses, permits)
    • Slow: 6-24 months (federal licenses, complex applications)
    • Critical Path: What blocks launch or expansion?

  4. Calculate Total Costs

    • Application Fees: One-time costs per license
    • Legal/Consulting: Professional fees for complex applications
    • Renewal Fees: Ongoing annual or biennial costs
    • Maintenance: Continuing education, audits, reporting

  5. Create Licensing Roadmap

    • Pre-Launch Licenses: Must have before operating
    • Growth Licenses: Required when hitting thresholds
    • Expansion Licenses: Needed for new jurisdictions or services

Output Template:

Licensing Roadmap

Required Licenses:

Pre-Launch (Before Operating):

1. [License Name]
   ├── Jurisdiction: [Federal/State/Local]
   ├── Issuing Authority: [Agency name]
   ├── Application Requirements:
   │   ├── Forms: [List]
   │   ├── Documentation: [Corporate docs, financials, background checks]
   │   └── Prerequisites: [Other licenses, bonds, insurance]
   ├── Processing Time: X weeks/months
   ├── Fees:
   │   ├── Application: $X
   │   ├── Background Check: $X
   │   └── Total: $X
   ├── Renewal: Every X years ($X fee)
   ├── Ongoing Obligations: [Reporting, audits, continuing education]
   ├── Critical Path: YES - Blocks launch
   └── Next Steps: [Apply by date X]

2. [License]...

Growth Phase (When Scaling):

1. [License Name]
   ├── Trigger: [When required - e.g., $X revenue, X employees, specific services]
   ├── Processing Time: X months
   ├── Cost: $X
   └── Lead Time: Start application X months before trigger

Expansion Licenses (New Jurisdictions):

| State/Country | License Required | Processing Time | Cost | Priority |
|---------------|------------------|-----------------|------|----------|
| [State 1] | [License] | X months | $X | High |
| [State 2] | [License] | X months | $X | Medium |
| [State 3] | [License] | X months | $X | Low |

License Application Timeline:

Month 1-2:
├── Prepare documentation (corporate records, financials, policies)
├── Background checks for key personnel
├── Obtain prerequisite licenses or bonds
└── Cost: $X

Month 3-4:
├── Submit applications for [License 1], [License 2]
├── Respond to information requests
├── Pay application fees
└── Cost: $X

Month 5-6:
├── Final review and approval
├── Receive licenses
├── Implement compliance processes
└── Cost: $X

Total Licensing Costs:
├── Pre-Launch: $X (one-time)
├── Ongoing: $X/year (renewals + maintenance)
└── Expansion: $X per new jurisdiction

Critical Dates:
- [Date]: Submit [License] application
- [Date]: Expected [License] approval
- [Date]: Launch allowed (assuming approvals)

4. Data Privacy Architecture

Design and implement data privacy frameworks compliant with global regulations.

Workflow:

  1. Select Applicable Frameworks

    • GDPR (EU): Consent, data minimization, right to deletion, portability
    • CCPA/CPRA (California): Opt-out, data deletion, no discrimination
    • HIPAA (Healthcare): PHI protection, business associate agreements
    • COPPA (Children <13): Parental consent, restricted data collection
    • Industry Standards: SOC 2, ISO 27001, PCI-DSS

  2. Implement Consent Flows

    • Explicit Consent: Clear, affirmative opt-in (GDPR requirement)
    • Granular Consent: Separate consent for different data uses
    • Withdraw Consent: Easy mechanism to revoke consent
    • Record Keeping: Log consent timestamp, IP, version of terms

  3. Design Data Retention

    • Retention Periods: How long to keep each data type
    • Deletion Process: Automated or manual deletion workflows
    • Archival: Long-term storage requirements (legal holds)
    • Anonymization: De-identify data for analytics retention

  4. Build Breach Response Protocol

    • Detection: How to identify data breaches
    • Notification Timeline: 72 hours (GDPR), state-specific (US)
    • Notification Recipients: Regulators, affected individuals, media
    • Response Team: Roles and responsibilities during breach

  5. Document Privacy Practices

    • Privacy Policy: Customer-facing policy (clear, accessible)
    • Data Processing Agreements: B2B contracts, vendor agreements
    • Internal Procedures: Employee training, data handling SOPs
    • Privacy Impact Assessments: Required for high-risk processing

Output Template:

Data Privacy Compliance Blueprint

Applicable Frameworks:
├── GDPR: YES (EU customers or employees)
├── CCPA/CPRA: YES (California customers, meets thresholds)
├── HIPAA: NO (not handling PHI)
├── COPPA: NO (no users under 13)
└── SOC 2: Recommended for B2B credibility

Data Inventory:

| Data Type | Source | Purpose | Retention | Sensitivity |
|-----------|--------|---------|-----------|-------------|
| Email, name | Signup | Account management | Account lifetime + 1 year | PII |
| Payment info | Stripe | Billing | Transaction + 7 years | Financial |
| Usage data | Product | Analytics | 2 years | Non-PII |
| Support tickets | Zendesk | Customer support | 3 years | PII |

Consent Management:

Consent Flow:
1. User lands on signup page
2. Pre-checked boxes: NONE (explicit consent required)
3. User checks boxes for:
   ├── Required: Terms of Service, Privacy Policy
   ├── Optional: Marketing emails (separate opt-in)
   └── Optional: Analytics cookies (separate opt-in)
4. Record consent: timestamp, IP, version of terms
5. Allow consent withdrawal: Account settings → Privacy

Consent Storage:
├── Database: User_id, consent_type, granted (boolean), timestamp, IP, terms_version
├── Logs: Immutable audit trail
└── Backup: Encrypted backups with same retention as user data

Data Subject Rights Implementation:

Right to Access:
├── User Portal: Download all your data (JSON format)
├── Timeline: Automated, instant download
├── Contents: All personal data, usage history, consent records
└── Implementation: API endpoint + UI

Right to Deletion:
├── User Portal: "Delete my account" button
├── Timeline: Immediate anonymization, full deletion in 30 days
├── Exceptions: Legal hold, fraud prevention (7 days), financial (7 years)
├── Implementation: Automated job, cascading deletes
└── Confirmation: Email confirmation of deletion

Right to Portability:
├── User Portal: Export data in machine-readable format (JSON, CSV)
├── Timeline: Instant download
└── Implementation: API endpoint

Right to Object:
├── Marketing Opt-Out: Unsubscribe link in all emails
├── Analytics Opt-Out: Cookie consent banner
└── Implementation: Preference center

Data Retention Policy:

| Data Type | Retention Period | Deletion Method | Reason |
|-----------|------------------|-----------------|--------|
| Account data | Account lifetime + 1 year | Automated deletion | Legal compliance |
| Payment records | 7 years | Encrypted archive | Tax/legal |
| Usage analytics | 2 years | Automated deletion | Business need |
| Anonymized data | Indefinite | N/A - de-identified | Analytics |

Breach Response Protocol:

Detection:
├── Monitoring: Automated alerts on unusual data access
├── Reporting: Employee hotline for suspected breaches
└── Logging: Comprehensive access logs

Response Timeline:
├── Hour 0: Breach detected, assemble response team
├── Hour 4: Contain breach, assess scope
├── Hour 12: Notify leadership, engage legal counsel
├── Hour 24: Determine notification requirements
├── Hour 48: Prepare notifications (regulator, customers, media if >500 affected)
├── Hour 72: Submit regulator notifications (GDPR requirement)
└── Week 1: Public communication, offer credit monitoring if warranted

Response Team:
├── Incident Commander: CTO
├── Legal: General Counsel or external counsel
├── Communications: CEO or PR lead
├── Technical: Lead Engineer
└── Compliance: Privacy Officer or DPO

Privacy Policy Requirements:

Must Include:
├── Data collected and why
├── Legal basis for processing (consent, contract, legitimate interest)
├── Data retention periods
├── Third-party sharing (subprocessors)
├── Data subject rights and how to exercise
├── Contact information (email, DPO if EU)
├── Cookie policy (if applicable)
└── Last updated date

Review Frequency: Annually or when processing changes

Vendor Management:

Data Processors (Subprocessors):
├── AWS: Hosting (DPA signed, BAA if healthcare)
├── Stripe: Payments (PCI-DSS compliant, DPA signed)
├── Sendgrid: Emails (DPA signed)
└── Mixpanel: Analytics (DPA signed, data minimization configured)

Due Diligence Checklist:
- [ ] Vendor has SOC 2 or ISO 27001 certification
- [ ] Data Processing Agreement (DPA) signed
- [ ] Vendor's privacy policy reviewed
- [ ] Data location confirmed (EU data stays in EU for GDPR)
- [ ] Subprocessor list reviewed
- [ ] Annual vendor audit scheduled

Implementation Checklist:

Engineering:
- [ ] Consent management system built
- [ ] Data deletion API implemented
- [ ] Data export API implemented
- [ ] Anonymization scripts written
- [ ] Breach detection monitoring deployed

Legal:
- [ ] Privacy policy drafted and reviewed
- [ ] Data Processing Agreements with vendors
- [ ] Terms of Service updated
- [ ] Employee privacy training materials
- [ ] Data breach response plan documented

Product:
- [ ] Consent UI designed and implemented
- [ ] Privacy settings in user account
- [ ] Cookie consent banner (if needed)
- [ ] Unsubscribe links in all emails
- [ ] Data export/deletion flows in product

Estimated Cost: $50K-$100K (legal + engineering + ongoing)
Timeline: 8-12 weeks for full implementation

5. Ongoing Monitoring

Track regulatory changes, conduct audits, and maintain compliance over time.

Workflow:

  1. Track Regulatory Changes

    • News Sources: Regulatory agency announcements, industry publications
    • Legal Updates: Law firm newsletters, compliance platforms
    • Case Law: Enforcement actions, settlements, court rulings
    • Industry Groups: Trade associations, peer networks

  2. Conduct Regular Audits

    • Internal Audits: Quarterly compliance checks against checklist
    • External Audits: Annual SOC 2, ISO audits if required
    • Vendor Audits: Annual review of subprocessor compliance
    • Penetration Testing: Semi-annual security assessments

  3. Maintain Documentation

    • Policies: Privacy policy, security policy, acceptable use
    • Procedures: SOPs for data handling, incident response
    • Training Records: Employee completion of compliance training
    • Audit Logs: Access logs, consent records, deletion records

  4. Update Compliance Program

    • New Regulations: Integrate new requirements into checklist
    • Process Improvements: Address audit findings
    • Technology Updates: New tools for compliance automation
    • Training Refreshers: Annual or when policies change

Output Template:

Compliance Monitoring Dashboard

Regulatory Change Tracking:

Monitoring Sources:
├── Agency Newsletters: [FDA, FTC, State AGs] - Weekly review
├── Legal Platforms: [Compliance.ai, OneTrust] - Automated alerts
├── Law Firm Updates: [Firm name] - Monthly newsletter
└── Industry Groups: [Association name] - Quarterly meetings

Recent Changes (Last Quarter):
1. [Regulation/Policy Change]
   ├── Effective Date: [Date]
   ├── Impact: [High/Medium/Low]
   ├── Action Required: [What must change]
   ├── Deadline: [When to comply]
   └── Owner: [Who's responsible]

2. [Change]...

Upcoming Changes (Next 6 Months):
- [Date]: [Regulation] takes effect - [Action required]
- [Date]: [Regulation] takes effect - [Action required]

Audit Schedule:

Quarterly Internal Audits:
├── Q1: [Month] - Data privacy practices
├── Q2: [Month] - Vendor compliance
├── Q3: [Month] - Security controls
└── Q4: [Month] - Employee training completion

Annual External Audits:
├── SOC 2 Type II: [Month] - [Auditor]
├── Penetration Test: [Month] - [Security firm]
└── Cost: $X

Last Audit Findings:

High Priority (Must Fix):
- [Finding]: [Remediation plan, deadline]
- [Finding]: [Remediation plan, deadline]

Medium Priority (Should Fix):
- [Finding]: [Remediation plan, deadline]

Low Priority (Nice to Fix):
- [Finding]: [Remediation plan]

Documentation Maintenance:

| Document | Last Updated | Review Frequency | Next Review | Owner |
|----------|--------------|------------------|-------------|-------|
| Privacy Policy | [Date] | Annually | [Date] | Legal |
| Security Policy | [Date] | Annually | [Date] | CTO |
| Breach Response | [Date] | Annually | [Date] | Legal + CTO |
| Employee Training | [Date] | Annually | [Date] | HR |

Training Program:

New Employee Onboarding:
├── Privacy & Security Training: Day 1
├── Role-Specific Training: Week 1
├── Compliance Quiz: Week 1 (must pass 80%)
└── Acknowledgment: Sign policy acceptance

Annual Refresher:
├── All Employees: [Month] annually
├── Format: Online modules + quiz
├── Topics: Privacy, security, compliance updates
└── Tracking: HR system records completion

Compliance Metrics:

| Metric | Current | Target | Trend |
|--------|---------|--------|-------|
| Training Completion | 95% | 100% | ↑ |
| Audit Findings (High) | 2 | 0 | ↓ |
| Breach Incidents | 0 | 0 | → |
| Privacy Requests | 5/mo | <10/mo | → |
| Vendor DPAs Signed | 90% | 100% | ↑ |

Alert Thresholds:
├── Critical: Data breach, regulator inquiry → Immediate escalation to CEO + Legal
├── High: Audit finding (high severity) → 48-hour response required
├── Medium: New regulation applicable → 30-day assessment required
└── Low: Vendor non-compliance → 90-day remediation

Annual Compliance Budget:
├── Legal Counsel: $X (retainer + ad hoc)
├── External Audits: $X (SOC 2, pentests)
├── Compliance Tools: $X (software subscriptions)
├── Training: $X (platforms, materials)
├── Insurance: $X (cyber liability, D&O)
└── Total: $X/year

Input Requirements

Required:

  • business_model: What you're building, how you make money
  • jurisdictions: Where you operate (US states, countries)
  • data_types_collected: PII, PHI, financial data, children's data
  • industry_vertical: Healthcare, finance, education, etc.

Optional:

  • current_stage: Pre-launch, launched, scaling
  • existing_compliance: What's already in place
  • budget: Available budget for compliance

Example Input:

{
  "business_model": "B2C telehealth platform connecting patients with licensed therapists",
  "jurisdictions": ["United States", "Canada"],
  "data_types_collected": ["PII", "PHI", "payment information"],
  "industry_vertical": "Healthcare"
}

Output Structure

{
  "compliance_requirements": [
    {
      "regulation": "HIPAA",
      "deadline": "Before launch",
      "cost": 75000
    },
    {
      "regulation": "State telehealth licenses",
      "deadline": "Per state entry",
      "cost": 5000
    }
  ],
  "licenses_needed": [
    {
      "license": "Business Associate Agreement with providers",
      "jurisdiction": "Federal (HIPAA)",
      "timeline": "4 weeks"
    }
  ],
  "data_privacy": {
    "frameworks": ["HIPAA", "CCPA"],
    "implementation": {
      "consent_flow": "Explicit opt-in for PHI sharing",
      "retention": "PHI retained 7 years per HIPAA",
      "breach_protocol": "72-hour notification to HHS"
    }
  },
  "risk_areas": [
    {
      "area": "Unauthorized PHI disclosure",
      "severity": "H",
      "mitigation": "Encryption at rest and in transit, access controls, audit logs"
    }
  ],
  "ongoing_obligations": [
    {
      "obligation": "Annual HIPAA risk assessment",
      "frequency": "Annually",
      "owner": "Compliance Officer"
    }
  ],
  "legal_structure": {
    "recommended": "Delaware C-Corp",
    "rationale": "Standard for US healthcare startups, investor-friendly"
  }
}

Integration with Other Agents

Receives Input From:

market-intelligence: Target markets inform jurisdiction requirements business-model: Revenue model informs licensing needs execution: Product features determine data privacy requirements

Provides Input To:

execution: Compliance requirements become product requirements funding: Compliance readiness affects investor confidence business-model: Compliance costs affect financial projections

Best Practices

  1. Compliance Early: Cheaper to build in than retrofit
  2. Document Everything: Audits require proof of compliance
  3. Hire Experts: Legal and compliance specialists worth the cost
  4. Automate Where Possible: Consent management, data deletion
  5. Stay Informed: Regulations change, monitor continuously

Common Pitfalls

  • ❌ Ignoring compliance until investor/customer asks (expensive retrofit)
  • ❌ Self-service compliance without legal review (miss critical requirements)
  • ❌ One-size-fits-all privacy policy (different jurisdictions have different rules)
  • ❌ Forgetting ongoing obligations (annual audits, training, renewals)
  • ✅ Plan early, hire experts, automate, monitor continuously

This agent navigates regulatory complexity, enabling compliant operations without sacrificing velocity.