How to Do Compliance Checks Before Shipping
A practical guide for product managers and engineering leads who need to ship features that satisfy GDPR, HIPAA, and SOC 2 requirements without slowing down the team.
TL;DR
Compliance checks before shipping protect your company from regulatory fines, customer churn, and legal liability. This guide covers the three most common compliance frameworks for product teams (GDPR, HIPAA, SOC 2), provides actionable checklists for each, and shows how to integrate compliance into your development workflow so it does not become a last-minute bottleneck.
Why Compliance Checks Matter for Product Teams
Compliance is not just a legal checkbox. It is a product quality signal. When a product team ships a feature that mishandles personal data, the consequences range from regulatory fines (GDPR penalties can reach 4% of global annual revenue) to customer trust erosion that takes years to rebuild.
The challenge is that compliance requirements are written by lawyers and regulators, not by product managers. They are dense, ambiguous, and scattered across hundreds of pages of regulatory text. Translating those requirements into actionable engineering tasks is one of the hardest parts of the PM role in regulated industries.
Most teams handle compliance in one of two ways. The first is the “compliance team reviews everything before launch” approach. This creates a bottleneck where features sit in a review queue for days or weeks, frustrating engineering teams and slowing release velocity. The second is the “we will deal with it later” approach, which works until the first audit or data breach.
The better path is to build compliance into the development workflow so checks happen continuously, not as a gate at the end. This guide shows you how to do that for the three frameworks product teams encounter most often.
Understanding the Big Three Frameworks
Before diving into checklists, it helps to understand what each framework actually requires and who it applies to. Here is a practical summary.
GDPR (General Data Protection Regulation)
GDPR applies to any organization that processes personal data of people in the European Union, regardless of where the organization is based. If your SaaS product has even one EU user, GDPR applies to you. The regulation centers on six principles: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, and integrity/confidentiality.
For product teams, GDPR translates into concrete requirements: you need a legal basis for every piece of personal data you collect, users must be able to access, correct, and delete their data, you must document your data processing activities, and you need to report breaches within 72 hours. The “right to be forgotten” alone has significant engineering implications for data architecture.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA applies if your product stores, processes, or transmits protected health information (PHI). This includes obvious cases like electronic health records software, but also less obvious ones: a fitness app that stores heart rate data, a telehealth platform, or even a scheduling tool used by a medical practice.
HIPAA has two main rules that affect product teams. The Privacy Rule governs who can access PHI and under what circumstances. The Security Rule sets standards for protecting electronic PHI (ePHI), including requirements for access controls, audit logs, encryption, and transmission security. If your product is a “business associate” (you handle PHI on behalf of a covered entity like a hospital), you need a Business Associate Agreement (BAA) and must comply with the Security Rule.
SOC 2 (System and Organization Controls 2)
SOC 2 is not a law. It is an auditing standard developed by the AICPA that evaluates your controls around five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. Enterprise customers increasingly require SOC 2 Type II reports before signing contracts.
For product teams, SOC 2 means you need documented policies and evidence that you follow them. Change management procedures, access control reviews, incident response plans, and vendor risk assessments are all in scope. The key difference from GDPR and HIPAA is that SOC 2 is about demonstrating controls to auditors, not complying with a specific regulation. This means the standard is more flexible but also more ambiguous about exactly what “good enough” looks like.
Pre-Shipping Compliance Checklist: GDPR
Run through this checklist for every feature that collects, stores, or processes personal data of EU users. Not every item will apply to every feature, but reviewing the full list ensures nothing slips through.
- Identify the legal basis. For each piece of personal data the feature collects, document the legal basis: consent, contract performance, legitimate interest, legal obligation, vital interests, or public task. If you are relying on consent, verify that the consent mechanism is opt-in (not pre-checked), specific to the purpose, and easy to withdraw.
- Data minimization review. Confirm that the feature only collects data that is strictly necessary for its stated purpose. If you are collecting an email address, a name, and a phone number, ask whether all three are truly required. Remove any fields that are “nice to have” but not essential.
- Privacy notice update. Verify that your privacy policy covers the new data processing activity. If the feature introduces a new purpose for data collection, the privacy notice must be updated before launch. Users must be informed about what data is collected, why, how long it is retained, and who it is shared with.
- Data subject rights. Confirm that the feature supports the right to access (users can see their data), right to rectification (users can correct their data), right to erasure (users can delete their data), and right to portability (users can export their data in a machine-readable format). Test the deletion flow end-to-end, including backups and third-party services.
- Data processing agreements. If the feature sends personal data to a third-party service (analytics, email provider, CDN), verify that a Data Processing Agreement (DPA) is in place with that vendor. Check that the DPA covers the specific data types the feature transmits.
- Cross-border transfer check. If personal data is stored or processed outside the EU, verify that an adequate transfer mechanism is in place: Standard Contractual Clauses (SCCs), an adequacy decision, or Binding Corporate Rules.
- Data Protection Impact Assessment (DPIA). If the feature involves high-risk processing (large-scale profiling, systematic monitoring, sensitive data categories), conduct a DPIA before launch. Document the risks, the mitigations, and the residual risk level.
- Breach notification readiness. Verify that the feature has logging and alerting in place to detect unauthorized access. Confirm that your incident response plan covers the 72-hour notification requirement. Test the notification workflow with a simulated breach scenario.
- Retention policy. Define how long the data collected by this feature will be retained. Set up automated deletion or anonymization for data that exceeds its retention period. Document the retention schedule and the justification for the chosen timeframe.
Pre-Shipping Compliance Checklist: HIPAA
This checklist applies to features that handle protected health information (PHI). Even if your product is not a healthcare application, review this list if any feature touches health-related data.
- PHI identification. Map every data field in the feature to determine if it qualifies as PHI. HIPAA defines 18 identifiers that make health information “protected,” including names, dates, phone numbers, email addresses, Social Security numbers, medical record numbers, and biometric identifiers. If any health data can be linked to these identifiers, it is PHI.
- Encryption at rest and in transit. Verify that all PHI is encrypted using AES-256 (or equivalent) at rest and TLS 1.2+ in transit. This includes database storage, file uploads, API calls, and any temporary caches. Check that encryption keys are managed through a key management service, not hard-coded.
- Access controls. Implement role-based access control (RBAC) so that only authorized users can view or modify PHI. Apply the minimum necessary standard: each role should have access to only the PHI required for its function. Log every access event, including the user identity, timestamp, and data accessed.
- Audit logging. Every action involving PHI (create, read, update, delete) must be logged in a tamper-evident audit trail. Logs must include who accessed the data, when, from where, and what action was taken. Store audit logs for a minimum of six years (the HIPAA retention requirement). Ensure logs themselves do not contain PHI.
- Business Associate Agreement. If the feature sends PHI to any third-party service (cloud hosting, analytics, backup provider), verify that a signed BAA is in place with that vendor. Review the BAA to confirm it covers the specific types of PHI and processing activities involved.
- Session management. Implement automatic session timeout for any interface that displays PHI. HIPAA does not specify a timeout duration, but industry best practice is 15 minutes of inactivity. Ensure that session tokens are invalidated on the server side, not just cleared from the client.
- Backup and disaster recovery. Verify that PHI is backed up and that backups are encrypted. Test the restoration process to confirm that PHI can be recovered. Document the recovery time objective (RTO) and recovery point objective (RPO) for the feature.
- De-identification for analytics. If you need to use health data for analytics, product improvements, or reporting, de-identify it using either the Safe Harbor method (remove all 18 identifiers) or the Expert Determination method. Never use identifiable PHI for analytics purposes.
Pre-Shipping Compliance Checklist: SOC 2
SOC 2 is not prescriptive about specific technologies, but it requires you to demonstrate that controls are in place and operating effectively. This checklist maps SOC 2 trust service criteria to concrete engineering and product tasks.
- Change management documentation. Every code change that reaches production must have a documented review and approval trail. This means pull request reviews, CI/CD pipeline logs, and deployment records. Verify that the feature follows your team's change management process and that all commits are traceable to approved work items.
- Access review. Confirm that access to production systems, databases, and infrastructure follows the principle of least privilege. Review the IAM roles and permissions for any new services the feature introduces. Document who has access and why.
- Vulnerability scanning. Run a vulnerability scan on the feature before deployment. This includes dependency scanning (checking for known vulnerabilities in third-party libraries), static analysis (SAST), and dynamic analysis (DAST) if applicable. Document the results and remediate any critical or high-severity findings before shipping.
- Incident response readiness. Verify that the feature has monitoring and alerting configured. Confirm that alerts route to the on-call team and that the escalation path is documented. If the feature introduces a new failure mode, update the incident response runbook.
- Availability monitoring. Set up uptime monitoring for any new endpoints or services the feature introduces. Define SLAs and SLOs for the feature. Configure alerts for latency degradation, error rate spikes, and downtime.
- Data classification. Classify the data the feature handles according to your data classification policy (public, internal, confidential, restricted). Apply the appropriate controls for each classification level. Document the classification in the feature's technical spec or PRD.
- Vendor risk assessment. If the feature integrates with a new third-party service, conduct a vendor risk assessment. Verify the vendor's SOC 2 report (or equivalent), review their security practices, and document the assessment. Add the vendor to your vendor management register.
- Evidence collection. SOC 2 auditors need evidence that controls are operating effectively. Before shipping, verify that all required evidence is being captured automatically: PR approvals, deployment logs, access reviews, vulnerability scan results, and monitoring dashboards. If any evidence is manual, schedule recurring tasks to collect it.
Building Compliance into Your Development Workflow
Running through checklists manually before every release is better than ignoring compliance, but it does not scale. The goal is to embed compliance checks into the workflow so they happen automatically at the right moments.
Step 1: Add Compliance to Your PRD Template
Start at the beginning of the product development cycle. Add a “Compliance Requirements” section to your PRD template. This section should answer three questions: What personal or sensitive data does this feature handle? Which compliance frameworks apply? What specific requirements must be met? Forcing PMs to answer these questions during the spec phase catches compliance issues before any code is written.
Step 2: Automate What You Can in CI/CD
Add automated checks to your CI/CD pipeline. Dependency scanning tools like Snyk or Dependabot catch known vulnerabilities in third-party libraries. Static analysis tools can flag hard-coded secrets, unencrypted data stores, and insecure API configurations. Infrastructure-as-code scanners like Checkov or tfsec verify that cloud resources meet security baselines. These checks run on every pull request and block merging if critical issues are found.
Step 3: Create a Compliance Review Gate
For features that handle sensitive data, add a compliance review step to your release process. This is not a months-long audit. It is a structured 30-minute review where a compliance-aware team member walks through the relevant checklist with the PM and engineering lead. The output is a signed-off checklist that becomes part of the release record.
The key is making this review fast and focused. Use a template with yes/no questions for each checklist item. Pre-populate answers with evidence from automated checks. The human review focuses on the items that cannot be automated: consent flows, data processing agreements, and risk assessments.
Step 4: Track Compliance Status Alongside Feature Status
Compliance should be visible in the same tools where you track feature progress. Add a “Compliance Status” property to your project tracker (whether that is Linear, Jira, or Notion). The statuses should be: Not Applicable, Pending Review, In Review, Approved, and Blocked. This makes compliance status visible during standups and sprint reviews instead of hiding it in a separate spreadsheet.
Step 5: Document Everything for Auditors
Auditors do not care about your Slack conversations or verbal agreements. They need documented evidence that controls exist and are followed. For every compliance check, keep a record of: what was checked, who checked it, when it was checked, what the result was, and what action was taken for any findings. Store this evidence in a structured format that can be retrieved during an audit.
Common Compliance Mistakes Product Teams Make
Treating compliance as a one-time event
Compliance is not something you achieve and forget. Regulations change, your product evolves, and new data flows are introduced with every feature. Teams that run a compliance audit once and then stop checking will drift out of compliance within months. Build recurring reviews into your sprint cycle.
Confusing compliance with security
Security is one component of compliance, but they are not the same thing. You can have excellent security practices and still violate GDPR because you lack a legal basis for data processing or have not implemented data subject rights. Compliance covers legal, procedural, and organizational requirements that go beyond technical security controls.
Not involving engineering early enough
When compliance requirements are handed to engineering after the feature is built, the result is rework, delays, and resentment. Involve engineering during the PRD phase so they can flag technical constraints (like deletion across distributed systems) before the design is finalized.
Relying on manual checklists at scale
Checklists work for small teams shipping a few features per quarter. But as your product and team grow, manual checklists become error-prone and inconsistent. The person running the checklist may miss items, skip steps under time pressure, or interpret requirements differently than a colleague. Automation and tooling become essential.
How Vantage Handles Compliance Checks
Vantage is the AI operating system for building products. Its compliance checking capability connects your product specs to compliance frameworks so requirements are checked automatically, not manually.
Here is how it works in practice:
Automatic compliance mapping
When you write a PRD or product spec in Vantage, the system identifies data handling requirements and maps them to the relevant compliance frameworks (GDPR, HIPAA, SOC 2). Each requirement in your spec is linked to the compliance controls it needs to satisfy through the decision graph.
Continuous compliance monitoring
As your specs evolve, Vantage re-evaluates compliance requirements. If a new feature introduces a data flow that was not in the original spec, Vantage flags the additional compliance requirements. This catches issues that would otherwise slip through between the initial review and the actual implementation.
Traceable compliance evidence
Every compliance check in Vantage produces traceable evidence: which requirement was checked, what the result was, and which data sources informed the decision. This evidence is structured and exportable, making audit preparation significantly faster than assembling evidence from scattered documents and spreadsheets.
The difference between manual checklists and Vantage is structural. Manual checklists are point-in-time snapshots that degrade as your product changes. Vantage maintains live connections between specs, data flows, and compliance requirements so nothing falls out of sync.
When Manual Checklists Are Enough
Not every team needs automated compliance tooling. Manual checklists work well if:
- Your team ships 1-3 features per quarter and has a dedicated compliance or legal team member who can review each one.
- Your product handles a limited set of data types and the compliance surface area is small and well-understood.
- You are in the early stages of building your compliance program and need to understand the requirements before automating them.
- Your team has strong institutional knowledge about compliance requirements and rarely misses items during reviews.
For teams in this category, the checklists in this guide will serve you well. Print them, customize them for your specific regulatory requirements, and make them part of your release process. The important thing is that compliance checks happen consistently, not that they are automated.
When to Consider Compliance Tooling
Consider investing in compliance tooling when:
- Your team ships frequently and the manual review bottleneck is slowing down releases.
- You have had compliance gaps slip through because someone missed a checklist item under time pressure.
- Your product is expanding into new markets or industries that introduce additional compliance frameworks.
- Audit preparation takes weeks of manual evidence gathering across scattered documents, spreadsheets, and tools.
- You need to demonstrate compliance traceability to enterprise customers as part of the sales process.
Vantage integrates compliance checking into the product development workflow so it is not a separate process. When compliance is connected to your specs, your data flows, and your engineering tickets through the decision graph, it stops being a bottleneck and becomes a continuous quality signal.