hermes-brain/ideas/passepartout-economics/compliance-framework-reference.org
Hermes 5a2fce162a Inline cross-references throughout compliance reference
Replaced bottom-of-section 'See also' blocks with inline Org-mode file: links
at the first natural mention of each concept, wiki-style. Links now live in
the body text — compute-marketplace, verification-monopoly, domain-gate-packages,
infrastructure-lock-in, evaluation-harness all linked at their first relevant
usage per section.
2026-05-23 05:51:54 +00:00


Compliance Framework Reference — HIPAA, SOC 2, GDPR, FedRAMP

The verification monopoly and domain gate package revenue streams depend on selling into regulated industries. These industries buy compliance, not software. The four frameworks below are the most commonly referenced across the triad knowledge base. This file defines each one, the economic pressure it creates, and where it maps to the revenue model.

HIPAA (Health Insurance Portability and Accountability Act)

What it is

US federal law enacted 1996. Governs how protected health information (PHI) is stored, transmitted, and accessed. Two relevant rules:

  • Privacy Rule: controls use and disclosure of PHI. Patients have rights to access, amend, and request accounting of disclosures. Minimum necessary standard — only the minimum PHI needed for the task may be used.
  • Security Rule: administrative, physical, and technical safeguards for electronic PHI (ePHI). Requires access controls, audit controls, integrity controls, person/entity authentication, and transmission security.

Who must comply

Covered entities (health plans, healthcare clearinghouses, healthcare providers who transmit any ePHI) and business associates (any vendor handling PHI on behalf of a covered entity). Business Associate Agreements (BAAs) are mandatory.

Penalties

Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per violation category. Criminal penalties for knowing misuse (up to 10 years imprisonment). State AGs can also bring civil actions.

Why it matters for the triad

HIPAA is the largest single compliance market in US healthcare — every hospital, clinic, insurer, and health-tech vendor must comply. The HIPAA gate package ($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate constraints. Every PHI access attempt passes through the gate stack, producing a machine-checkable audit trail that satisfies the Security Rule's audit control requirement automatically. No separate logging infrastructure needed. Over a five-year deployment, the accumulated fact store and proof history create infrastructure lock-in — switching to a competitor means discarding all of it.

SOC 2 (System and Organization Controls 2)

What it is

An auditing standard developed by AICPA (American Institute of CPAs). Not a law. Certifies that a service organization's controls over security, availability, processing integrity, confidentiality, and privacy meet defined criteria.

Five Trust Service Criteria (TSC):

  • Security (mandatory): protection against unauthorized access (firewall, access control, intrusion detection)
  • Availability (optional): system available for operation and use as committed (uptime, redundancy, disaster recovery)
  • Processing Integrity (optional): system processing is complete, valid, accurate, timely, and authorized
  • Confidentiality (optional): information designated as confidential is protected as committed
  • Privacy (optional): personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments

Two types:

  • Type I: controls are suitably designed at a specific point in time
  • Type II: controls operated effectively over a period (6-12 months)

Who must comply

Any SaaS or cloud service provider whose enterprise customers require audited vendors. Table stakes for B2B — most enterprise procurement contracts require SOC 2 Type II.

Penalties

No direct fines (not a law). But losing SOC 2 certification means losing enterprise customers. Misrepresentation of certification status is fraud.

Why it matters for the triad

SOC 2 is the entry-level certification for the compute marketplace. A provider needs SOC 2 Type II to sell compute to enterprises whose procurement policy requires audited vendors. The gate stack itself maps directly to the Security criterion (access controls, audit trails) — the Passepartout instance's deterministic gate log serves as the evidence artifact for the audit. No separate logging pipeline or SIEM is needed. This is the prerequisite to the larger verification monopoly play — once enterprises trust the audit trail, they buy domain-specific gate packages for the same infrastructure.

GDPR (General Data Protection Regulation)

What it is

EU regulation (effective May 2018) governing the processing of personal data of natural persons in the EU. Extraterritorial — applies to any organization processing EU personal data regardless of where the organization is based.

Key requirements:

  • Lawful basis for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests)
  • Data minimization — collect only what is necessary
  • Purpose limitation — do not reuse data for incompatible purposes
  • Storage limitation — delete when no longer needed
  • Right of access, rectification, erasure (right to be forgotten), data portability, restriction, objection
  • Data Protection Impact Assessment (DPIA) for high-risk processing
  • Breach notification within 72 hours to supervisory authority
  • Data Protection Officer (DPO) appointment for certain controllers/processors
  • Data Processing Agreements (DPAs) between controllers and processors

Who must comply

Any organization that processes personal data of EU residents. Includes controllers (determine purposes and means) and processors (process on behalf of controller). Non-EU organizations with EU data subjects are in scope.

Penalties

Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered system. Supervisory authorities in each member state enforce. Private right of action for damages.

Why it matters for the triad

GDPR is the most extraterritorial and aggressively enforced privacy framework. The gate stack's principle of least privilege maps naturally to GDPR's data minimization requirement. Every data access is gated by a verified rule that states the purpose — the proof log is a built-in DPIA artifact. For the compute marketplace: a provider processing proofs on EU users' gate data must maintain DPAs with all clients. Proof logs themselves may constitute personal data if they reference natural persons (names in access rules, etc.), creating a demand for privacy-preserving proof techniques. This is why the GDPR gate package includes data-processing agreement templates and purpose-boundary gate rules that are independently verified by the provider's evaluation harness.
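The two properties the HIPAA and GDPR sections lean on are the same mechanism seen from two frameworks: a request must declare a purpose, the rule for that role and purpose fixes the minimum-necessary field set, and every decision (allow or deny) lands in a deterministic, tamper-evident log. The following is an added example, not Passepartout's code: it substitutes a plain Python rule evaluator for the ACL2-verified gate constraints the page describes, so the control flow can be exercised offline. Rule names, roles, purposes, field names and the sample requests are constructed; the hash chain is a standard SHA-256 chain, and requests that exceed their rule's field set are denied outright rather than partially granted.

```python
"""Purpose-bound, least-privilege access gate with a hash-chained audit log.

Added example (not the project's code). A Python rule table stands in for the
ACL2-verified gate constraints; rules, roles, purposes and fields are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class GateRule:
    name: str             # identifies which rule produced the decision in the log
    role: str             # role the subject must hold
    purpose: str          # purpose the request must declare (GDPR purpose limitation)
    fields: frozenset     # minimum-necessary field set for that purpose (HIPAA)


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    @staticmethod
    def _canonical(record: dict) -> str:
        # Canonical JSON so the same decision always hashes the same way.
        return json.dumps(record, sort_keys=True, separators=(",", ":"))

    def append(self, record: dict) -> str:
        digest = hashlib.sha256((self.last_hash + self._canonical(record)).encode()).hexdigest()
        self.entries.append({"prev": self.last_hash, "record": record, "hash": digest})
        self.last_hash = digest
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            expected = hashlib.sha256((prev + self._canonical(entry["record"])).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


class GateStack:
    def __init__(self, rules, log: AuditLog):
        self.rules = {(r.role, r.purpose): r for r in rules}
        self.log = log
        self.seq = 0  # sequence number instead of wall-clock time keeps the log deterministic

    def request(self, subject: str, role: str, purpose: str, fields):
        wanted = frozenset(fields)
        rule = self.rules.get((role, purpose))
        if rule is None:
            decision, granted, reason = "deny", frozenset(), "no rule for role/purpose"
        elif not wanted <= rule.fields:
            decision, granted, reason = "deny", frozenset(), "exceeds minimum necessary"
        else:
            decision, granted, reason = "allow", wanted, rule.name
        self.seq += 1
        # Every attempt is logged, denials included: that is the audit-control artifact.
        self.log.append({"seq": self.seq, "subject": subject, "role": role, "purpose": purpose,
                         "requested": sorted(wanted), "granted": sorted(granted),
                         "decision": decision, "reason": reason})
        return decision, granted


RULES = [  # constructed sample rules
    GateRule("hipaa-treatment-min-necessary", "clinician", "treatment",
             frozenset({"diagnosis", "medications", "allergies"})),
    GateRule("hipaa-payment-min-necessary", "billing", "payment",
             frozenset({"procedure_codes", "insurer_id"})),
    GateRule("gdpr-support-purpose-bound", "support", "customer_support",
             frozenset({"email", "ticket_history"})),
]


def demo():
    """Run four constructed requests through the gate; returns decisions and the log."""
    log = AuditLog()
    gate = GateStack(RULES, log)
    results = [
        gate.request("dr_a", "clinician", "treatment", ["diagnosis", "allergies"]),      # within rule
        gate.request("dr_a", "clinician", "treatment", ["diagnosis", "insurer_id"]),     # over-broad
        gate.request("agent_b", "support", "marketing", ["email"]),                      # purpose not permitted
        gate.request("clerk_c", "billing", "payment", ["insurer_id"]),                   # within rule
    ]
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for entry in log.entries:
        print(entry["record"]["decision"], entry["record"]["reason"], entry["hash"][:12])
    print("chain intact:", log.verify())
```

Because the log carries no timestamps and serialises records canonically, two runs over the same requests produce the same final hash, which is what makes the log reproducible as evidence rather than merely present. Retaining a subject's name in `subject` is exactly the case the paragraph above flags: the log is itself personal data under GDPR, so a deployment would pseudonymise that field before the log leaves the controller.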

FedRAMP (Federal Risk and Authorization Management Program)

What it is

US federal government's standardized approach to security assessment, authorization, and continuous monitoring for cloud services. OMB policy mandate — federal agencies must use FedRAMP-authorized services when available.

Three impact levels based on data sensitivity:

| Level | Data type | Examples | Cost to achieve | Timeline |
|-------|-----------|----------|-----------------|----------|
| Low | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months |
| Moderate | Controlled Unclassified Information (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months |
| High | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months |

Two authorization paths:

  • JAB (Joint Authorization Board): provisional authorization by DHS, GSA, DOD. Hardest path, most reusable across agencies.
  • Agency: authorization by a single federal agency for its own use. Faster but less portable.

Requires continuous monitoring (monthly scans, annual assessments, POA&M for findings).

Who must comply

Any cloud service provider that sells to US federal agencies, including IaaS, PaaS, and SaaS offerings. The FedRAMP Marketplace lists authorized providers — agencies are strongly discouraged from using non-authorized services.

Penalties

No direct fines. Non-authorized providers are simply ineligible for federal contracts. FedRAMP is a procurement gate, not a regulatory one.

Why it matters for the triad

FedRAMP is the highest bar and the most expensive certification to obtain. Few cloud providers achieve it (fewer than 300 authorized products as of 2025). But those that do capture the US government market with minimal competition. For the triad: a compute marketplace provider with FedRAMP Moderate or High authorization can sell to every federal agency. The gate stack's deterministic audit trail maps directly to FedRAMP's continuous monitoring requirement — producing verifiable evidence of control effectiveness on every access, not just during the annual assessment. This is what justifies the FedRAMP gate package at $100K/yr (the highest price) — it is not a software package, it is the evidence pipeline for a certification that costs $1M-$5M and 12-36 months to obtain independently. The verification monopoly argument applies hardest here: an agency that has relied on a FedRAMP-authorized compute provider for five years cannot switch without re-running the entire authorization process with a new provider.

What Each Framework Means for Revenue

| Framework | Gate package price | What it buys | Buyer |
|-----------|--------------------|--------------|-------|
| HIPAA | $50K/yr | ACL2-encoded Privacy + Security Rules; auto-generated audit trail replaces SIEM | Hospitals, insurers, health-tech |
| SOC 2 | $50K/yr | Gate stack evidence artifacts for Type II auditor; no separate logging | Any B2B SaaS needing enterprise procurement |
| GDPR | $50K/yr | Purpose-bound data access gates; built-in DPIA evidence; DPA templates | Any org with EU data subjects |
| FedRAMP | $100K/yr | Deterministic continuous monitoring; control evidence on every access (not annual) | Federal contractors, defense, critical infra |

A single enterprise running all four packages generates $250K/yr in gate package revenue. With infrastructure lock-in, that grows to $500K-$1M/yr by year five as the fact store accumulates compliance decisions.

See also: Domain gate packages, Infrastructure lock-in, Verification monopoly, Compute marketplace, Evaluation harness, Passepartout economics index