sf-agent-framework/sf-core/tasks/compliance-check.md

AI Agent Orchestration Framework for Salesforce Development - Two-phase architecture with 70% context reduction

# Compliance Check Task

## Task Overview

**Objective:** Perform comprehensive compliance assessment of Salesforce
implementation against regulatory requirements and industry standards.

**When to Use:**

- Pre-audit preparation
- Quarterly compliance reviews
- After major system changes
- New regulation implementation
- M&A due diligence
- Security incident follow-up

## Prerequisites

- Compliance requirements documented
- System Administrator access
- Audit tools access
- Understanding of applicable regulations (GDPR, CCPA, HIPAA, SOC 2, etc.)
- Previous audit reports (if available)

## Task Steps

### Step 1: Identify Applicable Regulations

```javascript
// Define compliance requirements
const complianceRequirements = {
  GDPR: {
    applicable: true,
    requirements: [
      'Data subject rights implementation',
      'Consent management',
      'Data retention policies',
      'Right to erasure',
      'Data portability',
      'Privacy by design',
    ],
  },
  CCPA: {
    applicable: true,
    requirements: [
      'Consumer rights implementation',
      'Opt-out mechanisms',
      'Data sale disclosures',
      'Privacy policy updates',
      'Data inventory',
    ],
  },
  HIPAA: {
    applicable: false,
    requirements: ['PHI encryption', 'Access controls', 'Audit trails', 'BAA agreements', 'Minimum necessary standard'],
  },
  SOC2: {
    applicable: true,
    requirements: [
      'Security controls',
      'Availability measures',
      'Processing integrity',
      'Confidentiality controls',
      'Privacy controls',
    ],
  },
};
```

### Step 2: Data Classification and Inventory

```apex
public class DataClassificationAnalyzer {

    public class DataClassification {
        public String objectName;
        public String fieldName;
        public String dataType;
        public String classification; // PII, Sensitive, Confidential, Public
        public Boolean isEncrypted;
        public Boolean hasRetentionPolicy;
    }

    public static List<DataClassification> analyzeDataFields() {
        List<DataClassification> classifications = new List<DataClassification>();

        // Define patterns for sensitive data
        Map<String, String> sensitivePatterns = new Map<String, String>{
            'SSN' => 'PII',
            'Social_Security' => 'PII',
            'Tax_ID' => 'PII',
            'Birth_Date' => 'PII',
            'Email' => 'PII',
            'Phone' => 'PII',
            'Credit_Card' => 'Sensitive',
            'Bank_Account' => 'Sensitive',
            'Medical' => 'PHI',
            'Health' => 'PHI'
        };

        // Scan all custom fields
        List<EntityDefinition> entities = [
            SELECT QualifiedApiName
            FROM EntityDefinition
            WHERE IsCustomizable = true
        ];

        for (EntityDefinition entity : entities) {
            List<FieldDefinition> fields = [
                SELECT QualifiedApiName, DataType, IsEncrypted
                FROM FieldDefinition
                WHERE EntityDefinition.QualifiedApiName = :entity.QualifiedApiName
            ];

            for (FieldDefinition field : fields) {
                DataClassification dc = new DataClassification();
                dc.objectName = entity.QualifiedApiName;
                dc.fieldName = field.QualifiedApiName;
                dc.dataType = field.DataType;
                dc.isEncrypted = field.IsEncrypted;

                // Check for sensitive patterns
                for (String pattern : sensitivePatterns.keySet()) {
                    if (field.QualifiedApiName.containsIgnoreCase(pattern)) {
                        dc.classification = sensitivePatterns.get(pattern);
                        break;
                    }
                }

                if (dc.classification != null) {
                    classifications.add(dc);
                }
            }
        }

        return classifications;
    }
}
```

### Step 3: Access Control Compliance

```soql
-- Check for appropriate access controls on sensitive data
SELECT
    Parent.Profile.Name,
    Field,
    PermissionsRead,
    PermissionsEdit
FROM FieldPermissions
WHERE Field IN (
    SELECT QualifiedApiName
    FROM FieldDefinition
    WHERE QualifiedApiName LIKE '%SSN%'
       OR QualifiedApiName LIKE '%TaxId%'
       OR QualifiedApiName LIKE '%Medical%'
)
AND Parent.IsOwnedByProfile = true
ORDER BY Parent.Profile.Name, Field

-- Verify encryption on sensitive fields
SELECT
    EntityDefinition.QualifiedApiName,
    QualifiedApiName,
    IsEncrypted,
    DataType
FROM FieldDefinition
WHERE (QualifiedApiName LIKE '%SSN%'
    OR QualifiedApiName LIKE '%CreditCard%'
    OR QualifiedApiName LIKE '%BankAccount%')
AND IsEncrypted = false
```

### Step 4: Audit Trail Verification

```apex
public class AuditTrailCompliance {

    public static void verifyAuditConfiguration() {
        // Check field history tracking
        List<EntityDefinition> entitiesWithoutHistory = [
            SELECT QualifiedApiName
            FROM EntityDefinition
            WHERE IsCustomizable = true
            AND NOT QualifiedApiName IN (
                SELECT EntityDefinition.QualifiedApiName
                FROM FieldDefinition
                WHERE IsFieldHistoryTracked = true
            )
        ];

        System.debug('Entities without field history: ' + entitiesWithoutHistory);

        // Check setup audit trail retention
        DateTime oldestSetupAuditEntry = [
            SELECT MIN(CreatedDate) MinDate
            FROM SetupAuditTrail
        ][0].MinDate;

        Integer retentionDays = Date.today().daysBetween(oldestSetupAuditEntry.date());
        System.debug('Setup audit trail retention: ' + retentionDays + ' days');

        // Verify login history retention
        DateTime oldestLoginEntry = [
            SELECT MIN(LoginTime) MinDate
            FROM LoginHistory
        ][0].MinDate;

        Integer loginRetentionDays = Date.today().daysBetween(oldestLoginEntry.date());
        System.debug('Login history retention: ' + loginRetentionDays + ' days');
    }
}
```

### Step 5: Data Retention Compliance

```apex
public class DataRetentionCompliance {

    public static void analyzeDataRetention() {
        Map<String, Integer> objectRecordAge = new Map<String, Integer>();

        // Check age of records in key objects
        List<String> keyObjects = new List<String>{
            'Account', 'Contact', 'Case', 'Opportunity'
        };

        for (String objName : keyObjects) {
            String query = 'SELECT COUNT(Id) total, MIN(CreatedDate) oldest ' +
                          'FROM ' + objName;

            try {
                AggregateResult[] results = Database.query(query);
                if (!results.isEmpty() && results[0].get('oldest') != null) {
                    DateTime oldest = (DateTime)results[0].get('oldest');
                    Integer ageInDays = oldest.date().daysBetween(Date.today());
                    objectRecordAge.put(objName, ageInDays);
                }
            } catch (Exception e) {
                System.debug('Error querying ' + objName + ': ' + e.getMessage());
            }
        }

        // Check for retention policies
        for (String objName : objectRecordAge.keySet()) {
            Integer age = objectRecordAge.get(objName);
            if (age > 2555) { // 7 years
                System.debug('WARNING: ' + objName + ' has records older than 7 years');
            }
        }
    }
}
```

### Step 6: Privacy Rights Implementation

```apex
public class PrivacyRightsChecker {

    public static void verifyGDPRCompliance() {
        List<String> missingFeatures = new List<String>();

        // Check for consent management
        if (!Schema.getGlobalDescribe().containsKey('Individual')) {
            missingFeatures.add('Individual object for consent management');
        }

        // Check for data portability
        List<DataExportDefinition> exports = [
            SELECT Id, Name FROM DataExportDefinition
        ];
        if (exports.isEmpty()) {
            missingFeatures.add('Data export definitions for portability');
        }

        // Check for deletion capabilities
        List<ApexClass> deletionClasses = [
            SELECT Name FROM ApexClass
            WHERE Name LIKE '%DataDeletion%'
               OR Name LIKE '%Anonymiz%'
        ];
        if (deletionClasses.isEmpty()) {
            missingFeatures.add('Data deletion/anonymization utilities');
        }

        System.debug('Missing GDPR features: ' + missingFeatures);
    }

    public static void verifyCCPACompliance() {
        // Check for opt-out mechanisms
        List<FieldDefinition> optOutFields = [
            SELECT QualifiedApiName, EntityDefinition.QualifiedApiName
            FROM FieldDefinition
            WHERE QualifiedApiName LIKE '%Opt_Out%'
               OR QualifiedApiName LIKE '%Do_Not_Sell%'
        ];

        if (optOutFields.isEmpty()) {
            System.debug('WARNING: No opt-out fields found for CCPA compliance');
        }
    }
}
```

### Step 7: Security Configuration Check

```apex
public class SecurityComplianceChecker {

    public static Map<String, Boolean> checkSecuritySettings() {
        Map<String, Boolean> settings = new Map<String, Boolean>();

        // Check password policies
        List<PasswordPolicy> policies = [
            SELECT Id, MinPasswordLength, Complexity, MaxLoginAttempts
            FROM PasswordPolicy
        ];

        for (PasswordPolicy policy : policies) {
            settings.put('MinPasswordLength_8', policy.MinPasswordLength >= 8);
            settings.put('ComplexityRequired', policy.Complexity != 'No restriction');
            settings.put('LoginAttemptsLimited', policy.MaxLoginAttempts != null);
        }

        // Check session settings
        List<SessionSetting> sessions = [
            SELECT SessionTimeout, ForceLogout
            FROM SessionSetting
        ];

        for (SessionSetting session : sessions) {
            settings.put('SessionTimeoutConfigured', session.SessionTimeout <= 120);
            settings.put('ForceLogoutEnabled', session.ForceLogout);
        }

        // Check encryption settings
        Organization org = [
            SELECT IsSandbox, TrialExpirationDate, ComplianceGroup
            FROM Organization
        ];

        settings.put('PlatformEncryption',
            Schema.getGlobalDescribe().containsKey('TenantSecret'));

        return settings;
    }
}
```

### Step 8: Third-Party Integration Compliance

```soql
-- Check connected apps
SELECT
    Name,
    ContactEmail,
    CreatedDate,
    LastModifiedDate,
    OptionsAllowAdminApprovedUsersOnly,
    OptionsFullContentPushNotifications
FROM ConnectedApplication

-- Check external data sources
SELECT
    DeveloperName,
    Type,
    Endpoint,
    PrincipalType,
    Protocol
FROM ExternalDataSource

-- Review API usage
SELECT
    ApiType,
    ApiVersion,
    Application,
    Client,
    ConnectedAppId,
    UserId
FROM ApiEvent
WHERE EventDate = TODAY
```

### Step 9: Generate Compliance Report

```apex
public class ComplianceReportGenerator {

    public class ComplianceReport {
        public String regulationType;
        public Decimal complianceScore;
        public List<Finding> findings;
        public List<Recommendation> recommendations;
        public Map<String, String> evidenceLinks;
    }

    public class Finding {
        public String category;
        public String requirement;
        public String status; // Compliant, Non-Compliant, Partial
        public String evidence;
        public String risk;
        public String remediation;
    }

    public static ComplianceReport generateGDPRReport() {
        ComplianceReport report = new ComplianceReport();
        report.regulationType = 'GDPR';
        report.findings = new List<Finding>();

        // Check data subject rights
        Finding dsrFinding = new Finding();
        dsrFinding.category = 'Data Subject Rights';
        dsrFinding.requirement = 'Right to Access Implementation';

        // Verify implementation
        List<ApexClass> dsrClasses = [
            SELECT Name FROM ApexClass
            WHERE Name LIKE '%DataSubjectRequest%'
        ];

        if (!dsrClasses.isEmpty()) {
            dsrFinding.status = 'Compliant';
            dsrFinding.evidence = 'DataSubjectRequest class implemented';
        } else {
            dsrFinding.status = 'Non-Compliant';
            dsrFinding.risk = 'Cannot process data subject requests';
            dsrFinding.remediation = 'Implement automated DSR processing';
        }

        report.findings.add(dsrFinding);

        // Calculate compliance score
        Integer compliantCount = 0;
        for (Finding f : report.findings) {
            if (f.status == 'Compliant') {
                compliantCount++;
            }
        }

        report.complianceScore = (Decimal)compliantCount / report.findings.size() * 100;

        return report;
    }
}
```

### Step 10: Create Remediation Plan

```javascript
// Generate remediation timeline
function createRemediationPlan(findings) {
  const plan = {
    immediate: [], // 0-30 days
    shortTerm: [], // 30-90 days
    longTerm: [], // 90+ days
  };

  findings.forEach((finding) => {
    const task = {
      finding: finding.description,
      action: finding.remediation,
      owner: assignOwner(finding.category),
      dueDate: calculateDueDate(finding.risk),
      effort: estimateEffort(finding.remediation),
      dependencies: finding.dependencies || [],
    };

    if (finding.risk === 'Critical') {
      plan.immediate.push(task);
    } else if (finding.risk === 'High') {
      plan.shortTerm.push(task);
    } else {
      plan.longTerm.push(task);
    }
  });

  return plan;
}

function generateComplianceRoadmap(plan) {
  const roadmap = `
# Compliance Remediation Roadmap

## Phase 1: Immediate Actions (0-30 days)
${plan.immediate
  .map(
    (task) => `
### ${task.finding}
- **Action:** ${task.action}
- **Owner:** ${task.owner}
- **Due Date:** ${task.dueDate}
- **Effort:** ${task.effort}
`
  )
  .join('')}

## Phase 2: Short-term Actions (30-90 days)
${plan.shortTerm
  .map(
    (task) => `
### ${task.finding}
- **Action:** ${task.action}
- **Owner:** ${task.owner}
- **Due Date:** ${task.dueDate}
- **Effort:** ${task.effort}
`
  )
  .join('')}

## Phase 3: Long-term Actions (90+ days)
${plan.longTerm
  .map(
    (task) => `
### ${task.finding}
- **Action:** ${task.action}
- **Owner:** ${task.owner}
- **Due Date:** ${task.dueDate}
- **Effort:** ${task.effort}
`
  )
  .join('')}
`;

  return roadmap;
}
```

## Compliance Checklists

### GDPR Compliance Checklist

- [ ] Lawful basis for processing documented
- [ ] Privacy notices updated and accessible
- [ ] Consent mechanisms implemented
- [ ] Data subject request process automated
- [ ] Data retention policies enforced
- [ ] Right to erasure functionality
- [ ] Data portability tools available
- [ ] Privacy by design implemented
- [ ] DPO appointed (if required)
- [ ] DPIA process established

### CCPA Compliance Checklist

- [ ] Privacy policy updated with CCPA disclosures
- [ ] Consumer rights request process
- [ ] Opt-out mechanisms implemented
- [ ] Data inventory maintained
- [ ] Third-party data sharing documented
- [ ] Employee training completed
- [ ] Vendor agreements updated

### SOC 2 Compliance Checklist

- [ ] Security policies documented
- [ ] Access controls implemented
- [ ] Change management process
- [ ] Incident response procedures
- [ ] Business continuity plan
- [ ] Vendor management program
- [ ] Risk assessment completed
- [ ] Monitoring and logging enabled

## Success Criteria

- [ ] All applicable regulations identified
- [ ] Compliance gaps documented
- [ ] Risk assessment completed
- [ ] Remediation plan approved
- [ ] Evidence collected and organized
- [ ] Compliance score calculated
- [ ] Stakeholder sign-off obtained

## References

- [Salesforce Compliance Resources](https://compliance.salesforce.com/)
- [GDPR Implementation Guide](https://help.salesforce.com/s/articleView?id=sf.data_protection_and_privacy.htm)
- Compliance report template: `templates#compliance-report-tmpl.md`