sf-agent-framework

AI Agent Orchestration Framework for Salesforce Development - Two-phase architecture with 70% context reduction

# Compliance Validation

## Purpose

Validate Salesforce implementations against regulatory requirements, industry standards, and organizational compliance policies.

## Instructions

1. **Compliance Requirements Analysis**
   - Identify applicable regulations (GDPR, HIPAA, SOX, etc.)
   - Document industry-specific requirements
   - Review organizational policies
   - Map compliance controls to Salesforce features

2. **Data Privacy Assessment**
   - Review data classification and handling
   - Validate PII protection measures
   - Check data retention policies
   - Assess cross-border data transfers
   - Verify consent management

3. **Security Controls Validation**
   - Review authentication mechanisms
   - Validate encryption at rest and in transit
   - Check audit trail configuration
   - Assess access control implementation
   - Verify security monitoring

4. **Audit and Logging**
   - Configure field history tracking
   - Enable setup audit trail
   - Implement Shield Event Monitoring
   - Review login history retention
   - Validate change tracking

5. **Compliance Testing**
   - Execute compliance test scenarios
   - Document evidence collection
   - Perform penetration testing
   - Conduct vulnerability assessments
   - Review third-party integrations

6. **Documentation and Reporting**
   - Create compliance matrix
   - Document control implementations
   - Generate audit reports
   - Prepare remediation plans
   - Maintain compliance artifacts

## Input Requirements

- Regulatory requirements
- Industry standards
- Organizational policies
- Data classification schema
- System architecture documentation
- Integration inventory

## Output Format

- Compliance Assessment Report
- Control Implementation Matrix
- Gap Analysis Document
- Remediation Roadmap
- Audit Evidence Package
- Compliance Certificates

## Compliance Frameworks

- **GDPR**: Data protection and privacy
- **HIPAA**: Healthcare information security
- **SOX**: Financial reporting controls
- **PCI DSS**: Payment card security
- **ISO 27001**: Information security
- **SOC 2**: Service organization controls

## Best Practices

- Implement defense in depth
- Document all controls
- Automate compliance monitoring
- Regular compliance reviews
- Maintain audit readiness
- Track regulatory changes
- Engage compliance experts early