← Back to SkillsView on GitHub
moai-security-compliance
modu-ai
Updated Yesterday
24 views
424
78
424
Metaai
About
This enterprise skill provides a comprehensive compliance framework for major regulations like GDPR, HIPAA, SOC 2, ISO 27001, and PCI DSS. It enables developers to implement audit logging, data classification, retention policies, and evidence collection for regulatory audits. Use this skill when building applications that require compliance with data protection, healthcare, payment security, or information security standards.
Quick Install
Claude Code
RecommendedPlugin CommandRecommended
/plugin add https://github.com/modu-ai/moai-adkGit CloneAlternative
git clone https://github.com/modu-ai/moai-adk.git ~/.claude/skills/moai-security-complianceCopy and paste this command in Claude Code to install this skill
Documentation
moai-security-compliance: Regulatory Compliance & Audit Logging
GDPR, HIPAA, SOC 2, ISO 27001, PCI DSS Compliance Framework
Trust Score: 9.9/10 | Version: 4.0.0 | Enterprise Mode | Last Updated: 2025-11-12
Overview
Comprehensive regulatory compliance framework for GDPR, HIPAA, SOC 2, ISO 27001, and PCI DSS. Covers audit logging, data classification, retention policies, and evidence collection for regulatory audits. 2025 trend: 83-85% of enterprises now require SOC 2 compliance from vendors.
When to use this Skill:
- Implementing GDPR compliance (EU data protection)
- HIPAA PHI protection (healthcare)
- SOC 2 audit preparation (security & availability)
- ISO 27001 information security
- PCI DSS payment card security
- Building audit trails for regulatory proof
- GDPR right-to-erasure implementation
Level 1: Foundations
Regulatory Framework Overview
GDPR (EU):
├─ Scope: Any organization processing EU citizen data
├─ Key: Right-to-erasure, data portability, consent
├─ Penalties: Up to EUR 20 million or 4% revenue
└─ Focus: Privacy & data protection
HIPAA (USA):
├─ Scope: Healthcare providers, insurers, PHI handlers
├─ Key: Confidentiality, integrity, availability (CIA triad)
├─ Penalties: Up to USD 1.5 million per violation
└─ Focus: Patient health information security
SOC 2 (USA):
├─ Scope: Service organizations (any industry)
├─ Key: Security, availability, processing integrity, confidentiality, privacy
├─ Type I: Design of controls at point in time
├─ Type II: Operating effectiveness over 6-12 months
└─ Note: Not legally required, but customer-demanded
ISO 27001 (International):
├─ Scope: Information security management
├─ Key: 114 controls across 4 domains
├─ Requires: Annual audit, continuous monitoring
└─ Focus: Systematic security approach
PCI DSS (Payment cards):
├─ Scope: Any organization handling payment card data
├─ Key: Cardholder data protection (CHD)
├─ Compliance: Annual assessment
└─ Levels: 1-4 based on transaction volume
Data Classification
class DataClassifier {
classify(data) {
// Classify data for compliance purposes
if (this.isPII(data)) return 'SENSITIVE';
if (this.isPHI(data)) return 'RESTRICTED';
if (this.isPaymentData(data)) return 'CONFIDENTIAL';
if (this.isPublicData(data)) return 'PUBLIC';
return 'INTERNAL';
}
isPII(data) {
// Personal Identifiable Information
return /(\d{3}-\d{2}-\d{4}|email|phone|address)/.test(JSON.stringify(data));
}
isPHI(data) {
// Protected Health Information (HIPAA)
return /(diagnosis|medication|patient|medical_record)/.test(JSON.stringify(data));
}
isPaymentData(data) {
// Credit card, bank account (PCI DSS)
return /(\d{16}|\d{9}|BIC|IBAN)/.test(JSON.stringify(data));
}
isPublicData(data) {
// Explicitly marked as public
return data.classification === 'PUBLIC';
}
}
Level 2: Core Patterns
Pattern 1: Winston-Based Audit Logging
const winston = require('winston');
const Transport = require('winston-transport');
class AuditLogger {
constructor(config) {
this.config = config;
this.logger = this.createLogger();
}
createLogger() {
return winston.createLogger({
level: 'info',
format: winston.format.combine(
winston.format.timestamp({ format: 'YYYY-MM-DD HH:mm:ss' }),
winston.format.json(),
// Custom format for audit logging
winston.format.printf(({ timestamp, level, message, ...meta }) => ({
timestamp,
level,
message,
...meta,
// Add compliance fields
compliance_tags: ['audit_trail'],
data_classification: 'SENSITIVE',
retention_days: 2555, // 7 years (GDPR default)
}))
),
transports: [
// File storage (tamper-proof)
new winston.transports.File({
filename: './logs/audit.log',
maxsize: 5242880, // 5MB
maxFiles: 5,
tailable: true,
options: { flags: 'a', mode: 0o640 }, // Read-only for security
}),
// Database storage (queryable)
new DatabaseTransport({
collection: 'audit_logs',
db: this.config.db,
}),
// Cloud storage (immutable)
new S3Transport({
bucket: 'audit-logs',
prefix: `${new Date().getFullYear()}`,
}),
],
});
}
logUserAccess(userId, action, resource, result) {
this.logger.info('User action', {
userId,
action,
resource,
result,
timestamp: new Date().toISOString(),
ip_address: this.getIpAddress(),
user_agent: this.getUserAgent(),
compliance: {
gdpr: true,
soc2: true,
hipaa: true,
},
});
}
logDataAccess(userId, dataType, action, timestamp) {
this.logger.info('Data access', {
userId,
dataType,
action,
timestamp,
classification: this.classifyData(dataType),
retention_until: this.calculateRetention(dataType),
});
}
logSecurityEvent(severity, eventType, details) {
this.logger.warn('Security event', {
severity,
eventType,
details,
timestamp: new Date().toISOString(),
action_required: severity >= 'HIGH',
});
}
classifyData(dataType) {
const classifications = {
'health_record': 'RESTRICTED', // HIPAA
'payment_card': 'CONFIDENTIAL', // PCI DSS
'social_security': 'SENSITIVE', // GDPR
'user_email': 'SENSITIVE', // GDPR
};
return classifications[dataType] || 'INTERNAL';
}
calculateRetention(dataType) {
const retentionDays = {
'audit_log': 2555, // 7 years (GDPR)
'payment_log': 2555, // 7 years (PCI DSS)
'access_log': 365, // 1 year (SOC 2)
};
const days = retentionDays[dataType] || 90;
const date = new Date();
date.setDate(date.getDate() + days);
return date.toISOString();
}
}
// Custom Winston transport for database
class DatabaseTransport extends Transport {
constructor(opts) {
super(opts);
this.db = opts.db;
this.collection = opts.collection;
}
log(info, callback) {
setImmediate(() => {
this.db.collection(this.collection).insertOne({
...info,
_id: new ObjectId(),
timestamp: new Date(),
});
});
if (callback) {
callback();
}
}
}
Pattern 2: Data Retention & Erasure (GDPR Right-to-Erasure)
class DataRetentionManager {
constructor(db) {
this.db = db;
}
// Schedule automatic retention-based deletion
scheduleRetention() {
// Run daily
cron.schedule('0 2 * * *', async () => {
console.log('Running retention cleanup');
await this.deleteExpiredData();
await this.archiveOldLogs();
});
}
async deleteExpiredData() {
const now = new Date();
// GDPR: Delete personal data when retention expires
const expiredUsers = await this.db.users.find({
deletion_scheduled_at: { $lt: now },
deleted: false,
});
for (const user of expiredUsers) {
await this.eraseUserData(user.id);
}
}
async eraseUserData(userId) {
const user = await this.db.users.findById(userId);
// 1. Delete all personal data
await this.db.users.deleteOne({ _id: userId });
await this.db.user_profiles.deleteMany({ userId });
await this.db.user_preferences.deleteMany({ userId });
// 2. Anonymize audit logs (keep for compliance)
await this.db.audit_logs.updateMany(
{ userId },
{
$set: {
userId: null,
userName: '[REDACTED]',
anonymized: true,
anonymized_at: new Date(),
},
}
);
// 3. Log the erasure
await this.db.erasure_logs.insertOne({
userId,
erasedAt: new Date(),
reason: 'GDPR right-to-erasure',
dataErased: [
'user_profile',
'preferences',
'settings',
],
});
console.log(`User ${userId} data erased per GDPR request`);
}
async archiveOldLogs() {
// Archive logs older than 1 year to cold storage
const oneYearAgo = new Date();
oneYearAgo.setFullYear(oneYearAgo.getFullYear() - 1);
const oldLogs = await this.db.audit_logs.find({
timestamp: { $lt: oneYearAgo },
archived: false,
});
for (const log of oldLogs) {
// Compress and upload to S3 Glacier
await this.archiveToS3(log);
// Mark as archived in database
await this.db.audit_logs.updateOne(
{ _id: log._id },
{ $set: { archived: true } }
);
}
}
async requestErasure(userId) {
// User initiates GDPR right-to-erasure
await this.db.users.updateOne(
{ _id: userId },
{
$set: {
deletion_requested_at: new Date(),
deletion_scheduled_at: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000), // 30 days
},
}
);
// Send confirmation email
await sendEmail({
to: user.email,
subject: 'Data Erasure Request Confirmed',
body: 'Your data will be permanently deleted within 30 days.',
});
}
}
Pattern 3: SOC 2 Evidence Collection
class SOC2EvidenceCollector {
constructor() {
this.evidence = [];
}
// Collect evidence for SOC 2 Type II audit
async collectEvidence() {
// CC (Change Control)
await this.collectChangeControlEvidence();
// AC (Access Control)
await this.collectAccessControlEvidence();
// CA (Cryptography)
await this.collectCryptographyEvidence();
// IL (Incident & Logging)
await this.collectIncidentLoggingEvidence();
return this.generateAuditReport();
}
async collectAccessControlEvidence() {
const evidence = {
access_policies: await fs.readFile('./policies/access-control.md'),
mfa_enabled: await this.checkMFAStatus(),
privileged_access_logs: await this.queryAuditLogs({
action: 'privileged_access',
days: 90,
}),
access_reviews: await this.getMonthlyAccessReviews(),
user_provisioning_logs: await this.getProvisioningLogs(),
};
this.evidence.push({
domain: 'ACCESS_CONTROL',
timestamp: new Date(),
evidence,
});
}
async collectChangeControlEvidence() {
const evidence = {
code_deployment_logs: await this.getDeploymentLogs(),
approval_chain: await this.getChangeApprovals(),
testing_results: await this.getTestResults(),
rollback_procedures: await fs.readFile('./procedures/rollback.md'),
deployment_frequency: await this.calculateDeploymentFrequency(),
};
this.evidence.push({
domain: 'CHANGE_CONTROL',
timestamp: new Date(),
evidence,
});
}
generateAuditReport() {
return {
auditType: 'SOC 2 Type II',
period: {
start: this.auditStartDate,
end: this.auditEndDate,
},
evidence: this.evidence,
summary: this.generateSummary(),
};
}
}
Level 3: Advanced
Advanced: Drata Integration (Automated Compliance)
const { DrataClient } = require('drata-api');
class AutomatedComplianceMonitoring {
constructor(apiKey) {
this.drata = new DrataClient(apiKey);
}
// Automatically collect evidence for Drata audits
async syncComplianceEvidence() {
const frameworks = ['SOC2', 'GDPR', 'HIPAA', 'ISO27001'];
for (const framework of frameworks) {
const evidence = await this.collectFrameworkEvidence(framework);
await this.drata.uploadEvidence(framework, evidence);
}
}
async collectFrameworkEvidence(framework) {
// Query system for framework-specific evidence
// Push to Drata for audit preparation
const controlsMapping = {
'SOC2': this.soC2Controls,
'GDPR': this.gdprControls,
'HIPAA': this.hipaaControls,
};
return controlsMapping[framework];
}
get soC2Controls() {
return {
'CC6.1': this.getSecurityIncidentLogs(),
'CC6.2': this.getIncidentResponseLogs(),
'CC7.2': this.getSystemMonitoringLogs(),
'A1.2': this.getAccessReviewLogs(),
};
}
}
Checklist
- Data classification system implemented
- Audit logging to file, database, and cloud
- GDPR right-to-erasure process working
- Retention policies scheduled and tested
- Access logs collected and retained
- Change control logs for deployments
- SOC 2 evidence collection automated
- Drata integration for audit readiness
- HIPAA BAA signed if processing PHI
- PCI DSS self-assessment annual review
Quick Reference
| Regulation | Key Focus | Retention |
|---|---|---|
| GDPR | Privacy | 7 years (after processing ends) |
| HIPAA | Health Info | 6 years |
| SOC 2 | Security | 6-12 months (audit period) |
| ISO 27001 | InfoSec | 3 years |
| PCI DSS | Payment Cards | 1 year minimum |
GitHub Repository
modu-ai/moai-adk
Path: src/moai_adk/templates/.claude/skills/moai-security-compliance
agentic-aiagentic-codingagentic-workflowclaudeclaudecodevibe-coding
Related Skills
sglang
MetaSGLang is a high-performance LLM serving framework that specializes in fast, structured generation for JSON, regex, and agentic workflows using its RadixAttention prefix caching. It delivers significantly faster inference, especially for tasks with repeated prefixes, making it ideal for complex, structured outputs and multi-turn conversations. Choose SGLang over alternatives like vLLM when you need constrained decoding or are building applications with extensive prefix sharing.
View skill
evaluating-llms-harness
TestingThis Claude Skill runs the lm-evaluation-harness to benchmark LLMs across 60+ standardized academic tasks like MMLU and GSM8K. It's designed for developers to compare model quality, track training progress, or report academic results. The tool supports various backends including HuggingFace and vLLM models.
View skill
llamaguard
OtherLlamaGuard is Meta's 7-8B parameter model for moderating LLM inputs and outputs across six safety categories like violence and hate speech. It offers 94-95% accuracy and can be deployed using vLLM, Hugging Face, or Amazon SageMaker. Use this skill to easily integrate content filtering and safety guardrails into your AI applications.
View skill
langchain
MetaLangChain is a framework for building LLM applications using agents, chains, and RAG pipelines. It supports multiple LLM providers, offers 500+ integrations, and includes features like tool calling and memory management. Use it for rapid prototyping and deploying production systems like chatbots, autonomous agents, and question-answering services.
View skill