Compliance Testing
<default_to_action> When validating regulatory compliance:
- IDENTIFY applicable regulations (GDPR, HIPAA, PCI-DSS, etc.)
- MAP requirements to testable controls
- TEST data rights (access, erasure, portability)
- VERIFY encryption and access logging
- GENERATE audit-ready reports with evidence

Quick Compliance Checklist:
- Data subject rights work (access, delete, export)
- PII is encrypted at rest and in transit
- Access to sensitive data is logged
- Consent is tracked with timestamps
- Payment card data is not stored (only tokenized)

Critical Success Factors:
- Non-compliance can cost up to €20M or 4% of revenue (GDPR)
- Audit trail everything
- Test continuously, not just before audits </default_to_action>
Quick Reference Card

When to Use
- Legal compliance requirements
- Before security audits
- Handling PII/PHI/PCI data
- Entering new markets (EU, CA, healthcare)
Major Regulations

| Regulation | Scope      | Key Focus               |
|------------|------------|-------------------------|
| GDPR       | EU data    | Privacy rights, consent |
| CCPA       | California | Consumer data rights    |
| HIPAA      | Healthcare | PHI protection          |
| PCI-DSS    | Payments   | Card data security      |
| SOC2       | SaaS       | Security controls       |
Penalties

| Regulation | Maximum Fine           |
|------------|------------------------|
| GDPR       | €20M or 4% revenue     |
| HIPAA      | $1.5M per violation    |
| PCI-DSS    | $100k/month            |
| CCPA       | $7,500 per violation   |
GDPR Compliance Testing
```javascript
// Test data subject rights
// Assumes test helpers: api (HTTP client), db (direct database access),
// downloadFile, and a userId fixture created in test setup.
test('user can request their data', async () => {
  const response = await api.post('/data-export', { userId });
  expect(response.status).toBe(200);
  expect(response.data.downloadUrl).toBeDefined();

  const data = await downloadFile(response.data.downloadUrl);
  expect(data).toHaveProperty('profile');
  expect(data).toHaveProperty('orders');
});

test('user can delete their account', async () => {
  await api.delete(`/users/${userId}`);

  // All personal data deleted
  expect(await db.users.findOne({ id: userId })).toBeNull();
  expect(await db.orders.find({ userId })).toHaveLength(0);

  // Audit log retained (legal requirement). An empty array is still
  // "defined", so check that entries actually survive the deletion.
  expect(await db.auditLogs.find({ userId })).not.toHaveLength(0);
});

test('consent is tracked', async () => {
  await api.post('/consent', {
    userId,
    type: 'marketing',
    granted: true,
    timestamp: new Date(),
    ipAddress: '192.168.1.1'
  });

  const consent = await db.consents.findOne({ userId, type: 'marketing' });
  expect(consent.timestamp).toBeDefined();
  expect(consent.ipAddress).toBeDefined();
});
```
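The three tests above describe the behaviour they expect but not the code under test. As an added example (not code from the original skill page), here is a minimal right-of-access export and right-to-erasure handler over an in-memory store that would pass those tests: personal records are removed, the audit trail survives with free-text PII redacted, and the erasure itself is logged. The collection names (`users`, `orders`, `consents`, `auditLogs`), field names and the `sampleStore` data are assumptions constructed for the example.

```javascript
// Added example, not part of the original skill page. Store layout and
// field names are assumed for illustration.

function createStore() {
  return { users: [], orders: [], consents: [], auditLogs: [] };
}

// Every access, consent change and deletion gets an entry with a timestamp
// and the id of the user who performed the action.
function logAudit(store, entry) {
  const record = { timestamp: new Date().toISOString(), ...entry };
  store.auditLogs.push(record);
  return record;
}

// Right of access / portability: return only the subject's own records.
// Filtering every collection by userId is what stops one user's export
// from carrying another user's orders.
function exportUser(store, userId, actor) {
  const profile = store.users.find((u) => u.id === userId) || null;
  const orders = store.orders.filter((o) => o.userId === userId);
  const consents = store.consents.filter((c) => c.userId === userId);
  logAudit(store, { action: 'export', userId, actor });
  return { profile, orders, consents };
}

// Right to erasure: drop every record that identifies the subject, keep the
// audit trail (the deletion test treats it as a legal requirement), and log
// the erasure itself so the trail shows who deleted what and when.
function eraseUser(store, userId, actor) {
  const removed = {
    users: store.users.filter((u) => u.id === userId).length,
    orders: store.orders.filter((o) => o.userId === userId).length,
    consents: store.consents.filter((c) => c.userId === userId).length,
  };
  store.users = store.users.filter((u) => u.id !== userId);
  store.orders = store.orders.filter((o) => o.userId !== userId);
  store.consents = store.consents.filter((c) => c.userId !== userId);
  // Retained audit entries must not keep carrying PII in free-text details;
  // the pseudonymous userId stays so the trail remains queryable.
  for (const entry of store.auditLogs) {
    if (entry.userId === userId && entry.details) {
      entry.details = { redacted: true };
    }
  }
  logAudit(store, { action: 'erase', userId, actor, removed });
  return removed;
}

// The checks the deletion test performs, as one reusable verifier.
function erasureComplete(store, userId) {
  const noUser = !store.users.some((u) => u.id === userId);
  const noOrders = !store.orders.some((o) => o.userId === userId);
  const trailKept = store.auditLogs.some(
    (e) => e.userId === userId && e.action === 'erase'
  );
  return noUser && noOrders && trailKept;
}

// Constructed sample data for the example (two users, one audit entry that
// carries an e-mail address in its details).
function sampleStore() {
  const store = createStore();
  store.users.push({ id: 'u1', email: 'alice@example.com' });
  store.users.push({ id: 'u2', email: 'bob@example.com' });
  store.orders.push({ id: 'o1', userId: 'u1', total: 10 });
  store.orders.push({ id: 'o2', userId: 'u2', total: 20 });
  store.consents.push({ userId: 'u1', type: 'marketing', granted: true });
  logAudit(store, {
    action: 'read', userId: 'u1', actor: 'support7',
    details: { email: 'alice@example.com' },
  });
  return store;
}
```

`erasureComplete` returns false for a user who was never erased, so the same verifier can be run against every subject in a deletion backlog rather than only the one the test created.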
HIPAA Compliance Testing
```javascript
// Test PHI security
test('PHI is encrypted at rest', async () => {
  const patient = await db.patients.create({
    ssn: '123-45-6789',
    medicalHistory: 'Diabetes'
  });

  // Read the stored row directly, bypassing any ORM-level decryption
  const raw = await db.raw('SELECT * FROM patients WHERE id = ?', patient.id);
  expect(raw.ssn).not.toBe('123-45-6789'); // Should be encrypted
});

test('access to PHI is logged', async () => {
  await api.get('/patients/123', { headers: { 'User-Id': 'doctor456' } });

  const auditLog = await db.auditLogs.findOne({
    resourceType: 'patient',
    resourceId: '123',
    userId: 'doctor456'
  });
  expect(auditLog.action).toBe('read');
  expect(auditLog.timestamp).toBeDefined();
});
```
PCI-DSS Compliance Testing
```javascript
// Test payment card handling
test('credit card numbers not stored', async () => {
  await api.post('/payment', {
    cardNumber: '4242424242424242',
    expiry: '12/25',
    cvv: '123'
  });

  const payment = await db.payments.findOne({ /* ... */ });
  expect(payment.cardNumber).toBeUndefined();
  expect(payment.last4).toBe('4242');    // Only last 4
  expect(payment.tokenId).toBeDefined(); // Token from gateway
});

test('CVV never stored', async () => {
  const payments = await db.raw('SELECT * FROM payments');
  const hasCVV = payments.some(p =>
    JSON.stringify(p).toLowerCase().includes('cvv')
  );
  expect(hasCVV).toBe(false);
});
```
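The two PCI-DSS tests above only look at a field named `cardNumber` and at the literal string `cvv`. As an added example (not code from the original skill page), the scanner below generalises that check: it walks stored records of any shape, flags a PAN wherever a 13-19 digit run passes the Luhn check (so a card number pasted into a free-text note is caught, while a 16-digit order reference is not), and flags sensitive authentication data by field name. The record shapes in `SAMPLE_PAYMENTS`, the `tokenId`/`last4` layout and the `SAD_KEY_RE` field-name list are assumptions constructed for the example.

```javascript
// Added example, not part of the original skill page. Record shapes and
// field-name conventions are assumed.

// Luhn check: tells real PANs apart from other 13-19 digit numbers such as
// order ids, which keeps the scan's false-positive rate down.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13-19 digits, optionally separated by spaces or dashes, on word boundaries.
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Field names for sensitive authentication data (CVV2/CVC2/CID/CAV2, full
// track data, PIN data), which must not be stored after authorisation.
const SAD_KEY_RE = /^(cvv2?|cvc2?|cid|cav2|securitycode|security_code|track[12]?(data)?|pin(block)?)$/i;

function scan(value, path, findings) {
  if (typeof value === 'number') value = String(value);
  if (typeof value === 'string') {
    for (const m of value.matchAll(PAN_RE)) {
      const digits = m[0].replace(/[ -]/g, '');
      if (luhnValid(digits)) {
        // Report only the last 4 so the finding itself is not a new leak.
        findings.push({ path, type: 'pan', last4: digits.slice(-4) });
      }
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => scan(v, `${path}[${i}]`, findings));
  } else if (value && typeof value === 'object') {
    for (const [key, v] of Object.entries(value)) {
      const p = path ? `${path}.${key}` : key;
      if (SAD_KEY_RE.test(key) && v !== null && v !== undefined && v !== '') {
        findings.push({ path: p, type: 'sensitive-auth-data' });
      }
      scan(v, p, findings);
    }
  }
}

// Returns every finding in a set of records. An empty array means the store
// holds only gateway tokens and last-4 digits, which is what the tests expect.
function findCardholderDataLeaks(records) {
  const findings = [];
  scan(records, '', findings);
  return findings;
}

// Constructed sample rows: p1 is compliant; p2 has the PAN in a free-text
// note, which a check on payment.cardNumber alone would miss; p3 stores the
// PAN as a number plus a CVV, and a 16-digit order reference that is not a
// card number.
const SAMPLE_PAYMENTS = [
  { id: 'p1', tokenId: 'tok_example', last4: '4242', amount: 1999 },
  { id: 'p2', tokenId: 'tok_example2', last4: '4242',
    note: 'customer read card 4242 4242 4242 4242 over phone' },
  { id: 'p3', cardNumber: 4242424242424242, cvv: '123', orderRef: '1234567890123456' },
];
```

Running `findCardholderDataLeaks` over a full table dump (or over application logs, which are a common place for PANs to end up) is a reasonable continuous check to wire into the quality gate; the `path` in each finding points straight at the column or JSON key to fix.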
Agent-Driven Compliance
```javascript
// Comprehensive compliance validation
await Task("Compliance Validation", {
  regulations: ['GDPR', 'PCI-DSS'],
  scope: 'full-application',
  generateAuditReport: true
}, "qe-security-scanner");

// Returns:
// {
//   gdpr: { compliant: true, controls: 12, passed: 12 },
//   pciDss: { compliant: false, controls: 8, passed: 7 },
//   violations: [{ control: 'card-storage', severity: 'critical' }],
//   auditReport: 'compliance-audit-2025-12-02.pdf'
// }
```
Agent Coordination Hints
Memory Namespace
```
aqe/compliance-testing/
├── regulations/*    - Regulation requirements
├── controls/*       - Control test results
├── audit-reports/*  - Generated audit reports
└── violations/*     - Compliance violations
```
Fleet Coordination
```javascript
const complianceFleet = await FleetManager.coordinate({
  strategy: 'compliance-validation',
  agents: [
    'qe-security-scanner', // Scan for vulnerabilities
    'qe-test-executor',    // Execute compliance tests
    'qe-quality-gate'      // Block non-compliant releases
  ],
  topology: 'sequential'
});
```
Related Skills
- security-testing - Security vulnerabilities
- test-data-management - PII handling
- accessibility-testing - Legal requirements
Remember
Compliance is mandatory, not optional. Fines are severe: GDPR up to €20M or 4% of revenue, HIPAA up to $1.5M per violation. But beyond fines, non-compliance damages reputation and user trust.
Audit trail everything. Every access to sensitive data, every consent, every deletion must be logged with timestamps and user IDs.
With Agents: Agents validate compliance requirements continuously, detect violations early, and generate audit-ready reports. Catch compliance issues in development, not in audits.