The named regime (SOC 2, ISO 27001, GDPR) a product commits to, above individual controls and audits.
A compliance framework is a named regime of controls a product commits to, such as SOC 2, ISO 27001, GDPR, or HIPAA. The framework names the standard at the top level; the individual controls it mandates are separate, and the proof that those controls work comes from an external audit. The regime, the requirement, and the evidenceEvidenceValidationData supporting or refuting a hypothesisView reference → are three distinct layers.
The named frameworks arrived from different lineages. SOC 2 grew out of the AICPA's audit standards; its current shape, the 2017 Trust Services Criteria, organises controls around security, availability, processing integrity, confidentiality, and privacy. ISO/IEC 27001 was first published in 2005 and revised in 2013 and 2022, defining an information-security management system rather than a fixed checklist. The GDPR was adopted in 2016 and became enforceable on 25 May 2018, turning data protection into a legal regime with real penalties.
What unites them is the certificationCertificationCustomer EducationA certification programView reference → cycle: a product declares scope, implements controls, and submits to a periodic audit that issues a report or certificate with an expiry. The framework is a standing commitment, renewed on a clock.
A B2B SaaS company commits to SOC 2 Type II to close enterprise deals. The framework expands into roughly sixty individual requirements covering access control, change management, and incidentIncidentDevOps & PlatformA production incidentView reference → response. Over a three-month observationObservationUser ResearchA specific behaviour or statement observedView reference → window, an external auditor samples evidence for each. One requirement (quarterly access reviews) has a gap: two reviews were skipped. The auditor notes the exception, the company remediates, and the next cycle clears it. The framework holds; the requirement was the thing that moved.
In the Unified Product Graph, a compliance framework anchors the governance and compliance region. A product commits through Productgoverned byCompliance Frameworkhierarchy; the framework expands via product_governed_by_compliance_frameworkCompliance FrameworkmandatesCompliance Requirementhierarchy, is checked by compliance_framework_mandates_compliance_requirementCompliance Frameworkverified bySecurity Audithierarchy, and triggers documentation through compliance_framework_verified_by_security_auditCompliance FrameworkrequiresPrivacy Policyhierarchy. Separating the regime from its requirements and its audits keeps the structure honest: a framework with no verified requirements is visibly a claim without proof.compliance_framework_requires_privacy_policy
Type-specific fields on BaseNode
framework_namestringName of the framework (e.g. "SOC 2 Type II", "ISO 27001")
audit_datestringDate of the last audit (ISO format)
next_auditstringDate of the next scheduled audit (ISO format)
idstringrequiredUnique identifier (UUID)
typeNodeTyperequiredDiscriminator for the entity type
titlestringrequiredDisplay name
descriptionstringOptional detailed description
statusstringLifecycle status
tagsstring[]Freeform tags for filtering
5 phases, initial: proposed · template: APPROVAL
10 edge types connected to this entity.
product_governed_by_compliance_frameworkcompliance_framework_verified_by_security_auditcompliance_framework_mandates_compliance_requirementcompliance_framework_requires_privacy_policycompliance_framework_requires_audit_log_policycompliance_framework_identifies_riskcompliance_framework_governs_data_contractcompliance_framework_applies_to_legal_entitycompliance_framework_requires_security_controlsecurity_audit_validates_compliance_framework