Compliance Advisory · Active 2026

Your industry. Your state. Your deadline. Handled.

Comply maps your regulatory exposure, prioritizes your gaps, and walks your team through remediation — before the enforcement letter arrives.

Frameworks We Navigate

  • SOC 2 Type II
  • ISO 27001
  • HITRUST CSF
  • NIST CSF
  • PCI DSS
  • FedRAMP
  • GDPR Compliant
  • HIPAA Certified
  • CCPA Ready
  • CMMC Level 2

Trusted By

  • Meridian Health Systems
  • Vertex Capital
  • Clearbridge Fintech
  • Northlake SaaS
  • Atlas Manufacturing
  • Crestview Analytics

How to use this guide

Each section below explains a regulation in plain language, tells you what it actually requires, and gives you a checklist to assess your current posture. Expand any drawer for line-by-line guidance.

SOC 2 · High Risk · For: SaaS founders, startup CTOs

SOC 2 Type II Audit Preparation

SOC 2 is a voluntary framework developed by the AICPA that evaluates how a service organization handles customer data across five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

If you're selling to enterprise customers, they will ask for your SOC 2 report. A Type II report — which covers a 6–12 month observation period — signals that your controls aren't just documented, they're consistently operating. Without it, deals stall in legal review.

Our Methodology

  1. Gap assessment against all five Trust Service Criteria
  2. Control design and policy documentation
  3. Evidence collection playbook (90-day readiness sprint)
  4. Auditor selection and pre-audit readiness review
  5. Remediation support during audit window

Self-Assessment Checklist

  • Access control policy documented and enforced
  • Multi-factor authentication on all production systems
  • Incident response plan tested in last 12 months
  • Vendor risk management program in place
  • Encryption at rest and in transit verified
  • Change management procedures documented

Timeline: 90–180 days to Type II readiness
HIPAA · High Risk · For: Healthcare operations directors, digital health startups

HIPAA Gap Assessment & Remediation

HIPAA — the Health Insurance Portability and Accountability Act — establishes national standards for protecting individually identifiable health information (PHI). The Security Rule covers electronic PHI; the Privacy Rule covers all forms.

If your platform touches patient records, claims data, or any information that could identify a patient, you're a Covered Entity or Business Associate. The OCR can issue penalties up to $1.9 million per violation category per year. A gap assessment tells you exactly where you stand before an audit or breach investigation.

Our Methodology

  1. PHI inventory and data flow mapping across all systems
  2. Security Rule gap analysis (Administrative, Physical, Technical safeguards)
  3. Business Associate Agreement audit and remediation
  4. Risk analysis documentation per §164.308(a)(1)
  5. Workforce training program design

Self-Assessment Checklist

  • Formal risk analysis completed and documented
  • All Business Associate Agreements current and signed
  • PHI data flow map created and maintained
  • Minimum necessary standard applied to PHI access
  • Breach notification procedures documented
  • Annual workforce HIPAA training completed

Timeline: 30–60 days for gap assessment; 90 days for full remediation
GDPR · Medium Risk · For: CFOs at mid-market companies with EU customers or employees

GDPR Data Mapping & Compliance

The General Data Protection Regulation applies to any organization that processes personal data of EU residents — regardless of where the organization is headquartered. Articles 13–14 require transparency; Article 35 requires a DPIA for high-risk processing.

If you have EU customers, run EU advertising, or employ EU-based staff, you're in scope. Fines reach 4% of global annual turnover or €20M — whichever is higher. Most US companies are underprepared because they assume GDPR is a European problem. It isn't.

Our Methodology

  1. Records of Processing Activities (RoPA) creation
  2. Lawful basis analysis for each processing activity
  3. Data subject rights workflow implementation
  4. Cross-border transfer mechanism review (SCCs, adequacy decisions)
  5. Data Protection Impact Assessment for high-risk processing

Self-Assessment Checklist

  • Records of Processing Activities (RoPA) documented
  • Privacy notice updated with all required disclosures
  • Consent mechanisms audited and compliant
  • Data subject rights request process in place
  • International transfer mechanisms validated
  • DPO appointed if required under Article 37

Timeline: 45–90 days for full data mapping and gap closure
CCPA · Medium Risk · For: CFOs managing multi-state operations, e-commerce, SaaS

CCPA / CPRA & State Privacy Law Patchwork

The California Consumer Privacy Act (amended by CPRA) grants California residents rights to know, delete, correct, and opt out of the sale of their personal information. As of 2026, 19 states have enacted similar frameworks — each with different thresholds, exemptions, and enforcement timelines.

You don't need to be a California company to be subject to CCPA. If you do business with California residents and meet revenue or data volume thresholds, you're covered. Multiply that by 19 states and you have a compliance matrix that changes every legislative session.

Our Methodology

  1. Multi-state applicability assessment (all 19 active frameworks)
  2. Consumer rights request infrastructure build
  3. Data broker registration review (CA, TX, OR)
  4. Privacy notice and cookie consent audit
  5. Annual data inventory refresh process design

Self-Assessment Checklist

  • Applicability assessment for all 19 state frameworks
  • "Do Not Sell or Share" opt-out mechanism live
  • Consumer rights request portal operational
  • Data broker registrations filed where required
  • Service provider agreements updated with required terms
  • Sensitive data processing controls implemented

Timeline: 60–90 days for initial compliance; ongoing monitoring required

Jurisdiction Map

State-by-State Risk Exposure

Your compliance obligations are determined by where your customers live, not where you're incorporated. Here's what each major jurisdiction requires.

California

Laws: CCPA/CPRA · CMIA
Exposure: high
Threshold: ≥$25M revenue OR 100K+ consumer records
Effective / Deadline: Ongoing; CPRA effective Jan 2023

Strongest consumer rights in the US. Includes sensitive data categories, opt-out of sharing, and data minimization requirements.

New York

Laws: SHIELD Act · NYDFS 23 NYCRR 500
Exposure: high
Threshold: Any entity with NY resident data
Effective / Deadline: NYDFS amendments effective Nov 2023

NYDFS 500 applies to financial services companies. The SHIELD Act has a broad definition of 'private information' including biometric data.

Texas

Laws: TDPSA
Exposure: medium
Threshold: Processing data of 100K+ Texans OR 25K+ with >50% revenue from data
Effective / Deadline: Effective July 1, 2024

No private right of action. AG enforcement only. Opt-out rights for targeted advertising and sale of data.

Virginia

Laws: VCDPA
Exposure: medium
Threshold: 100K+ Virginia consumers OR 25K+ with >50% revenue from data
Effective / Deadline: Effective Jan 1, 2023

Data Protection Assessments required for high-risk processing activities. Similar structure to GDPR.

Illinois

Laws: BIPA
Exposure: high
Threshold: Any collection of biometric data from IL residents
Effective / Deadline: Ongoing; active litigation environment

Biometric Information Privacy Act. Private right of action with statutory damages $1K–$5K per violation. Class action exposure is significant.

14 additional states have enacted or proposed privacy legislation since 2024. Comply monitors all 50 states and alerts you when new laws affect your operations.

Start Here

Two ways to get your compliance picture in 48 hours.

Neither requires a commitment. Both deliver immediate, actionable information about your regulatory exposure.

Get Your Compliance Snapshot

Tell us your context. We'll map your top 3 regulatory exposures and deliver a prioritized remediation brief within 48 hours — no sales call required.

Delivered within 48 hours · No commitment required

Free Download

50-State Privacy Law Cheat Sheet

  • All 19 enacted state privacy laws in one table
  • Applicability thresholds and exemptions
  • Key compliance deadlines through 2027
  • Enforcement agency and penalty structure
  • Updated quarterly by our regulatory team


What Clients Say

"We had an enterprise deal on hold for 6 weeks because of a SOC 2 requirement. Comply got us audit-ready in 90 days. The deal closed the week after the report landed."

Marcus Okonkwo

CTO, Clearbridge Fintech

"I'd been staring at the HIPAA Security Rule for two months and couldn't figure out where to start. Their gap assessment gave us a prioritized list of 12 items. We completed 10 of them in 30 days."

Priya Krishnamurthy

VP Operations, Meridian Health Systems