Find Your Compliance Requirements

Discover what applies to your business, get a clear checklist, and avoid penalties while protecting customer trust


What to Do Next

This assessment provides a starting point for understanding your compliance landscape. We strongly recommend:

  • Consulting with a qualified attorney who specializes in technology law
  • Working with a compliance specialist for detailed gap analysis
  • Reviewing official regulatory guidance for each identified area
  • Implementing a compliance management system as you grow

Compliance Directory

Browse major compliance frameworks and standards. Click any framework to learn about requirements, who it applies to, and official resources.

Data Privacy & Protection

Regulations governing how businesses collect, store, and process personal data.

GDPR

Region: EU/Global | Priority: Critical
Who It's For
Any business processing personal data of EU residents, regardless of company location.
Key Requirements
  • Lawful basis for data processing
  • User consent mechanisms
  • Data protection impact assessments
  • Rights of access, erasure, and data portability
  • Data Protection Officer (for certain organizations)

CCPA/CPRA

Region: California/US | Priority: High
Who It's For
Businesses collecting personal information from California residents meeting revenue or data volume thresholds.
Key Requirements
  • Privacy policy disclosures
  • "Do Not Sell" opt-out mechanisms
  • Processing of consumer rights requests
  • Data deletion upon request
  • Non-discrimination for privacy rights

UK GDPR

Region: United Kingdom | Priority: Critical
Who It's For
Organizations processing personal data of UK residents post-Brexit.
Key Requirements
  • Similar to EU GDPR requirements
  • ICO registration for data controllers
  • UK representative if based outside UK
  • Breach notification to ICO

PIPEDA

Region: Canada | Priority: High
Who It's For
Private sector organizations collecting, using, or disclosing personal information in Canada.
Key Requirements
  • Consent for collection and use
  • Accountability for data protection
  • Limiting collection and use
  • Individual access rights

Industry-Specific Compliance

Sector-specific regulations for healthcare, finance, education, and more.

HIPAA

Sector: Healthcare | Region: United States | Priority: Critical
Who It's For
Healthcare providers, health plans, and businesses handling Protected Health Information (PHI).
Key Requirements
  • Business Associate Agreements (BAAs)
  • Administrative, physical, technical safeguards
  • Risk assessments and security policies
  • Breach notification procedures
  • Employee training programs

PCI DSS

Sector: Payment Processing | Region: Global | Priority: Critical
Who It's For
Any organization that stores, processes, or transmits credit card information.
Key Requirements
  • Secure network infrastructure
  • Encryption of cardholder data
  • Access control measures
  • Regular security testing
  • Annual compliance validation

GLBA

Sector: Financial Services | Region: United States | Priority: Critical
Who It's For
Financial institutions and companies receiving customer financial information from them.
Key Requirements
  • Information security program
  • Privacy notices to customers
  • Opt-out rights for information sharing
  • Third-party service provider oversight

FERPA

Sector: Education | Region: United States | Priority: Critical
Who It's For
Software handling student education records from US educational institutions.
Key Requirements
  • Proper data use agreements with schools
  • Access controls for education records
  • Parental consent for disclosure
  • Staff training on FERPA compliance

COPPA

Sector: Children's Services | Region: United States | Priority: Critical
Who It's For
Websites and apps directed at children under 13 or knowingly collecting their data.
Key Requirements
  • Verifiable parental consent
  • Age verification mechanisms
  • Limited data collection
  • Parent access and deletion rights
  • Privacy policy requirements

Security & Audit Standards

Certifications and standards demonstrating security controls and operational maturity.

SOC 2

Sector: B2B/SaaS | Region: Global | Priority: High
Who It's For
Service providers storing customer data, especially B2B SaaS companies serving enterprise clients.
Key Requirements
  • Security controls and policies
  • Risk assessment processes
  • Third-party audit by CPA firm
  • Type I (point-in-time) or Type II (period) reports
  • Trust Service Criteria compliance

ISO 27001

Sector: Enterprise/Global | Region: International | Priority: Medium
Who It's For
Organizations seeking internationally recognized certification of their information security management; especially common in Europe.
Key Requirements
  • Information Security Management System (ISMS)
  • Risk assessment methodology
  • Security controls from Annex A
  • Continuous improvement process
  • Certification audit by accredited body

FedRAMP

Sector: Government Cloud | Region: United States | Priority: Critical
Who It's For
Cloud service providers wanting to work with US federal government agencies.
Key Requirements
  • Authorization at Low, Moderate, or High impact level
  • NIST 800-53 security controls
  • Third Party Assessment Organization (3PAO) audit
  • Continuous monitoring requirements
  • Significant time and resource investment

Accessibility Standards

Requirements ensuring software is usable by people with disabilities.

WCAG 2.1

Sector: Web/Mobile | Region: International | Priority: High
Who It's For
Any software with a user interface; conformance is legally required in many jurisdictions.
Key Requirements
  • Perceivable content (text alternatives, captions)
  • Operable interface (keyboard accessible)
  • Understandable information
  • Robust compatibility with assistive tech
  • Level A, AA, or AAA conformance

ADA Title III

Sector: Digital Accessibility | Region: United States | Priority: High
Who It's For
Businesses serving the public in the US, including websites and mobile apps (B2C).
Key Requirements
  • Accessible to people with disabilities
  • Follow WCAG 2.1 Level AA guidelines
  • Screen reader compatibility
  • Keyboard navigation support
  • Alternative access methods

Section 508

Sector: Government | Region: Federal | Priority: Critical
Who It's For
Software sold to US federal government agencies or federal contractors.
Key Requirements
  • WCAG 2.0 Level AA compliance
  • Accessibility Conformance Report (ACR/VPAT)
  • Testing with assistive technologies
  • Documentation of accessibility features

Frequently Asked Questions

Common questions about compliance requirements for software businesses

Do I really need to worry about compliance if I'm just starting out?

It depends on your business, but many compliance requirements apply from day one. For example:

  • GDPR applies if you process any EU resident's data, regardless of company size
  • PCI DSS is mandatory if you handle credit card information, even for small businesses
  • CCPA can apply to businesses of any size if they meet revenue or data thresholds

Starting with compliance from the beginning is often easier and cheaper than retrofitting later. This tool helps you identify what applies to your specific situation.

How accurate is this compliance assessment tool?

This tool provides a starting point based on common compliance triggers, but it's not a substitute for professional legal advice. The assessment:

  • Identifies potential compliance requirements based on your business profile
  • Helps you understand what regulations might apply to your situation
  • Provides educational information and official resources

However, compliance requirements can be complex and depend on many factors. Always consult with qualified legal and compliance professionals who can review your specific circumstances, contracts, and business operations.

How much does compliance cost?

Compliance costs vary significantly depending on the requirements:

  • Basic privacy compliance (GDPR, CCPA basics): Often manageable with proper documentation, privacy policies, and data handling processes
  • Security certifications (SOC 2, ISO 27001): Typically $10,000-$50,000+ for initial audits, plus ongoing costs
  • Industry-specific (HIPAA, PCI DSS): Can range from minimal (if using compliant vendors) to substantial (if building your own infrastructure)
  • Government certifications (FedRAMP): Often $100,000+ and significant time investment

Many requirements can be addressed incrementally. Start with the critical items identified in your report, and prioritize based on your customer needs and business growth.

Can I handle compliance myself, or do I need to hire someone?

It depends on the compliance requirement and your expertise:

  • Basic privacy policies and data handling: Many startups can handle this with research and templates, though legal review is recommended
  • Security certifications (SOC 2, ISO 27001): Require third-party auditors; you cannot certify yourself
  • Industry-specific regulations (HIPAA, GLBA): Usually require legal and compliance expertise
  • Complex requirements: Often benefit from consultants or in-house compliance staff

Many companies start by doing what they can themselves, then bring in professionals for complex areas or when scaling. Use this tool to identify what applies, then assess whether you need professional help for each requirement.

What happens if I don't comply with these regulations?

Non-compliance consequences vary by regulation and jurisdiction:

  • GDPR: Fines up to 4% of global annual revenue or €20 million, whichever is higher
  • CCPA: $2,500-$7,500 per violation, plus potential class action lawsuits
  • HIPAA: Fines from $100 to $1.5 million per violation, plus potential criminal penalties
  • PCI DSS: Fines from payment card networks, potential loss of ability to process payments
  • Accessibility (ADA): Lawsuits, mandatory accessibility improvements, potential damages

Beyond fines, non-compliance can damage customer trust, block enterprise sales, and create legal liability. Many enterprise customers require proof of compliance before signing contracts. This tool helps you identify requirements early so you can address them proactively.