Governance & Compliance

Architecture governance, policy management, and compliance frameworks

Ensure your architectures meet organizational, regulatory, and security requirements through policy-as-code and automated governance.

Architecture Governance

What is Governance?

Architecture governance is the process of ensuring infrastructure decisions:

  • Align with organizational strategy
  • Comply with regulatory requirements
  • Follow security and cost policies
  • Support operational standards

Why Governance Matters

  • Risk Management — Prevent expensive mistakes before they happen
  • Compliance — Meet regulatory requirements (SOC2, HIPAA, PCI, GDPR)
  • Cost Control — Enforce cost optimization policies
  • Security — Ensure consistent security posture
  • Operational Excellence — Standardize on proven patterns

Policy as Code

Define architecture requirements as policies that are automatically enforced.

Example Policies

Policy: Encryption Required

All databases must be encrypted at rest.
All data in transit must use TLS 1.3.

Policy: High Availability

All databases must be deployed in multi-AZ configuration.
All load balancers must span at least 2 availability zones.

Policy: Security Groups

No security groups allowing inbound from 0.0.0.0/0 on port 22 or 3389.
All databases must be in private subnets (not internet-facing).

Policy: Cost Control

No instances larger than t3.xlarge without approval.
Maximum database storage of 1TB without approval.
All reserved instances must be 1-year or longer.

Policy: Tags

All resources must have:
- owner: name of responsible person
- cost-center: department paying for resource
- environment: prod, staging, dev
- data-classification: public, internal, confidential, restricted
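The example policies above become enforceable only once they are expressed as checks that run over an inventory of resources. The following is an added illustration of that policy-as-code step, written for this page and not Architecto's own engine: each policy is a small function that returns violations for one resource, and `evaluate` runs them all over a constructed inventory. The resource field names (`encrypted_at_rest`, `min_tls`, `ingress`, `private_subnet`, and so on) are assumed for the illustration, and "no instances larger than t3.xlarge" is read conservatively so that any non-t3 family also needs approval.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Policy constants taken from the policies listed above.
REQUIRED_TAGS = {"owner", "cost-center", "environment", "data-classification"}
ALLOWED_TAG_VALUES = {
    "environment": {"prod", "staging", "dev"},
    "data-classification": {"public", "internal", "confidential", "restricted"},
}
ADMIN_PORTS = {22, 3389}
MAX_UNAPPROVED_STORAGE_GB = 1024
# t3 sizes in ascending order; anything past xlarge needs approval (assumed ordering).
T3_SIZES = ["nano", "micro", "small", "medium", "large", "xlarge", "2xlarge"]


@dataclass(frozen=True)
class Violation:
    policy: str
    resource: str
    detail: str


def instance_too_large(instance_type: str) -> bool:
    """True when the type exceeds t3.xlarge. Other families are treated as larger,
    which is the deny-by-default reading of the cost policy (an assumption)."""
    family, _, size = instance_type.partition(".")
    if family != "t3" or size not in T3_SIZES:
        return True
    return T3_SIZES.index(size) > T3_SIZES.index("xlarge")


def check_encryption(r):
    v = []
    if r["type"] == "database" and not r.get("encrypted_at_rest", False):
        v.append(Violation("Encryption Required", r["id"], "database not encrypted at rest"))
    if r["type"] in {"database", "load_balancer"} and r.get("min_tls") != "1.3":
        v.append(Violation("Encryption Required", r["id"],
                           f"TLS minimum is {r.get('min_tls', 'unset')}, must be 1.3"))
    return v


def check_high_availability(r):
    v = []
    if r["type"] == "database" and not r.get("multi_az", False):
        v.append(Violation("High Availability", r["id"], "database is single-AZ"))
    if r["type"] == "load_balancer" and len(r.get("availability_zones", [])) < 2:
        v.append(Violation("High Availability", r["id"], "load balancer spans fewer than 2 AZs"))
    return v


def check_security_groups(r):
    v = []
    if r["type"] == "security_group":
        for rule in r.get("ingress", []):
            # A /0 prefix is "the whole internet"; flag it only on admin ports.
            world = ip_network(rule["cidr"], strict=False).prefixlen == 0
            hit = set(range(rule["from_port"], rule["to_port"] + 1)) & ADMIN_PORTS
            if world and hit:
                v.append(Violation("Security Groups", r["id"],
                                   f"{rule['cidr']} allowed inbound on {sorted(hit)}"))
    if r["type"] == "database" and not r.get("private_subnet", False):
        v.append(Violation("Security Groups", r["id"], "database is not in a private subnet"))
    return v


def check_cost(r):
    v = []
    approved = r.get("approved", False)
    if r["type"] == "instance" and not approved and instance_too_large(r["instance_type"]):
        v.append(Violation("Cost Control", r["id"], f"{r['instance_type']} exceeds t3.xlarge"))
    if r["type"] == "database" and not approved and r.get("storage_gb", 0) > MAX_UNAPPROVED_STORAGE_GB:
        v.append(Violation("Cost Control", r["id"], f"{r['storage_gb']} GB storage exceeds 1 TB"))
    if r["type"] == "reserved_instance" and r.get("term_years", 0) < 1:
        v.append(Violation("Cost Control", r["id"], "reserved instance term shorter than 1 year"))
    return v


def check_tags(r):
    v = []
    tags = r.get("tags", {})
    for key in sorted(REQUIRED_TAGS - tags.keys()):
        v.append(Violation("Tags", r["id"], f"missing tag {key}"))
    for key, allowed in ALLOWED_TAG_VALUES.items():
        if key in tags and tags[key] not in allowed:
            v.append(Violation("Tags", r["id"], f"tag {key}={tags[key]!r} not in {sorted(allowed)}"))
    return v


CHECKS = [check_encryption, check_high_availability, check_security_groups, check_cost, check_tags]


def evaluate(resources):
    """Run every policy over every resource and return all violations found."""
    return [v for r in resources for check in CHECKS for v in check(r)]


# Constructed inventory: one compliant database, one bastion security group open to
# the world on 22, and one oversized, under-tagged instance.
GOOD_TAGS = {"owner": "alice", "cost-center": "payments",
             "environment": "prod", "data-classification": "confidential"}
SAMPLE_INVENTORY = [
    {"id": "db-orders", "type": "database", "encrypted_at_rest": True, "min_tls": "1.3",
     "multi_az": True, "private_subnet": True, "storage_gb": 500, "tags": GOOD_TAGS},
    {"id": "sg-bastion", "type": "security_group", "tags": GOOD_TAGS,
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                 {"cidr": "10.0.0.0/8", "from_port": 443, "to_port": 443}]},
    {"id": "i-batch", "type": "instance", "instance_type": "m5.4xlarge",
     "tags": {"owner": "bob", "environment": "qa"}},
]

if __name__ == "__main__":
    for violation in evaluate(SAMPLE_INVENTORY):
        print(f"[{violation.policy}] {violation.resource}: {violation.detail}")
```

Each check is independent, so a new policy is one more function appended to `CHECKS`, and a CI gate can fail the build whenever `evaluate` returns a non-empty list; the remediation text is the `detail` field, which is the "violations highlighted with remediation steps" part of the workflow.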

Implementing Policies

(Coming soon: Built-in policy editor and enforcement engine)

  1. Define policies in Architecto
  2. Apply to organization or team
  3. Existing architectures automatically validated
  4. New architectures checked on creation
  5. Violations highlighted with remediation steps

Compliance Frameworks

SOC 2 Type II

Security, Availability, Processing Integrity, Confidentiality, and Privacy controls.

Architecto Helps With:

  • Encryption (at-rest and in-transit)
  • Access controls (IAM policies)
  • Audit logging (CloudTrail, CloudWatch)
  • Change management (infrastructure as code)
  • Incident response (documented procedures)

Architecture Review:

✓ Data encrypted at rest (AES-256)
✓ Data encrypted in transit (TLS 1.3)
✓ Multi-AZ deployment (availability)
✓ Access controls configured (least privilege)
✓ Audit logging enabled
✓ Backup and recovery tested

HIPAA (Health Insurance Portability & Accountability Act)

Protects healthcare data privacy and security.

Key Requirements:

  • Encryption for all PHI (Protected Health Information)
  • Access controls and authentication
  • Audit logging of all access
  • Backup and disaster recovery
  • Incident response procedures
  • Business associate agreements

Architecto Architecture Pattern for HIPAA:

VPC (isolated network)
├─ VPN for healthcare provider access
├─ Encrypted RDS database with encryption keys in AWS KMS
├─ CloudTrail logging all access
├─ VPC Flow Logs for network monitoring
├─ S3 with encryption and versioning for backups
└─ Multi-region disaster recovery

PCI DSS (Payment Card Industry Data Security Standard)

Protects credit card and payment data.

Key Requirements:

  • Firewall and network segmentation
  • Encryption for cardholder data
  • Vulnerability scanning
  • Access control and authentication
  • Monitoring and logging
  • Regular security testing

Architecto Architecture Pattern for PCI DSS:

Internet-Facing Components (DMZ)
├─ WAF (Web Application Firewall)
└─ Load Balancer (all traffic encrypted)

Application Servers (separated segment)
├─ API Gateway with authentication
├─ Encryption for cardholder data (tokenization)
└─ No storage of sensitive card data

Database Servers (isolated)
├─ Never stores card numbers (only tokens)
├─ Encrypted at rest and in transit
├─ Network segmentation (private subnet)
└─ CloudTrail and database audit logs

GDPR (General Data Protection Regulation)

Protects personal data of EU residents.

Key Rights:

  • Right to access (data subject can request their data)
  • Right to be forgotten (data can be deleted)
  • Right to data portability (export data in standard format)
  • Right to object to processing
  • Data protection by design

Architecto Considerations:

  • Data residency (data must stay in EU)
  • Data retention policies (delete old data)
  • Privacy by design (minimize personal data collection)
  • Consent management
  • Data processing agreements with vendors

Monitoring & Drift Detection

What is Drift?

Drift occurs when running infrastructure differs from documented architecture:

Designed Architecture:
- 3 EC2 instances behind load balancer
- Multi-AZ database with 2 read replicas
- CloudFront CDN for static assets

Actual Infrastructure:
- 2 EC2 instances (someone manually shut one down)
- Single database with no replicas (maintenance never done)
- No CDN (disabled to debug issue, never re-enabled)

Preventing Drift

1. Infrastructure as Code

  • Everything defined in Terraform/CloudFormation
  • Changes reviewed and approved before applying
  • Prevents "fat finger" mistakes

2. Drift Detection (Coming soon)

  • Scheduled checks comparing design vs. reality
  • Alerts when drift detected
  • Automated remediation (optional)

3. Change Management

  • All infrastructure changes through CI/CD
  • Manual changes not allowed (or flagged)
  • Audit trail of all changes
  • Automated rollback if issues detected
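A scheduled drift check is a comparison of the documented design against a snapshot of what is actually running. The example below is an added illustration for this page, not Architecto's drift detector: it takes the designed architecture and the actual infrastructure from the scenario above (as constructed dictionaries whose attribute names are assumed), and reports every missing resource, every attribute that differs, and, going one step beyond the scenario, any resource that exists in reality but not in the design.

```python
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Drift:
    resource: str
    attribute: str      # "<presence>" when the whole resource is missing or unexpected
    expected: Any
    actual: Any


def detect_drift(designed: dict, actual: dict) -> list[Drift]:
    """Compare the documented design with a live snapshot, resource by resource."""
    drifts: list[Drift] = []
    for name, spec in designed.items():
        live = actual.get(name)
        if live is None:
            drifts.append(Drift(name, "<presence>", "present", "missing"))
            continue
        # Only attributes the design specifies are compared; extra live attributes
        # (e.g. provider-assigned ids) are not drift.
        for attr, want in spec.items():
            got = live.get(attr)
            if got != want:
                drifts.append(Drift(name, attr, want, got))
    # Resources nobody documented are drift too: shadow infrastructure.
    for name in sorted(actual.keys() - designed.keys()):
        drifts.append(Drift(name, "<presence>", "absent", "present"))
    return drifts


def format_alert(drifts: list[Drift]) -> str:
    """Render the drift list as the text body of an alert; empty string means no drift."""
    if not drifts:
        return ""
    lines = [f"{len(drifts)} drift(s) detected:"]
    for d in drifts:
        lines.append(f"  {d.resource}.{d.attribute}: expected {d.expected!r}, found {d.actual!r}")
    return "\n".join(lines)


# Constructed snapshots mirroring the "Designed Architecture" vs "Actual Infrastructure"
# scenario above, plus one undocumented debug instance.
DESIGNED = {
    "web-asg": {"instance_count": 3, "behind_load_balancer": True},
    "orders-db": {"multi_az": True, "read_replicas": 2},
    "static-cdn": {"enabled": True},
}
ACTUAL = {
    "web-asg": {"instance_count": 2, "behind_load_balancer": True, "ami": "ami-placeholder"},
    "orders-db": {"multi_az": False, "read_replicas": 0},
    "static-cdn": {"enabled": False},
    "debug-box": {"instance_count": 1},
}

if __name__ == "__main__":
    print(format_alert(detect_drift(DESIGNED, ACTUAL)))
```

Run on a schedule, the alert fires whenever `format_alert` returns a non-empty string; the `Drift` records (expected vs. actual per attribute) are also the input an optional remediation step would act on, which is why the detector returns structured data rather than only text.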

Audit & Compliance Reporting

Generate Compliance Reports

Export compliance documentation:

✓ SOC 2 Readiness Report
✓ HIPAA Compliance Checklist
✓ PCI DSS Gap Analysis
✓ GDPR Compliance Inventory
✓ Custom Policy Compliance

Audit Trail

Complete history of:

  • Who created/modified each architecture
  • What changes were made and when
  • Approvals and reviews
  • Analysis results at each stage
  • Export and sharing activity

Documentation

Auto-generate required documentation:

  • Data flow diagrams for HIPAA/PCI compliance
  • Security architecture documentation
  • Business continuity plan
  • Disaster recovery runbook
  • Risk assessment matrices

Multi-Tenant & Enterprise Governance

Organization Policies

Set org-wide standards:

  • Approved cloud providers (AWS, GCP, Azure)
  • Approved patterns and technologies
  • Cost limits and budget controls
  • Required tags and naming conventions
  • Required compliance frameworks

Team-Level Governance

Teams can override org policies with:

  • Exceptions and waivers
  • Temporary approvals
  • Time-bound deviations

Audit & Logging

Complete audit trail:

Organization Level:
- Organization created/modified
- Members added/removed
- Policies created/changed
- Budget alerts triggered

Team Level:
- Architectures created/deleted
- Analysis results
- Shares and exports
- Comments and reviews

User Level:
- Login/logout
- API calls
- Document edits
- Settings changes

Incident Response

Preparation Phase

  1. Document architecture in Architecto
  2. Generate runbook for each critical component
  3. Define escalation procedures
  4. List contacts (on-call, managers, vendors)
  5. Test disaster recovery quarterly

Response Phase

During incident:

  1. Share architecture with war room team
  2. Annotate affected components
  3. Use Threat Modeler to identify attack vectors
  4. Check analysis modules for root causes
  5. Document timeline and actions taken

Recovery Phase

After incident:

  1. Generate post-incident report (from Architecto history)
  2. Create ADR documenting what happened and prevention
  3. Update architecture to prevent recurrence
  4. Update runbooks based on learnings
  5. Schedule post-mortem with team

Training & Knowledge Management

Documentation

Architecto helps organizations:

  • Store approved patterns and architectures
  • Share knowledge with onboarding team members
  • Document decisions and trade-offs
  • Create institutional memory

Learning Paths

Architecto includes:

  • 1,000+ quizzes on architecture, security, compliance
  • Flashcards for spaced repetition
  • Real-world case studies
  • Best practices guides

Customize for organization:

  • Company-specific architectures (examples)
  • Custom policies and requirements
  • Organization's technology stack

Compliance Roadmap

Architecto roadmap includes:

  • Q2 2024: Policy-as-code engine
  • Q3 2024: SOC 2, HIPAA, PCI DSS policy templates
  • Q3 2024: Automated compliance reporting
  • Q4 2024: Drift detection and remediation
  • Q1 2025: Custom compliance framework builder
  • Q2 2025: Advanced audit and forensics

Next Steps

  • Define Policies → Create organization policies (coming soon)
  • Select Framework → Choose HIPAA, PCI, SOC2, or custom
  • Audit Existing → Run compliance analysis on current architectures
  • Generate Reports → Export compliance documentation
  • Learn More → Best Practices

Questions? Contact compliance@architecto.dev or join Community Discord