Compliance Readiness for Claude Agents
How to make your Claude agent operations audit-ready for SOC 2, HIPAA, GDPR, and beyond
Chapter 1: Which Frameworks Apply?
SOC 2 Type II — You sell software to businesses and customers ask about your security practices. If you’ve ever received a security questionnaire from a prospect, you need SOC 2. It’s the baseline for B2B trust.
HIPAA — You handle Protected Health Information in any form. If agents process medical records, patient data, insurance claims, or health-related data, HIPAA applies regardless of company size.
GDPR — You process personal data of EU residents. Applies regardless of where your company is located.
PCI-DSS — You process, store, or transmit credit card data.
Most startups need SOC 2 first, GDPR if they have EU customers, HIPAA only if in healthcare.
Chapter 2: SOC 2 Type II
SOC 2 evaluates five Trust Service Criteria. Sentrely satisfies each:
Security (required): Per-agent RBAC, session tokens with automatic expiration, deny-by-default, approval gates for privileged operations.
Processing Integrity: Every agent action logged with timestamp, identity, resource, and outcome. Data pipelines include validation gates.
Confidentiality: Per-project isolation prevents cross-project access. Scoped credentials mean agents only access what they need.
Evidence for auditors:
- Policy files showing per-agent permissions
- Audit logs showing denied events (proves enforcement, not just declaration)
- Approval logs showing human-in-the-loop for privileged operations
Chapter 3: HIPAA for AI Agents
HIPAA adds specific technical safeguards:
Access Control (164.312(a)) — Unique user identification and automatic logoff. → Sentrely: Per-agent identity with session tokens that expire automatically.
Audit Controls (164.312(b)) — Record and examine activity in PHI-containing systems. → Sentrely: Complete audit trail of every data access, automatically generated.
Transmission Security (164.312(e)) — Protect PHI during transmission. → Sentrely: All communication encrypted (TLS). Gateway-to-agent traffic is HTTPS only.
VPC Deployment: For HIPAA, deploy Sentrely within your VPC. Enterprise tier supports VPC deployment where no PHI leaves your environment.
BAA Requirement: If using Sentrely’s managed cloud with PHI, a Business Associate Agreement is required. Contact sales.
Chapter 4: GDPR Data Residency and Erasure
Data Residency (Articles 44-49): EU resident data must stay in the EU or adequately protected countries.
data_residency:
region: eu-central-1
audit_storage: s3://eu-audit-bucket/
retention:
personal_data_logs: 365d
anonymized_metrics: 2555d
Right to Erasure (Article 17): Audit logs containing personal data must be deletable on request. Configure retention policies that automatically purge old records. Session data that processed personal data must be traceable so you can identify and delete relevant logs.
Chapter 5: The Universal Audit Trail
One well-designed audit trail satisfies SOC 2, HIPAA, and GDPR simultaneously:
| Field | SOC 2 | HIPAA | GDPR |
|---|---|---|---|
| Timestamp | ✓ | ✓ | ✓ |
| Agent identity | ✓ | ✓ | ✓ |
| Action type | ✓ | ✓ | ✓ |
| Resource accessed | ✓ | ✓ | ✓ |
| Outcome (allowed/denied) | ✓ | ✓ | ✓ |
| Policy applied | ✓ | — | ✓ |
| Data category (PHI/PII) | — | ✓ | ✓ |
| Session ID | ✓ | ✓ | — |
Configure Sentrely:
audit:
fields: [timestamp, agent, action, resource, outcome, policy, data_category, session_id]
export:
destination: s3://audit-bucket/
format: json
encryption: AES-256
frequency: hourly
Chapter 6: Preparing for an Audit
Auditors want to see three things:
- Policies — Human-readable YAML showing what each agent can and cannot do
- Enforcement evidence — Denied requests in the audit log (proves policies are enforced, not just declared)
- Incident response — Walk through what happens when something goes wrong
The most powerful moment in an audit: when the auditor asks “what would happen if an agent tried to access data outside its scope?” and you can open the audit log and show them a previous denied request with timestamp, agent identity, and the policy that blocked it.
Chapter 7: Ongoing Compliance Operations
Monthly: Review agent policies for accuracy. Check audit log completeness. Review approval gate effectiveness.
Quarterly: Run a mock audit. Update data retention policies. Verify log exports are working.
Annually: Full policy review, remove unused agents and stale permissions. Assess whether new frameworks apply.
On policy change: Document the reason, log the approver, verify the new policy works via testing.
The goal: compliance evidence generated automatically as a byproduct of normal operations — not assembled manually before each audit.
Put this playbook into practice
Sentrely is the managed control plane this playbook is built around. Get early access and deploy in minutes.