Compliance Framework Guide: Which Framework Does Your SaaS Actually Need?
The wrong first compliance framework wastes 6 to 12 months and burns budget you cannot get back. This compliance framework guide is a decision tree, not a survey. Answer three questions and the framework selection becomes obvious.
Most founders inherit the compliance conversation from a lost deal or a security questionnaire, then over-index on the specific framework that lost the deal. That is not a strategy. The right first framework is a function of who your buyer is, what data you handle, and where your customers are located.
Start Here: Three Questions
The framework choice comes down to three inputs. Answer each honestly before reading further.
- Who is your primary buyer? US mid-market, US enterprise, European enterprise, healthcare, financial services, government, or a mix.
- What data do you handle? Generic B2B business data, Protected Health Information, financial account data, EU personal data, California resident personal data, or AI-processed data used in high-stakes decisions.
- Where are your customers located? United States only, United States and Europe, global, or United States with California-heavy usage.
Every framework decision below flows from these three answers.
Question 1: Who Is Your Buyer?
The buyer's procurement process dictates the framework, not any theoretical maturity model.
US Mid-Market SaaS Buyers
Ask for SOC 2 Type II. Every enterprise vendor risk questionnaire ships with a SOC 2 checkbox. Type I bridges gaps if the deal cannot wait for a Type II report period. See SOC 2 for startups for the pragmatic mechanics.
US Enterprise SaaS Buyers
Ask for SOC 2 Type II and increasingly for ISO 27001. Both frameworks appear on the same vendor security questionnaire from Fortune 1000 buyers. Buyers use them for slightly different purposes: SOC 2 for the CPA-attested control snapshot, ISO 27001 for the international framework signal that matters when the buyer operates globally.
European Enterprise SaaS Buyers
Prefer ISO 27001. European procurement teams recognize the international standard reflexively. SOC 2 is negotiable but suboptimal. Add ISO 27701 for privacy-specific extensions if you handle EU personal data at scale. See ISO 27001 vs SOC 2 for the trade-off in detail.
Healthcare Buyers (Hospitals, Payors, Pharma)
Require both SOC 2 Type II for the security control review and a signed Business Associate Agreement for the legal handling of Protected Health Information (PHI). HIPAA compliance is the underlying obligation the BAA references. See SOC 2 HIPAA compliance for how to run them as one program.
Financial Services Buyers
SOC 2 Type II is the baseline. Depending on your specific product surface, you may also need PCI-DSS (if you touch cardholder data), SOX-relevant controls (for public issuers), or ISO 27001 for global institutions. Financial services is the buyer segment fastest to ask for ISO 42001 as an AI governance addition.
Government Buyers
Depends on the specific procurement vehicle. FedRAMP dominates federal cloud services and has no substitute. StateRAMP or state-specific attestations govern state contracts. SOC 2 is often a precursor to FedRAMP but does not replace it. This guide does not cover FedRAMP because the timelines and cost profile are fundamentally different from commercial procurement.
Question 2: What Data Do You Handle?
Data type determines which frameworks are legal obligations versus voluntary attestations.
Generic B2B Business Data
No specific data-type-triggered framework. Framework selection is entirely buyer-driven per Question 1.
Protected Health Information (PHI)
HIPAA compliance is a legal obligation the moment PHI touches your platform. This is not optional and cannot be replaced by SOC 2. Run HIPAA and SOC 2 as a combined program from the start. See the HIPAA compliance checklist for the operational foundation.
Payment Card Data (Cardholder Data)
PCI-DSS applies if you store, process, or transmit cardholder data. Most SaaS companies engineer this out by using tokenization providers (Stripe, Adyen, Braintree) and reducing PCI scope to SAQ A. If you cannot engineer out of cardholder data handling, PCI-DSS is a separate program parallel to SOC 2.
EU Personal Data
GDPR applies extraterritorially. Even a US-only company that accepts sign-ups from EU users has GDPR obligations under Article 3(2). See GDPR for SaaS for the operational implementation.
California Resident Personal Data
CCPA (with CPRA amendments) applies if you meet the revenue or data-volume thresholds and sell to California residents. See CCPA requirements for the specific thresholds and consumer rights.
AI-Processed Data Used in Decisions
ISO 42001 applies if AI or machine learning materially drives decisions in your product, especially for high-stakes decisions (credit, healthcare, employment). ISO 42001 is the AI Management System standard published in December 2023 and is the emerging AI governance attestation for enterprise buyers. If AI is a productivity tool internally, ISO 42001 is not urgent.
Question 3: Where Are Your Customers?
Geography drives the cross-framework overlay.
United States Only
SOC 2 is the primary framework. Layer HIPAA if you handle PHI, PCI-DSS if you touch cardholder data. CCPA if you have California users at scale.
United States and Europe
SOC 2 for US buyers, ISO 27001 for European buyers, GDPR for the underlying EU personal data obligations. Plan for all three as a combined program. See GDPR and CCPA compliance for the privacy stack.
Global (US, Europe, Asia-Pacific)
ISO 27001 becomes the international anchor because it is recognized across regions in a way SOC 2 is not. GDPR still applies for EU data. Regional privacy laws (LGPD in Brazil, PIPEDA in Canada, POPIA in South Africa) may layer additional obligations.
US-Only with Heavy California Concentration
SOC 2 and CCPA. GDPR only applies if any EU-resident users are in scope. Do not conflate California residents with EU residents; the laws differ significantly on lawful basis, data subject rights, and enforcement.
The Framework Map
For quick reference, this is what each major framework is and what it is not.
- SOC 2 — CPA-attested control audit against Trust Services Criteria. Voluntary attestation. US-buyer-driven. Type I is point-in-time, Type II covers a period. Standard for US B2B SaaS.
- ISO 27001 — International information security management system standard. Certification against a fixed control set (Annex A). Preferred by European and global buyers. Certifiable through accredited certification bodies.
- HIPAA — US federal law governing Protected Health Information. Legal obligation for Business Associates handling PHI. No attestation report; demonstrated through documentation, safeguards, and BAAs.
- GDPR — EU regulation governing processing of personal data of EU residents. Applies extraterritorially. Enforced by national supervisory authorities. No attestation report.
- CCPA — California state law governing personal data of California residents. Threshold-triggered. Consumer rights of access, deletion, opt-out of sale, and non-discrimination.
- ISO 42001 — International AI Management System standard published December 2023. Voluntary certification. Emerging AI governance signal for enterprise buyers.
- ISO 27701 — Privacy extension to ISO 27001. Certification-eligible. Useful for demonstrating GDPR-aligned privacy controls to European buyers.
Common Combinations
Most SaaS companies end up running two or three frameworks. The predictable stacks:
US B2B SaaS at Series A-B: SOC 2 Type II alone. Everything else is deferred until buyer demand or data expansion triggers it.
HealthTech SaaS at Series A-B: SOC 2 Type II + HIPAA as a combined program from day one.
US B2B SaaS expanding to Europe (Series B-C): SOC 2 Type II + ISO 27001, plus GDPR obligations layered on. See the standard combinations page for pre-mapped bundles.
AI-Native SaaS selling into regulated buyers: SOC 2 Type II + ISO 42001. ISO 27001 layered on when European deal volume justifies it.
Payments-adjacent SaaS: SOC 2 Type II + PCI-DSS (scoped down to SAQ A where possible).
What NOT to Do First
Founders make three predictable mistakes early.
Do Not Start with ISO 27001 for a US-Only SaaS
Unless European deal flow justifies it. SOC 2 is faster to certify and matches US buyer expectations more precisely. ISO 27001 is not wrong; it is premature.
Do Not Skip HIPAA if You Touch PHI
There is no such thing as being SOC 2-compliant instead of HIPAA-compliant when PHI is involved. HIPAA is a legal obligation. A SOC 2 report will not defend an HHS OCR enforcement action.
Do Not Chase Every Framework a Prospect Mentions
One deal asking for FedRAMP is not a mandate to build a FedRAMP program. Compliance framework selection is a portfolio decision, not a per-deal reaction. If three deals in a quarter require FedRAMP, it is a signal. One deal is a data point.
For a specific framework's mechanics, see the SOC 2 service page, ISO 27001 service page, HIPAA service page, GDPR service page, CCPA service page, and ISO 42001 service page. For pre-mapped multi-framework programs, see standard combinations. For the underlying control overlap across frameworks, see the overlap explorer.
Frequently Asked Questions
Which compliance framework should a SaaS company get first? For most US B2B SaaS, SOC 2 Type II is the correct first framework. HealthTech handling PHI should run HIPAA in parallel because it is a legal obligation. AI-native platforms selling to regulated buyers should consider ISO 42001. European-headquartered SaaS often starts with ISO 27001 because European buyers recognize it more readily.
Do I need SOC 2 and ISO 27001 or just one? Depends on buyer geography. US buyers accept SOC 2. European buyers prefer ISO 27001. If you sell to both, run one combined program: the two share roughly 65% of their underlying controls. Typical sequence: SOC 2 first (faster), ISO 27001 layered on when European deal volume justifies it.
Does GDPR apply to a US SaaS company? Yes, if you have EU-resident users or your service is directed at the EU market. GDPR applies extraterritorially under Article 3(2). Having no EU office does not exempt you.
When is ISO 42001 worth pursuing? If you are an AI-native SaaS whose product materially depends on machine learning models, and you sell into regulated enterprise buyers (financial services, healthcare, government) who are starting to ask for AI governance attestation. If AI is only internal productivity tooling, ISO 42001 is not on the critical path.
Ready to Pick the Right Compliance Program?
ShieldKey Solutions helps SaaS founders select the correct compliance framework based on buyer, data, and geography, then builds the program to close deals. No template dumps, no framework-of-the-month.