## Compliance

Agen for SaaS provides built-in capabilities to help your organization meet regulatory compliance requirements when exposing product capabilities to AI agents.

### Compliance capabilities by regulation

#### SOC 2

| Requirement | How Agen for SaaS helps |
| --- | --- |
| **Access control** | Role-based and permission-based tool restrictions using JWT attributes. |
| **Audit logging** | Full audit trail of every tool call, policy decision, and approval event. |
| **Change management** | Policy and configuration changes are tracked with timestamps. |
| **Incident response** | Real-time monitoring and log streaming to SIEM platforms. |

#### GDPR

| Requirement | How Agen for SaaS helps |
| --- | --- |
| **Data minimization** | Data protection policies mask GDPR-regulated data types in tool responses. |
| **Lawful processing** | Access control and policies ensure data is only accessed by authorized users for authorized purposes. |
| **Data subject rights** | Conditional targeting applies masking based on user geography (e.g., EU data subjects). |
| **Accountability** | Complete audit trail demonstrates compliance with data protection principles. |

#### HIPAA

| Requirement | How Agen for SaaS helps |
| --- | --- |
| **Access controls** | Role-based restrictions on health data tools. |
| **Audit controls** | Comprehensive logging of all PHI access through AI agents. |
| **Transmission security** | TLS encryption for all MCP Gateway communications. |
| **Data protection** | 39 predefined PHI masking types covering international health identifiers. |

#### PCI DSS

| Requirement | How Agen for SaaS helps |
| --- | --- |
| **Restrict access** | Access control rules limit which users can invoke payment-related tools. |
| **Protect cardholder data** | PCI data masking in tool responses prevents exposure of card numbers and CVVs. |
| **Monitor access** | Full logging of all payment tool interactions. |

#### CCPA / COPPA

| Requirement | How Agen for SaaS helps |
| --- | --- |
| **Data protection** | Dedicated masking categories for CCPA and COPPA data types. |
| **Conditional enforcement** | Policy targeting allows geography-specific and age-specific compliance rules. |

### Related topics

- [Security and compliance overview](/agen-for-saas/security-compliance/overview)
- [Data protection](/agen-for-saas/data-protection/overview)
- [Masking types](/agen-for-saas/data-protection/masking-types)
- [Monitoring](/agen-for-saas/monitoring/overview)