
Security & Compliance for AI Agents

SOC 2, GDPR, HIPAA, and data governance requirements for enterprise deployments.

Enterprise AI agent deployments require rigorous security and compliance due diligence. This guide covers the key frameworks and what to ask vendors.

## SOC 2 Type II

Require the vendor to provide their SOC 2 Type II report covering Security, Availability, and Confidentiality trust service criteria. Read the report — do not just accept a badge.

## GDPR Considerations

If you process EU personal data, ensure your agent vendor offers data processing agreements (DPAs), EU data residency options, and right-to-erasure workflows.

## HIPAA for Healthcare

Any agent handling PHI must sign a Business Associate Agreement (BAA). Verify end-to-end encryption, audit logging, and minimum-necessary data access.

## Data Retention

Define retention periods for conversation logs upfront. Most compliance frameworks require a 90-day minimum; some require 7 years for financial services.