Compliance Implementation Roadmap
Prioritized Actions for Full Compliance
Last Updated: February 12, 2026 (v3.2.1)
Implementation Overview
This roadmap prioritizes compliance actions based on risk, regulatory requirement, and implementation effort. Technical items have been largely completed through the v3.0–v3.2.1 hardening sprints. Legal and operational items remain as pre-launch requirements for each clinic.
Legal & Contractual
| Action | Owner | Deliverable | Status |
|---|---|---|---|
| Appoint Privacy Officer | Leadership | Designated individual | ⬜ Per clinic |
| Vapi BAA execution | Legal | Signed agreement | ⬜ DPA template drafted |
| Clinic BAA template | Legal | Agreement template | ⬜ DPA template drafted |
Documentation
| Action | Owner | Deliverable | Status |
|---|---|---|---|
| Update privacy policy | Privacy Officer | Published policy | ⬜ Per clinic |
| Breach notification procedure | Security | Documented procedure | ✅ breach-response.md |
| Data retention schedule | Privacy Officer | Documented schedule | ✅ jobs/data-retention.ts (90d transcripts, 365d logs) |
Technical
| Action | Owner | Deliverable | Status |
|---|---|---|---|
| Verify OSCAR credential encryption | Engineering | Verification report | ✅ AES-256-GCM (lib/crypto.ts) |
| Confirm no PHI in logs | Engineering | Log audit report | ✅ redactPhi() in vapi-webhook.ts (v3.2.1) |
Phase 2: Short-Term (Week 3-4)
Documentation
| Action | Owner | Deliverable | Status |
|---|---|---|---|
| Access request procedure | Privacy Officer | Documented procedure | ⬜ |
| Complaint handling procedure | Privacy Officer | Documented procedure | ⬜ |
| Sub-processor list | Privacy Officer | Published list | ⬜ |
| Security policies | Security | Policy documents | ⬜ |
Technical
| Action | Owner | Deliverable | Status |
|---|---|---|---|
| Implement vulnerability scanning | Engineering | Trivy integration | ⬜ No CI pipeline yet |
| Automated log retention | Engineering | 1-year purge job | ✅ jobs/data-retention.ts (node-cron, 3 AM daily) |
| Backup encryption verification | Engineering | Verification report | ⬜ pg_dump backups exist, encryption pending |
Phase 3: Medium-Term (Month 2)
Operational
| Action | Owner | Deliverable | Status |
|---|---|---|---|
| Incident response plan | Security | Documented plan | ✅ breach-response.md covers this |
| Access review process | Security | Quarterly schedule | ⬜ |
| Vendor review process | Security | Annual schedule | ⬜ |
| Risk assessment | Security | Risk register | ⬜ |
Technical
| Action | Owner | Deliverable | Status |
|---|---|---|---|
| Centralized logging | Engineering | Loki deployment | ⬜ Pino structured logging in place, centralized aggregation pending |
| Alerting integration | Engineering | PagerDuty/Slack | ⬜ |
| DR testing | Engineering | DR test report | ⬜ |
Phase 4: Long-Term (Month 3+)
SOC 2 Preparation
| Action | Owner | Deliverable | Status |
|---|---|---|---|
| Evidence collection | Security | Evidence repository | ⬜ |
| Readiness assessment | Security | Gap analysis | ⬜ |
| Auditor selection | Leadership | Signed engagement | ⬜ |
| SOC 2 audit | External | Type II report | ⬜ |
Ongoing
| Action | Owner | Frequency | Status |
|---|---|---|---|
| Security review | Security | Annual | ⬜ |
| Penetration testing | External | Annual | ⬜ |
| Privacy training | Privacy Officer | Annual | ⬜ |
| Policy review | Privacy Officer | Annual | ⬜ |
| Access review | Security | Quarterly | ⬜ |
Key Dependencies
┌─────────────────────────────────────────────────────────────────┐
│ DEPENDENCY CHAIN                                                │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│ Week 1-2                                                        │
│ ────────                                                        │
│ Privacy Officer → Privacy Policy → Clinic BAAs                  │
│                 → Breach Procedure                              │
│                 → Retention Schedule                            │
│                                                                 │
│ Week 3-4                                                        │
│ ────────                                                        │
│ Security Policies → Access Review → Incident Response           │
│                                                                 │
│ Month 2                                                         │
│ ───────                                                         │
│ Risk Assessment → Evidence Collection → SOC 2 Readiness         │
│                                                                 │
│ Month 3+                                                        │
│ ────────                                                        │
│ SOC 2 Readiness → Auditor Selection → SOC 2 Audit               │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
Success Metrics
| Milestone | Target Date | Measure |
|---|---|---|
| Privacy Officer appointed | Week 1 | Named individual |
| Vapi BAA signed | Week 2 | Executed agreement |
| Privacy policy live | Week 2 | Published on website |
| Vulnerability scanning | Week 4 | Trivy in CI/CD |
| SOC 2 readiness | Month 3 | Internal assessment |
| SOC 2 Type II report | Month 6-8 | Auditor report |
Risk Matrix
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Breach without BAA | Medium | High | Priority 1: Execute BAAs |
| Privacy complaint | Low | Medium | Priority 1: Privacy policy |
| OSCAR credential exposure | Low | Critical | Verify encryption |
| Audit failure | Medium | High | Follow roadmap |
| Vendor non-compliance | Low | Medium | Vapi BAA, monitoring |
Compliance Calendar
Monthly
| Task | Week | Owner |
|---|---|---|
| Log review | 1 | Engineering |
| Alert review | 1 | Engineering |
| Vulnerability scan review | 2 | Security |
Quarterly
| Task | Month | Owner |
|---|---|---|
| Access review | 1, 4, 7, 10 | Security |
| Policy review | 1, 4, 7, 10 | Privacy Officer |
Annual
| Task | Month | Owner |
|---|---|---|
| Risk assessment | January | Security |
| Security review | January | Security |
| Penetration test | February | External |
| Privacy training | March | Privacy Officer |
| Vendor review | April | Security |
| DR test | May | Engineering |
| SOC 2 audit | August | External |
Next Steps