Compliance by Construction: Generating SOC 2 and GDPR Controls from an Architecture Model
The standard approach to software compliance is sequential: build the product, then add compliance. This approach is expensive. Security auditors at top consulting firms consistently estimate that retrofitting SOC 2 controls onto an existing codebase costs 3-5× as much as building them in from the start. For GDPR, the ratio is similar — the law requires privacy by design, not privacy by retrofit.
Compliance by construction is the architectural alternative: controls are generated as structural properties of the system from the same formal model that generates the application code. This post explains how it works in practice.
The Structural Difference
Retrofit approach:
- Build the application (auth, data model, API, frontend)
- Engage a compliance consultant or auditor
- Map existing controls to framework requirements (SOC 2 CC6, HIPAA §164.312, GDPR Art. 25)
- Discover gaps; retrofit missing controls (RLS, audit logging, encryption, access reviews)
- Write evidence documentation describing what exists
Compliance by construction:
- Define architecture model including compliance flags (compliance_targets: [soc2, gdpr])
- Generate application code + compliance documentation from the same model
- Controls are wired in at generation time — not added later
The difference is not cosmetic. A system generated with SOC 2 targets has row-level security, audit logging, and access control baked into the data model. A system retrofitted for SOC 2 has these controls added in a later sprint, often inconsistently.
SOC 2 Trust Services Criteria — What Gets Generated
Archiet maps the SOC 2 Trust Services Criteria directly to generated code:
CC6 — Logical and Physical Access Controls:
- Generated: RBAC model with workspace isolation (workspace_id FK on every tenant-scoped table)
- Generated: Row-level security policies via PostgreSQL RLS
- Generated: JWT via httpOnly cookies (never localStorage — a common audit finding)
- Generated: Token refresh and revocation logic
- Generated: CC6.2 evidence checklist documenting the controls
CC7 — System Operations:
- Generated: Audit log table with event_type, actor_id, resource_id, timestamp, ip_address
- Generated: Alembic migration that creates the audit log at deployment time
- Generated: CC7.2 evidence narrative explaining the logging mechanism
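The CC6 and CC7 bullets above describe controls derived from the model rather than written by hand. The following is an added illustration of that idea, not Archiet's generator: a small architecture model is turned into the PostgreSQL RLS policy for each tenant-scoped table and the DDL for the audit log table, keyed by the control each artifact evidences. The model classes, the app.workspace_id session setting used by the policy, and the policy names are assumptions made for this example.

```python
# Added example (not Archiet's generator): derive SOC 2 CC6/CC7 control SQL
# from a small architecture model. The model classes, the `app.workspace_id`
# session setting and the policy naming are assumptions for illustration.
from dataclasses import dataclass

AUDIT_COLUMNS = ("event_type", "actor_id", "resource_id", "timestamp", "ip_address")


@dataclass
class Entity:
    name: str                   # table name
    columns: list               # column names in the data model
    tenant_scoped: bool = True  # False for global reference data (e.g. plans)


@dataclass
class ArchitectureModel:
    compliance_targets: list    # e.g. ["soc2", "gdpr"]
    entities: list


def rls_policy_sql(entity: Entity) -> str:
    """CC6: tenant-isolation policy for one tenant-scoped table.

    FORCE ROW LEVEL SECURITY binds the table owner as well; without it an
    application that connects as the owner silently bypasses every policy.
    """
    if "workspace_id" not in entity.columns:
        # A tenant-scoped table without the FK cannot be isolated; fail the
        # generation rather than emit a policy that references a missing column.
        raise ValueError(f"{entity.name} is tenant-scoped but has no workspace_id column")
    t = entity.name
    return (
        f"ALTER TABLE {t} ENABLE ROW LEVEL SECURITY;\n"
        f"ALTER TABLE {t} FORCE ROW LEVEL SECURITY;\n"
        f"CREATE POLICY {t}_tenant_isolation ON {t}\n"
        f"    USING (workspace_id = current_setting('app.workspace_id')::uuid);"
    )


def audit_log_sql() -> str:
    """CC7: audit log table carrying only the structured columns from the post."""
    column_types = {
        "event_type": "text NOT NULL",
        "actor_id": "uuid",
        "resource_id": "text",
        "timestamp": "timestamptz NOT NULL DEFAULT now()",
        "ip_address": "inet",
    }
    cols = ",\n".join(
        ["    id bigserial PRIMARY KEY"]
        + [f"    {c} {column_types[c]}" for c in AUDIT_COLUMNS]
    )
    return (
        f"CREATE TABLE audit_log (\n{cols}\n);\n"
        # Non-owner roles may append but never rewrite history.
        "REVOKE UPDATE, DELETE ON audit_log FROM PUBLIC;"
    )


def generate_controls(model: ArchitectureModel) -> dict:
    """Return {control_id: [sql artifact, ...]} so each narrative can cite its artifact."""
    controls: dict = {}
    if "soc2" not in model.compliance_targets:
        return controls
    controls["CC6.1"] = [rls_policy_sql(e) for e in model.entities if e.tenant_scoped]
    controls["CC7.2"] = [audit_log_sql()]
    return controls


if __name__ == "__main__":
    # Constructed model: one tenant-scoped table, one global reference table.
    demo = ArchitectureModel(
        compliance_targets=["soc2", "gdpr"],
        entities=[
            Entity("projects", ["id", "workspace_id", "name"]),
            Entity("plans", ["id", "name"], tenant_scoped=False),
        ],
    )
    for control, artifacts in generate_controls(demo).items():
        print(f"-- {control}")
        print("\n".join(artifacts))
```

The policy reads the tenant from a session setting, so the application must set it (SET app.workspace_id = ...) on every connection before querying; an auditor following the CC6 narrative to this artifact would want to see that step as well as the policy.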
CC8 — Change Management:
- Generated: ARCHITECTURE.md with change rationale (ADRs)
- Generated: DELIVERY_RECEIPT.md with generation provenance
- Generated: CC8.1 evidence checklist for deployment controls
A1 — Availability:
- Generated: docker-compose.yml with health checks and restart policies
- Generated: nginx.conf with rate limiting
- Generated: A1.2 evidence narrative for the uptime controls
GDPR Article Mapping
The GDPR mapping focuses on Articles 5, 25, 30, 32, and 35:
Article 5 — Data minimisation and purpose limitation:
- Generated: genome capturing which entities exist and why, creating traceability between the data stored and the purpose claimed in the privacy policy
- Generated: GDPR_DATA_MAP.md documenting each entity and its legal basis
Article 25 — Data protection by design:
- Generated: workspace isolation ensures tenant separation by construction
- Generated: no plaintext PII in logs (generated audit logger uses structured fields, not free-text messages)
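The second Article 25 bullet rests on a structural property of the logger, not on reviewer discipline: if the audit logger accepts only the structured CC7 fields, free-text messages that carry PII cannot enter the log in the first place. The block below is an added example of such a logger, not Archiet's generated code. It accepts exactly the five fields from the CC7 list, rejects extra keyword arguments, rejects identifiers that look like e-mail addresses or free text, validates ip_address as an IP, and can optionally replace the IP with a keyed hash (IP addresses are themselves personal data under GDPR). The PII heuristics, the event_type grammar and the HMAC key are assumptions for this example.

```python
# Added example (not Archiet's audit logger): a structured audit logger that
# accepts only the CC7 fields and refuses free-text or PII-bearing values.
# Field names follow the post; the heuristics and HMAC key are assumptions.
import hashlib
import hmac
import ipaddress
import json
import re
from datetime import datetime, timezone
from typing import Optional

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
EVENT_RE = re.compile(r"^[a-z_]+\.[a-z_]+$")  # e.g. "user.login", "record.delete"


class AuditLogger:
    def __init__(self, ip_key: Optional[bytes] = None):
        # With a key, IPs are stored as a keyed hash: still correlatable across
        # events for incident response, no longer directly identifying.
        self.ip_key = ip_key
        self.lines = []  # JSON lines, one per event

    @staticmethod
    def _check_opaque(field: str, value: str) -> None:
        # Identifiers must be opaque tokens: no e-mail addresses, no whitespace
        # (which is what free-text sentences contain), bounded length.
        if (not isinstance(value, str) or not value or len(value) > 128
                or EMAIL_RE.search(value) or any(ch.isspace() for ch in value)):
            raise ValueError(f"{field} must be an opaque identifier, got {value!r}")

    def _ip_field(self, ip) -> str:
        if self.ip_key is None:
            return str(ip)
        digest = hmac.new(self.ip_key, ip.packed, hashlib.sha256).hexdigest()
        return "h:" + digest[:32]

    def record(self, event_type: str, actor_id: str, resource_id: str,
               ip_address: str, **unexpected) -> dict:
        """Validate and append one event; returns the structured entry."""
        if unexpected:
            # No "message", "details", "email" or other free-form fields.
            raise ValueError(f"unexpected fields rejected: {sorted(unexpected)}")
        if not EVENT_RE.match(event_type):
            raise ValueError(f"event_type must be dotted lowercase, got {event_type!r}")
        self._check_opaque("actor_id", actor_id)
        self._check_opaque("resource_id", resource_id)
        ip = ipaddress.ip_address(ip_address)  # raises ValueError on non-IP strings
        entry = {
            "event_type": event_type,
            "actor_id": actor_id,
            "resource_id": resource_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "ip_address": self._ip_field(ip),
        }
        self.lines.append(json.dumps(entry, sort_keys=True))
        return entry


if __name__ == "__main__":
    # Constructed events; the key is a placeholder, not a real secret.
    log = AuditLogger(ip_key=b"constructed-key")
    log.record("user.login", "user:42", "session:abc", "203.0.113.7")
    try:
        log.record("user.login", "alice@example.com", "session:abc", "203.0.113.7")
    except ValueError as exc:
        print("rejected:", exc)
    print("\n".join(log.lines))
```

Because every accepted value is an opaque identifier, the log can be joined back to the data map (user:42 resolves through the application, not through the log), which is what lets the ROPA and DPIA narratives cite the audit log without listing it as a store of plaintext personal data.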
Article 30 — Records of processing activities (ROPA):
- Generated: GDPR_ROPA.md with processing activity register derived from the application's entity model
Article 32 — Security of processing:
- Generated: encryption at rest flag in database config
- Generated: TLS enforcement in nginx config
- Generated: Article 32 evidence checklist
Article 35 — Data Protection Impact Assessment (DPIA):
- Generated: DPIA template pre-populated with the application's data flows and processing activities, for completion by the Data Protection Officer
What the Output Looks Like
A generated ZIP for a SOC 2-targeted application includes:
compliance/
  soc2/
    CC6_access_controls.md      ← evidence narrative
    CC7_operations.md
    CC8_change_management.md
    A1_availability.md
    trust_services_matrix.md    ← control × criterion mapping
  gdpr/
    GDPR_DATA_MAP.md
    GDPR_ROPA.md
    GDPR_DPIA_template.md
    gdpr_article_matrix.md
ARCHITECTURE.md                 ← headline architecture doc with ADRs
DELIVERY_RECEIPT.md             ← provenance + generation metadata
Every control narrative cites the specific generated code artifact that implements it. An auditor reviewing CC6 access controls can follow the reference to the exact model file and migration that creates RLS.
The ROI Calculation
A typical Series A SaaS company pursuing SOC 2 Type II spends:
- Compliance consultant: $20,000-$50,000
- Engineering time to retrofit controls: 2-4 engineer-months at $15,000-$25,000/month = $30,000-$100,000
- Auditor fees: $15,000-$35,000
Total: $65,000-$185,000 for a greenfield system that didn't start with compliance.
For a system built with compliance by construction:
- Archiet generation: included in subscription ($599/mo Professional)
- Engineering time to customize generated controls to specific requirements: 1-2 weeks
- Auditor fees: unchanged — auditors charge for their time, not yours
The arithmetic is not subtle.
Try It
The architecture audit tool at archiet.com/audit-my-architecture generates a traceability report for your existing architecture — showing SOC 2 and GDPR coverage percentages and gap analysis — in under 60 seconds.
For a new system, the Professional plan includes SOC 2, ISO 27001, GDPR, HIPAA, PCI-DSS, DORA, and NIS2 compliance packs alongside every code generation.