Security & Compliance for Python Development
HIPAA, SOC2, GDPR, PCI-DSS requirements and vetting checklists for regulated industries. Written for CTOs choosing Python agencies.
Critical: 68% of data breaches involve third-party vendors. If you're in healthcare, fintech, or handle EU data, compliance isn't optional—it's existential. This guide shows what to require from Python development agencies.
Quick Decision Matrix: Which Compliance Do You Need?
| If you're building... | Required | Recommended | Nice to Have |
|---|---|---|---|
| Healthcare app (US) | HIPAA, BAA | SOC2, ISO 27001 | HITRUST |
| SaaS for enterprises | SOC2 Type II | ISO 27001 | ISO 9001 |
| Payment processing | PCI-DSS Level 1/2 | SOC2 | ISO 27001 |
| EU customer data | GDPR compliance | SOC2, ISO 27001 | EU-US Data Privacy Framework certification (successor to Privacy Shield, which is defunct) |
| Financial services | SOC2, Industry regs | ISO 27001 | FedRAMP (gov only) |
HIPAA Compliance for Python Healthcare Applications
What HIPAA Actually Requires
HIPAA = Health Insurance Portability and Accountability Act
Applies to: Any app handling PHI (Protected Health Information) - medical records, appointments, prescriptions, insurance, etc.
Non-Negotiable Requirements for Your Python Agency:
1. Business Associate Agreement (BAA)
What it is: Legal contract making the agency responsible for PHI security
Red flag: If they hesitate or say "we'll sign that later" = walk away
Must include: Permitted uses of PHI, data handling procedures, breach notification (HIPAA's outer limit is 60 days from discovery; a good BAA sets a deadline of days), liability terms, audit rights, return or destruction of PHI at termination
2. Technical Safeguards
- Encryption at rest: AES-256 for databases, volumes and backups (HIPAA names no algorithm; AES-256 is the accepted standard). Database- or volume-level encryption (PostgreSQL, MySQL, RDS) covers stolen disks; field-level encryption of the most sensitive PHI also covers a compromised application account
- Encryption in transit: TLS 1.2 or 1.3 (no TLS 1.0/1.1, and no plaintext hops between internal services)
- Access controls: Role-based (RBAC), multi-factor authentication (MFA) for admin and production access
- Audit logs: All PHI access logged with user ID, timestamp, action and resource, protected from modification, retained at least 6 years (HIPAA's documentation retention period)
- Session management: Auto-logout after 15 min inactivity (HIPAA sets no number; 10-15 minutes is common practice)
3. Administrative Safeguards
- Security risk assessment: Updated annually, documented
- Workforce training: All developers HIPAA-trained before touching code
- Incident response plan: Written procedure for data breaches
- Background checks: Criminal background checks for all staff with PHI access
4. Python-Specific Implementation
- Django: django-encrypted-model-fields or django-fernet-fields for PHI columns (both use Fernet authenticated encryption; the key must come from a secrets manager, not settings.py)
- FastAPI: Pydantic validates and shapes input but does not encrypt anything; encrypt PHI fields in the service layer (for example with the cryptography package's Fernet) before they reach the database
- Database: PostgreSQL with pgcrypto extension, or AWS RDS with encryption enabled (KMS-backed)
- File storage: AWS S3 with server-side encryption, preferably SSE-KMS with a customer-managed key so every decrypt shows up in CloudTrail; client-side encryption on top is optional, not a replacement for bucket policies and SSE
- Secrets management: HashiCorp Vault, AWS Secrets Manager - no .env files or hard-coded keys in production
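The audit-log requirement above is the one agencies most often meet with a plain text file that anyone with database access can edit. The example below is added here (not code from the original page or any library) to show what "protected from modification" can look like in practice: a hash-chained log where every PHI access entry carries an HMAC over its own fields and the previous entry's digest, so an edited or deleted line is detectable. The key, user IDs and resource names are constructed; in production the key would come from a secrets manager.

```python
"""Tamper-evident audit log for PHI access (added example, stdlib only).

Every entry records user ID, UTC timestamp, action and resource, and carries
an HMAC over the entry plus the previous entry's digest. Editing or deleting
any line breaks the chain, so a reviewer can prove the log is intact.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: in production this key comes from a secrets manager
# (Vault, AWS Secrets Manager), never from source control or a .env file.
AUDIT_KEY = b"example-only-audit-key-replace-me"
GENESIS = "0" * 64
RECORD_FIELDS = ("ts", "user_id", "action", "resource")


def digest(record: dict, prev: str) -> str:
    """HMAC-SHA256 over the previous digest and the canonical JSON record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev.encode() + payload, hashlib.sha256).hexdigest()


def append_event(log: list[dict], user_id: str, action: str, resource: str,
                 ts: datetime | None = None) -> dict:
    """Append one PHI access event chained to the previous entry."""
    ts = ts or datetime.now(timezone.utc)
    prev = log[-1]["digest"] if log else GENESIS
    record = {
        "ts": ts.isoformat(timespec="seconds"),
        "user_id": user_id,
        "action": action,      # read / update / export ...
        "resource": resource,  # e.g. patient/1234
    }
    entry = {**record, "prev": prev, "digest": digest(record, prev)}
    log.append(entry)
    return entry


def verify_chain(log: list[dict]) -> tuple[bool, int | None]:
    """Walk the chain; return (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry[k] for k in RECORD_FIELDS}
        if entry["prev"] != prev or not hmac.compare_digest(
                entry["digest"], digest(record, prev)):
            return False, i
        prev = entry["digest"]
    return True, None


def build_sample_log() -> list[dict]:
    """Three constructed events with fixed timestamps so results are reproducible."""
    log: list[dict] = []
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    append_event(log, "dr.lee", "read", "patient/1234", base)
    append_event(log, "nurse.kim", "update", "patient/1234", base.replace(minute=5))
    append_event(log, "dr.lee", "export", "patient/5678", base.replace(minute=9))
    return log


def demo() -> dict:
    """Show the chain passing, then failing after an edit and after a deletion."""
    log = build_sample_log()
    edited = [dict(e) for e in log]
    edited[1]["user_id"] = "someone.else"   # rewrite who touched the record
    deleted = [log[0], log[2]]              # drop the middle entry
    return {"intact": verify_chain(log),
            "edited": verify_chain(edited),
            "deleted": verify_chain(deleted)}


if __name__ == "__main__":
    print(json.dumps(demo()))
```

Ship the log lines to a write-once destination (CloudWatch, Splunk, an S3 bucket with Object Lock) and re-run `verify_chain` from there; the chain only proves integrity from the point where the entries left the application's control.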
HIPAA Vetting Checklist for Agencies
Questions to ask during evaluation:
- "How many HIPAA-compliant Python apps have you built?" (Want: 3+)
- "Show me a signed BAA from a past client" (redacted is fine)
- "What's your process for encrypting PHI in Django/FastAPI?" (Should be specific, not vague)
- "Who at your company has access to production PHI?" (Want: <5 people, named)
- "Walk me through your breach notification process" (Must be documented)
- "How do you handle PHI in development/staging environments?" (Want: synthetic data only)
- "What audit logging solution do you use?" (CloudWatch, Splunk, ELK - something enterprise)
- "Show me your most recent penetration test report" (Want: within 12 months)
Red flags: "We're HIPAA-ready" (not the same as compliant), No written policies, Offshore team without BAA, Shared credentials, No MFA, Logs not retained, No incident response plan, Hesitation about BAA
For a complete agency vetting process beyond compliance, see our technical evaluation framework. Ready to find HIPAA-experienced agencies? Compare all 30 companies with compliance experience data.
SOC2 Compliance for SaaS Python Applications
Understanding SOC2
SOC2 = Service Organization Control 2
Purpose: Proves your agency has proper security controls for handling customer data
Audited by: Independent CPA firms (Big 4 or specialized firms)
| | SOC2 Type I | SOC2 Type II |
|---|---|---|
| What it proves | Controls exist and are designed correctly (point in time) | Controls operated effectively over an observation period (typically 6-12 months) |
| Audit duration | 1-2 months | 6-12 months of testing |
| Suitable for | New agencies, interim proof | Enterprise sales, critical systems |
| Cost | $15-40K | $25-80K |
| Renewal | Annual | Annual |
Five Trust Service Criteria (TSC)
Security (Required)
System is protected against unauthorized access (physical and logical)
- Firewalls, intrusion detection, network segmentation
- Access controls with principle of least privilege
- Vulnerability management and patch management
- Security incident response procedures
Availability (Optional but common)
System is available for operation and use as committed
- 99.9%+ uptime commitment
- Redundancy, failover, disaster recovery
- Performance monitoring and capacity planning
Processing Integrity (Optional)
System processing is complete, valid, accurate, timely, and authorized
Confidentiality (Optional but recommended)
Confidential information is protected
- Encryption (at rest and in transit)
- Access logging and monitoring
- Secure deletion procedures
Privacy (Optional; relevant when you handle personal data, but not a substitute for GDPR compliance)
Personal information is collected, used, retained, disclosed, and disposed of properly
What to Require from Python Agencies
Minimum for enterprise SaaS: SOC2 Type II with Security + Availability criteria
Verification steps:
- Request a copy of the most recent SOC2 report (should be <12 months old; reports are normally shared under NDA)
- Check the report date, the auditor's name (Big 4 or a reputable specialist firm) and the observation period
- Read the auditor's opinion: you want "unqualified"; a qualified opinion means controls failed
- Read the tests-of-controls results for exceptions, and management's response to each
- Verify criteria covered (Security is mandatory, check for Availability/Confidentiality)
- Ask about the remediation plan and timeline for any exceptions/findings
Pro tip: If agency says "SOC2 in progress" ask for expected completion date and interim proof (Type I, ISO 27001, or detailed security questionnaire). Don't accept vague "we're working on it."
GDPR Compliance for Python Applications with EU Data
When GDPR Applies
You need GDPR compliance if:
- People in the EU/EEA use your app (even if you're US-based; residence counts, not citizenship)
- You process/store personal data of people in the EU/EEA, whether as controller or processor
- You monitor behavior of EU users (analytics, tracking)
Personal data under GDPR: Name, email, IP address, location, cookies, device IDs, behavioral data - anything that identifies a person directly or indirectly
Key GDPR Requirements for Python Development
1. Data Processing Agreement (DPA)
Like BAA for HIPAA, but for EU data. Agency must sign DPA committing to GDPR compliance.
2. Lawful Basis for Processing
- Consent: Freely given, specific, informed and unambiguous, shown by an affirmative act (no pre-checked boxes); explicit consent for health or other special-category data
- Contract: Necessary for service delivery
- Legitimate interest: Requires a documented balancing test and an opt-out; analytics and tracking cookies usually need consent under the ePrivacy rules anyway, so don't rely on legitimate interest for them
3. User Rights Implementation (respond within one month)
Right to access: Users can download their data (Django: data export endpoint)
Right to erasure ("right to be forgotten"): Delete all user data on request; where a legal retention duty applies (invoices, accounting records), anonymize the record instead of deleting it and document why
Right to portability: Export data in a structured, machine-readable format (JSON, CSV)
Right to rectification: Users can correct their data
4. Data Minimization
Only collect data you actually need. Don't ask for phone number if you won't call them.
5. Privacy by Design
Security built in from day 1, not added later. Default settings should be privacy-protective.
6. Breach Notification
Report breaches to the supervisory authority within 72 hours of becoming aware of them (unless the breach is unlikely to result in risk to individuals). Notify affected users without undue delay if the risk to them is high.
Python Implementation Checklist
| Requirement | Django Solution | FastAPI Solution |
|---|---|---|
| Consent management | django-cookie-consent | Custom cookie banner + DB |
| Data export | django-gdpr-assist | Custom endpoint (Pydantic to JSON) |
| Data deletion | Anonymize identifiers in place where retention applies, hard-delete the rest (a soft-delete flag alone is not erasure) | Same pattern in the service layer |
| Audit trails | django-simple-history | Custom logging middleware |
| Data minimization | Model field choices (don't collect) | Pydantic optional fields |
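The export and deletion rows above, and the erasure-versus-anonymization question in the agency interview, come down to one piece of service-layer code. The example below is added here and is not code from django-gdpr-assist or any other library: it exports everything held on a subject as JSON (access and portability), and erases a subject by stripping direct identifiers from rows that must be retained while hard-deleting rows that need not be, finishing with a check that the identifiers are really gone. The schema, field names and pepper value are assumptions.

```python
"""Right to access and right to erasure on a constructed user store
(added example, stdlib only; not code from django-gdpr-assist or any library).

Deletion is not always erasure: invoices may have to be kept for tax law, so
erase_user strips direct identifiers from the user row and orders (keeping a
keyed pseudonym so totals still reconcile) and hard-deletes data with no
retention duty (sessions, consents). export_user_data serves access and
portability as machine-readable JSON.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

PSEUDONYM_PEPPER = b"example-only-pepper"  # assumption: from a secrets manager
DIRECT_IDENTIFIERS = ("name", "email", "phone", "ip_address")


def pseudonym(user_id: int) -> str:
    """Keyed, non-reversible alias: without the pepper nobody can map it back."""
    mac = hmac.new(PSEUDONYM_PEPPER, str(user_id).encode(), hashlib.sha256)
    return "anon_" + mac.hexdigest()[:16]


def build_sample_db() -> dict:
    """Constructed data: two users, their orders, sessions and consents."""
    return {
        "users": {
            1: {"id": 1, "name": "Alice Example", "email": "alice@example.com",
                "phone": "+1-555-0100", "ip_address": "203.0.113.7", "country": "DE"},
            2: {"id": 2, "name": "Bob Example", "email": "bob@example.com",
                "phone": None, "ip_address": "203.0.113.9", "country": "FR"},
        },
        "orders": [
            {"id": 10, "user_id": 1, "total_cents": 4999, "shipping_address": "1 Main St"},
            {"id": 11, "user_id": 1, "total_cents": 1500, "shipping_address": "1 Main St"},
            {"id": 12, "user_id": 2, "total_cents": 800, "shipping_address": "2 Rue X"},
        ],
        "sessions": [{"user_id": 1, "token": "s1"}, {"user_id": 2, "token": "s2"}],
        "consents": [{"user_id": 1, "purpose": "marketing", "given": True}],
        "erasure_log": [],
    }


def export_user_data(db: dict, user_id: int) -> str:
    """Right to access / portability: everything held on the subject, as JSON."""
    payload = {
        "user": db["users"][user_id],
        "orders": [o for o in db["orders"] if o["user_id"] == user_id],
        "consents": [c for c in db["consents"] if c["user_id"] == user_id],
    }
    return json.dumps(payload, indent=2, sort_keys=True, default=str)


def erase_user(db: dict, user_id: int, now: datetime | None = None) -> str:
    """Right to erasure: anonymize what must be retained, delete the rest.
    Returns the pseudonym so support can reference the case without PII."""
    now = now or datetime.now(timezone.utc)
    alias = pseudonym(user_id)
    user = db["users"][user_id]
    for field in DIRECT_IDENTIFIERS:
        user[field] = None
    user["erased_at"] = now.isoformat(timespec="seconds")
    # Orders stay for accounting retention, but no longer point at a person.
    for order in db["orders"]:
        if order["user_id"] == user_id:
            order["user_id"] = None
            order["customer_ref"] = alias
            order.pop("shipping_address", None)
    # Nothing obliges us to keep these: hard delete.
    db["sessions"] = [s for s in db["sessions"] if s["user_id"] != user_id]
    db["consents"] = [c for c in db["consents"] if c["user_id"] != user_id]
    db["erasure_log"].append({"ref": alias, "at": user["erased_at"],
                              "cleared": list(DIRECT_IDENTIFIERS)})
    return alias


def leaked_identifiers(db: dict, *values: str) -> list[str]:
    """Post-erasure check: which of the given strings still appear anywhere?"""
    blob = json.dumps(db, default=str)
    return [v for v in values if v in blob]
```

In a real deployment the same erasure has to reach backups, search indexes, log pipelines and any processor the agency shares data with under a DPA; `leaked_identifiers` is the pattern for the verification step, run against each of those stores.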
Questions for Agencies
- "Have you built GDPR-compliant apps for EU clients?" (Want: specific examples)
- "How do you implement right to erasure in Python?" (Should explain anonymization vs deletion)
- "What's your process for consent management?" (Want: granular, auditable)
- "Where will data be stored?" (Want: an EU/EEA region, or a named lawful transfer mechanism)
- "How do you handle data transfers outside the EU?" (Want: Standard Contractual Clauses plus a transfer impact assessment, or the EU-US Data Privacy Framework for certified US vendors; Privacy Shield is no longer valid)
- "Show me a DPA you've signed before" (Should have template ready)
PCI-DSS for Payment Processing Python Apps
When You Need PCI Compliance
PCI-DSS = Payment Card Industry Data Security Standard
Required if you: Store, process, or transmit credit card data
| Level | Transaction Volume/Year | Validation | Typical for |
|---|---|---|---|
| Level 1 | >6 million | Annual on-site assessment by a QSA (Report on Compliance) + quarterly ASV scans | Large merchants, processors |
| Level 2 | 1-6 million | Annual self-assessment questionnaire (SAQ) + quarterly ASV scans | Mid-size businesses |
| Level 3 | 20K-1M (e-commerce) | Annual SAQ + quarterly ASV scans | Small e-commerce |
| Level 4 | <20K (e-commerce) | Annual SAQ + quarterly ASV scans | Very small merchants |
Thresholds are set per card brand (these are Visa's); your acquiring bank tells you which level applies.
The Smart Approach: Don't Touch Card Data
Use tokenization services: Stripe, Braintree, Adyen - they handle PCI compliance
Your Python app never sees raw card numbers
→ Stripe.js collects card data on client-side
→ Returns token to your server
→ Your Django/FastAPI backend only handles tokens
→ Card data never touches your servers, so you drop to the shortest self-assessment (SAQ A) instead of the full standard (you still attest annually, and PCI DSS v4 requires you to inventory and integrity-check the scripts on the payment page)
Reality: Full PCI compliance costs $50K-200K/year. Unless you're a payment processor, use Stripe and avoid it entirely. Ask agencies if they've integrated Stripe/Braintree, not if they're "PCI compliant."
Security Vetting Checklist for Any Python Agency
Beyond Certifications: Practical Security Assessment
Code Security
- Static analysis tools: Bandit (Python security linter), Semgrep with its Python rulesets, pylint-secure-coding-standard
- Dependency scanning: pip-audit, Safety, Snyk, GitHub Dependabot (against lock files, so scans cover what actually ships)
- Secret scanning: GitGuardian, TruffleHog, gitleaks (no API keys in repos, including git history)
- Code review: Every PR reviewed by a senior developer, enforced by branch protection so it cannot be bypassed
- Security testing: OWASP Top 10 checks before production
Infrastructure Security
- Network isolation: Private subnets for databases, public for load balancers only
- Secrets management: Vault, AWS Secrets Manager, injected at runtime; never hard-coded, committed in .env files or baked into container images
- Container security: Non-root user, minimal base images, vulnerability scanning
- Access controls: MFA required, role-based access, audit logs
- Backup encryption: Automated backups encrypted at rest
Django-Specific Security
- Settings: DEBUG=False in production, ALLOWED_HOSTS configured (no "*"), SECRET_KEY generated with 50+ random characters and rotated via SECRET_KEY_FALLBACKS (Django 4.1+) so sessions survive the change; run `manage.py check --deploy` in CI
- Middleware: SecurityMiddleware, CsrfViewMiddleware, XFrameOptionsMiddleware enabled
- HTTPS: SECURE_SSL_REDIRECT=True, SECURE_HSTS_SECONDS set (HSTS), SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE=True
- CSRF: csrf_exempt not used, tokens properly validated
- SQL injection: Use the ORM; where raw SQL is unavoidable (.raw(), RawSQL, cursor.execute) pass parameters, never format strings
- XSS protection: Template auto-escaping left on, mark_safe and |safe only on content you generated yourself
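To make the settings list above checkable rather than a reading exercise, here is an added example (not Django's own code) that runs the same kind of checks `manage.py check --deploy` performs, over a plain settings dict so it works without Django installed. A weak configuration, close to what `startproject` generates, sits beside a hardened one; the hostname and key value are constructed.

```python
"""Checks a Django settings dict against the production checklist
(added example, not Django's own code). Django's `manage.py check --deploy`
does this for a real project; this stand-alone subset runs without Django
and makes the weak-versus-hardened difference concrete.
"""
from __future__ import annotations

REQUIRED_MIDDLEWARE = (
    "django.middleware.security.SecurityMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
)
ONE_YEAR = 31_536_000


def check_deploy_settings(s: dict) -> list[str]:
    """Return human-readable findings; an empty list means this subset passed."""
    findings: list[str] = []
    if s.get("DEBUG", True):            # a missing DEBUG is treated as unsafe
        findings.append("DEBUG must be False in production")
    hosts = s.get("ALLOWED_HOSTS") or []
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS must list real hostnames, no wildcard")
    key = s.get("SECRET_KEY") or ""
    # Same thresholds Django uses: 50+ chars, 5+ distinct chars, no generated prefix.
    if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
        findings.append("SECRET_KEY is short, low-entropy or the generated default")
    middleware = s.get("MIDDLEWARE") or []
    for name in REQUIRED_MIDDLEWARE:
        if name not in middleware:
            findings.append(f"missing {name.rsplit('.', 1)[-1]}")
    if not s.get("SECURE_SSL_REDIRECT"):
        findings.append("SECURE_SSL_REDIRECT should be True")
    if s.get("SECURE_HSTS_SECONDS", 0) < ONE_YEAR:
        findings.append("SECURE_HSTS_SECONDS should be at least one year")
    for flag in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not s.get(flag):
            findings.append(f"{flag} should be True")
    return findings


# Weak: a fresh `startproject` with the generated key left in place.
INSECURE_SETTINGS = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "SECRET_KEY": "django-insecure-abc123",
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware"],
}

# Hardened: the same keys set the way the checklist expects. The key below is
# a constructed placeholder; generate a real one and load it from a secrets manager.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["app.example.com"],
    "SECRET_KEY": "7k!Qz9@pW2m#Lx4^rT8&bN1*yH6(dJ3)sF0_cG5-vA2+eB9=uM4",
    "MIDDLEWARE": list(REQUIRED_MIDDLEWARE) + ["django.middleware.common.CommonMiddleware"],
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": ONE_YEAR,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}


if __name__ == "__main__":
    for label, settings in (("insecure", INSECURE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, check_deploy_settings(settings) or "OK")
```

In a real project run `python manage.py check --deploy --fail-level WARNING` in CI instead; the point of the stand-alone version is to show which settings each item on the list maps to.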
FastAPI-Specific Security
- Authentication: OAuth2 bearer tokens; JWTs signed with a pinned algorithm, short expiration (minutes for access tokens) and a separate refresh flow; verify signature and exp on every request
- Input validation: Pydantic models with strict types and explicit field constraints (lengths, ranges, patterns)
- Rate limiting: slowapi or custom middleware, plus limits at the load balancer
- CORS: Explicit allowed origins in CORSMiddleware, never "*" (and never "*" together with allow_credentials)
- SQL injection: Use the SQLAlchemy ORM, or text() with bound parameters; never string-formatted SQL
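"JWT with proper expiration" is where most FastAPI reviews find problems: tokens with no `exp`, the algorithm taken from the token header, or claims read before the signature is checked. The example below is added here and is not FastAPI's, PyJWT's or any project's code; it issues and verifies HS256 tokens with the standard library so that each check is visible. In a FastAPI service you would call `verify_token` from a dependency behind `OAuth2PasswordBearer` and let PyJWT or python-jose do the parsing; the key, subject and timestamps here are constructed.

```python
"""HS256 JWT issuing and verification written against the standard library
(added example). Shows what a correct verifier does, in order: pin the
algorithm, check the signature before trusting any claim, then require and
enforce exp (with a little leeway for clock skew).
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-only-hmac-key-keep-in-secrets-manager"  # assumption
ALLOWED_ALGS = {"HS256"}   # never take the algorithm from the token itself
ACCESS_TTL = 15 * 60       # short-lived access tokens; refresh separately


class TokenError(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_input(signing_input: str) -> str:
    """HMAC-SHA256 over header.payload, base64url-encoded."""
    return b64url_encode(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())


def issue_token(sub: str, ttl: int = ACCESS_TTL, now: int | None = None) -> str:
    """Mint an HS256 token carrying sub, iat and exp."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(canonical_json({"alg": "HS256", "typ": "JWT"}))
    claims = b64url_encode(canonical_json({"sub": sub, "iat": now, "exp": now + ttl}))
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{sign_input(signing_input)}"


def verify_token(token: str, now: int | None = None, leeway: int = 30) -> dict:
    """Return the claims or raise TokenError. Order matters: alg, signature, claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, c64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
    except ValueError:
        raise TokenError("malformed header")
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError("algorithm not allowed")   # blocks alg=none and key confusion
    expected = sign_input(f"{h64}.{c64}")
    if not hmac.compare_digest(expected.encode(), s64.encode()):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(c64))         # only now is the payload trusted
    if "exp" not in claims:
        raise TokenError("missing exp")             # tokens without expiry are refused
    if now > claims["exp"] + leeway:
        raise TokenError("expired")
    if claims.get("nbf", now) - leeway > now:
        raise TokenError("not yet valid")
    return claims


def rejection_reason(token: str, now: int | None = None) -> str | None:
    """None if the token verifies, otherwise the reason it was refused."""
    try:
        verify_token(token, now=now)
        return None
    except TokenError as exc:
        return str(exc)
```

With PyJWT the same intent is `jwt.decode(token, key, algorithms=["HS256"], options={"require": ["exp"]})`: the explicit `algorithms` list and the `require` option are the two arguments that must not be left out.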
Penetration Testing Requirements
When to require pen testing:
- Healthcare apps: Annually minimum, before launch
- Financial services: Quarterly for critical systems
- SaaS with enterprise clients: Annually
- Public-facing APIs: Before launch + after major changes
What to ask agencies:
- "When was your last penetration test?" (Want: <12 months)
- "Can you share the executive summary?" (Should show remediation)
- "What was the most critical finding and how was it fixed?" (Tests honesty)
- "Do you do automated vulnerability scanning?" (Should be continuous)
- "How do you handle security patches?" (Want: <24 hours for critical)
ISO 27001: The Gold Standard
ISO 27001 = International Information Security Management System standard
What it covers: An information security management system (ISMS) plus the Annex A controls: 93 controls in 4 themes in the 2022 edition (114 controls across 14 domains in the 2013 edition), spanning access control, cryptography, physical security, incident management, etc.
When to require it:
- Enterprise sales (Fortune 500 clients)
- Government contracts
- Global operations (more recognized than SOC2 outside US)
- High-security environments
Verification: Request certificate + audit report (typically 3-year cycle)
| Standard | Best For | Typical Cost | Audit Cycle |
|---|---|---|---|
| SOC2 Type II | US SaaS companies | $25-80K/year | Annual |
| ISO 27001 | Global, enterprise | $30-100K initially | 3 years + annual surveillance |
| ISO 9001 | Quality management | $20-60K | 3 years |
| HIPAA | US healthcare | $15-50K (BAA + training + risk assessment) | Annual risk assessment; there is no official HIPAA certification, compliance is self-attested and enforced by HHS OCR |
Contract Clauses for Security & Compliance
Must-Have Security Contract Terms
1. Data Ownership & Access
"Client owns all data, code, and intellectual property. Agency access terminates within 24 hours of contract end. All credentials revoked and logged."
2. Security Standards
"Agency will maintain SOC2 Type II (or equivalent) certification throughout engagement. Any lapse requires immediate notification."
3. Breach Notification
"Agency must notify Client of any security incident within 24 hours of discovery. Client has right to engage third-party forensics at Agency's expense if breach caused by Agency negligence."
4. Audit Rights
"Client may audit Agency's security practices with 30 days notice, up to once per year. Agency will provide documentation within 5 business days."
5. Subcontractor Disclosure
"Agency must disclose all subcontractors and obtain Client approval. Subcontractors must meet same security standards."
6. Data Location
"All data stored in [US/EU] region only. No data transfers outside [region] without explicit written consent."
7. Liability Cap
"For data breaches caused by Agency negligence, liability cap is waived. Standard cap applies to other issues."
HIPAA-Specific BAA Terms
- Permitted uses of PHI (limited to contract performance)
- Safeguards Agency will implement (encryption, access controls)
- Reporting procedures (breach notification: HIPAA allows up to 60 days from discovery; set a deadline of days in the BAA)
- Termination for cause (if Agency breaches HIPAA)
- Return or destruction of PHI upon termination
- Subcontractor agreements (BAA required for all subs)
Red Flags: When to Walk Away
Immediate Disqualifiers:
- Won't sign BAA/DPA before starting: Non-negotiable for regulated industries
- Can't provide recent pen test report: Either haven't done it or hiding results
- Vague about data location: "Cloud-based" isn't specific enough
- Offshore team without compliance docs: Cross-border compliance is complex
- No incident response plan: Means they've never thought about breaches
- Shared credentials across clients: Basic security failure
- No security training for developers: Weak security culture
- Can't explain OWASP Top 10: Don't understand web security basics
- Pushback on audit rights: What are they hiding?
- Claims "100% secure": Either lying or ignorant—both bad
Cost Reality Check
Compliance adds 15-30% to development cost:
| Project Complexity | Base Cost | + HIPAA/SOC2 | What You Get |
|---|---|---|---|
| MVP (3 months) | $75K | $90-100K | BAA, encryption, audit logs, MFA |
| Full product (6 months) | $200K | $240-280K | Above + pen testing, compliance docs |
| Enterprise (12 months) | $500K | $600-700K | Above + SOC2 audit support, ongoing |
Worth it? One data breach costs average $4.45M (IBM 2023). Healthcare breaches average $10.93M. Compliance is cheap insurance.
Find Compliant Python Development Agencies
Compare 30 Python agencies with verified security certifications, compliance experience, and transparent pricing.
View Comparison Table →