CompliQuiz
Once you know which frameworks apply, train your team with interactive compliance quizzes.
Try CompliQuiz →
Answer eight questions about your business and instantly see which compliance frameworks likely apply to you, from SOC 2 and PCI DSS to GDPR and FedRAMP. If you want hands-on compliance training after identifying your frameworks, this pairs well with CompliQuiz.
Tell us about your business and we will show you which compliance frameworks are required, recommended, or worth watching, with a brief explanation for each.
Everything runs in your browser. No data is sent anywhere. For hands-on compliance training, try CompliQuiz.
This tool provides a starting point for understanding which compliance frameworks may be relevant to your organization. It uses simplified heuristics based on common applicability criteria. Every business is different; engage qualified legal or compliance counsel before committing to a specific framework or making compliance claims. The results here do not constitute legal, regulatory, or professional advice.
Assess your organization's security posture across the frameworks you need to comply with.
Try FinSec Scorecard →
It depends on three things: your industry, the data you handle, and where your customers are. A B2B SaaS selling to enterprises almost always needs SOC 2. Anyone touching card payments needs PCI DSS. Healthcare in the US means HIPAA. EU users mean GDPR. This tool asks eight questions and maps your answers to the frameworks that apply.
Not by law; SOC 2 is voluntary. You need it when enterprise buyers start asking for it in security questionnaires. That usually happens around your first real enterprise deal or when ACVs move above ~$25k. Start with a Type 1 report (point-in-time), then a Type 2 (covering six to twelve months) once you're past the first audit cycle.
The moment you store, process, or transmit cardholder data. If you use Stripe Checkout or a hosted payment iframe, you're typically in scope for SAQ A (the lightest tier). If card data ever touches your servers, you're in a much heavier tier. The scope question matters more than the volume question: offload processing to a provider and your PCI burden drops dramatically.
Yes, if you have users in the EU or UK, or if you monitor EU residents' behavior (analytics, ad targeting). The location of your company doesn't matter; the location of the data subject does. At a minimum you need a lawful basis for processing, a privacy notice, a way to handle data subject requests, and a Data Processing Agreement with every sub-processor.
SOC 2 is a US-led attestation focused on service organization controls against five trust principles. ISO 27001 is an international certification for an Information Security Management System (ISMS). US buyers usually ask for SOC 2; European and APAC buyers often prefer ISO 27001. Many companies eventually do both because 70 to 80% of the controls overlap.
Identify the framework first, then drill the controls into muscle memory. CompliQuiz is a question-based compliance training tool covering SOC 2, PCI DSS, HIPAA, GDPR, ISO 27001, and more. It is useful for onboarding new engineers and keeping the existing team audit-ready without sitting through another PDF.