GDPR
Also known as: General Data Protection Regulation · EU GDPR
The General Data Protection Regulation (GDPR) is the European Union's data-protection law. The architectural levers it imposes are consent capture, data minimisation, the right to erasure, breach notification within 72 hours, and Data Protection Impact Assessments for high-risk processing. For TantraDev's clients serving EU users, GDPR shapes data residency, processor-controller contracts (DPAs), and the audit-logging granularity around personal data.
Concepts that travel with this one.
Architecture rarely lives in isolation — these are the terms that come up in the same conversation.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) governs how Protected Health Information (PHI) is stored, transmitted, and accessed in the United States. The Privacy Rule defines what counts as PHI; the Security Rule mandates administrative, physical, and technical safeguards. TantraDev's HealthTech work treats HIPAA as architecture input from sprint one — encryption posture, audit logging, BAA scope, and minimum-necessary access all shape the design.
DPDP Act
The Digital Personal Data Protection Act, 2023 (DPDP) is India's national data-protection law. It introduces consent-based processing of personal data, the role of Data Fiduciary, breach notification to the Data Protection Board, and cross-border transfer restrictions to a notified list of countries. TantraDev builds DPDP-aligned consent capture and audit logging into Indian-data products by default — the law's compliance window is narrowing.
SOC 2
Service Organisation Control 2 (SOC 2) is an AICPA audit framework covering five Trust Service Criteria — Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 Type 1 report attests that controls are designed correctly at a point in time; a Type 2 report attests that they have operated effectively over a 6–12 month window. TantraDev is on track for Type 1 in Q3 2026.
Building a system where GDPR is the load-bearing decision?
30 minutes on the phone, one page in your inbox — what to build, what to skip, what it will cost. You keep the audit even if we are not the right fit.