2025.1
Niche Studio provides web development and hosting services to clients across various industries. Some client projects may require compliance with specific regulatory frameworks beyond Niche Studio’s standard security practices.
This policy outlines the additional security requirements and procedures that apply when working on client projects that involve regulated data or specific compliance requirements.
Scope¶
This policy applies to:
- Client projects involving healthcare data (HIPAA)
- Client projects involving EU personal data (GDPR)
- Client projects with specific industry compliance requirements
- Any project where the client has additional security requirements beyond Niche Studio’s standard practices
Policy Statements¶
Niche Studio policy requires that:
(a) Project Assessment: All new client projects must be assessed for additional compliance requirements during the initial project scoping phase.
(b) Compliance Documentation: Additional compliance requirements must be documented in the project contract and project management system.
(c) Team Training: Project team members must receive appropriate training for any additional compliance requirements before beginning work on the project.
(d) Separate Environments: Client projects with additional compliance requirements must use separate, dedicated environments that meet the specific compliance standards.
(e) Vendor Compliance: All third-party services used for compliant client projects must meet the applicable compliance standards and have appropriate agreements in place.
(f) Regular Review: Compliance requirements for client projects must be reviewed and validated throughout the project lifecycle.
Compliance Frameworks¶
HIPAA (Healthcare Projects)¶
When working on projects involving healthcare data:
- We act primarily as a processor for client projects
- All team members must complete HIPAA awareness training
- Projects must use HIPAA-compliant hosting and services
- Business Associate Agreements (BAAs) must be executed with all vendors
- Development must follow HIPAA-specific security practices
- Regular security assessments must be conducted
Reference Documents:
- HIPAA Business Associate Agreement Template
- HIPAA Development Best Practices (see SDLC policy below)
- HIPAA Training Requirements (see Training policy below)
GDPR (EU Data Projects)¶
When working on projects involving EU personal data:
- We act primarily as a processor for client projects
- We maintain Article 30(2) records of processing activities
- Data Processing Agreements (DPAs) must be executed with clients
- Data protection impact assessments must be conducted
- Privacy by design principles must be implemented
- Data subject rights must be supported
- Cross-border data transfers must be properly documented
- Data Protection Impact Assessment (DPIA) templates are available for projects handling sensitive data
Reference Documents:
- GDPR Data Processing Agreement Template
- Privacy Notices and Consent Management (see Privacy policy below)
PCI DSS (Payment Processing Projects)¶
When working on projects involving payment card data:
Stripe Checkout (Hosted Payment Pages) - SAQ A:
- Use Stripe Checkout for hosted payment pages
- No cardholder data touches Niche Studio systems
- Minimal PCI DSS compliance requirements
- Annual self-assessment questionnaire completion required
- Reference: PCI SSC SAQ A (v4.0) and PCI DSS 4.0.1 updates
Stripe Elements (Embedded Payment Forms) - SAQ A-EP:
- Use Stripe Elements for embedded payment forms
- No cardholder data may be stored, processed, or transmitted by Niche Studio
- PCI DSS SAQ A-EP compliance must be maintained with required script integrity controls
- Quarterly ASV scans required for payment sites
- Page integrity monitoring and change control procedures required
- Regular vulnerability scans and compliance assessments must be conducted
- All staff must complete PCI DSS awareness training
- Reference: PCI SSC SAQ A-EP (v4.0) and PCI DSS 4.0.1 updates
- Script integrity controls (PCI DSS 6.4.3, 11.6.1): SRI, CSP, quarterly script reviews, tamper detection
- See detailed SDLC PCI section for implementation guidance
PayPal/eWAY Integration:
- Hosted payment widgets = SAQ A compliance (similar to Stripe Checkout)
- On-site payment widgets = SAQ A-EP compliance (similar to Stripe Elements)
Reference Documents:
- PCI DSS SAQ A-EP Compliance with Stripe Elements (see SDLC policy below)
- PCI SSC SAQ A-EP definition and qualification requirements
- Stripe integration security guidance and roles & responsibilities
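The following Python script is an added example, not Niche Studio's own tooling and not part of the SDLC policy referenced above. It shows what the script integrity controls listed for SAQ A-EP (SRI hashes, a CSP script-src allowlist, an authorized-script inventory per PCI DSS 6.4.3, and change/tamper detection per 11.6.1) look like as an automated quarterly check over a payment page. The page HTML, CSP header, hostnames, script bodies and hashes are all constructed for illustration; the `AUTHORIZED` inventory and the baseline snapshot passed to `detect_tamper` are assumed to be maintained by the project team.

```python
"""Script integrity check for a payment page (PCI DSS 6.4.3 / 11.6.1 style).

Added example, not Niche Studio's code. Assumes the page HTML and CSP header are
available as strings, an inventory maps authorized script URL -> expected SRI
value, and a baseline snapshot from the previous review is kept for comparison.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class _ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def collect_scripts(html: str) -> list:
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts


def parse_csp(header: str) -> dict:
    """Parse 'directive src1 src2; directive2 ...' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_page(html: str, csp_header: str, authorized: dict) -> list:
    """Return findings for the page. `authorized` is the 6.4.3 inventory: URL -> expected SRI."""
    findings = []
    policy = parse_csp(csp_header)
    script_src = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        findings.append("CSP script-src allows 'unsafe-inline'; injected inline scripts would run")
    for tag in collect_scripts(html):
        src = tag.get("src")
        if src is None:
            findings.append("inline <script> present; require a CSP nonce or hash and justify it in the inventory")
            continue
        if src not in authorized:
            findings.append(f"unauthorized script not in inventory: {src}")
        elif tag.get("integrity") != authorized[src]:
            findings.append(f"integrity attribute missing or differs from inventory: {src}")
        is_cross_origin = bool(urlparse(src).netloc)
        if is_cross_origin and tag.get("integrity") and tag.get("crossorigin") is None:
            findings.append(f"integrity set without crossorigin; browsers cannot verify SRI cross-origin: {src}")
        # Relative URLs count as 'self'; absolute URLs must match a host listed in script-src.
        if is_cross_origin and not any(src.startswith(a) for a in script_src if a.startswith("http")):
            findings.append(f"script host not permitted by CSP script-src: {src}")
    return findings


def detect_tamper(current: dict, baseline: dict) -> list:
    """Diff the current {url: sri} snapshot against the last reviewed baseline (11.6.1 change detection)."""
    changes = []
    for url in sorted(set(current) | set(baseline)):
        if url not in baseline:
            changes.append(f"added: {url}")
        elif url not in current:
            changes.append(f"removed: {url}")
        elif current[url] != baseline[url]:
            changes.append(f"changed: {url}")
    return changes


# Constructed sample data: hostnames, script bodies and the resulting hashes are illustrative only.
CHECKOUT_URL = "https://pay.example.test/checkout.js"
ANALYTICS_URL = "https://cdn.example.test/analytics.js"
AUTHORIZED = {
    CHECKOUT_URL: sri_hash(b"/* constructed checkout loader */"),
    ANALYTICS_URL: sri_hash(b"window.track = function (e) { /* constructed analytics */ };"),
}
SAMPLE_PAGE = f"""<html><head>
<script src="{CHECKOUT_URL}" integrity="{AUTHORIZED[CHECKOUT_URL]}" crossorigin="anonymous"></script>
<script src="{ANALYTICS_URL}"></script>
<script src="https://cdn.other.test/widget.js"></script>
</head><body><script>console.log("inline")</script></body></html>"""
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://pay.example.test https://cdn.example.test"

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE, SAMPLE_CSP, AUTHORIZED):
        print("FINDING:", finding)
    baseline = dict(AUTHORIZED)  # snapshot from the previous quarterly review (constructed)
    current = {CHECKOUT_URL: AUTHORIZED[CHECKOUT_URL], ANALYTICS_URL: sri_hash(b"/* modified */")}
    for change in detect_tamper(current, baseline):
        print("CHANGE:", change)
```

On the sample page the checkout loader passes, the analytics script is flagged for a missing integrity attribute, the widget is flagged twice (not in the inventory and not allowed by the CSP), and the inline script is flagged for needing a nonce or hash. In practice the `current` snapshot would be built by fetching each inventoried script and hashing its body with `sri_hash`, so that a silently modified third-party script shows up as `changed:` before the next quarterly review.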
Industry-Specific Requirements¶
Additional compliance requirements may apply based on client industry:
- Financial Services: PCI DSS SAQ A or SAQ A-EP compliance for payment processing (depending on Stripe implementation)
- Government: Specific government security requirements
- Education: FERPA compliance for educational data
- Other: Client-specific compliance requirements as documented
Implementation¶
Project Initiation¶
- Compliance Assessment: Identify all applicable compliance requirements during project scoping
- Documentation: Document requirements in project contract and internal systems
- Team Assignment: Assign team members with appropriate compliance training
- Environment Setup: Configure separate, compliant environments as needed
Project Execution¶
- Regular Reviews: Conduct regular compliance reviews throughout the project
- Documentation Updates: Maintain compliance documentation as requirements change
- Training Updates: Ensure team members stay current with compliance requirements
- Vendor Management: Monitor vendor compliance throughout the project
Project Completion¶
- Final Review: Conduct final compliance review before project delivery
- Documentation Handover: Provide client with all compliance documentation
- Knowledge Transfer: Document lessons learned for future similar projects
- Archive: Securely archive all compliance-related project materials
Responsibilities¶
- Project Manager: Ensure compliance requirements are identified and documented
- Technical Lead: Implement technical controls to meet compliance requirements
- Security Officer: Review and approve compliance implementations
- All Team Members: Follow compliance procedures and report any issues
Training Requirements¶
- HIPAA Projects: All team members must complete HIPAA awareness training
- GDPR Projects: All team members must complete GDPR awareness training
- Other Compliance: Training as required by specific compliance frameworks
- Annual Refresher: Annual refresher training for all compliance frameworks
Monitoring and Compliance¶
- Regular compliance assessments during project execution
- Quarterly review of compliance procedures and documentation
- Annual review of training materials and requirements
- Continuous improvement based on lessons learned from projects