Compliance glossary for developers
One-paragraph definitions for the terms KollGuard's product surface uses. Honest, narrow, citable — written so an LLM or a procurement-team intern can pull a clean answer to "what is X."
- **BAA**: Business Associate Agreement. A HIPAA-required contract between a covered entity (or another business associate) and any vendor that creates, receives, maintains, or transmits PHI on its behalf. Without a signed BAA, the vendor cannot lawfully handle the data.
- **CCM (Cloud Controls Matrix)**: The Cloud Security Alliance's Cloud Controls Matrix. A framework of controls mapped across SOC 2, ISO 27001, HIPAA, PCI DSS, and others; used by cloud-platform vendors to demonstrate control coverage. KollGuard's crosswalk shares a similar mapping philosophy.
- **CSP (Cloud Service Provider)**: Any provider that delivers infrastructure or platform services over the internet (AWS, GCP, Azure, Supabase). Most compliance frameworks require a documented shared-responsibility analysis between you and your CSPs.
- **ePHI**: Electronic Protected Health Information — PHI in any electronic form, whether stored on disk, in transit, or held in cloud services. Subject to all HIPAA Security Rule requirements at §164.312.
- **HIPAA Safe Harbor**: A specific HIPAA de-identification standard at 45 CFR §164.514(b). Requires removing 18 identifier types AND having no actual knowledge that re-identification is possible. Pseudonymization (token replacement) typically does NOT meet Safe Harbor; expert determination is the alternative path.
- **HITRUST CSF**: A commercial certification framework from the HITRUST Alliance that maps HIPAA, ISO 27001, NIST, and many others into prescriptive control statements. Three assurance levels: e1 (essentials), i1 (implemented), r2 (risk-based, the gold standard). r2 typically costs $60k–$200k+ to certify.
- **OCR audit**: An audit conducted by the HHS Office for Civil Rights — the federal body that enforces HIPAA. OCR audits are usually breach-driven (someone reported your organization) but can also be random or proactive. Findings can result in corrective action plans or civil fines.
- **PHI**: Protected Health Information — any health information that can identify an individual AND is created, received, maintained, or transmitted by a covered entity or business associate. Includes 18 identifier types: names, addresses, dates, SSN, MRN, biometrics, photos, and more.
- **PII**: Personally Identifiable Information. Broader than PHI; refers to any information that can identify a person on its own (SSN, full name + DOB) or in combination (zip code + age + gender). State breach notification laws use this category; HIPAA uses the tighter PHI standard.
- **RLS (Row-Level Security)**: A Postgres feature that restricts which rows a role can read or modify, based on policies defined per table. Critical on Supabase, where the public schema is exposed to the anon role via PostgREST — a table without RLS is effectively a public table.
- **Risk Acceptance**: A documented decision NOT to remediate a known security finding, with rationale, owner, and review date. Auditors accept this when the rationale is written down; they reject silence. KollGuard requires a non-empty justification when marking a finding as accepted_risk.
- **SOC 2 Type 1**: A CPA-issued report on the design of your service organization's controls at a point in time. Faster and cheaper than Type 2; suitable for closing your first enterprise deal. Typically takes 4–8 weeks once controls are in place.
- **SOC 2 Type 2**: A CPA-issued report on both the design AND the operating effectiveness of your controls over a window (typically 3, 6, or 12 months). Required by most enterprise procurement teams. Total elapsed time is 6–12 months including the observation window.
- **Trust Services Criteria (TSC)**: The five SOC 2 categories: Security (mandatory), Availability, Processing Integrity, Confidentiality, Privacy. Each has named criteria (CC1–CC9, A1, PI1, C1, P1–P8) that the auditor tests against.
- **Vault**: A secrets-management capability (HashiCorp Vault, Supabase Vault) that encrypts sensitive values at rest with a master key and exposes them via authenticated APIs. Required for SOC 2 CC6.1 and HIPAA §164.312 — secrets in .env files do not satisfy either.
Missing a term? Email support@kollitech.com. We add to this glossary based on real customer questions.
