
Projects and Compliance Frameworks

RiskFlow helps organizations stay compliant with industry standards by organizing work into projects under various compliance frameworks.

Each organization can manage its own set of projects based on the frameworks made available to them. Operators and administrators can use this guide to understand the project structure, lifecycle, and available modules.


What Are Compliance Frameworks?

Compliance frameworks are standardized sets of controls and processes an organization must follow to remain legally and operationally compliant.

Currently supported frameworks:

  • HIPAA (Health Insurance Portability and Accountability Act)
  • Others (e.g., GDPR, SOC 2) to be supported in the future

Project Modules in HIPAA

The HIPAA framework in RiskFlow is broken down into the following modules:

1. Security Risk Assessment (SRA)

  • Automatically assesses Google Workspace configuration using Google Admin SDK and Policy APIs.
  • Compares current settings with HIPAA best practices.
  • Generates a risk score and actionable insights.

2. Business Associate Agreements (BAA)

  • Legal contracts that define responsibilities between covered entities and vendors.
  • Supports document upload, digital signing, and tracking.
  • Involves both organization users and external vendors.

3. Policies and Procedures (PnP)

  • Internal document compliance tracking.
  • Admins create folders, upload policies, and assign signers within their team.
  • Tracks document completion and signature status.

Project Lifecycle

  1. Created by Org Admins
  2. Configured with specific settings
  3. Assigned to users or vendors
  4. Tracked for compliance progress
  5. Exported or reviewed during audits

Notes for Operators

  • Only Organization Admins can create or delete projects.
  • Permissions to view/edit project modules depend on the user’s role:
    • Compliance Analyst: Limited to BAA or PnP
    • Security Analyst: Access to SRA only
    • Org Auditor: Read-only access across modules
  • Vendor participation is limited to signing BAAs via magic links.

Coming Soon

  • GDPR
  • SOC 2
  • Custom Framework Builder (planned)
