Compliance Architecture and Controls Questions
Focuses on translating legal and regulatory obligations into technical architecture and operational controls. Candidates should demonstrate how to map requirements such as data handling rules, consent models, retention and deletion mechanisms, data subject rights workflows, breach notification processes, and processor agreement obligations into concrete design decisions and controls. Expected topics include data residency and sovereignty decisions, encryption and key management, access control and privileged access management, audit logging and tamper-resistant audit trails, retention and immutability policies, backups and recovery, segmentation and isolation, change management and configuration baselining, and third-party and vendor risk controls. Candidates should be able to explain trade-offs between engineering feasibility and regulatory obligations, provide examples of systems or features designed or modified to meet compliance needs, describe interactions with legal, privacy, and compliance teams to interpret rules, and explain how testing, monitoring, incident response, and documentation support audit readiness and continuous compliance.