Audit, Compliance, Privacy & Governance - Analysis
Planning-layer analysis for category 6. It groups the 50 candidate services into capabilities, recommends what becomes a standalone service versus a module, and captures domain, interface, and non-functional notes. For the plain item list see the browse page.
Scope & Bounded Context
- Primary bounded context: Audit & Compliance
- Group: core
- Default wave / cycle: Phase 1 · Core Platform Wave
- Items: 50 candidates
This category is anchored to the ConnectSoft DDD baseline in the SaaS framework DDD blueprint and the service classification model.
Classification Breakdown
| Classification | Count |
|---|---|
| Microservice | 1 |
| Module-in-service | 38 |
| Portal/UI Module | 4 |
| Vertical Solution Pack | 3 |
| Workflow Template | 4 |
Anti-fragmentation stance
Per ADR-0011, the 38 module candidates below are delivered inside the Audit & Compliance bounded-context service, not as separate microservices. Only the 1 platform/service candidate justifies an independent runtime.
Standalone Service / Platform Candidates
| ID | Service | Tier | Status |
|---|---|---|---|
| CS-SVC-0284 | Compliance Policy Engine | 1 | Planned |
Portal / UI Modules
- Audit Timeline UI (CS-SVC-0255)
- Compliance Center (CS-SVC-0263)
- Privacy Preference Center (CS-SVC-0280)
- Governance Reporting Portal (CS-SVC-0300)
Domain, Interfaces & Data Ownership
- Aggregates are owned by the Audit & Compliance context; cross-context reads go through published contracts, never shared databases.
- Integration is event-first (outbox + integration events) per the event-driven mindset.
- APIs are contract-first and versioned through the API & Integration context.
Non-Functional Posture
- Multi-tenancy & edition-awareness: required for all serious candidates.
- Security: High baseline; secrets via the platform secret store; least privilege.
- Compliance: critical - audit + evidence by default.
- Observability: OpenTelemetry traces, metrics, and structured logs.
MVP vs Future
- MVP (Tier 0-1): Audit Trail Service, Immutable Audit Log Service, Audit Query API, Audit Export Service, Audit Timeline UI, Admin Action Audit Service, Auth Event Audit Service, Data Access Audit Service
- Future (Tier 4-5): none
Open Questions
- Which module candidates, if any, develop independent scaling or ownership needs that would justify promotion to a standalone service?
- Where do this category's contracts overlap with adjacent contexts, and who owns them?