Compliance Best Practices: SOC2, HIPAA, and GDPR

Navigating the alphabet soup of regulation. How to configure Gemini (via Vertex AI) to meet strict industry standards.

Compliance Best Practices

If you work in Health or Finance, "It works" isn't enough. It must be compliant.

HIPAA (Health, US)

  • Google AI Studio: NOT HIPAA compliant.
  • Vertex AI: IS HIPAA compliant (if you sign a BAA, a Business Associate Agreement, with Google).
  • Requirement: You must ensure no PII is logged in non-compliant ways.

GDPR (Data, EU)

  • Right to explanation: Users have a right to ask "What reasoning did the AI use?" (Explainability).
  • Right to be forgotten: If a user deletes their account, can you ensure their data wasn't baked into a Fine-Tuned model? (Reason #500 not to fine-tune on PII).

SOC2

Enterprise requirement. Requires you to have audit logs of who changed a prompt and when. This is why Git-based prompt management is essential.

Summary

Compliance is a constraint. If you need it, move from AI Studio to Vertex AI immediately.

Module 10 Complete! Your systems are safe and legal. In Module 11, the rubber meets the road: Deployment and Production.
