InterviewStack.io LogoInterviewStack.io

Compliance Architecture and Controls Questions

Focuses on translating legal and regulatory obligations into technical architecture and operational controls. Candidates should demonstrate how to map requirements such as data handling rules, consent models, retention and deletion mechanisms, data subject rights workflows, breach notification processes, and processor agreement obligations into concrete design decisions and controls. Expected topics include data residency and sovereignty decisions, encryption and key management, access control and privileged access management, audit logging and tamper resistant audit trails, retention and immutability policies, backups and recovery, segmentation and isolation, change management and configuration baselining, and third party and vendor risk controls. Candidates should be able to explain trade offs between engineering feasibility and regulatory obligations, provide examples of systems or features designed or modified to meet compliance needs, describe interactions with legal, privacy, and compliance teams to interpret rules, and explain how testing, monitoring, incident response, and documentation support audit readiness and continuous compliance.

MediumTechnical
35 practiced
Design a key management model that supports tenant-owned keys (BYOK) and tenant-isolated master keys in a multi-tenant SaaS. Describe key lifecycle management (generation/import, rotation, revocation), envelope encryption patterns, KMS vs HSM choices, access control restrictions, and how you would handle data re-encryption, backup key management, and customer key revocation scenarios.
HardTechnical
22 practiced
You receive an external audit report identifying several high-severity control failures (improper change management, missing privileged access logs, incomplete processor agreements). Draft a remediation plan: list technical fixes, interim compensating controls, timelines, resource assignments, regression testing, communication with regulators/customers, and how you would ensure recurrence prevention and collect post-remediation evidence for auditors.
EasyTechnical
23 practiced
Explain the purpose of Privileged Access Management (PAM) and identify five concrete technical and operational controls a Security Architect should deploy to manage and monitor privileged accounts across cloud and on-prem environments. Explain briefly how each control supports compliance obligations such as separation of duties and auditability.
HardTechnical
20 practiced
Your platform stores petabytes of tenant data encrypted with envelope encryption. A large customer requests a master-key rotation and full re-encryption of their data within 24 hours. Describe a scalable design to meet this request with minimal downtime and cost. Discuss eager versus lazy re-encryption, re-encryption proxies, indirection layers, metadata strategies, backup consistency during re-encryption, and how to verify and roll back if an error occurs.
HardTechnical
22 practiced
You must architect backup storage for 1PB of regulated data with jurisdiction-specific retention policies (1 year, 7 years, indefinite under litigation). Propose a tiered storage and indexing architecture that meets retention and legal-hold needs while optimizing cost and enabling efficient e-discovery and auditability. Discuss immutability, metadata indexing, and migration strategy.

Unlock Full Question Bank

Get access to hundreds of Compliance Architecture and Controls interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.