Webhooks cross system boundaries. They carry event payloads from your infrastructure to your customers' endpoints — and in regulated industries, every byte that leaves your system may need to be auditable, encrypted, and access-controlled before it reaches a destination.
The compliance challenge isn't that webhooks are fundamentally insecure. It's that most webhook implementations are built for developer convenience first, with compliance layered on afterward. Building it correctly from the start requires knowing which controls each framework actually demands.
The Compliance Surface of a Webhook System
A webhook delivery system has more compliance surface than most teams anticipate:
- ›Transit encryption — TLS 1.2 minimum, 1.3 preferred; no self-signed certificates
- ›Payload confidentiality — PHI or cardholder data should not appear in event bodies or delivery logs
- ›Authentication — HMAC signatures prove origin; per-destination secrets prevent shared-key leakage
- ›Audit trails — every delivery attempt logged with timestamp, outcome, and actor
- ›Access control — who can configure destinations, view payloads, and trigger replays
- ›Data retention — how long event data is stored and when it is purged
These constraints interact. You want comprehensive audit logs, but you don't want to log raw payloads containing PHI. You want to replay failed events, but some regulations restrict retention periods. Intentional design — not bolt-on controls — is what makes the difference.
SOC2 Type II: What Auditors Actually Look For
SOC2 doesn't specify technical controls — it evaluates whether your controls achieve the Trust Service Criteria. For webhook infrastructure, auditors sample evidence of:
Logical access controls. Is destination configuration restricted? Who can add, modify, or delete delivery endpoints? Are delivery logs restricted to authorized personnel?
Audit log completeness. Every delivery attempt with timestamp, destination ID, HTTP status, and outcome. Every replay — who triggered it, when, which event ID. Every configuration change to destinations or signing secrets.
Encryption in transit. Evidence that deliveries only target HTTPS endpoints. TLS enforcement at the delivery layer, not just documented as a recommendation.
Incident response evidence. Dead-letter queue visibility and alert thresholds for delivery failure rates, with evidence of response.
The delivery log is the key audit artifact. Auditors sample it and verify it's complete, retained for the required duration, and that access is controlled. Gaps or mutability are findings.
HIPAA: PHI in Webhook Payloads
HIPAA creates the most complex constraints because healthcare events — appointment bookings, lab results, prescription status changes — frequently contain Protected Health Information.
The core rule: do not include raw PHI in webhook payloads. Payloads should contain event identifiers and foreign keys. Consumers fetch the PHI via a separate authenticated API call after receiving the event.
Wrong:
{
"event": "appointment.scheduled",
"patient_name": "Jane Smith",
"dob": "1985-03-12",
"diagnosis_code": "J30.1"
}Right:
{
"event": "appointment.scheduled",
"appointment_id": "appt_01J2KX8MABCDEF",
"patient_id": "pat_9f2a3b",
"timestamp": "2026-04-27T14:32:00Z"
}The consumer calls GET /appointments/appt_01J2KX8MABCDEF with their credentials to fetch clinical details. The webhook payload contains no PHI, so it falls outside HIPAA's data handling requirements at the delivery layer.
| Requirement | Engineering Control |
|---|---|
| Business Associate Agreement | BAA with your webhook delivery vendor |
| Minimum necessary disclosure | Send event IDs, not PHI |
| Audit controls | Full delivery log with timestamps and actor |
| Integrity controls | HMAC signature on every delivery |
| Transmission security | TLS 1.2+, self-signed certs rejected |
| Access control | Per-destination secrets, not a shared key |
If integration requirements force PHI into payloads, encrypt at the application layer before the delivery system sees it. The delivery layer handles an opaque blob; only the consumer can decrypt it. This limits PHI scope to the consumer endpoint, not the delivery infrastructure. Whichever approach you take, confirm your webhook delivery vendor will sign a BAA before routing PHI-adjacent events through them.
PCI-DSS: Cardholder Data and TLS Enforcement
PCI-DSS applies when webhook payloads reference cardholder data: PANs, CVVs, expiration dates, or cardholder names combined with payment identifiers.
Cardholder data should never appear in a webhook payload. Use a PSP-issued token (e.g., a pm_ payment method ID) and let consumers call the PSP API to retrieve payment details directly.
Beyond payload hygiene, PCI-DSS 4.0 has network-level requirements:
TLS version enforcement. TLS 1.0 and 1.1 are explicitly prohibited; TLS 1.2 is the minimum. Your delivery layer must reject connections to destinations that negotiate a lower version. Verify a destination's TLS posture before adding it:
# Confirm deprecated TLS is rejected at the destination
openssl s_client -connect api.example.com:443 -tls1_1 2>&1 | grep "no protocols available"
# Confirm TLS 1.2 is accepted
openssl s_client -connect api.example.com:443 -tls1_2 2>&1 | grep "Cipher is"Cipher suite restrictions. RC4, DES, and 3DES are prohibited. In Go, setting tls.Config.MinVersion = tls.VersionTLS12 excludes most weak suites, but audit the default cipher list explicitly for PCI scope.
Vendor AOC. If you use a managed webhook delivery provider, verify they maintain an Attestation of Compliance. Without it, their infrastructure does not reduce your PCI scope.
Building a Compliant Audit Log
The delivery audit log is the foundation of compliance for all three frameworks. It must be append-only, complete, and retained for the required duration:
CREATE TABLE delivery_attempts (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
event_id UUID NOT NULL REFERENCES events(id),
destination_id UUID NOT NULL REFERENCES destinations(id),
account_id UUID NOT NULL REFERENCES accounts(id),
attempt_number INT NOT NULL,
attempted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
outcome TEXT NOT NULL,
response_status INT,
response_time_ms INT,
-- Compliance-specific fields
initiated_by TEXT NOT NULL, -- 'system' or 'user:<id>' for manual replays
tls_version TEXT, -- '1.2' or '1.3'
dest_url_hash TEXT, -- SHA-256(destination_url)
CONSTRAINT valid_outcome CHECK (outcome IN (
'success', 'timeout', 'http_4xx', 'http_5xx', 'network_error', 'cancelled'
))
);
CREATE INDEX delivery_attempts_account_time
ON delivery_attempts (account_id, attempted_at DESC);initiated_by distinguishes automatic delivery from manual replay. SOC2 auditors require replays to be attributable to a specific person — store user:<user_id> for any delivery triggered via the management API.
dest_url_hash logs a SHA-256 of the destination URL rather than the raw URL. This proves delivery was made to a specific endpoint without embedding plaintext infrastructure topology in every audit row.
Do not allow application code to update or delete rows. Use a separate archival process for retention-limit purges, controlled outside the application database user's permissions.
Access Control for Destination Configuration
In regulated environments, the ability to add, modify, or delete webhook destinations is a privileged operation. An attacker who can change a destination URL can redirect your entire event stream to an endpoint they control.
Controls that satisfy all three frameworks:
- ›Separate API keys for read vs. write. Consumers that query delivery logs should not hold keys that can modify destinations or rotate secrets.
- ›Configuration change audit log. Every add, modify, or delete of a destination logged with actor ID, timestamp, and before/after values — separate from the delivery log.
- ›Secret rotation cadence. Signing secrets should rotate on a defined schedule; quarterly is common for SOC2. The procedure must be documented and auditable.
- ›Destination allowlisting. In HIPAA and PCI environments, restrict delivery to an approved list of domains to prevent a compromised key from redirecting events to arbitrary endpoints.
GetHook logs every management operation against the API key that performed it, giving you the configuration change audit trail that SOC2 requires without custom implementation.
Quick Reference: Requirements by Framework
| Control | SOC2 Type II | HIPAA | PCI-DSS 4.0 |
|---|---|---|---|
| TLS in transit | Required | Required | TLS 1.2+ mandatory |
| PHI/CHD in payloads | Scope-dependent | Avoid or encrypt | Prohibited |
| Delivery audit log | Required | Required | Required |
| Configuration change log | Required | Required | Required |
| Access control | Required | Required | Required |
| Audit log retention | Policy-defined | 6 years | 1 year minimum |
| Vendor BAA / AOC | Not required | BAA required | AOC required |
| Vulnerability management | Evidence required | Addressable | Quarterly scans required |
The retention column drives a common cross-framework conflict. HIPAA requires 6-year audit log retention; PCI-DSS requires 12 months with 3 months immediately available. If your product operates under both, build to the stricter requirement and let the shorter frameworks benefit automatically.
Regulated-industry webhook delivery uses the same reliability patterns as any other delivery system — durable queuing, exponential backoff, HMAC signatures. What changes is the strictness of the controls: TLS version enforcement, payload hygiene (no PHI or cardholder data in event bodies), an immutable delivery audit log, and access controls on destination configuration.
Most of the compliance work happens at design time — in payload schema decisions and audit log design — not at runtime. Get those decisions right early and the ongoing operational burden is low.
If you want delivery audit logs, per-destination signing secrets, and TLS enforcement already built in, start with GetHook →