SideGuy Operator Hub · Compliance Across NCSD · 8 Cities + 5 Tools

NCSD Compliance · Operator-Honest Guidance Across North County San Diego

8 city-anchored compliance pages + 5 interactive vendor matcher quizzes for operators in Solana Beach, Encinitas, Cardiff, Carlsbad, Del Mar, Rancho Santa Fe, Oceanside, and La Jolla. Different city → different industry mix → different framework focus → different operator-honest read. All written by PJ at SideGuy. No Calendly · text-first.

Why a per-city hub: The right compliance framework for a Cardiff hardware operator (FCC + UL first) is structurally different from the right framework for a Del Mar fintech founder (PCI + SOC 2 layered). Generic compliance advice forces every operator into the same shape — this hub routes you to the page that actually matches your city's industry mix + your operator profile.

The 8 NCSD compliance operator pages

Each page anchors to a real NCSD city + a specific persona + a distinct framework angle. Click the one that fits — or text PJ if none does.

📍 Solana Beach

SOC 2 — When Premature vs Overdue

4 premature + 4 overdue signals for the 5-person SaaS in PJ's own neighborhood. S Cedros + Belly Up Tavern adjacent.

📍 Encinitas

SOC 2 — Real Cost for the 1-Person Shop

Dollar-by-dollar receipt for solo technical founders. The 4 hidden costs nobody mentions. Sub-$20K path. Coast Hwy 101.

📍 Cardiff-by-the-Sea

Hardware Compliance — FCC + UL Come First

Honest sequencing for electronics + hardware operators. FCC certification + UL listing before SOC 2. Cardiff Reef adjacent.

📍 Carlsbad

Multi-Framework — SOC 2 + ISO 27001 + HIPAA Sequencing

Layered framework sequencing for biotech/medtech CTOs. ResMed / Acacia / Viasat / Callaway corridor.

📍 Del Mar

Fintech — PCI + SOC 2 Layered

PCI scope decides everything for the fintech founder. SAQ-A vs Level 1 ROC. Racetrack-area + 15th Street.

📍 Rancho Santa Fe

Vendor Due Diligence — SOC 2 Is the Floor

7 questions SOC 2 doesn't answer for family-office IT + fractional CAIO operators. Discretion-first.

📍 Oceanside

Veteran-Owned — CMMC + FedRAMP-Adjacent

DoD-adjacent + SDVOSB compliance sequencing for veteran founders. Camp Pendleton adjacent.

📍 La Jolla

Academic Spin-Out — HIPAA + NIST + Research Integrity

Compliance map for UCSD / Salk / Scripps / Sanford Burnham spin-out founders. NIH-funded research data.

📍 Encinitas

HIPAA Mental-Health — Therapy SaaS + Telehealth

HIPAA + 42 CFR Part 2 (SUD) + CA BBS/BBHC + AI clinical documentation 2026 scrutiny. Mental-health SaaS founders. D Street + Moonlight Beach adjacent.

🩺 Practitioner

HIPAA for LMFTs / LCSWs — Private Practice Operator Guide

Practitioner-side 2026 operator guide · do I need HIPAA · the $80-150/mo minimum stack · 6-item fix-this-week checklist · CA CMIA layer · BAA vendor cheatsheet. For LMFTs · LCSWs · LPCCs in private practice.

📍 Solana Beach

HIPAA Telehealth — Multi-State Video + Async

HIPAA + IMLC/PSYPACT + DEA telemedicine + Ryan Haight + state telehealth practice rules + insurance reimbursement. Cedros + Fletcher Cove adjacent.

📍 Cardiff-by-the-Sea

HIPAA Medical-Device SaaS — FCC Done · HIPAA + SaMD Next

For hardware operators adding the cloud layer · HIPAA + FDA SaMD + 21 CFR Part 11 + BAA chain end-to-end (firmware → cellular IoT → cloud → enterprise customer). 8-9 BAAs minimum. Cardiff Reef adjacent.

📍 Oceanside

HIPAA Veteran Telehealth — VA + TRICARE + DoD-Adjacent

For veteran-serving telehealth operators · HIPAA + 38 CFR Part 17 (VA) + TRICARE DHA rules + state telehealth + CMMC L2 if DoD-contracting. Camp Pendleton-adjacent + IMLC/PSYPACT multi-state.

The practitioner-side HIPAA operator guides · solo & small private practice

Buyer-side compliance pages are above. THESE are the operator-honest practitioner-side guides — for the LMFT / Psychologist / Psychiatrist / Chiropractor / Dietitian / Acupuncturist / SLP / PT / OT / Pediatrician / Dentist / Audiologist / Optometrist running their OWN practice and asking "do I actually need HIPAA, and how cheaply can I do it cleanly?". $80-150/mo minimum stack, 6-item fix-this-week checklist, CA layer for each license body. Generator-built (tools/build_practitioner_hipaa_page.py) · 13 profiles · 4 NCSD city variants · 65 total guides.

📊 Full matrix: Practitioner HIPAA Matrix · 13 verticals × 4 NCSD cities + 13 CA-statewide · 65 operator guides · scannable table format

🩺 LMFT · LCSW · LPCC

HIPAA for Marriage & Family Therapists

CA BBS-licensed. $80-150/mo minimum stack · 6-item fix-this-week checklist · CMIA layer · 3 fastest fine patterns · BAA vendor cheatsheet (SimplePractice · TherapyNotes · Paubox · Spruce · etc).

🧠 PhD · PsyD

HIPAA for Clinical Psychologists

CA Board of Psychology aligned. Psychological testing data (WAIS · MMPI · Rorschach) is PHI. Q-global + Q-interactive BAA notes. 7-year retention (10 for minors). NPP must be posted in waiting room.

💊 MD · DO

HIPAA for Psychiatrists

Medical Board of CA + DEA EPCS + Ryan Haight Act 2.0 (2026) + CA CURES 2.0. Surescripts EPCS, DrFirst, EPCS-eligible EHRs. Double fine-risk: HIPAA + DEA non-compliance is the controlled-substance trap.

🦴 DC

HIPAA for Chiropractors

CA Board of Chiropractic Examiners. X-ray DICOM files are PHI. Shared workstation logins fail §164.312(a). ChiroTouch · Genesis · Eclipse · Ambra Health · DICOM cloud storage with BAA. Workers-comp billing triggers HIPAA.

🥗 RD · RDN

HIPAA for Dietitians & Nutritionists

CA Board of RD/RDN. Meal-tracking apps (MyFitnessPal · Cronometer free) + CGM data integrations are HIPAA risk surfaces. Practice Better · Healthie · That Clean Life · Nutrium have BAAs. "Nutritionist" title less protected than RD.

📍 L.Ac.

HIPAA for Acupuncturists

CA Acupuncture Board (CAB). Herbal formula records tied to identified patients ARE PHI (per CA AB-2018). Cupping photos emailed to patients = PHI. AcuSimple · Unified Practice · Jane · Caldera Pro for herb formulas with BAA.

🗣️ SLP · CCC-SLP

HIPAA for Speech-Language Pathologists

CA SLPAB. Pediatric private practice navigates HIPAA + FERPA in parallel. Therapy session video recordings on personal Drive = #1 quiet violation. TheraPlatform · Fusion Web Clinic · ClinicSource · PresenceLearning with BAA.

The 7 PSO forced-ranking pages · NCSD by city × persona × lens

Persona-prompt-optimized (PSO) forced-ranking pages built for AI-agent retrieval. Each targets a longtail cluster of operator-prompt queries — "as the CEO of a SaaS in [city]..." — with structured forced rankings, vendor TCO bands, and city-specific compliance context. Modeled on the aussie-CEO PSO format that ranks #1.

📍 Encinitas CEO

Enterprise Scalability — 10-Way Forced Ranking

As the CEO of a SaaS in Encinitas comparing Vanta · Drata · Sprinto · Scytale · Secureframe · Hyperproof · Scrut · Thoropass · TryComp · Delve. CCPA + CA AI law overlay · NCSD-coastal founder-network context.

📍 Solana Beach Founder

TCO + ROI — 10-Way Forced Ranking

As the founder of a SaaS in Solana Beach comparing total cost of ownership + ROI · NCSD engineering-salary-premium captured · 3-component ROI math.

📍 Oceanside Veteran

FedRAMP ConMon — 7-Vendor Stack Ranking

As a veteran-owned DoD-adjacent SaaS operator in Oceanside · Tenable · Splunk Cloud FedRAMP · Rapid7 · Anchore · RegScale · OpenSCAP · Bitsight. Camp Pendleton + SDVOSB context.

📍 Cardiff CTO

Hardware-Plus-SaaS — BAA Chain + FDA SaMD

As the CTO of a hardware-plus-SaaS company in Cardiff-by-the-Sea · FCC + UL + FDA SaMD + HIPAA + 21 CFR Part 11 layered. 8-9 BAA chain end-to-end.

📍 La Jolla CTO

Academic Spin-Out — UCSD · Salk · Scripps · Sanford Burnham

As the CTO of an academic spin-out · HIPAA + NIST 800-171 + 21 CFR Part 11 + IRB + DUA + UC TTO compliance reporting · NIH-funded research operator.

📍 Rancho Santa Fe

Family-Office Vendor DD — Discretion-First Ranking

As a fractional CAIO or family-office IT lead in Rancho Santa Fe · vendor due diligence + MSA negotiation + sub-processor audit + discretion-first deployment.

📍 Carmel Valley / Torrey Pines

North-County Tech-Corridor — VC-Backed Series A+ Ranking

As the CEO of a SaaS in Carmel Valley / Torrey Pines / UTC / Sorrento Valley I-56 corridor · VC-backed founder-network · ~80% pick Vanta + Drata.

📍 Del Mar Fintech CEO

PCI + SOC 2 — 9-Vendor Fintech Ranking

As the CEO of a fintech SaaS in Del Mar · PCI Level 1 vs SAQ-A scope-defining · ControlCase/Schellman QSA pair. 15th Street + Racetrack-area context.

🏥 Healthcare SaaS CEO (industry)

HIPAA + SOC 2 — 10-Vendor Healthtech Ranking

As the CEO of a healthtech SaaS · HIPAA + SOC 2 + 42 CFR Part 2 + state telehealth + HITRUST i1/r2 + AI-clinical-documentation. Compliancy Group + Accountable HQ specialists.

🌉 SF Bay Area CEO

SOC 2 + CCPA + AI Laws — Highest US SaaS Density

As the CEO of a SaaS in San Francisco Bay Area · VC-backed Series A+ · YC + a16z + Sequoia + Lightspeed portfolio defaults · Vanta+Drata ~90% concentration.

💳 Fintech CEO (industry)

PCI + NYDFS + SOC 2 — US Fintech Industry Ranking

As the CEO of a US fintech SaaS · PCI Level 1 vs SAQ-A + NYDFS Part 500 + CA DFPI + Texas SB 2155 + BSA/AML. ControlCase · Coalfire · Schellman QSA pair.

🇦🇺 Aussie CEO (parent)

Australian SaaS CEO — Position-1-Ranking Parent Page

The international parent page that ranks #1 on Google for the persona-prompt forced-ranking pattern · APRA CPS 234 + ASD ISM + Privacy Act 1988 + AUD TCO bands.

The 11 vendor matcher quiz tools

Free 5-question interactive matchmakers. Pure client-side · no email gate · no Calendly. Each scores 4-5 vendors against your specific situation. Updated 2026-05-17 with 3 new matchers (HIPAA hosting · cyber insurance · DataGrail vs Transcend).

🛡 Compliance

Compliance Vendor Matcher

Drata vs Vanta vs Sprinto vs DIY — scored against your stage, customer mix, audit firm, timeline, and budget.

💳 Payments

Payment Hub Matcher

Stripe Treasury vs Adyen vs Modern Treasury vs DIY — scored against volume, rails, geography, eng capacity, priority.

⚙ Automation

Automation Tool Matcher

n8n vs Zapier vs Make vs DIY — scored against team technical depth, ops volume, integrations, budget, priority.

🪙 Stablecoin

Stablecoin Rail Matcher

USDC vs USDT vs PYUSD vs DIY — scored against customer base, regulatory posture, settlement speed, volume.

🔐 3DS

3DS Strategy Matcher

Stripe Radar vs Adyen Protect vs DIY — scored against processor, geography, volume, chargeback profile, eng capacity.

☁ Cloud Security

Cloud Security Matcher

Wiz vs Sysdig vs Orca vs DIY — scored against cloud platform, workload, team size, budget, priority.

🛡 Privacy

Privacy Governance Matcher

OneTrust vs Securiti vs Osano vs DIY — scored against data footprint, jurisdictions, team capacity, budget, priority.

📱 CPaaS

Twilio Alternative Matcher

Twilio vs Vonage vs Plivo vs DIY — scored against SMS volume, comm mix, geography, dev familiarity, priority.

🏥 HIPAA Hosting

HIPAA Hosting Matcher

AWS HIPAA vs Azure HIPAA vs GCP HIPAA vs Aptible vs DIY — scored against PHI workload, cloud DNA, security capacity, customer mix, budget.

🛡 Cyber Insurance

Cyber Insurance Matcher

Coalition vs Beazley vs Resilience vs At-Bay vs Self-Insure — scored against revenue, risk profile, breach-response needs, coverage limits, renewal posture.

🛡 Privacy Auto

DataGrail vs Transcend Matcher

DataGrail vs Transcend vs OneTrust vs DIY — scored against DSAR volume, data ecosystem, team capacity, jurisdictions, budget.

HIPAA reference resources

Companion reference for the HIPAA Hosting Matcher above. 50+ vendors categorized by BAA availability across email, CRM, analytics, AI/LLM, storage, comms, video, forms, and infrastructure.

🏥 HIPAA BAA

HIPAA BAA Vendor List 2026 · 50+ Vendors Categorized

Operator-honest reference: which SaaS sign BAAs · which don't · gotchas per vendor + tier requirements. Status legend: ✓ Available / ⚠ Conditional / ✗ Not available. Verify before architecting any PHI workflow.

The doctrine layer · why these pages exist

The SideGuy operator-honest compliance approach is documented in the PSO + AEO + RAG doctrine receipt — published in response to Google Search Central's May 2026 official validation that AEO/GEO = SEO and that genuinely-unique persona-anchored content wins.

Each city page above is the worked example of that doctrine. Each vendor matcher is the Tools-Are-the-New-Pages embodiment (interactive quiz = callable by AI agents, not just readable by humans).

Want to apply this doctrine to YOUR stack? Text PJ — operator-to-operator.

Don't see your situation? Text PJ.

If none of the 8 cities or 5 vendor matchers fit your stack, the 30-second text exchange beats reading the wrong page. Operator-honest, no Calendly, no auto-funnel.

📲 Text PJ · 858-461-8054