
SOC 2 Trust Service Criteria Explained: Security, Availability, Confidentiality, Processing Integrity, and Privacy

Deep dive into the five SOC 2 trust service criteria and how to choose which ones apply to your organization.

December 26, 2025

SOC 2 Trust Service Criteria Explained

The SOC 2 framework is built around the AICPA's Trust Services Criteria (TSC), which are organized into five categories, commonly referred to as the five trust service criteria. Security is the set of common criteria (CC1 through CC9) that every SOC 2 report must address; the other four categories add criteria on top of it. Understanding each category is essential for determining which ones apply to your organization and how to implement appropriate controls.

Security (Required)

Security is the only mandatory criterion for SOC 2. It focuses on protecting information and systems from unauthorized access, unauthorized disclosure, and damage that could compromise their availability, integrity, confidentiality, or privacy. Because its common criteria also cover the control environment, risk assessment, change management and monitoring, Security is considerably broader than technical hardening alone.

Key Security Controls

  • Access Management: Implement role-based access control (RBAC), multi-factor authentication (MFA), and regular access reviews
  • Network Security: Deploy firewalls, intrusion detection/prevention systems, and network segmentation
  • Encryption: Use TLS 1.2+ for data in transit and AES-256 for data at rest. The TSC do not prescribe algorithms; these are the choices auditors routinely accept, and what gets tested is that the standard is written down and enforced (for example, that TLS 1.0 and 1.1 are disabled on every public endpoint)
  • Security Monitoring: Implement SIEM, log aggregation, and alerting systems
  • Incident Response: Develop and test incident response procedures
  • Vulnerability Management: Conduct regular vulnerability scans and penetration tests

Common Security Control Questions

  • Do you require MFA for all production system access?
  • How often do you conduct penetration testing?
  • What is your process for revoking access when employees leave, and how quickly is it completed?
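The third question above is where many first audits stumble: the offboarding ticket is closed, but the account is still enabled. The periodic access review that catches this is a mechanical reconciliation of the HR roster against an identity-provider export. The following is an added example, not code from the original page; the two exports, the role names, the privileged-role set and the 90-day dormancy threshold are all constructed or assumed.

```python
"""Quarterly access review: reconcile the HR roster against an IdP export.

Added example (not from the page): the data below is constructed, and the
field names, role labels and the 90-day dormancy threshold are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    email: str
    status: str                               # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class IdpAccount:
    email: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]                # None means never logged in
    roles: tuple


@dataclass(frozen=True)
class Finding:
    code: str
    email: str
    detail: str


REVIEW_DATE = date(2025, 12, 1)
DORMANT_AFTER = timedelta(days=90)            # assumed policy threshold
PRIVILEGED_ROLES = {"admin", "finance"}       # assumed role names

# Constructed sample data: an HR export and an identity-provider export.
HR_ROSTER = [
    HrRecord("alice@example.com", "active"),
    HrRecord("bob@example.com", "terminated", date(2025, 11, 20)),
    HrRecord("carol@example.com", "active"),
    HrRecord("dave@example.com", "terminated", date(2025, 6, 30)),
    HrRecord("erin@example.com", "active"),
]
IDP_EXPORT = [
    IdpAccount("alice@example.com", True, True, date(2025, 11, 28), ("engineer",)),
    IdpAccount("bob@example.com", True, True, date(2025, 11, 19), ("engineer",)),
    IdpAccount("carol@example.com", True, False, date(2025, 11, 30), ("support",)),
    IdpAccount("dave@example.com", False, True, date(2025, 6, 29), ("finance",)),
    IdpAccount("svc-backup@example.com", True, False, date(2025, 7, 1), ("admin",)),
    IdpAccount("erin@example.com", True, True, None, ("engineer",)),
]


def review_access(roster, accounts, today: date = REVIEW_DATE) -> list:
    """Return one Finding per control failure; an empty list is a clean review."""
    hr = {r.email.lower(): r for r in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                          # already revoked: nothing to review
        rec = hr.get(acct.email.lower())
        if rec is None:
            # Service accounts are legitimate, but each needs a named owner on record.
            findings.append(Finding("ORPHAN_ACCOUNT", acct.email,
                                    "no HR record; assign an owner or disable"))
        elif rec.status == "terminated":
            late = (today - rec.termination_date).days if rec.termination_date else 0
            findings.append(Finding("TERMINATED_STILL_ENABLED", acct.email,
                                    f"terminated {rec.termination_date}, still enabled {late} days later"))
        if not acct.mfa_enrolled:
            privileged = bool(PRIVILEGED_ROLES & set(acct.roles))
            findings.append(Finding("PRIVILEGED_MFA_MISSING" if privileged else "MFA_MISSING",
                                    acct.email, "roles: " + ",".join(acct.roles)))
        if acct.last_login is None:
            findings.append(Finding("DORMANT", acct.email, "never logged in"))
        elif today - acct.last_login > DORMANT_AFTER:
            findings.append(Finding("DORMANT", acct.email,
                                    f"idle {(today - acct.last_login).days} days"))
    return findings


def summarize(findings) -> dict:
    """Counts per finding code, the headline an auditor asks for first."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, IDP_EXPORT)
    for f in results:
        print(f"{f.code:26} {f.email:26} {f.detail}")
    print(summarize(results))
```

Two design points matter for evidence. Disabled accounts are skipped rather than reported, so the output lists only open items, and a terminated employee whose account was disabled on time (dave) produces nothing. Accounts with no HR record are reported rather than ignored, because service accounts are the usual route by which a leaver keeps access; the review does not decide whether svc-backup is legitimate, it forces someone to own that decision.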

Availability

The Availability criterion addresses whether systems are available for operation and use as committed or agreed. This is particularly important for SaaS companies with uptime SLAs.

Key Availability Controls

  • Disaster Recovery: Maintain documented disaster recovery plans with defined recovery time and recovery point objectives (RTO and RPO), and exercise them
  • Business Continuity: Develop business continuity procedures for critical functions
  • Capacity Planning: Monitor system capacity and plan for growth
  • Performance Monitoring: Track system performance metrics and set alerts
  • Redundancy: Implement redundant systems for critical components
  • Backup Procedures: Maintain regular backups with tested restoration procedures
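A backup that has never been restored is not evidence of recoverability, and the restore test is what an auditor asks to see for the last control above. The following added example (not code from the original page) backs up a constructed directory, restores it into a fresh location, verifies every file against a SHA-256 manifest captured at backup time, times the restore against an assumed RTO, and then shows a truncated copy of the same archive failing the test. The file contents, the tar.gz format and the 5-second RTO are assumptions.

```python
"""Backup restore test: prove the backup can actually be restored, and time it.

Added example (not from the page): the files, the tar.gz format and the
5-second RTO are constructed assumptions for a small dataset.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional

RTO_SECONDS = 5.0        # assumed recovery time objective for this dataset


@dataclass
class RestoreReport:
    verified: int = 0
    missing: list = field(default_factory=list)
    corrupt: list = field(default_factory=list)
    seconds: float = 0.0
    error: Optional[str] = None

    @property
    def passed(self) -> bool:
        return (self.error is None and not self.missing
                and not self.corrupt and self.seconds <= RTO_SECONDS)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src and return the manifest {relative path: sha256} taken at backup
    time. The manifest is what a later restore is verified against, so keep it
    outside the archive it describes."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> RestoreReport:
    report = RestoreReport()
    start = time.perf_counter()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for m in tar.getmembers():
                # At restore time the archive is untrusted input: refuse path traversal.
                if Path(m.name).is_absolute() or ".." in Path(m.name).parts:
                    raise tarfile.TarError(f"unsafe member path: {m.name}")
            tar.extractall(dest)
    except (tarfile.TarError, EOFError, OSError) as exc:
        report.error = f"{type(exc).__name__}: {exc}"
        report.seconds = time.perf_counter() - start
        return report
    for rel, expected in manifest.items():
        target = dest / rel
        if not target.is_file():
            report.missing.append(rel)
        elif sha256_file(target) != expected:
            report.corrupt.append(rel)
        else:
            report.verified += 1
    report.seconds = time.perf_counter() - start
    return report


def run_restore_test():
    """Back up a constructed dataset, restore it (should pass), then restore a
    truncated copy of the same archive (should fail before anyone relies on it)."""
    sample = {"db/customers.sql": "INSERT INTO customers VALUES (1, 'acme');\n",
              "db/orders.sql": "INSERT INTO orders VALUES (1, 1, 125.50);\n",
              "config/app.yaml": "region: eu-west-1\nretention_days: 30\n"}
    with tempfile.TemporaryDirectory() as tmp:
        root, src = Path(tmp), Path(tmp) / "data"
        for rel, body in sample.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_text(body)
        archive = root / "backup.tar.gz"
        manifest = make_backup(src, archive)
        good = restore_and_verify(archive, manifest, root / "restore-good")

        damaged = root / "backup-truncated.tar.gz"      # simulates a partial copy
        data = archive.read_bytes()
        damaged.write_bytes(data[: len(data) // 2])
        bad = restore_and_verify(damaged, manifest, root / "restore-bad")
    return good, bad


if __name__ == "__main__":
    good, bad = run_restore_test()
    print(f"good backup: passed={good.passed} verified={good.verified} in {good.seconds:.3f}s")
    print(f"truncated backup: passed={bad.passed} error={bad.error} missing={bad.missing}")
```

The report object is the evidence: it records what was verified, how long the restore took relative to the RTO, and why a restore failed. Run it on a schedule against real backups and keep the reports; a backup success rate without restore results answers only half of the question.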

Availability Metrics to Track

  • System uptime percentage
  • Mean time to recovery (MTTR)
  • Mean time between failures (MTBF)
  • Backup success rate

Processing Integrity

Processing Integrity ensures that system processing is complete, valid, accurate, timely, and authorized. It covers the processing your system performs, not the correctness of the data customers feed into it, and it matters most where customers rely on your outputs, typically financial transactions or data processing services.

Key Processing Integrity Controls

  • Input Validation: Validate all data inputs for completeness and accuracy
  • Error Handling: Implement robust error detection and correction procedures
  • Processing Verification: Verify that processing completes successfully
  • Output Review: Review outputs for accuracy before delivery
  • Change Management: Control changes to processing systems through formal change management
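The first four controls in the list above map directly onto checks a batch interface can run before anything is posted. As an added example (not code from the original page), the following reads a small pipe-delimited transaction batch whose header/detail/trailer layout, originator allowlist and two-day timeliness window are all assumptions, and applies each of the five processing integrity properties: completeness and accuracy against the sender's control totals, validity per record, authorization against the allowlist, and timeliness from the batch date. The batches are constructed: the first reconciles to its trailer but carries three invalid records, the second is the same feed cut short in transit.

```python
"""Processing-integrity checks for an inbound transaction batch.
Added example (not from the page): the H/D/T pipe-delimited layout, the
originator allowlist and the two-day timeliness window are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from decimal import Decimal, InvalidOperation

MAX_BATCH_AGE = timedelta(days=2)              # assumed timeliness SLA
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
AUTHORIZED = {"ACME-01", "ACME-02"}            # originators allowed to submit (constructed)
TODAY = date(2025, 12, 1)

# Constructed input: reconciles to its trailer but carries three bad records.
GOOD_BATCH = """H|BATCH-0001|2025-12-01
D|1001|ACME-01|100.00|USD
D|1002|ACME-01|25.50|USD
D|1003|UNKNOWN-9|10.00|USD
D|1004|ACME-02|-5.00|USD
D|1002|ACME-02|14.75|USD
T|5|145.25"""


@dataclass
class BatchResult:
    batch_id: str = "<unknown>"
    accepted: list = field(default_factory=list)   # (line_no, record_id, originator, amount)
    rejected: list = field(default_factory=list)   # (line_no, record_id, reason)
    control_errors: list = field(default_factory=list)
    @property
    def status(self) -> str:
        return "REJECTED" if self.control_errors else "ACCEPTED"
    @property
    def accepted_total(self) -> Decimal:
        return sum((amt for *_, amt in self.accepted), Decimal("0.00"))


def parse_amount(raw: str):
    """Money is Decimal, never float, with exactly two decimal places. The
    exponent check also rejects NaN and Infinity, whose exponent is not an int."""
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        return None
    return amount if amount.as_tuple().exponent == -2 else None


def process_batch(text: str, authorized: set, today: date) -> BatchResult:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    result = BatchResult()
    if len(lines) < 2:
        result.control_errors.append("ENVELOPE_MALFORMED")
        return result
    head, tail = lines[0].split("|"), lines[-1].split("|")
    if head[0] != "H" or len(head) != 3 or tail[0] != "T" or len(tail) != 3:
        result.control_errors.append("ENVELOPE_MALFORMED")
        return result
    result.batch_id = head[1]
    age = today - date.fromisoformat(head[2])   # timeliness: stale batches are not posted
    if age > MAX_BATCH_AGE:
        result.control_errors.append(f"STALE_BATCH:{age.days}d")
    expected_count, expected_total = int(tail[1]), Decimal(tail[2])

    # Validity and authorization are judged per record; a bad record is rejected alone.
    seen = set()
    body_count, body_total = 0, Decimal("0.00")
    for line_no, ln in enumerate(lines[1:-1], start=2):
        body_count += 1
        fields = ln.split("|")
        if len(fields) != 5 or fields[0] != "D":
            result.rejected.append((line_no, "?", "MALFORMED"))
            continue
        _, rid, originator, raw_amount, currency = fields
        amount = parse_amount(raw_amount)
        if amount is None:
            result.rejected.append((line_no, rid, "AMOUNT_INVALID"))
            continue
        body_total += amount                      # control total covers every parseable amount
        reasons = [label for cond, label in (
            (amount <= 0, "AMOUNT_NOT_POSITIVE"),
            (currency not in ALLOWED_CURRENCIES, "CURRENCY_INVALID"),
            (rid in seen, "DUPLICATE_ID"),
            (originator not in authorized, "ORIGINATOR_UNAUTHORIZED")) if cond]
        seen.add(rid)
        if reasons:
            result.rejected.append((line_no, rid, ",".join(reasons)))
        else:
            result.accepted.append((line_no, rid, originator, amount))

    # Completeness and accuracy: the body must reconcile to the sender's trailer.
    if body_count != expected_count:
        result.control_errors.append(f"COUNT_MISMATCH:expected={expected_count},got={body_count}")
    if body_total != expected_total:
        result.control_errors.append(f"TOTAL_MISMATCH:expected={expected_total},got={body_total}")
    if result.control_errors:
        result.accepted.clear()                   # fail closed: an unreconciled batch posts nothing
    return result


def demo() -> dict:
    # The truncated feed keeps the header, the first three records and the original trailer.
    parts = GOOD_BATCH.splitlines()
    truncated = "\n".join(parts[:4] + parts[-1:])
    return {"good": process_batch(GOOD_BATCH, AUTHORIZED, TODAY),
            "truncated": process_batch(truncated, AUTHORIZED, TODAY),
            "stale": process_batch(GOOD_BATCH, AUTHORIZED, TODAY + timedelta(days=9))}
```

The split between the two failure classes is the point. A control-total or timeliness failure means the batch as transmitted cannot be trusted, so the whole batch is rejected and nothing posts; an invalid, duplicate or unauthorized record is rejected on its own and the rest posts, with the rejection list returned so it can go back to the sender. That returned list is the artifact the Error Handling and Output Review controls ask for.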

When Processing Integrity Matters

  • Payment processing systems
  • Healthcare claims processing
  • Financial reporting systems
  • Data transformation services

Confidentiality

Confidentiality protects information designated as confidential from unauthorized access or disclosure. This applies to customer data, intellectual property, and sensitive business information.

Key Confidentiality Controls

  • Data Classification: Classify data based on sensitivity levels
  • Access Controls: Restrict access to confidential data based on need-to-know
  • Encryption: Encrypt confidential data at rest and in transit
  • Secure Disposal: Implement secure data destruction procedures
  • NDA Management: Maintain confidentiality agreements with employees and vendors
  • Data Loss Prevention: Deploy DLP tools to prevent unauthorized data exfiltration

Confidential Data Examples

  • Customer personally identifiable information (PII)
  • Trade secrets and proprietary algorithms
  • Financial statements and projections
  • Merger and acquisition plans

Privacy

The Privacy criterion addresses how personal information is collected, used, retained, disclosed, and disposed of, in conformity with the organization's privacy notice and with generally accepted privacy principles. It is most relevant for companies subject to GDPR, CCPA, or similar regulations, though a SOC 2 privacy report is evidence toward those obligations rather than a substitute for compliance with them.

Privacy Principles (Generally Accepted Privacy Principles - GAPP)

The ten principles below come from GAPP. The current (2017) Trust Services Criteria condense them into eight privacy criteria, P1 through P8, because Management and Security are already covered by the common criteria that apply to every SOC 2 report.

  1. Management: Define and document privacy policies and procedures
  2. Notice: Inform individuals about data collection and use practices
  3. Choice and Consent: Obtain consent for data collection and use
  4. Collection: Collect only data necessary for stated purposes
  5. Use, Retention, and Disposal: Use data only for stated purposes, retain it only as long as necessary, and dispose of it securely afterwards
  6. Access: Allow individuals to access and correct their personal data
  7. Disclosure to Third Parties: Ensure third parties protect disclosed data
  8. Security for Privacy: Protect personal data with appropriate security measures
  9. Quality: Maintain accurate and complete personal data
  10. Monitoring and Enforcement: Monitor compliance and address violations

Key Privacy Controls

  • Privacy policy publication
  • Consent management systems
  • Data subject rights procedures
  • Privacy impact assessments
  • Data retention and deletion procedures
  • Cross-border transfer safeguards

Choosing Your Trust Service Criteria

Security Only (Most Common)

Most SaaS companies start with Security only. This is sufficient for many customers and provides a strong foundation.

Best for: Early-stage companies, general B2B SaaS, companies without specific regulatory requirements

Security + Availability

Add Availability if you have uptime SLAs or serve customers who depend on continuous service availability.

Best for: Mission-critical applications, infrastructure services, companies with 99.9%+ uptime commitments

Security + Confidentiality

Add Confidentiality if you handle sensitive customer data such as intellectual property, financial information, or proprietary business data.

Best for: Data processors, companies handling trade secrets, financial services

Security + Privacy

Add Privacy if you process significant amounts of personal data or are subject to GDPR, CCPA, or other privacy regulations.

Best for: Consumer-facing applications, healthcare companies, companies with EU customers

Multiple Criteria

You can combine multiple criteria based on your business needs. Each additional criterion increases audit scope and cost but may be necessary for your market.

Implementation Tips

  1. Start with Security: Master the Security criterion before adding others
  2. Document your rationale: Explain why you selected or excluded each criterion
  3. Map controls to criteria: Clearly show how each control addresses specific criteria
  4. Consider customer requirements: Ask enterprise customers what they require
  5. Plan for expansion: Design controls that can support additional criteria later

Conclusion

The Trust Service Criteria provide a flexible framework for demonstrating your security and compliance posture. Start with Security, then add criteria based on customer requirements and business needs. Each criterion you add strengthens your compliance posture but also increases audit complexity.


For official SOC 2 Trust Service Criteria documentation, visit the AICPA website.