SOC 2 Trust Services Criteria

SOC 2 TSC helps define and assess your controls for security, availability, integrity, and privacy.

When pursuing SOC 2 compliance, understanding the Trust Services Criteria (TSC) is key to shaping your SOC 2 audit scope and selecting the right SOC 2 controls.

The Trust Services Criteria define the principles that your organization must address to build trust with customers and demonstrate a strong security posture. While Security is required for every SOC 2 report, the other criteria—Availability, Processing Integrity, Confidentiality, and Privacy—are selected based on your services and customer expectations.

In this guide, we’ll walk through each of the SOC 2 Trust Services Criteria, what they cover, and how to choose the right ones for your SOC 2 audits.

1. Security

Security is the only Trust Services Principle required in every SOC 2 report. It focuses on whether your systems are protected against unauthorized access, both physical and logical.

Key focus areas include:

  • Access controls (authentication, authorization)

  • Network security (firewalls, segmentation)

  • Endpoint protection

  • Security monitoring and incident response

Meeting the Security criterion demonstrates that you have a strong foundation of data protection, threat defense, and risk management in place, which is essential to maintaining SOC 2 compliance.

2. Availability

The Availability criterion ensures that your systems are operational and accessible as expected by your customers. It verifies that you have controls in place to support:

  • System monitoring

  • Performance tuning

  • Disaster recovery

  • Incident response

  • Capacity planning

Availability is particularly important for cloud services and APIs where uptime and system reliability are business-critical. Aligning your SOC 2 audit scope with this criterion helps demonstrate a mature security posture and strong risk mitigation capabilities.

3. Processing Integrity

Processing Integrity addresses whether your systems process data completely, accurately, and in a timely manner, as intended.

This criterion is essential for services involving:

  • Transactions

  • Financial reports

  • Data pipelines

  • Customer reporting

Controls under this criterion typically cover:

  • Input validation

  • Processing accuracy

  • Output verification

  • Error handling

Demonstrating Processing Integrity helps customers trust that the data they rely on from your service is consistent and reliable.

4. Confidentiality

The Confidentiality criterion ensures that sensitive information is protected from unauthorized disclosure.

Confidential data may include:

  • Customer contracts

  • Intellectual property

  • Personally identifiable information (PII)

  • Proprietary datasets

Common SOC 2 controls for Confidentiality include:

  • Data classification policies

  • Encryption (at rest and in transit)

  • Secure data disposal

  • Enforced access controls

This criterion is particularly important for organizations handling regulated data, including GDPR and HIPAA-protected data.

5. Privacy

The Privacy criterion focuses on how your organization collects, uses, retains, discloses, and disposes of personal information.

Privacy controls help ensure compliance with:

  • Regulatory requirements (e.g., GDPR, CCPA)

  • Published privacy policies

  • Customer expectations

Typical Privacy controls include:

  • Data subject rights management

  • Consent tracking

  • Privacy notices and disclosures

  • Personal data retention policies

If your service involves processing personal data—including AI-driven applications—aligning with this criterion builds trust and legal defensibility.

Choosing the Right Criteria for Your SOC 2 Scope

When planning your SOC 2 audits, remember:

  • Security is always required.

  • Availability, Processing Integrity, Confidentiality, and Privacy are optional. You select the ones most relevant to your services, customer commitments, and risk assessment.

Selecting the right combination ensures your SOC 2 compliance program aligns with both operational effectiveness and evolving customer expectations.

Building Trust Through the Trust Services Criteria

Mastering the Trust Services Principles is key to building a robust SOC 2 compliance program.

By selecting the right criteria, strengthening your control environment, and maintaining a proactive risk management approach, your organization can build trust with customers, reduce the risk of data breaches, and stand out in competitive markets.

As you prepare for your SOC 2 audits, consider how each Trust Services Criterion maps to your services, customer needs, and long-term compliance goals.


Ready to automate your SOC 2 journey?

Start your compliance process with DSALTA's trusted solutions.

Compliance made simple with DSALTA. Powered by AI, our platform eliminates manual tasks, boosts security, and delivers support you can count on.

Copyright © DSALTA 2025. All rights reserved.