SOC 2 Trust Services Criteria: Complete Guide
The SOC 2 Trust Services Criteria (TSC) define and assess your controls for security, availability, processing integrity, confidentiality, and privacy.
When you work on SOC 2 compliance, you need to understand the Trust Services Criteria (TSC), which the AICPA formerly called the Trust Services Principles. These criteria shape your SOC 2 audit scope and help you pick the right SOC 2 controls.
The Trust Services Criteria define what your company's controls must achieve to build trust with customers and demonstrate strong security. Security is required in every SOC 2 report; the other four criteria, Availability, Processing Integrity, Confidentiality, and Privacy, are added depending on the services you provide and the commitments you make to customers.
This guide explains each of the SOC 2 Trust Services Criteria, what they cover, and how to choose the right ones for your SOC 2 audits. If you're new to SOC 2, start with our SOC 2 Overview to understand the basics. Understanding these criteria is key to building a strong SOC 2 compliance program.
1. Security (Required for All SOC 2 Reports)
Security is the only Trust Services Criterion you must include in every SOC 2 report; its criteria (the "Common Criteria", CC1 through CC9) also underpin the four optional categories. This criterion checks whether your systems are protected against unauthorized access, both physical and logical, and against unauthorized disclosure or damage that could compromise the other commitments you make.
Key Security Focus Areas
Access Controls: Your company needs strong authentication and clear rules about who can see which data. This includes:
Authentication (proving who a user or system is)
Authorization (deciding what an authenticated identity may do, ideally on a least-privilege basis)
Regular reviews of who has access, with prompt removal when people change roles or leave
Network Security: You must protect your networks with:
Firewalls and network access rules that allow only the traffic a system actually needs
Network segmentation to keep systems and environments (for example production and development) apart
Regular vulnerability scanning and security testing
Endpoint Protection: All devices that connect to your systems need protection against malware and compromise, such as endpoint detection and response tooling, patching, and disk encryption.
Security Monitoring and Incident Response: You need logging and alerting that detect suspicious activity, and a documented, tested plan for responding when a security incident happens. This reduces both the likelihood and the impact of a data breach.
Meeting the Security criterion shows you have strong data protection and threat defense. This is essential for keeping your SOC 2 compliant status. For detailed guidance on implementing these security measures, check our guide on Key SOC 2 Controls to Know.
2. Availability (Optional)
The Availability criterion covers whether your systems are operational and accessible as committed or agreed with customers, typically in a service level agreement (SLA). It looks for controls in the following areas.
Core Availability Controls
System Monitoring: You need tools that watch your systems continuously and alert you when availability or performance degrades.
Performance Tuning: Your systems must perform well enough to meet customer commitments, including during peak load.
Disaster Recovery: You need backups and a tested recovery plan so you can restore service after major events such as power loss, data corruption, or a data center outage.
Incident Response: You must have clear, rehearsed steps to restore service quickly when outages happen.
Capacity Planning: You need to forecast growth so your systems can handle more users and data over time without degrading.
Availability matters most for cloud services and APIs, where uptime is critical for customers' own operations. Adding it to your SOC 2 audit scope shows you have mature operational resilience and risk control. Learn more about preparing for these requirements in our Understanding SOC 2 Compliance Requirements guide.
3. Processing Integrity (Optional)
Processing Integrity checks whether your systems process data completely, accurately, on time, and only as authorized.
When Processing Integrity Matters
This criterion is key for services that involve:
Money transactions
Financial reports
Data processing pipelines
Customer reporting
Core Processing Controls
Input Validation: You must check that data entering your systems is complete, correctly formatted, and authorized before it is processed.
Processing Accuracy: Your systems must apply the same, correct logic to every record, and you should be able to show it (for example by reconciling control totals between input and output).
Output Verification: You must check that results are complete and correct before they are delivered to customers.
Error Handling: You need clear ways to detect, log, and correct processing errors when they occur, so that bad records are neither silently dropped nor silently accepted.
Demonstrating Processing Integrity helps customers trust that the data they get from your service is reliable and correct.
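The four controls above are easier to see in code than in prose. The following is an added example written for this guide (it is not code from the original page or from the AICPA) that runs a constructed batch of payment records through input validation, control-total reconciliation, output verification, and an exception log. The batch format, the header control totals, the `ACC-` account prefix, and the status names are all assumptions made for the example.

```python
"""Processing Integrity controls over a constructed batch of payment records.

Completeness : the sender's header control totals must match what was received.
Accuracy     : every record is validated, and money posted plus money rejected
               must equal the header total (nothing lost, nothing counted twice).
Timeliness   : not shown here; it is a scheduling/SLA control, not a data one.
Error handling: bad records go to an exception list instead of being dropped.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import hashlib
import json

# Constructed sample batch (assumption: a header with control totals, then records).
SAMPLE_BATCH = {
    "batch_id": "B-0001",
    "header": {"record_count": 4, "amount_total": "170.25"},
    "records": [
        {"id": "r1", "account": "ACC-100", "amount": "50.00"},
        {"id": "r2", "account": "ACC-200", "amount": "100.25"},
        {"id": "r3", "account": "", "amount": "25.00"},         # invalid: no account
        {"id": "r4", "account": "ACC-300", "amount": "-5.00"},  # invalid: negative
    ],
}


@dataclass
class BatchResult:
    batch_id: str
    status: str                                     # ACCEPTED / ACCEPTED_WITH_EXCEPTIONS / REJECTED
    posted: dict = field(default_factory=dict)      # account -> posted amount (Decimal)
    exceptions: list = field(default_factory=list)  # (record id, reason) pairs
    output_digest: str = ""                         # SHA-256 over the posted amounts, for the audit trail


def to_amount(value):
    """Parse a monetary value into a Decimal with at most two decimal places, else None."""
    try:
        amount = Decimal(str(value))
    except (InvalidOperation, ValueError):
        return None
    if amount != amount.quantize(Decimal("0.01")):
        return None
    return amount


def validate_record(record):
    """Input validation: return an error string, or None if the record is acceptable."""
    if not isinstance(record.get("id"), str) or not record["id"]:
        return "missing id"
    account = record.get("account")
    if not isinstance(account, str) or not account.startswith("ACC-"):
        return "missing or malformed account"
    amount = to_amount(record.get("amount"))
    if amount is None:
        return "amount is not a valid monetary value"
    if amount <= 0:
        return "amount must be positive"
    return None


def reconcile_header(batch):
    """Completeness check: header control totals must match the records actually received."""
    records = batch.get("records", [])
    header = batch.get("header", {})
    expected_count = header.get("record_count")
    expected_total = to_amount(header.get("amount_total"))
    actual_total = sum((to_amount(r.get("amount")) or Decimal("0") for r in records), Decimal("0"))
    if expected_count != len(records):
        return f"header count {expected_count} != {len(records)} records received"
    if expected_total is None or expected_total != actual_total:
        return f"header total {header.get('amount_total')} != computed {actual_total}"
    return None


def process_batch(batch):
    """Run one batch end to end and return a BatchResult describing exactly what happened."""
    batch_id = str(batch.get("batch_id", "<unknown>"))
    problem = reconcile_header(batch)
    if problem:
        # Completeness failed before any processing: reject the whole batch, post nothing.
        return BatchResult(batch_id, "REJECTED", exceptions=[("*", problem)])

    posted, exceptions, seen_ids = {}, [], set()
    rejected_total = Decimal("0")
    for record in batch["records"]:
        error = validate_record(record)
        if error is None and record["id"] in seen_ids:
            error = "duplicate record id"
        if error:
            exceptions.append((record.get("id", "?"), error))
            rejected_total += to_amount(record.get("amount")) or Decimal("0")
            continue
        seen_ids.add(record["id"])
        amount = to_amount(record["amount"])
        posted[record["account"]] = posted.get(record["account"], Decimal("0")) + amount

    # Output verification: posted + rejected must equal the header total, and every
    # input record must appear exactly once as either posted or an exception.
    accepted_total = sum(posted.values(), Decimal("0"))
    header_total = to_amount(batch["header"]["amount_total"])
    handled = len(seen_ids) + len(exceptions)
    if accepted_total + rejected_total != header_total or handled != len(batch["records"]):
        # A processing bug: fail closed rather than deliver unverified output.
        return BatchResult(batch_id, "REJECTED", exceptions=[("*", "output reconciliation failed")])

    digest = hashlib.sha256(
        json.dumps({k: str(v) for k, v in sorted(posted.items())}).encode()
    ).hexdigest()
    status = "ACCEPTED_WITH_EXCEPTIONS" if exceptions else "ACCEPTED"
    return BatchResult(batch_id, status, posted, exceptions, digest)


if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH)
    print(result.status, result.posted, result.exceptions, result.output_digest)
```

The important design choice is that the batch is never partially trusted: a header mismatch rejects everything before any record is touched, invalid records are recorded as exceptions rather than skipped, and the output digest gives an auditor something to tie a delivered report back to the processing run.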
4. Confidentiality (Optional)
The Confidentiality criterion makes sure sensitive information stays protected from people who shouldn't see it.
Types of Confidential Data
Private data might include:
Customer contracts
Company secrets
Personally identifiable information (PII), where a customer contract designates it as confidential (personal information in general is the subject of the Privacy criterion)
Private company data sets
Common Confidentiality Controls
Data Classification Policies: You need clear rules about which data is confidential, who owns it, and how it must be handled at each classification level.
Encryption (at Rest and in Transit): You must encrypt confidential data both when it is stored and when it moves between systems, so that only authorized parties with the keys can read it.
Secure Data Disposal: You need reliable ways to delete confidential data, including backups and copies, once it is no longer needed or a retention period ends.
Access Controls: You must restrict access to confidential data to the people and systems that need it, and be able to show who had access and when.
This criterion matters most for companies that hold customer data under contractual confidentiality terms or that handle regulated data, such as data subject to GDPR or HIPAA.
5. Privacy (Optional)
The Privacy criterion focuses on how your company collects, uses, keeps, shares, and gets rid of personal data.
Privacy Compliance Areas
Privacy controls help ensure you follow:
Legal rules (like GDPR and CCPA)
Your published privacy policies
Customer expectations
Typical Privacy Controls
Data Subject Rights Management: You must let individuals exercise their rights over their personal data, including access, correction, and deletion requests.
Consent Tracking: You need records of when and for what purposes individuals agreed to the use of their data, and of withdrawals of consent.
Privacy Notices and Disclosures: You must tell people clearly what personal data you collect, why, and with whom you share it.
Personal Data Retention Policies: You need rules for how long you keep personal data and when and how it is deleted.
If your service handles personal data, including AI-powered applications that train on or process it, meeting this criterion builds customer trust and supports your legal obligations.
Choosing the Right Criteria for Your SOC 2 Scope
When planning your SOC 2 audits, remember:
Security is always required for every SOC 2 report
Availability, Processing Integrity, Confidentiality, and Privacy are optional
You pick the ones that fit your services, customer promises, and risk needs
Choosing the right mix ensures your SOC 2 compliance program works well and meets changing customer expectations. The American Institute of Certified Public Accountants (AICPA) develops and maintains these criteria, and a SOC 2 examination must be performed by a licensed CPA firm that evaluates your control environment against them.
To better understand how these criteria work together, explore our comprehensive Understanding SOC 2 Common Criteria resource.
Building Trust Through Trust Services Criteria
Learning the Trust Services Criteria is key to building a strong SOC 2 compliance program.
When you pick the right criteria, make your control environment stronger, and keep a forward-thinking risk management approach, your company can:
Build trust with customers
Reduce the risk of data breaches
Stand out in competitive markets
Meet the expectations of security managers
As you prepare for your SOC 2 audits, think about how each Trust Services Criterion connects to your services, customer needs, and long-term compliance goals. For step-by-step preparation guidance, visit our Preparing for Your First SOC 2 Audit guide. Remember that maintaining SOC 2 compliance is an ongoing process that requires continuous monitoring and regular updates to your security tools and procedures.
For organizations looking to streamline their compliance efforts, explore our insights on Manual vs Automated SOC 2 Compliance to understand how automation can help maintain these standards efficiently.
The AICPA designed these criteria to work together as a complete framework for protecting systems and data, whether the examination covers a point in time (a Type 1 report) or a review period (a Type 2 report). Whether you're protecting a single system or multiple data centers, these criteria support a comprehensive approach to security, availability, processing integrity, confidentiality, and privacy.