Confidentiality is one of the five Trust Service Criteria defined by the AICPA for SOC 2® compliance, alongside Security, Availability, Processing Integrity, and Privacy. Each criterion focuses on a different dimension of how systems and data are protected. Confidentiality focuses on protecting sensitive information, especially data that’s non-public, proprietary, or governed by legal or contractual obligations. In the SOC 2® context, this means establishing controls to prevent unauthorized access, use, or disclosure of such data, whether it’s source code, internal business plans, customer-specific configurations, or contract terms.
This trust principle is especially important for businesses in SaaS, fintech, healthcare, and professional services: any environment where your system holds information that could harm your company or clients if mishandled.
Why Confidentiality Matters in SOC 2®
While security gets the spotlight, confidentiality is often what customers really care about, especially if you’re storing proprietary algorithms, internal documentation, customer contracts, or strategic data. In SOC 2®, the Confidentiality criterion exists to make sure sensitive information is only accessible to the right people and only used in appropriate ways.
This criterion is especially relevant for companies handling:
Intellectual property (e.g., source code, research)
B2B data platforms managing customer datasets
Regulated industries like healthcare or finance
SaaS tools with customizable workflows that store client-sensitive configurations
If your business involves storing or processing non-public data, confidentiality is more than a nice-to-have; it’s a differentiator.
What Does Confidentiality Cover in SOC 2®?
According to the AICPA Trust Services Criteria, Confidentiality includes one category (C1) with four core criteria and supporting Points of Focus. These guide organizations in how to identify, manage, and protect confidential information:
C1.1 – Identify and Classify Confidential Information
Organizations must define what qualifies as confidential information and classify it appropriately. This could include customer PII, financial records, business plans, or custom system configurations. The classification should be embedded into systems and workflows so that sensitive data can be consistently flagged and managed.
C1.2 – Protect Confidential Information from Unauthorized Access
Controls must be in place to prevent unauthorized access, use, or disclosure. This includes both technical (e.g., encryption, access control lists) and organizational safeguards (e.g., role-based permissions, NDA enforcement, training).
C1.3 – Manage Third-Party Access
If third parties (vendors, contractors, partners) have access to confidential data, that access must be governed by appropriate agreements and oversight. This might include DPA clauses, SOC reports from the vendor, or regular access reviews.
C1.4 – Retention and Disposal of Confidential Information
Organizations should implement policies to securely retain confidential data only for as long as needed, and dispose of it when it’s no longer required. This includes digital deletion protocols, device decommissioning procedures, and audit trails.
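The four criteria above describe controls in the abstract. The following Python model, added here as an illustration and not code from the AICPA or from any SOC 2® tooling, shows how they fit together in one small system: C1.1 classification by data type (failing closed to the most restrictive label for unknown types), C1.2 role clearance checks, C1.3 a current agreement requirement for third-party readers, and C1.4 retention-based purging, with every decision written to an audit trail. All labels, role names, retention periods, organization names, principals and records are constructed for the example.

```python
"""Illustrative Confidentiality (C1.1-C1.4) enforcement model.
Every label, role, retention period and record below is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# C1.1: label by data type; unknown types default to RESTRICTED (fail closed).
CLASSIFICATION_RULES = {
    "marketing_copy": Classification.PUBLIC,
    "internal_memo": Classification.INTERNAL,
    "customer_config": Classification.CONFIDENTIAL,
    "contract_terms": Classification.CONFIDENTIAL,
    "source_code": Classification.RESTRICTED,
}
# C1.2: highest label each (constructed) role may read.
ROLE_CLEARANCE = {
    "support": Classification.INTERNAL,
    "engineer": Classification.CONFIDENTIAL,
    "security_admin": Classification.RESTRICTED,
}
# C1.4: retention period per label, in days (constructed values).
RETENTION_DAYS = {
    Classification.PUBLIC: 3650,
    Classification.INTERNAL: 1095,
    Classification.CONFIDENTIAL: 730,
    Classification.RESTRICTED: 365,
}
HOME_ORG = "acme"  # hypothetical service organization


def classify(data_type: str) -> Classification:
    return CLASSIFICATION_RULES.get(data_type, Classification.RESTRICTED)


@dataclass
class Record:
    record_id: str
    data_type: str
    created: date
    classification: Classification = field(init=False)

    def __post_init__(self) -> None:
        self.classification = classify(self.data_type)  # label assigned at ingest


@dataclass
class Principal:
    name: str
    role: str
    org: str
    agreement_expires: Optional[date] = None  # DPA/NDA end date for third parties


class ConfidentialityStore:
    def __init__(self, today: date) -> None:
        self.today = today
        self.records: dict = {}
        self.audit: list = []  # (date, actor, record_id, action, outcome)

    def add(self, rec: Record) -> None:
        self.records[rec.record_id] = rec
        self.audit.append((self.today.isoformat(), "system", rec.record_id, "classify", rec.classification.name))

    def can_read(self, who: Principal, rec: Record):
        """Return (allowed, reason); reason is 'ok' when allowed."""
        clearance = ROLE_CLEARANCE.get(who.role, Classification.PUBLIC)
        if clearance < rec.classification:  # C1.2
            return False, "insufficient clearance"
        if who.org != HOME_ORG:  # C1.3: third parties need a current agreement
            if who.agreement_expires is None or who.agreement_expires < self.today:
                return False, "no current agreement"
            if rec.classification == Classification.RESTRICTED:
                return False, "restricted data not shared with third parties"
        return True, "ok"

    def read(self, who: Principal, record_id: str) -> Optional[Record]:
        rec = self.records.get(record_id)
        allowed, reason = (False, "not found") if rec is None else self.can_read(who, rec)
        self.audit.append((self.today.isoformat(), who.name, record_id, "read", "allow" if allowed else f"deny:{reason}"))
        return rec if allowed else None

    def purge_expired(self) -> list:
        """C1.4: delete records older than their label's retention period."""
        expired = [r for r in self.records.values()
                   if self.today - r.created > timedelta(days=RETENTION_DAYS[r.classification])]
        for r in expired:
            del self.records[r.record_id]
            self.audit.append((self.today.isoformat(), "system", r.record_id, "purge", r.classification.name))
        return sorted(r.record_id for r in expired)


DEMO_TODAY = date(2024, 6, 1)
DEMO_PRINCIPALS = {  # constructed principals
    "support": Principal("sam", "support", HOME_ORG),
    "engineer": Principal("eve", "engineer", HOME_ORG),
    "admin": Principal("ada", "security_admin", HOME_ORG),
    "contractor": Principal("cory", "engineer", "vendorco", date(2024, 12, 31)),
    "lapsed_contractor": Principal("lou", "engineer", "vendorco", date(2023, 12, 31)),
    "vendor_admin": Principal("vic", "security_admin", "vendorco", date(2024, 12, 31)),
}


def build_demo_store(today: date = DEMO_TODAY) -> ConfidentialityStore:
    store = ConfidentialityStore(today)
    store.add(Record("cfg-1", "customer_config", date(2024, 1, 1)))
    store.add(Record("memo-1", "internal_memo", date(2021, 1, 1)))  # past INTERNAL retention
    store.add(Record("src-1", "source_code", date(2024, 5, 1)))
    store.add(Record("blob-1", "unlabelled_export", date(2024, 5, 15)))  # unknown type -> RESTRICTED
    return store


if __name__ == "__main__":
    s = build_demo_store()
    for key, p in DEMO_PRINCIPALS.items():
        print(key, [(rid, s.can_read(p, r)) for rid, r in s.records.items()])
    print("purged:", s.purge_expired())
    print(*s.audit, sep="\n")
```

Two design choices are worth noting. The classifier defaults unknown data types to RESTRICTED rather than PUBLIC, so a new data source that nobody has classified yet is over-protected instead of exposed. And the third-party check runs after the role check, so a contractor with an engineer role is still bounded by that role's clearance and additionally by the agreement date; the audit trail records which rule produced the denial, which is the evidence an auditor asks for.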
Tip: Confidentiality overlaps with other TSCs. For example, the Common Criteria handle general access control (CC6), while Confidentiality narrows in on specific data types and how they’re protected within business boundaries.
When Should You Include Confidentiality in Your SOC 2® Audit?
You should include Confidentiality in your audit if:
You store customer data that is contractually marked as confidential
You work in an industry subject to data protection laws (e.g., GDPR, HIPAA)
You handle internal documentation, pricing, roadmaps, or product IP
Your clients ask about how their sensitive configurations or integrations are protected
Adding the Confidentiality criterion shows that you treat sensitive data with the seriousness it deserves, not just in theory, but in day-to-day operations.
Common Controls and Best Practices
To meet the Confidentiality requirement, consider implementing:
Data classification policies and training
Encryption in transit and at rest
Access control frameworks (e.g., RBAC)
Contractual NDAs and data protection agreements
Third-party vendor reviews and SOC 2 sub-certification
Secure disposal practices and end-of-life checklists
These practices help you demonstrate that data isn’t just locked away; it’s actively governed.
Final Thoughts
Confidentiality is not just about compliance; it’s about business integrity. Customers trust you with their sensitive data. Including this criterion in your SOC 2 report shows them you’re worthy of that trust.
It’s also a powerful competitive edge. In a world where privacy concerns are rising, companies that demonstrate clear, documented, and audited safeguards for confidential information stand out.