SOC 2® Trust Service Criteria: The 5 Pillars of Data Protection

If your customers have started asking about SOC 2®, you’ve likely come across a somewhat abstract-sounding phrase: Trust Service Criteria. These five principles are at the heart of SOC 2®, and if you’re a startup or growing company aiming for compliance, you’ll need to understand what they mean, how they apply, and when to include them in your audit.

Let’s break down each criterion clearly and explain how it fits into your compliance journey.

What Are the Trust Service Criteria?

The Trust Service Criteria (TSC) are a framework developed by the AICPA to evaluate how effectively a service organization protects and manages customer data. SOC 2® reports are built around these five criteria:

  1. Security

  2. Availability

  3. Processing Integrity

  4. Confidentiality

  5. Privacy

Every SOC 2® audit must include Security. The other four are optional, but choosing the right ones helps you tailor your audit to your actual risk profile and customer needs.

Let’s walk through each one in plain English.

Security – The Mandatory Foundation

Security is the only required Trust Service Criterion in every SOC 2® report, and for good reason. It addresses how well your systems protect against unauthorized access, breaches, and other risks that could compromise the confidentiality, integrity, or availability of data.

In practical terms, this includes everything from setting up firewalls and using multi-factor authentication to having a formal incident response plan in place. It’s also about having a culture of risk awareness: Are you proactively identifying vulnerabilities? Are your employees trained to spot phishing attacks? Security is the backbone of any SOC 2® program, and a strong posture here creates a ripple effect across the other criteria.

When to include it: Always. This is the baseline for SOC 2® compliance and cannot be excluded from your audit.

Availability – Keeping Your Promises

Availability refers to whether your systems are up and running as expected, and whether they can recover quickly if something goes wrong. This isn’t just about having good uptime; it’s about making sure you’ve planned for the worst.

To meet this criterion, companies often put disaster recovery and business continuity plans in place, invest in infrastructure monitoring, and track system performance. If you’ve ever signed an SLA that promises 99.9% uptime, this is the criterion that backs up that promise. It’s especially critical for SaaS providers where outages can directly impact customers’ operations and your credibility.

When to include it: If your business model includes availability guarantees (like SLAs), or if service uptime is a key value proposition to customers, this criterion is a must.

Processing Integrity – Accuracy from Start to Finish

Processing Integrity focuses on the accuracy, completeness, and timeliness of data processing. It ensures that systems do what they’re supposed to do, without errors or delays that could harm users or corrupt information.

This is particularly relevant for organizations that process transactions, whether financial, customer, or operational. Imagine a payroll app that miscalculates salaries due to a silent error. Or a healthcare system that delays the processing of critical patient data. Processing Integrity aims to prevent these scenarios by promoting validation checks, monitoring mechanisms, and robust error-handling protocols.

When to include it: If your product processes critical business or personal data, such as transactions, invoices, or health records, and users depend on that data being accurate and timely, consider including this criterion.

Confidentiality – Guarding Sensitive Business Information

Confidentiality is about restricting access to information that is not meant to be shared, whether that’s internal documentation, customer contracts, intellectual property, or financial reports.

To meet this standard, organizations need more than just encrypted storage. They must have clear policies on data classification, access management, and retention periods. Confidentiality also implies internal discipline: who can view what, under what circumstances, and how that access is audited. This is often the second-most common criterion after Security in SOC 2® reports, especially for companies handling proprietary or B2B data.

When to include it: If your systems store or process sensitive information that belongs to customers, partners, or employees, especially under NDAs, this criterion helps build trust and credibility.

Privacy – Respecting Personal Data

Privacy, while often confused with Confidentiality, is its own domain. This criterion focuses specifically on the collection, use, retention, disclosure, and disposal of personal information, with emphasis on adhering to your public privacy policy and applicable laws like GDPR or CCPA.

It requires clear consent mechanisms, transparency with users, and the ability to handle requests like “delete my data” or “show me what you know about me.” As consumers and regulators alike demand greater accountability, Privacy has become a growing priority in SOC 2® audits, particularly for companies that handle large volumes of personally identifiable information (PII).

When to include it: If your platform collects personal data, especially from end users or consumers, and operates in jurisdictions with strong data protection laws (EU, California), this criterion supports both compliance and transparency.

Choosing the Right Scope for Your SOC 2® Audit

The good news? You don’t need to include all five criteria to be SOC 2® compliant. In fact, most early-stage companies start with Security + Availability or Security + Confidentiality, depending on their customers and services.

Your chosen criteria should reflect:

  • What kind of data you handle

  • What your customers expect

  • What you can realistically control and document

Over time, you can expand your audit scope as your business matures.


If you’re working toward SOC 2® and wondering how to get started or which criteria to include, start by mapping your customer data flows and identifying the “crown jewels” you need to protect.

And remember: compliance isn’t just about passing an audit; it’s about building a system you can trust.