Skip to main content

SOC2®

logo

Summary

These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems used by the organization to process users' data, as well as the confidentiality and privacy of the information processed by these systems. The version used in this section is 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (last revisions made in March 2020).

Definitions

DefinitionRequirements
CC2_3. Communication and information
318. Notify third parties of changes
CC5_1. Control activities
062. Define standard configurations
CC5_2. Control activities
062. Define standard configurations
CC6_1. Logical and physical access controls
228. Authenticate using standard protocols
231. Implement a biometric verification component
264. Request authentication
CC6_2. Logical and physical access controls
034. Manage user accounts
095. Define users with privileges
114. Deny access with inactive credentials
122. Validate credential ownership
CC6_3. Logical and physical access controls
186. Use the principle of least privilege
341. Use the principle of deny by default
CC6_4. Logical and physical access controls
231. Implement a biometric verification component
CC6_5. Logical and physical access controls
144. Remove inactive accounts periodically
CC6_6. Logical and physical access controls
115. Filter malicious emails
253. Restrict network access
257. Access based on user credentials
CC6_7. Logical and physical access controls
181. Transmit data using secure protocols
CC6_8. Logical and physical access controls
115. Filter malicious emails
155. Application free of malicious code
C1_1. Additional criteria for confidentiality
185. Encrypt sensitive information
300. Mask sensitive data
375. Remove sensitive data from client-side applications
C1_2. Additional criteria for confidentiality
183. Delete sensitive data securely
210. Delete information from mobile devices
P1_1. Additional criteria for privacy (related to notice and communication of objectives related to privacy)
186. Use the principle of least privilege
P2_1. Additional criteria for privacy (related to choice and consent)
310. Request user consent
P3_1. Additional criteria for privacy (related to collection)
360. Remove unnecessary sensitive information
P3_2. Additional criteria for privacy (related to collection)
310. Request user consent
P4_1. Additional criteria for privacy (related to use, retention, and disposal)
189. Specify the purpose of data collection
310. Request user consent
314. Provide processing confirmation
315. Provide processed data information
P4_2. Additional criteria for privacy (related to use, retention, and disposal)
229. Request access credentials
300. Mask sensitive data
P4_3. Additional criteria for privacy (related to use, retention, and disposal)
183. Delete sensitive data securely
317. Allow erasure requests
318. Notify third parties of changes
360. Remove unnecessary sensitive information
P5_2. Additional criteria for privacy (related to access)
316. Allow rectification requests
P6_1. Additional criteria for privacy (related to disclosure and notification)
189. Specify the purpose of data collection
310. Request user consent
P6_2. Additional criteria for privacy (related to disclosure and notification)
079. Record exact occurrence time of events
311. Demonstrate user consent
P6_3. Additional criteria for privacy (related to disclosure and notification)
079. Record exact occurrence time of events
P6_5. Additional criteria for privacy (related to disclosure and notification)
318. Notify third parties of changes
free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.

Last updated on