SOC2®

Summary

These reports are intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization that are relevant to the security, availability, and processing integrity of the systems the organization uses to process users' data, as well as to the confidentiality and privacy of the information processed by those systems. The version used in this section is the 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (last revised in March 2020).

Definitions

Each SOC2 definition is listed below, followed by the requirements that map to it.

Definition
    Requirements

C1_1. Additional criteria for confidentiality
    185. Encrypt sensitive information
    300. Mask sensitive data
    375. Remove sensitive data from client-side applications

C1_2. Additional criteria for confidentiality
    183. Delete sensitive data securely
    210. Delete information from mobile devices

CC2_3. Communication and information
    318. Notify third parties of changes

CC5_1. Control activities
    062. Define standard configurations

CC5_2. Control activities
    062. Define standard configurations

CC6_1. Logical and physical access controls
    228. Authenticate using standard protocols
    231. Implement a biometric verification component
    264. Request authentication

CC6_2. Logical and physical access controls
    034. Manage user accounts
    095. Define users with privileges
    114. Deny access with inactive credentials
    122. Validate credential ownership

CC6_3. Logical and physical access controls
    186. Use the principle of least privilege
    341. Use the principle of deny by default

CC6_4. Logical and physical access controls
    231. Implement a biometric verification component

CC6_5. Logical and physical access controls
    144. Remove inactive accounts periodically

CC6_6. Logical and physical access controls
    115. Filter malicious emails
    253. Restrict network access
    257. Access based on user credentials

CC6_7. Logical and physical access controls
    181. Transmit data using secure protocols

CC6_8. Logical and physical access controls
    115. Filter malicious emails
    155. Application free of malicious code

P1_1. Additional criteria for privacy (related to notice and communication of objectives related to privacy)
    186. Use the principle of least privilege

P2_1. Additional criteria for privacy (related to choice and consent)
    310. Request user consent

P3_1. Additional criteria for privacy (related to collection)
    360. Remove unnecessary sensitive information

P3_2. Additional criteria for privacy (related to collection)
    310. Request user consent

P4_1. Additional criteria for privacy (related to use, retention, and disposal)
    189. Specify the purpose of data collection
    310. Request user consent
    314. Provide processing confirmation
    315. Provide processed data information

P4_2. Additional criteria for privacy (related to use, retention, and disposal)
    229. Request access credentials
    300. Mask sensitive data

P4_3. Additional criteria for privacy (related to use, retention, and disposal)
    183. Delete sensitive data securely
    317. Allow erasure requests
    318. Notify third parties of changes
    360. Remove unnecessary sensitive information

P5_2. Additional criteria for privacy (related to access)
    316. Allow rectification requests

P6_1. Additional criteria for privacy (related to disclosure and notification)
    189. Specify the purpose of data collection
    310. Request user consent

P6_2. Additional criteria for privacy (related to disclosure and notification)
    079. Record exact occurrence time of events
    311. Demonstrate user consent

P6_3. Additional criteria for privacy (related to disclosure and notification)
    079. Record exact occurrence time of events

P6_5. Additional criteria for privacy (related to disclosure and notification)
    318. Notify third parties of changes