SOC 2's Trust Service Criteria

March 10, 2020

Once you’ve committed to a SOC 2 report, you’re ready to choose your Trust Service Criteria (TSC) categories.

Start by looking at the five categories from your customers’ perspectives:

  • What questions do they ask you?
  • Are they concerned about uptime and availability?
  • Or do they tend to ask more about data protection?

At a minimum, your SOC 2 report must include the Security category, which is called the “Common Criteria” because it provides a foundation for the other four categories. The other four categories—availability, processing integrity, confidentiality, and privacy—specify new commitments.

Often, companies will focus on Security the first year and add categories over time as their business matures.

Overview of the Trust Service Criteria (TSC) categories

The Trust Service Criteria consist of 5 categories:

  • Security (also known as Common Criteria)
  • Availability
  • Confidentiality
  • Processing integrity
  • Privacy

The latest set of Trust Service Criteria, TSP 100 – 2017, includes 33 main requirements (“Trust Service Criteria and Points of Focus”) for the Security category and 28 optional requirements across the other four categories.

Let’s take a high-level look at each category:

All SOC 2 reports include the Security category.

  • Security: Your systems and the data you store are protected against unauthorized access and unauthorized disclosure.
  • Availability: Your information and systems are available for operation and use.
  • Confidentiality: Confidential information is protected.
  • Processing integrity: System processing is complete, valid, accurate, timely, and authorized. Customer data remains correct throughout the course of data processing.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in accordance with pre-stated policies.

Although the Confidentiality category applies to any sensitive information, the Privacy category applies only to personal information.

Each requirement should be broken down into 1-5 sub-requirements that describe operational best practices.

Note: In a previous iteration of SOC 2 (for reporting before December 15, 2018), the TSCs were called Trust Service Principles. The acronym TSP is still used in some of AICPA’s formal documentation.


Determine the right categories for your business


Security

Security refers to the protection of:

  • information during its collection, creation, use, processing, transmission, and/or storage
  • systems that process, transmit or transfer, and store information.

Security controls are often designed to prevent and detect system failure, incorrect processing, theft, or other unauthorized data removal.

Should I include Security in my report?

Yes! The Security category is mandatory for all SOC 2 reports.


Availability

Availability refers to whether your customers can access your products and services, and availability controls often concern system uptime, monitoring, and maintenance.

Should I include Availability in my report?

You may want to include Availability if your customers often ask you for:

  • A status page
  • Uptime guarantees
  • Service Level Agreements (SLAs) for planned and unplanned downtime


Confidentiality

Confidentiality addresses your company's ability to protect information that’s designated as confidential from its initial collection through its disposal.

Information is “confidential” if you’re required to limit its access, use, and retention or to restrict its disclosure to defined parties. This is distinct from “private information,” which concerns only identifying information.

Should I include Confidentiality in my report?

You may want to include it if your customers:

  • Often ask you to sign NDAs
  • Request that you delete data when contracts end
  • Store sensitive financial or R&D information in your product

Processing Integrity

Processing integrity addresses whether your systems maintain data integrity. This means few-to-no errors, delays, omissions, and/or unauthorized or accidental data manipulation.

Should I include Processing integrity in my report?

You may want to include it if your customers:

  • Rely on your data processing to run parts of their businesses (e.g. you offer a payment processor or a data pipeline tool)


Privacy

Privacy applies only to personal information, such as an individual’s full name or social security number.

The Privacy criteria examine your company’s rules and practices around:

  • Notice and communication of objectives: provide privacy notices to users, customers, and anyone whose data you collect
  • Choice and consent: communicate choices about the collection, use, retention, disclosure, and disposal of personal information
  • Collection: collect only personal information that aligns with the privacy policy
  • Use, retention, and disposal: set limits for the use, retention, and disposal of personal information
  • Access: provide users, customers, or anyone whose data you collect with access to their personal information for review, correction, and updates
  • Disclosure and notification: disclose personal information only with the consent of the user, customer, or person whose data you collect, and provide breach notification to all affected parties
  • Quality: collect and maintain accurate, up-to-date, complete, and relevant personal information
  • Monitoring and enforcement: monitor compliance with privacy policies, including processes to address privacy-related inquiries, complaints, and disputes

Should I include Privacy in my report?

You may want to include it if your customers:

  • Store information in your product that can identify and is sensitive to individuals, like social security numbers, health information, or financial status

You may also find that GDPR compliance is a sufficient substitute for the Privacy criteria.

Examples of how businesses decide to add criteria

Ultimately, which categories to include is your business decision. Let’s walk through a few examples to understand how others have made the decision:

A small startup makes a recruiting tool that has access to recruiters’ email accounts and chooses to add Confidentiality to their report. Providing a SOC 2 report with Confidentiality demonstrates the company is serious about protecting the access they have to the emails their users send and receive.

A company that provides a CI/CD tool, building and deploying code for its customers, adds Availability to their audit. The company demonstrates it understands that if its service is unavailable, its customers may be unable to build and deploy changes to their services.

The company behind a finance app that transfers money on behalf of its customers adds checks (“controls”) for Processing Integrity. Their customers have additional assurance that the company’s systems for transaction processing are accurate.


We hope this gives you a better picture of how the TSC categories interact with SOC 2 reports, but if you’re still feeling overwhelmed, don’t worry—Vanta will help you select just the right TSC categories for your report.

We’ve worked with hundreds of companies and we understand how these commitments vary with business objectives and time. We can save your team time and ensure that your SOC 2 report helps you to build those essential, trusting relationships with your customers.
