If you’re preparing for a SOC 2 audit, understanding the Trust Services Criteria (TSC) is foundational. The five categories (Security, Availability, Confidentiality, Processing Integrity, and Privacy) define the scope of your examination and determine which controls your auditor will evaluate. But which ones should you include, and why? Here’s a comprehensive guide.
What Are Trust Services Criteria?
Trust Services Criteria are the backbone of any SOC 2 examination. Developed by the AICPA, they provide a structured way to assess the design (Type I) and the design and operating effectiveness (Type II) of controls across five categories:
- Security: Protection against unauthorized access
- Availability: System uptime and continuity
- Confidentiality: Protection of sensitive data
- Processing Integrity: Accuracy and completeness of data processing
- Privacy: Proper handling of personal data
These are not one-size-fits-all. Security is always in scope; the other four are added based on the service commitments and system requirements you have made to customers (in your MSA, SLAs, and privacy notices), not just your tech stack or industry.
1. Security: The Foundational TSC
The Security category consists of the nine Common Criteria (CC) series and is mandatory in every SOC 2 report:
- CC1: Control Environment
- CC2: Communication & Information
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
- CC6: Logical & Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
This sets the baseline for access control, incident response, and change management. For many SaaS companies, it’s the only category needed for initial audits.
Relevant Truvo article: SOC 2 / ISO 27001 Frequently Asked Questions
2. Availability: Cloud-Readiness Meets Business Continuity
Availability adds three criteria (A1.1–A1.3) beyond the Common Criteria, covering:
- Backups and data redundancy
- Disaster recovery planning and testing
- Multi-region deployments and replication
Include this category if you’ve committed to an SLA or made public guarantees around uptime. Managed cloud services (automated backups, multi-AZ or multi-region replication) make these controls easier to implement and to evidence. You’ll typically implement 8–10 controls here.
3. Confidentiality: Protecting Sensitive Information
Confidentiality adds two criteria (C1.1 and C1.2) covering how confidential information is identified, protected, and disposed of. It becomes essential when you:
- Promise data deletion timelines (e.g., 30 days post-contract)
- Store customer data in staging or non-prod environments
- Handle customer trade secrets, IP, or other information protected under NDA
Related content: Unpacking SOC 2: What Are CSOCs and Why Does Their Inclusion in an Audit Matter?
4. Processing Integrity: Accuracy in Mission-Critical Systems
With five criteria (PI1.1–PI1.5), this category covers whether system processing is complete, valid, accurate, timely, and authorized. Include it if your product processes or generates data your customers rely on:
- Billing engines
- Payroll platforms
- Financial or analytics tools
Controls must be tailored to your application logic and data flows (input validation, processing checks, output reconciliation, error handling); there is no generic control set that fits every system.
5. Privacy: Handling Personal Data with Care
Privacy covers eight criteria (P1–P8) and applies mainly to data controllers: organizations that decide why and how personal information is collected and that interact directly with end users and their PII. Include it if you:
- Collect PII directly
- Offer opt-in/out mechanisms
- Handle SARs (Subject Access Requests) and other data-subject rights requests
If you only process personal data on behalf of another party (a controller), Confidentiality may be enough, provided your contracts don’t make privacy-specific commitments.
Real-World Commitment Examples
| Commitment | TSC Required |
|---|---|
| “99.9% uptime SLA” | Availability |
| “Delete customer data within 30 days” | Confidentiality |
| “Accurate billing statements” | Processing Integrity |
| “GDPR-compliant privacy notice” | Privacy |
Typical SOC 2 Scopes by Business Type
| Business Type | Common TSCs |
|---|---|
| B2B SaaS (early stage) | Security only |
| FinTech platforms | Security + Availability + Confidentiality |
| Payroll/HR Tech | Security + Processing Integrity + Confidentiality |
| AdTech collecting PII | Security + Privacy + Confidentiality |
Best Practices for Scoping and Controls
- Start with Security: It’s required and foundational.
- Let your MSA be your guide: scope based on the commitments you’ve actually made.
- Don’t over-include: each additional TSC brings more criteria, controls, and evidence, so more audit work.
- Review scope annually: As your business grows, so should your controls.
How to Automate the Trust Services Criteria
Understanding these criteria is the first step, but the key to scaling your compliance and saving countless engineering hours is automation. Manually collecting evidence for hundreds of controls across these five criteria is time-consuming and unsustainable.
Modern GRC platforms are designed to solve this exact problem. To learn exactly how tools like Drata and Vanta connect to your cloud environment to provide continuous monitoring and evidence collection, see our complete guide.
Read Now: The Ultimate Guide to SOC 2 Automation for SaaS Companies
How Truvo Cyber Can Help
At Truvo, we specialize in managed SOC 2 compliance for cloud-native startups and scaling companies. Our services include:
- Determining which TSCs you need based on commitments
- Designing audit-ready controls
- Managing your GRC platform (Scrut Automation, Drata, Vanta, Secureframe)
Whether you’re getting started or expanding your audit scope, we simplify your journey. Contact us today to get started.
Schedule a free GRC consultation to explore how Truvo can help you achieve SOC 2 audit-readiness and modernize your GRC program, without slowing down innovation.
Ready to Build Your SOC 2 Roadmap?
Our free, no-obligation assessment will give you a clear, actionable plan to achieve compliance.