Actionable insights on SOC 2, ISO 27001, GRC, and DevSecOps

SOC 2 Trust Services Criteria: Comprehensive Guide

Written by Truvo Cyber | Oct 21, 2025 12:06:43 PM

If you’re preparing for a SOC 2 audit, understanding the Trust Services Criteria (TSC) is foundational. These five categories: Security, Availability, Confidentiality, Processing Integrity, and Privacy, define the scope of your compliance and determine what controls your auditors will evaluate. But which ones should you include, and why? Here’s a comprehensive guide.

What Are Trust Services Criteria?

Trust Services Criteria are the backbone of any SOC 2 examination. Developed by the AICPA, they provide a structured way to assess the design and effectiveness of controls across five categories:

  • Security: Protection against unauthorized access
  • Availability: System uptime and continuity
  • Confidentiality: Protection of sensitive data
  • Processing Integrity: Accuracy and completeness of data processing
  • Privacy: Proper handling of personal data

These are not one-size-fits-all. Your selection of TSCs should reflect your service commitments and contractual obligations—not just your tech stack or industry.

1. Security: The Foundational TSC

The Security category includes all nine Common Criteria (CC) and is mandatory in every SOC 2 report:

  • CC1: Control Environment
  • CC2: Information & Communications
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical & Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

This sets the baseline for access control, incident response, and change management. For many SaaS companies, it’s the only category needed for initial audits.

Relevant Truvo article: SOC 2 / ISO 27001 Frequently Asked Questions

2. Availability: Cloud-Readiness Meets Business Continuity

Availability includes three additional criteria beyond Security, covering:

  • Backups and data redundancy
  • Disaster recovery planning and testing
  • Multi-region deployments and replication

Include this category if you’ve made SLAs or public guarantees around uptime. Cloud-native features often make it easier to support. You’ll typically implement 8–10 controls here.

3. Confidentiality: Protecting Sensitive Information

Confidentiality includes two criteria focused on secure handling of proprietary or sensitive data. It becomes essential when you:

  • Promise data deletion timelines (e.g., 30 days post-contract)
  • Store customer data in staging or non-prod environments
  • Work with regulated data like trade secrets or IP

Related content: Unpacking SOC 2: What Are CSOCs and Why Does Their Inclusion in an Audit Matter?

4. Processing Integrity: Accuracy in Mission-Critical Systems

With five criteria, this category ensures that data processing is complete, valid, accurate, timely, and authorized. Include it if your product processes or generates data your customers rely on:

  • Billing engines
  • Payroll platforms
  • Financial or analytics tools

Controls must be tailored to application logic and data flows.

5. Privacy: Handling Personal Data with Care

Privacy covers eight criteria and applies mainly to data controllers who interact directly with end users and PII. Include it if you:

  • Collect PII directly
  • Offer opt-in/out mechanisms
  • Handle SARs (Subject Access Requests)

If you’re just processing data on behalf of another party, Confidentiality may be enough.

Real-World Commitment Examples

Commitment TSC Required
“99.9% uptime SLA” Availability
“Delete customer data within 30 days” Confidentiality
“Accurate billing statements” Processing Integrity
“GDPR-compliant privacy notice” Privacy

Typical SOC 2 Scopes by Business Type

Business Type Common TSCs
B2B SaaS (early stage) Security only
FinTech platforms Security + Availability + Confidentiality
Payroll/HR Tech Security + Processing Integrity + Confidentiality
AdTech collecting PII Security + Privacy + Confidentiality

Best Practices for Scoping and Controls

  • Start with Security: It’s required and foundational.
  • Let your MSA be your guide: Scope based on commitments.
  • Don’t over-include: More TSCs = more audit work.
  • Review scope annually: As your business grows, so should your controls.

How to Automate the Trust Services Criteria

Understanding these criteria is the first step, but the key to scaling your compliance and saving countless engineering hours is automation. Manually collecting evidence for hundreds of controls across these five criteria is time-consuming and unsustainable.

Modern GRC platforms are designed to solve this exact problem. To learn exactly how tools like Drata and Vanta connect to your cloud environment to provide continuous monitoring and evidence collection, see our complete guide.

Read Now: The Ultimate Guide to SOC 2 Automation for SaaS Companies

How Truvo Cyber Can Help

At Truvo, we specialize in managed SOC 2 compliance for cloud-native startups and scaling companies. Our services include:

  • Determining which TSCs you need based on commitments
  • Designing audit-ready controls
  • Managing your GRC platform (Scrut Automation, Drata, Vanta, Secureframe)

Whether you’re getting started or expanding your audit scope, we simplify your journey. Contact us today to get started.

Schedule a free GRC consultation to explore how Truvo can help you achieve SOC2 audit-readiness and modernize your GRC program, without slowing down innovation.
View full post