Quick Reference
Security (Common Criteria): Required
The Security category evaluates whether the system is protected against unauthorized access, both physical and logical, that could compromise its ability to meet the organization's objectives. It is often labelled "Common Criteria" (CC) because it consists solely of the common criteria CC1 through CC9, which the AICPA applies to every SOC2 engagement regardless of which other categories are selected; this has nothing to do with the ISO/IEC 15408 "Common Criteria" used to certify security products. In practice every SOC2 report includes Security.
- Logical access controls (who can access what systems)
- Multi-factor authentication enforcement
- Encryption at rest and in transit
- Firewall and network segmentation
- Incident detection and response procedures
When to add: always; it is included in every SOC2 engagement.
Cost impact: baseline. All additional TSC costs are added on top of Security.
Availability
The Availability criterion evaluates whether the system is available for operation and use as committed or agreed in your customer contracts or SLA. It focuses on uptime, disaster recovery, and business continuity.
- System uptime monitoring and SLA compliance
- Disaster recovery planning and testing
- Business continuity documentation and drills
- Capacity planning and performance monitoring
- Redundancy and failover mechanisms
When to add: you provide SLA uptime guarantees (99.9%+), your customers explicitly ask about availability controls, or you serve healthcare, financial services, or other industries where system downtime has critical consequences.
When to skip: your product doesn't have material uptime commitments, or your customers haven't asked about availability specifically.
Cost impact: adds ~15-20% to total audit cost.
Processing Integrity
Processing Integrity evaluates whether system processing is complete, valid, accurate, timely, and authorized. This matters when the accuracy of data transformation or transaction processing is a core service commitment.
- Data validation and input checks
- Error handling and exception processing
- Transaction completeness verification
- Output accuracy and reconciliation procedures
- Change management for processing logic
When to add: you are a payment processor, data transformation platform, financial reporting system, or any service where incorrect data processing could harm your customers financially or operationally.
When to skip: you are a pure SaaS application where storage and access are the primary concerns, not data transformation accuracy.
Cost impact: adds ~10-15% to total audit cost.
Confidentiality
The Confidentiality criterion evaluates whether information designated as confidential is protected according to your commitments. This is distinct from Privacy — Confidentiality covers business-sensitive data (trade secrets, financial data, proprietary information), not just personal data.
- Data classification policies (what is 'confidential')
- Access restrictions on confidential datasets
- NDA management and enforcement
- Encryption of confidential data at rest and in transit
- Secure disposal of confidential information
When to add: you handle trade secrets, legally privileged information, financial data, or business-sensitive customer data where confidentiality is a contractual commitment. Common in legal tech, HR software, financial platforms, and professional services software.
When to skip: your customers primarily care about personal data privacy (add the Privacy TSC instead) or basic security controls rather than protection of confidential business data specifically.
Cost impact: adds ~10-15% to total audit cost.
Privacy
The Privacy criterion evaluates whether personal information is collected, used, retained, disclosed, and disposed of according to your stated privacy commitments and applicable regulations (CCPA, GDPR, COPPA, etc.).
- Notice and consent for personal data collection
- Data subject rights (access, deletion, portability)
- Retention and disposal policies for personal data
- Breach notification procedures
- Third-party data sharing controls
When to add: you handle significant volumes of consumer PII, your customers are subject to CCPA or GDPR and need to verify their vendors' privacy controls, or your customers specifically ask about the Privacy TSC in RFPs.
When to skip: you handle only business data (not consumer PII), or your privacy requirements are adequately covered by your Security controls.
Cost impact: adds ~15-25% to total audit cost. It is the most complex TSC to satisfy because of the regulatory overlay.
Frequently Asked Questions
Which Trust Services Criteria do I actually need?
Start with Security (always required). Ask your top enterprise prospects what they look for in a SOC2 report — many will have a standard checklist. Common combinations: (1) Security only — most seed/Series A SaaS; (2) Security + Availability — companies with SLA commitments; (3) Security + Confidentiality — legal tech, HR software, professional services; (4) Security + Availability + Confidentiality — financial SaaS; (5) All 5 TSC — enterprise platforms with broad compliance requirements. Only add what your buyers actually require.
Can I add more Trust Services Criteria after my initial audit?
Yes. You can expand scope in a subsequent Type 2 audit. However, the controls for the new criteria must operate through their own observation period before the auditor can test them, so the added coverage lags by at least one period. Plan your TSC selection carefully upfront; mid-engagement scope expansion adds cost and time.
What is the difference between Confidentiality and Privacy TSC?
Confidentiality covers designated confidential information — trade secrets, proprietary business data, financial information, and data you've contractually committed to keep confidential. Privacy covers personal information about individuals and is tied to applicable privacy laws (CCPA, GDPR) and your privacy notice. A legal technology platform would likely add Confidentiality. A consumer app collecting personal information would add Privacy.
How do Trust Services Criteria relate to HIPAA and PCI-DSS?
TSC and HIPAA/PCI-DSS are complementary, not interchangeable, and neither regime accepts a SOC2 report as a substitute for its own requirements. If you handle PHI, you must sign a HIPAA BAA with each covered entity or business associate you serve and meet the HIPAA Security and Privacy Rules regardless of which TSC you select; SOC2 Security covers much of the Security Rule's administrative and technical safeguards, and adding Privacy addresses how personal information is collected, used and disclosed, but neither is a HIPAA attestation on its own. If you handle payment card data, you need a separate PCI-DSS assessment (a Report on Compliance from a QSA, or a self-assessment questionnaire where your transaction volume and integration model make you eligible) in addition to SOC2 Security and possibly Processing Integrity. Some auditors can include a HIPAA or other framework mapping as additional subject matter in the SOC2 report, which reduces duplicated evidence collection.