A Guide to SOC 2 Trust Services Criteria for SaaS
The SOC 2 Trust Services Criteria are the heart of your audit. They’re the five core principles your security posture is measured against. Forget thinking of them as a rigid checklist; they’re more like a strategic pricing menu you choose from to build customer trust and accelerate revenue.
The five criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only one that’s mandatory for every single audit. The others are electives you pick based on what you promise your customers and what they are willing to pay a premium for.
A Strategic Menu for Building Trust
Developed by the American Institute of CPAs (AICPA), the Trust Services Criteria (or TSCs) give auditors a consistent framework to evaluate how you’re protecting customer data. The smartest move is to treat them as a series of business decisions that directly impact your revenue and risk. By 2025, 100% of enterprise contracts require Security, but the other four criteria drive 70% of premium pricing when scoped.
Your choice of which criteria to include should come down to two questions:
- Contractual Obligations: What have you actually promised your customers in your service agreements and SLAs?
- Revenue Opportunities: What are your highest-value prospects willing to pay for?
Think of Security as the mandatory main course. The other four are side dishes you add to match the promises you’ve made and to justify a higher price point.

The takeaway is simple: Security is the foundation. Everything else is an extension that proves you’re delivering on specific commitments around your service’s performance and data handling.
The Five Trust Services Criteria Explained
Each criterion targets a different piece of the data protection puzzle. The Security criterion is always the starting point, since it covers the foundational controls that protect systems and data from unauthorized access. The other four are selected based on your business model and customer contracts.
Here’s a quick breakdown to help you make sense of it all.
The Five SOC 2 Trust Services Criteria at a Glance
| Trust Service Criterion | Primary Goal | When Is It Required? |
|---|---|---|
| Security | Protect systems and data from unauthorized access, use, or modification. | Always. This is the non-negotiable foundation for every SOC 2 audit. |
| Availability | Ensure the system is available for operation and use as committed or agreed. | When you sell uptime SLAs >99.9% and customers demand proof of RTO/RPO. |
| Processing Integrity | Ensure system processing is complete, valid, accurate, timely, and authorized. | If you process financial transactions, trades, or other critical, high-volume transactions. |
| Confidentiality | Protect information designated as “confidential” from unauthorized disclosure. | When customers demand proof of irreversible data deletion for their sensitive business data. |
| Privacy | Protect Personally Identifiable Information (PII) from collection to disposal. | If you handle PII or AI/ML training data; it’s now table stakes for most SaaS. |
This table shows how each criterion maps to a specific business promise. Your audit scope should directly reflect the commitments you’ve made to your customers.
Making the Right Choice for Your Business
Choosing your criteria is one of the most critical steps in the entire process. While Security is a given, adding the others is a revenue-driven decision. The bottom line for 2025+: Treat the Trust Services Criteria as a pricing menu, not a checklist.
For example, a FinTech platform absolutely needs Processing Integrity. An AI SaaS touching personal data must scope in Privacy. Defaulting to Security + Privacy for any SaaS handling PII or AI data is now the standard. Understanding what SOC 2 compliance means for your specific services is the key to scoping an audit that closes deals 3x faster instead of just being a cost center.
Be strategic. Each additional criterion can increase audit scope costs by $150k–$300k. Use customer demand data to decide. Only add a TSC when over 30% of prospects require it and the pricing uplift covers the incremental audit fee.
The Mandatory Security Criterion
Every SOC 2 journey starts with Security. It’s the non-negotiable foundation of any report and is often called the Common Criteria (CC) because its controls are the bedrock for all the other Trust Services Criteria (TSCs).
Think of it as the core operating system for your compliance. The other TSCs—Availability, Confidentiality, and the rest—are just applications that run on top of it.
The Security criterion is all about one thing: protecting your systems and data from anything that could compromise them. This means guarding against unauthorized access, preventing information from leaking out, and stopping potential damage to your systems before it happens.
Focusing on the Biggest Risk: Logical Access
While Security covers everything from risk assessments to monitoring, one area consistently trips companies up during an audit. Logical and physical access controls (CC6) are the #1 failure point in 2025.
It’s the top reason for qualified opinions, with a shocking number of auditors citing weak access controls. Research shows that 68% of qualified opinions can be traced directly back to basic mistakes like MFA gaps, stale user accounts, or shared credentials.
This isn’t just a random statistic; it’s a bright, flashing sign telling you exactly where to focus your resources for the biggest impact.
Building a Bulletproof Access Control Strategy
To satisfy auditors and actually secure your environment, your access control strategy needs to be modern and absolute. The goal is to ditch outdated trust models and move to a framework where access is never, ever assumed.
A rock-solid strategy has a few key components:
- Enforce Universal MFA: Multi-factor authentication needs to be on for every single service, endpoint, and API key. No exceptions. Using an identity provider like Okta or GSuite is the standard here.
- Adopt Zero-Trust Principles: This is the “never trust, always verify” model. Enforce a BeyondCorp-style architecture where every access request must be authenticated and authorized, whether it comes from inside or outside your network.
- Automate User Deprovisioning: When someone leaves, their access has to be revoked instantly. Auditors look for automated deprovisioning—using a protocol like SCIM to auto-deprovision accounts in under 5 minutes is a key control they’ll test quarterly via privileged access reviews.
Key Takeaway: Mastering access controls with a zero-trust architecture isn’t just about passing an audit. This single TSC focus eliminates an estimated 80% of breach risk and most auditor exceptions before they can even be written up.
From Compliance Task to Operational Integrity
Ultimately, getting the Security criterion right forces you to build a culture of operational discipline. The Common Criteria (CC series 1–5) apply to every TSC, so you don’t have to pay twice.
When you build your enterprise risk register, set up quarterly monitoring in a platform like Vanta, and dial in your communication protocols, you create a reusable foundation. These core activities can be mapped directly to any other TSC you add later.
This “build once, map many” approach saves 25–35% on evidence preparation and auditor hours down the line. It turns a mandatory requirement into a massive strategic efficiency. Getting Security right isn’t just the first step—it’s the most important one.
Ensuring Uptime with the Availability Criterion
Anyone can slap a 99.99% uptime promise on their marketing site. Proving you can actually deliver on that promise—with RTO/RPO evidence in the report—is what the Availability Trust Service Criterion is all about.
If you sell uptime SLAs greater than 99.9%, adding Availability to your SOC 2 scope is non-negotiable. It’s the proof your customers now demand that you can handle disruptions and keep their operations running.

Proving Resilience Beyond Promises
When an auditor digs into Availability, they’re not looking for fancy documentation. They’re looking for battle-tested plans for business continuity and disaster recovery. They need to see hard evidence that you can recover from a real incident.
Frankly, this is where a lot of companies stumble, with 2025 failures averaging a 42% exception rate on disaster recovery testing. A DR plan on paper that’s never been tested is worthless. Your customers know this, and they’re demanding to see real RTO/RPO test results. The only way to deliver is by running (and documenting) annual tabletop and live failover drills. You can learn more about how auditors approach this criterion.
To pass muster, your controls need to cover a few key areas:
- Capacity Planning (CC4): You need to show you’re monitoring system performance and planning ahead to prevent slowdowns and crashes.
- Disaster Recovery (DR) Testing: This is the big one. Run and document annual tabletop and live failover drills.
- Incident Response: You need a clear, actionable plan for what happens when a security incident or outage occurs.
Key Metrics: RTO and RPO
Two metrics are at the heart of your Availability controls: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). These aren’t just technical terms; they are firm, auditable commitments to your customers.
- RTO (Recovery Time Objective): This is your promise for how quickly you can get back online after a disaster. An RTO of less than 4 hours means you must restore service within that window.
- RPO (Recovery Point Objective): This measures how much data you can afford to lose. An RPO of less than 15 minutes means you’ll never lose more than the last 15 minutes of data.
Auditor Insight: Simply stating your RTO and RPO goals is worthless. You must have evidence from live failover drills. Smart companies store immutable backups in separate regions and include test results in the Section 4 appendices of their SOC 2 report. It’s the concrete proof that slams the door on any customer doubts.
Turning Availability into a Financial Shield
Getting the Availability criterion right isn’t just about passing an audit—it’s about protecting your revenue. For a SaaS company, failing to meet an uptime SLA can trigger painful service credits, financial penalties, and a catastrophic loss of customer trust.
A SOC 2 report that includes Availability acts as an independent validation of your resilience. It proves your business continuity plans aren’t just theory. This documented proof can directly convert to $1M+ in credits liability protection and turns your uptime promise into a bankable asset.
Protecting Sensitive Data with Confidentiality and Privacy
If the Security criterion is about building the fortress walls, Confidentiality and Privacy are the elite guards protecting the crown jewels inside. These two SOC 2 trust services criteria are often lumped together, but they tackle different—and increasingly critical—jobs for any SaaS business.
Confidentiality is about protecting specific, pre-defined sets of sensitive business information. Privacy has a laser focus on one thing: protecting Personally Identifiable Information (PII).

Confidentiality: Proving Data Is Truly Gone
For years, the Confidentiality criterion was mostly about encryption. Not anymore. Encryption alone is not enough. Today, auditors and savvy customers have shifted their focus to a much harder problem: secure data disposal, as required by CC7.1–7.4. It’s no longer good enough to say you’ll delete a customer’s data; you must provide proof of disposal, including a 30-day deletion and certificate of destruction.
This is a huge tripwire for a lot of companies. To satisfy auditors, you need an automated, auditable process that leaves no trace.
A modern approach that auditors love looks something like this:
- Use Immutable Storage Locks: Tools like Amazon S3 Object Lock are perfect for this. They prevent data from being changed or deleted before its time is up.
- Automate Lifecycle Policies: You set up automated rules with audit logs that permanently nuke data after a defined period—say, 30 days after a customer contract ends.
- Generate Deletion Attestations: The gold standard is an on-demand API that generates a deletion attestation or certificate of destruction. This is undeniable proof their data has been wiped clean.
The Revenue Angle: Companies that can prove irreversible deletion of customer data command 15–25% higher prices. Suddenly, Confidentiality isn’t just a compliance checkbox; it’s a powerful sales tool that builds incredible customer trust.
Privacy: The New Standard for AI and PII
If your platform touches PII or uses customer data for AI/ML workloads, the Privacy TSC is now table stakes. With GDPR 2.0 and 38 new state laws in 2025, Privacy is scoped in 85% of SaaS contracts involving embeddings or training data. The AICPA’s emerging guidance on AI/ML Governance is also now mapped to Privacy and CC9 controls.
Nailing the Privacy TSC requires a methodical approach to data governance. It’s about turning AI features from a liability into a 30% pricing premium.
Let’s get practical. The goal is to show you’re not just compliant, but transparent and user-centric. This means:
- Map Your Data Flows: You need to map every data flow to the 10 Privacy criteria (notice, choice, access, retention).
- Document AI/ML Governance: Add CC9.2 controls for LLM data lineage, model drift alerts, and document embeddings as exportable assets.
- Build User-Facing APIs: Implement export and deletion APIs that complete in under 30 days and prove it via automated Vanta tests.
This approach not only de-risks your AI roadmap but also positions you for 2026’s EU AI Act Tier-1 compliance pricing.
To make the distinction crystal clear, here’s a quick breakdown of how these two criteria differ.
Confidentiality vs Privacy Key Differences
| Aspect | Confidentiality | Privacy |
|---|---|---|
| Focus | Protecting specific, designated business data from unauthorized disclosure. | Protecting Personally Identifiable Information (PII) throughout its entire lifecycle. |
| Data Protected | Intellectual property, trade secrets, M&A details, financial forecasts, internal strategies. | Customer names, emails, addresses, phone numbers, health information, AI/ML training data. |
| Primary Driver | Driven by contractual obligations (NDAs) and the need to protect competitive advantage. | Driven by legal and regulatory requirements (GDPR 2.0, state laws) and consumer expectations for AI. |
Ultimately, while both criteria protect sensitive information, Confidentiality is about keeping your company’s secrets, and Privacy is about respecting your users’ personal data.
Guaranteeing Accuracy with Processing Integrity
If your business handles any kind of transaction—payments, trades, or critical data automation—then the Processing Integrity criterion is the silent killer of deals. It’s built to answer one simple question for your customers: does your system do exactly what you claim it will, every single time, without fail?
While other criteria are about keeping the lights on or locking the doors, Processing Integrity is laser-focused on the transactional heart of your service. It’s designed to prove that every process is complete, valid, accurate, timely, and authorized.
Why So Many Companies Fail This Criterion
Despite its importance, Processing Integrity is a notorious stumbling block. In 2025, it saw a 55% exception rate on completeness and accuracy testing.
Why? Because it’s incredibly difficult to prove.
Auditors aren’t just glancing at your code. They are rigorously testing the entire end-to-end flow of your transactions. They need to see hard evidence that your system catches errors, reconciles inputs against outputs, and maintains a perfect, tamper-proof record of every event. A simple database log isn’t going to cut it.
Building a System That Can Actually Be Audited
To get through your audit and land those high-value enterprise clients, you need to build controls that offer mathematical proof of integrity. This approach transforms your system from a “black box” that customers just have to trust into a transparent, verifiable process.
Here are the key controls auditors are looking for:
- End-to-End Reconciliation: You need automated checks that are constantly balancing inputs and outputs. For example, if your system takes in 1,000 invoices, it must confirm that 1,000 corresponding payments were calculated and disbursed correctly.
- Hash Chaining for Immutability: Implement techniques like hash chaining or Merkle proofs (e.g., using EventStore) to create an unchangeable ledger. This makes it mathematically impossible for a record to be altered without leaving a trace.
- Quarterly Transaction Testing: Don’t wait for the audit to find problems. You should be proactively testing 100% of your material transaction types every quarter to find and fix errors before your auditor ever sees them.
Expert Insight: Processing Integrity is non-negotiable for any service touching financial or other vital transactions, yet it sees sky-high exception rates. The winning strategy is to implement end-to-end reconciliation and hash chaining, then test all material transaction types quarterly. This turns a common failure point into a major selling point for large enterprise clients.
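As an added illustration (not code from this article or from any product it names), here are the two controls above in working form: an append-only hash-chained ledger whose verify() reports the first altered record, and a reconciliation that confirms every invoice produced exactly one payment of the same amount. The record layout and the sample invoices are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # previous-hash value for the first ledger entry


def _digest(prev_hash, record):
    """Hash the previous link plus a canonical (sorted-key, compact) JSON record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Ledger:
    """Append-only log; every entry's hash commits to every entry before it."""
    entries: list = field(default_factory=list)  # each: {"record": ..., "hash": ...}

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = _digest(prev, record)
        self.entries.append({"record": dict(record), "hash": digest})
        return digest

    def verify(self):
        """Recompute every link; return the index of the first bad entry, else None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if _digest(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def sample_invoices(n):
    """Constructed sample input: n invoices with distinct amounts."""
    return [{"id": f"INV-{i:04d}", "amount_cents": 1000 + i} for i in range(n)]


def process_invoices(invoices):
    """Calculate one payment per invoice and record both sides in the same ledger."""
    ledger = Ledger()
    for inv in invoices:
        ledger.append({"type": "invoice", "id": inv["id"], "amount_cents": inv["amount_cents"]})
        ledger.append({"type": "payment", "invoice_id": inv["id"], "amount_cents": inv["amount_cents"]})
    return ledger


def reconcile(ledger):
    """Completeness and accuracy check: each invoice has exactly one payment of equal amount."""
    invoices, payments = {}, {}
    for entry in ledger.entries:
        rec = entry["record"]
        if rec["type"] == "invoice":
            invoices[rec["id"]] = rec["amount_cents"]
        elif rec["type"] == "payment":
            payments.setdefault(rec["invoice_id"], []).append(rec["amount_cents"])
    # Missing, duplicate, or mis-valued payments all show up as exceptions.
    exceptions = [i for i, amt in invoices.items() if payments.get(i, []) != [amt]]
    exceptions += [p for p in payments if p not in invoices]  # payments with no invoice
    return {"invoices": len(invoices),
            "payments": sum(len(v) for v in payments.values()),
            "exceptions": exceptions}


if __name__ == "__main__":
    ledger = process_invoices(sample_invoices(1000))
    print("chain intact:", ledger.verify() is None, "|", reconcile(ledger))
    ledger.entries[5]["record"]["amount_cents"] += 1  # simulate an after-the-fact edit
    print("first tampered entry:", ledger.verify())  # 5
```

Persisting the latest hash somewhere the application cannot rewrite (an auditor-held copy, or an object-locked bucket) is what makes the chain evidence rather than just a log.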
From a “Nice-to-Have” to a Deal-Closer
For many SaaS companies, Processing Integrity can feel like an optional add-on. But for enterprise customers in finance, logistics, or healthcare, it’s a dealbreaker.
These clients aren’t just buying a neat feature; they’re outsourcing a critical business function. They simply cannot tolerate transactional errors that could lead to massive financial losses or painful regulatory penalties.
Including Processing Integrity in your SOC 2 report provides that independent, third-party validation that your system is not just clever, but also reliable and accurate. It elevates your service from a convenient tool to mission-critical infrastructure. This is how you turn a “nice to have” into a mandatory requirement for $100M+ revenue clients.
Scoping Your SOC 2 Report Strategically
Once you understand the SOC 2 trust services criteria, the real work begins: deciding which ones actually matter for your business. The secret is to stop thinking of your SOC 2 scope as a compliance checklist and start treating it like a strategic pricing menu—one designed to land high-value customers.
Every single criterion you bolt onto your audit adds complexity and cost. This “scope creep” costs $250k+ per extra TSC, with the average audit cost jumping by as much as 40% for each additional criterion. Adding a criterion that your customers don’t value is one of the fastest ways to destroy your margins.
Let Customer Demand Drive Your Scope
Instead of guessing which criteria to include, let your most valuable prospects make the decision for you. The best approach is often the most direct one.
Once a year, survey your top 20 prospects and customers. Ask them one simple question: “Which Trust Services Criteria do you require in a SOC 2 report?” This cuts through the noise and aligns your compliance roadmap directly with revenue.
The 30% Rule: Here’s a smart guideline we recommend: only add a new TSC when more than 30% of your target customers demand it and the pricing uplift covers the incremental $150k–$300k audit fee. This keeps your margins intact while staying customer-aligned.
Future-Proof Your Compliance with Automation
The most significant strategic move you can make is building for continuous, automated auditing from day one. This mindset transforms SOC 2 from a massive, one-time project into a scalable revenue lever.
Platforms like Vanta, Drata, and Secureframe are your best friends here. In 2025, leaders run 70% of controls via automation, allowing them to define a control just once and then map that single piece of evidence across multiple TSCs. This “build once, map many” approach saves a staggering 25–35% on evidence prep and auditor hours. To get your program started on the right foot, consider a comprehensive SOC 2 readiness assessment.
By instrumenting every control with API evidence (Okta logs, CloudTrail, S3 access logs), you can slash the cost of adding a new TSC to less than $50k instead of $300k. When a major prospect requires a new criterion to close a deal, you can effectively “flip a switch” and issue a bridge letter in 30 days.
This agility turns compliance from a cost center into a powerful revenue lever. When you get this right, SOC 2 becomes one of the single biggest margin drivers in your SaaS P&L.
Frequently Asked Questions
Got questions about the SOC 2 Trust Services Criteria? You’re not alone. Here are the straight answers to the most common ones we hear.
What Is the Difference Between a SOC 2 Type 1 and Type 2 Report?
This is where most people get tripped up, but it’s pretty simple when you break it down.
A SOC 2 Type 1 report is a snapshot. An auditor looks at your controls on a single day and confirms you have the right security policies and procedures designed and documented. Think of it as an architect checking the blueprints for a new building—everything looks good on paper.
A SOC 2 Type 2 report is the real deal. It’s a video, not a snapshot. The auditor tests whether your controls actually worked as intended over a longer period, usually six to twelve months. It’s the proof that you don’t just talk the talk; you walk the walk, day in and day out. This is why nearly every enterprise customer will ask for a Type 2.
How Long Does It Take to Get a SOC 2 Report?
There’s no single answer, but here’s a realistic breakdown. If you’re starting from absolute scratch, just getting ready for the audit can take three to six months. This is the “readiness” phase where you’re busy writing policies, setting up security tools, and documenting all your controls.
Once you’re ready, the Type 2 observation period begins, which lasts another six to twelve months. After that clock runs out, the auditor needs about four to six weeks for the actual fieldwork and to write the final report.
Add it all up, and the entire journey from start to finish can take anywhere from nine to eighteen months. Don’t wait until a big deal is on the line to get started.
Which Trust Services Criteria Should My SaaS Company Start With?
Every single SOC 2 audit—no exceptions—must include the Security criterion. It’s the foundation for everything else.
From there, you only add what your business promises and what your customers demand.
- Availability: Choose this if you have SLAs guaranteeing uptime, like 99.9% availability. It proves you have the systems in place to meet that promise.
- Confidentiality: Essential if your service handles sensitive data protected by NDAs and customers demand proof of irreversible data deletion.
- Processing Integrity: This one’s for the FinTechs and automation platforms. If you process critical transactions and accuracy is everything, you need this criterion.
- Privacy: If you’re handling any kind of PII (personally identifiable information) or using customer data to train your AI models, you must add Privacy to your audit.
The smartest move? Default to Security + Privacy for any SaaS touching PII or AI data; add Availability if you sell uptime SLAs >99.9%; and skip the rest unless customers pay a 20%+ uplift.
Finding the right auditor is the most critical step in your SOC 2 journey. At SOC2Auditors, we replace the endless sales calls and confusing proposals with a data-driven matching platform. Get three tailored, unbiased auditor matches in 24 hours and compare real pricing, timelines, and verified client satisfaction scores. Find your perfect SOC 2 auditor with confidence today.