May 26, 2026
9 min read

SOC 2 Trust Services Criteria: The Complete 2026 Reference (Security, Availability, Confidentiality, Processing Integrity, Privacy)

The 5 SOC 2 Trust Services Criteria explained: Security (CC1-CC9), Availability, Confidentiality, Processing Integrity, and Privacy. What auditors evaluate.


TL;DR

  • The SOC 2 Trust Services Criteria (TSC) is the AICPA's framework defining what an auditor evaluates during a SOC 2 audit. Five criteria total: Security, Availability, Confidentiality, Processing Integrity, Privacy.
  • Security is mandatory for every SOC 2 audit. The other four are optional — you include them based on what your customers and regulators expect.
  • Security is organized into 9 Common Criteria (CC1-CC9). The optional TSCs add their own criteria on top.
  • Most SaaS companies start with Security only. Healthcare and fintech often add Confidentiality and Availability. Consumer-data businesses sometimes add Privacy to align with GDPR / CCPA.
  • Strac Comply maps live evidence to every criterion automatically — and uniquely covers the data-protection criteria (CC6.6, CC6.7, Confidentiality) with the Strac DLP product directly. Start at comply.strac.io →

Mapping TSCs to evidence? Strac Comply auto-maps live system events — cloud config, SaaS audit logs, endpoint posture, DLP events, MCP tool calls — to every Trust Services Criterion. The same Strac platform protecting your data generates the audit evidence. Start at comply.strac.io →

✨ What Are the Trust Services Criteria?

The AICPA's 2017 Trust Services Criteria (TSC 2017, the current version) is the framework auditors use to evaluate a service organization's controls. Five criteria total:

| Criterion | What it covers | Required? |
|---|---|---|
| Security (Common Criteria) | Protection against unauthorized access, system compromise, and data theft | Mandatory |
| Availability | System uptime, disaster recovery, business continuity | Optional |
| Confidentiality | Protection of confidential information (contracts, NDAs, proprietary data) | Optional |
| Processing Integrity | System processing is complete, valid, accurate, timely, and authorized | Optional |
| Privacy | Personal information collection, use, disclosure aligned with the org's privacy notice | Optional |

Each TSC contains specific criteria the auditor will probe. Security alone has 9 Common Criteria (CC1-CC9) with ~64 control points. The four optional TSCs add their own criteria on top.

✨ Security (Common Criteria, CC1-CC9)

The mandatory backbone of every SOC 2 audit.

| Common Criterion | Coverage | Control point count |
|---|---|---|
| CC1 | Control Environment: tone at the top, organizational structure, accountability | 5 |
| CC2 | Communication & Information: how security info flows internally and externally | 3 |
| CC3 | Risk Assessment: objectives, risk identification, fraud risk | 4 |
| CC4 | Monitoring Activities: ongoing evaluation of controls | 2 |
| CC5 | Control Activities: policies, procedures, technology general controls | 3 |
| CC6 | Logical & Physical Access Controls (the largest section): access, encryption, DLP, network | 8 |
| CC7 | System Operations: vulnerability management, monitoring, incident response | 5 |
| CC8 | Change Management: production change controls | 1 |
| CC9 | Risk Mitigation: business continuity, vendor risk | 2 |

CC6 is where most audit time goes. It covers MFA, SSO, RBAC, encryption, DLP, network segmentation, endpoint protection, physical access — basically every meaningful technical control. Two specific sub-criteria deserve attention:

  • CC6.6 — data classification and protection at boundaries. DLP coverage at the SaaS / cloud / endpoint / AI surface.
  • CC6.7 — restricted access to information including encryption at rest and in transit + DLP redaction + secret management.

Strac uniquely covers CC6.6 / CC6.7 because Strac DLP ships with Strac Comply as one platform — the data-protection evidence comes from the same product securing the data. For the full controls reference, see SOC 2 controls.

✨ Availability

Optional. Covers system uptime, disaster recovery, business continuity.

| Criterion | What it covers |
|---|---|
| A1.1 | Capacity management, performance monitoring |
| A1.2 | Environmental protection, system recovery |
| A1.3 | Recovery infrastructure tested |

Common evidence:

  • Uptime monitoring data and SLA tracking
  • Auto-scaling configurations
  • Multi-region or multi-AZ failover architecture
  • DR plan with annual exercise
  • RTO / RPO documentation per critical system
  • Post-incident reviews after any availability incident

When to include Availability: customers whose business depends on your uptime (financial services, healthcare, real-time systems). Skip if you're an early-stage SaaS where customers don't yet ask about availability formally.

✨ Confidentiality

Optional. Covers protection of confidential information — NDAs, contracts, intellectual property, proprietary data.

| Criterion | What it covers |
|---|---|
| C1.1 | Identification and protection of confidential information |
| C1.2 | Disposal of confidential information |

Common evidence:

  • Data classification labels applied to confidential datasets
  • Encryption of confidential data at rest and in transit
  • DLP policies preventing exfiltration of confidential content
  • Confidentiality clauses in contracts and NDAs
  • Secure disposal of confidential data per retention policy

When to include Confidentiality: B2B vendors handling customer IP, M&A diligence rooms, legal services, professional services with confidential client work.

Confidentiality overlaps heavily with the data-protection sub-criteria under Security (CC6.6, CC6.7). Strac's DLP product covers both with one set of policies.

✨ Processing Integrity

Optional. Covers system processing accuracy, completeness, timeliness, validity, authorization.

| Criterion | What it covers |
|---|---|
| PI1.1 | Definitions of processing objectives |
| PI1.2 | System inputs are complete, accurate, valid |
| PI1.3 | System processing is complete, accurate, timely, authorized |
| PI1.4 | Outputs are complete, accurate, timely |
| PI1.5 | Stored data remains complete, accurate, available |

Common evidence:

  • Input validation in code (with samples)
  • Output verification (totals, reconciliation reports)
  • Error handling and retry logic
  • Audit logs of authorized changes to data
  • Database integrity checks

When to include Processing Integrity: payment processors, financial systems, billing platforms, anywhere "incorrect output" is a business risk worth attesting against.

✨ Privacy

Optional. Covers personal information collection, use, retention, and disclosure. The most policy-heavy of the optional TSCs.

| Criterion | What it covers |
|---|---|
| P1 | Notice and communication of objectives |
| P2 | Choice and consent |
| P3 | Collection limited to disclosed purposes |
| P4 | Use, retention, and disposal |
| P5 | Access requests honored |
| P6 | Disclosure of personal information to third parties |
| P7 | Quality: accuracy and completeness of personal information |
| P8 | Monitoring and enforcement |

Common evidence:

  • Public privacy notice (kept current and version-controlled)
  • Consent management for data collection
  • Data Subject Access Request (DSAR) process with tracking
  • Retention schedules implemented in systems
  • Third-party data sharing inventory and DPAs
  • Privacy training records

When to include Privacy: consumer-data businesses, GDPR / CCPA-exposed orgs that want one report covering compliance with both. Privacy adds 18 control points and significant policy documentation.

Privacy and the broader GDPR / CCPA frameworks overlap. Strac Comply maps the same Privacy evidence to GDPR Articles 5 / 25 / 30 / 32 and CCPA simultaneously.

✨ How to Choose Which TSCs to Include

A practical decision matrix:

| Your situation | Minimum TSCs |
|---|---|
| Early-stage SaaS selling to other SaaS | Security only |
| SaaS selling to mid-market / enterprise | Security only (Type 2) |
| Healthcare-adjacent SaaS | Security + Confidentiality |
| Financial / payments | Security + Availability + Processing Integrity |
| Consumer-data business (GDPR / CCPA exposed) | Security + Privacy |
| Critical-infrastructure or real-time systems | Security + Availability |
| Diligence-heavy services (legal, M&A) | Security + Confidentiality |

You can always add TSCs in later years. The Security-only first audit is a strong starting point; you scope up as customer demand and regulatory exposure grow.

✨ How Strac Comply Maps Evidence to Every TSC

Strac Comply is the AI-native compliance automation platform built for security-led teams. The platform watches your live systems and continuously maps evidence to each criterion under every TSC you've scoped.

Per TSC coverage:

  • Security (CC1-CC9): full continuous evidence collection. DLP evidence built in for CC6.6 / CC6.7 via the Strac DLP product. MCP DLP audit logs for AI-agent controls (CC6.1, CC7.2).
  • Availability (A1): uptime monitoring ingestion, multi-region config evidence, DR exercise tracking.
  • Confidentiality (C1): data classification + DLP coverage (same Strac DLP product), NDA and contract management, disposal evidence.
  • Processing Integrity (PI1): code review evidence, audit log integration, integrity check ingestion.
  • Privacy (P1-P8): privacy notice version control, DSAR workflow with SLA tracking, consent management integration, retention enforcement.

The unique angle: Strac Comply ships with Strac DLP and Strac DSPM as part of the same platform. No separate DLP integration for CC6.6 / CC6.7 / C1.1. One vendor, one bill, full coverage.

Start at comply.strac.io →

Cover every TSC with Strac Comply

Security mandatory? Adding Confidentiality, Availability, or Privacy? Strac Comply maps evidence across every Trust Services Criterion automatically — and uniquely covers the data-protection criteria with the Strac DLP product directly.

Start at comply.strac.io →

🌶️ Spicy FAQs for SOC 2 Trust Services Criteria

Do I need all 5 TSCs?

No. Only Security is mandatory. The other four (Availability, Confidentiality, Processing Integrity, Privacy) are optional. You include them based on what your customers and regulators expect.

What's the difference between TSC and Common Criteria?

TSC is the umbrella for all five criteria. Common Criteria (CC1-CC9) is specifically the Security TSC, organized into 9 categories. The optional TSCs (A, C, PI, P) have their own criteria letter codes.

Which TSC has the most controls?

Within Security (CC1-CC9), CC6 (Logical and Physical Access Controls) has the most controls — 8 control points covering access, MFA, encryption, DLP, network, and endpoint. Of the optional TSCs, Privacy has the most criteria (18 control points).

Can I add TSCs to a future audit?

Yes. Most companies start with Security only and add Confidentiality, Availability, or Privacy in later audits as customer demand grows. Each addition expands audit scope and cost.

How do Privacy TSC controls overlap with GDPR / CCPA?

The Privacy TSC is principles-based and aligned with OECD privacy principles. GDPR and CCPA are specific legal frameworks. The controls largely overlap — data subject rights, retention, consent — but the legal obligations under GDPR / CCPA are broader. Strac Comply maps Privacy TSC evidence to GDPR Articles and CCPA sections simultaneously.

How do Confidentiality and Security overlap?

Heavily. Both cover data protection. Security (CC6.6 / CC6.7) covers data protection broadly; Confidentiality (C1.1 / C1.2) covers "confidential information" specifically (NDAs, contracts, IP). The same DLP and encryption controls satisfy both. Strac's DLP product is the evidence source for both.

What if a customer asks for a specific TSC we don't have?

You have three options: (1) explain that your current report covers Security and the customer accepts it as sufficient, (2) commit to adding the TSC at the next audit cycle, (3) explore a Type 1 audit covering the additional TSC quickly. The right answer depends on the customer's ACV and your audit timeline.

Is there a "lite" version of the TSCs?

No formal lite version, but SOC 3 is the public-facing summary report based on the same TSCs. SOC 3 is shorter, can be made public, but provides less detail. Most companies do SOC 2 Type 2 for the actual audit and optionally produce a SOC 3 summary for marketing.

How does Strac Comply differ from Drata, Secureframe, or Sprinto on TSC coverage?

The unique angle: Strac Comply ships with Strac DLP and Strac DSPM as part of the same platform. For criteria around data classification, encryption, and DLP — CC6.6, CC6.7, C1.1, C1.2, and parts of P3 / P4 — Strac generates the evidence directly. Other platforms require you to integrate a separate DLP and consolidate evidence into the compliance platform manually.

What about EU AI Act, ISO 42001, NIST AI RMF — do they map to TSCs?

Yes, partially. AI-specific controls under EU AI Act Article 12 (logging), Article 13 (transparency), and Article 14 (human oversight) map to Security TSC criteria CC6.1 (access), CC6.6 (data), and CC7.2 (monitoring). ISO 42001 Annex A controls map similarly. Strac Comply's mappings cover this cross-framework projection automatically.

The Bottom Line

The Trust Services Criteria define what auditors actually evaluate. Security is mandatory; the other four are optional and chosen based on business context. Strac Comply covers every criterion automatically and uniquely brings the data-protection evidence in-house with the Strac DLP product.

Start your SOC 2 with Strac Comply →
