SOC 2 Trust Services Categories: Do You Need Privacy or Just Confidentiality?

“Do we need Privacy or just Confidentiality?” For organizations looking at a SOC 2 Report for compliance reporting, it’s one of the most common questions when companies are scoping their SOC 2 audits. Both categories sound like they protect sensitive information, so what’s the difference?

If you think about the classic security triad (confidentiality, integrity, availability), privacy isn’t even there. It’s confidentiality that’s fundamental to information security. In my view, privacy actually falls within the bounds of confidentiality conceptually. But the AICPA Trust Services Categories treat Privacy and Confidentiality as separate to reflect the business and legal realities outside of the CIA security triad technical concepts.

Choosing the wrong category can either leave gaps in your compliance or likely leave you with unnecessary compliance overhead. Deciding if you need one or both is a choice you will make in the readiness / applicability decisions when engaging with an independent auditor. The decision is yours, but will be driven by your data types, and applicable customer commitments and of course… your legal obligations.

SOC 2 reports are built around five Trust Services Categories defined in TSP Section 100 of the AICPA Trust Services Criteria (yes, that criteria is different than category, which makes this all the more confusing at times). These are five broad Trust Service Categories where you can scope your SOC 2 compliance report around. Security, Availability, Processing Integrity, Confidentiality, and Privacy.

For a deeper dive into the other five categories and more about SOC 2 compliance reporting, check out our complete SOC 2 guide. The AICPA also has comprehensive details on their SOC suite of services page.

For folks looking to obtain a SOC 2 Report, the confidentiality category covers how you protect business secrets, your own or your clients’, from unauthorized access or disclosure. The criteria focus on how sensitive information is secured throughout its lifecycle. You are showing the information designated as confidential is protected, as agreed.

What counts as “confidential” often depends on your services and contracts. Many times it’s spelled out directly in your service commitments or customer agreements. In a SOC 2 examination, confidentiality isn’t limited to two points. It includes the common criteria (governance, risk assessment, access controls, monitoring, change management, etc.) plus the Confidentiality-specific criteria, which address how you identify, protect, and eventually dispose of confidential information.

Auditors evaluate whether your controls reasonably support:

• C1.1 — identifying and classifying confidential information
• C1.2 — protecting it throughout its lifecycle

Before you meet with auditors, ask yourself: How does our company manage the lifecycle of confidential data?

Confidentiality – What it protects:

• Trade secrets and proprietary algorithms
• Customer business data you process on their behalf
• Financial records, pricing strategies, and competitive intelligence
• Intellectual property and development roadmaps
• Any information marked “confidential” in your contracts

Confidentiality – Why it’s simpler:

• Built around contractual obligations, not individual rights
• No consent forms or privacy notices required
• Focused on business-to-business data protection
• Straightforward lifecycle management (collect, protect, dispose)

Go for Confidentiality when:

• (IMPORTANT) You handle business data for clients but don’t collect client consumer personal information directly.
• Your contracts specify confidentiality requirements
• You’re protecting proprietary information or trade secrets
• The data doesn’t trigger privacy regulations like GDPR or CCPA

If you are preparing for a SOC 2 examination, and you choose confidentiality, you should be able to answer questions over:

1. How do we define confidential information?
2. Is confidential data defined in contracts or service commitments?
3. Are employees trained on what data is considered confidential?
4. How is confidential data received (APIs, uploads, integrations, email, support tickets)?
5. Where is confidential data stored (databases, file storage, backups, logs)?
6. Who can access confidential data, and why?
7. How do subprocessors/contractors/vendors access or transmit confidential data?
8. How is confidential data protected while in use, in transit, and at rest?
9. How long is confidential data retained, and how is it securely disposed of?

These above questions are not a checklist. They are ways auditors evaluate whether your controls align with your confidentiality commitments. A SOC 2 is meant to be a tailored report. While, looking at these above questions, you can determine if you have a control that can be written to address the above questions or if there may be a potential gap. Use the guide below to align with the confidentiality commitments tested in a SOC 2 examination.

Privacy may be a Trust Services Category you may want to include in your report when you’re handling personal information about identifiable individuals. Not just confidential data as described above. Privacy is about transparency, individual rights, and lawful processing. A SOC 2 examination that includes the privacy category covers, specific processes, over the in-scope system that address:

• What you tell customers about your privacy practices
• How you keep personal data safe
• How customers know when and how their data is used
• How customers can view or update their personal data
• How customers can raise privacy concerns or complaints

Privacy is generally more complex than confidentiality as the recommended guidance and criteria include components seen in other frameworks. Practically speaking, the privacy category is more consumer and employee-centric, while confidentiality is more B2B focused.

Frankly speaking, if you only handle business data and no regulated personal information, Confidentiality alone is often sufficient. Scoping Privacy when it doesn’t apply often creates unnecessary complexity without added assurance value. This is a discussion you should have with your independent auditor if you are considering including it in your SOC 2 examination.

At the time of this writing, current SOC 2 guidance notes that privacy has to be considered where relevant for common criteria (CC1.1-CC5.1) items as well as specific criteria as it relates to privacy.

A data controller decides why personal data is collected and how it’s used, while a data processor just handles the data on the controller’s behalf. Controllers make the decisions, what data to collect, how long to keep it, and who it’s shared with. Data Controllers have broader privacy obligations.

Processors don’t make those calls, they follow instructions provided by data controllers. For example, a SaaS company using customer data to run its product is usually the controller, while a cloud host or payroll provider processing that data for the SaaS company is acting as a processor.