neart.ai
EcosystemStoryHow We BuildPricingBlog
Try Inspected →
neart.ai
EcosystemStoryHow We BuildBlog

Ní neart go cur le chéile

A SaltCore Group Limited company

© 2026 neart.ai · SaltCore Group Limited. All rights reserved.

Compliance & Security

What Are the Five SOC 2 Trust Services Criteria?

5 February 20254 min read

## The short answer


SOC 2 is built on five **Trust Services Criteria (TSC)**: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Only **Security** (often called the "Common Criteria") is mandatory in every SOC 2 report. The other four are optional and included only when they are relevant to what you promise your customers. Most early-stage reports cover Security alone, or Security plus Availability and Confidentiality.


Understanding the five criteria helps you scope an audit sensibly — adding criteria you do not need only increases cost and the volume of evidence you must produce.


## 1. Security (the Common Criteria)


Security is the foundation and is always in scope. It asks whether your systems are protected against unauthorised access — both physical and logical. It covers the bread-and-butter of an information security programme:


- Access controls and authentication

- Network and infrastructure protection (firewalls, segmentation)

- Change management

- Vulnerability management and monitoring

- Incident response


If you only ever pursue one criterion, this is it. Many buyers are satisfied by a SOC 2 report covering Security alone.


## 2. Availability


Availability addresses whether your system is available for operation and use as committed — typically as set out in a service-level agreement. It does not demand a specific uptime figure; it asks whether you manage availability responsibly:


- Capacity planning and monitoring

- Backup and recovery procedures

- Disaster recovery and business continuity testing


Include this criterion if your customers depend on your service being up and you make uptime commitments.


## 3. Processing Integrity


Processing Integrity asks whether system processing is complete, valid, accurate, timely, and authorised. It is most relevant when your platform performs calculations, transactions, or data transformations where correctness is part of the promise — payments, payroll, analytics, or financial reporting tools, for example.


Key concerns include:


- Input validation and error handling

- Quality assurance over processing

- Monitoring for processing errors and anomalies


A simple content app rarely needs this; a billing engine almost certainly should consider it.


## 4. Confidentiality


Confidentiality concerns information designated as confidential and whether it is protected throughout its lifecycle. Note that this is broader than personal data — it includes things like business plans, intellectual property, and contract terms. Controls typically include:


- Encryption in transit and at rest

- Access restrictions based on need-to-know

- Secure disposal of confidential information


Include this when you handle customer data your clients consider sensitive but which is not necessarily "personal" in the privacy sense.


## 5. Privacy


Privacy addresses the collection, use, retention, disclosure, and disposal of **personal information** in line with your privacy notice and relevant principles. It is the most involved of the optional criteria because it overlaps with data-protection obligations. It covers:


- Notice and consent

- Choice over how personal data is used

- Data subject access and correction

- Retention and secure disposal


Because many organisations handle privacy obligations through their data-protection programme, the Privacy criterion is added selectively.


## How to choose your scope


A practical way to decide which criteria to include:


1. Start with Security — it is non-negotiable.

2. Add Availability if you make uptime commitments.

3. Add Confidentiality if you hold sensitive client information.

4. Add Processing Integrity if correct processing is core to your value.

5. Add Privacy if you process meaningful volumes of personal data and want to evidence that directly.


Resist the urge to include all five "to look thorough". Each criterion adds controls, evidence, and audit time. Buyers respect a tightly scoped, honest report more than a sprawling one padded with criteria that do not apply.


## Common scoping mistakes


- **Over-scoping** to impress, then struggling to produce evidence for criteria you do not really operate against.

- **Confusing Confidentiality with Privacy** — the former covers any confidential data, the latter specifically personal data.

- **Assuming Availability requires a magic uptime number** — it does not; it requires responsible management of availability commitments.


## Where tooling helps


Whichever criteria you select, you will need continuous evidence: access reviews, encryption status, monitoring alerts, backup logs. Enterprise-grade compliance tooling — the kind neart.ai builds — can map collected evidence to specific Trust Services Criteria, so adding a criterion later becomes a matter of switching on relevant evidence rather than starting fresh.


## Takeaway


SOC 2 is not a fixed checklist — it is a menu with one mandatory dish. Always cover Security, then add Availability, Confidentiality, Processing Integrity, or Privacy only when they genuinely reflect what you promise customers. Scope honestly and your report will be both cheaper to achieve and more credible to read.

Related posts

Compliance & Security

Does GDPR Apply to My Small Business? A Plain-English Test

Compliance & Security

The Six GDPR Lawful Bases: How to Choose the Right One

Compliance & Security

How to Handle a Data Subject Access Request, Step by Step