Why don’t we cover all the TSCs?
The main goal of complying with the SOC 2 framework is to assure your customers that their data is secure with you. This is done by meeting the various requirements and security principles as per the SOC 2 guidelines.
There are five Trust Service Criteria (TSCs) or Trust Principles of SOC 2:
- Security: The security principle ensures that a system is protected against unauthorized access, both physical and logical. It includes measures like firewalls, encryption, and multi-factor authentication to prevent unauthorized access to systems and data.
- Confidentiality: Prevent sensitive information from being disclosed without permission. This means business secrets, financial data, and personally identifiable information. Techniques involved include encryption, access controls, and data masking.
- Availability: This TSC ensures that your systems are up and running when you need them. It involves maintaining and monitoring system performance, as well as implementing backup and disaster recovery procedures to ensure uptime and accessibility.
- Processing Integrity: Data should be handled correctly without errors or tampering, through careful validation and error-checking processes to maintain its accuracy and integrity.
- Privacy: This principle covers how personal information is collected, used, and shared, and ensures it’s done in line with privacy policies and laws. It’s about securing consent, anonymizing data when needed, and responsibly managing information.
However, the Security principle is the only TSC that is mandatory for a SOC 2 audit. An organization can implement the other trust principles depending on its specific business requirements.
At Sprinto, we recommend focusing on the three core TSCs of SOC 2—Security, Confidentiality, and Availability—by default. That’s why our standard contract covers these key areas.
If a company considers going beyond this to include Processing Integrity and Privacy, keep in mind that this will require additional implementation effort and will also drive up audit costs. It’s also worth noting that it’s quite rare for SaaS companies to pursue all five TSCs. For context, even AWS’s SOC 2 report doesn’t cover every single TSC.