SOC Reports for Privacy Compliance for Cloud

Privacy Compliance for Cloud

Privacy has grabbed the attention of Boards of Directors as regions look to implement privacy regulation and compliance standards similar to GDPR. Privacy is the new buzzword and the potential impact is very real. Personal data is processed for political and economic reasons without users’ consent, as happened in the Cambridge Analytica. In view of the recent incidents privacy laws are changing and going forward they may become more stringent. It may be prudent for organizations to be more proactive and adopt measures for Privacy Governance.


To demonstrate the privacy-related controls, Organizations can include the privacy criteria as part of the scope of their SOC 2 report. Additionally, controls for any other specific laws too can be included as Additional Subject Matter. The AICPA Privacy Criteria broad requirements are described in the following paragraphs. Many of these requirements match to the legislation like EU-GDPR. In the wake of such new privacy mandates organizations are encouraged not only include the privacy criteria in their SOC 2 report but also to demand including them in their vendors SOC 2 report.


When the description addresses privacy, service organization management discloses the service commitments and system requirements identified in the service organiza tion’s privacy notice or in its privacy policy that are relevant to the system being described.

When making such disclosures, it may also be helpful to report users if service organization management describes the purposes, uses, and disclosures of personal information permitted by user entity agreements.


System requirements are the specifications about how the system should function to do the following:

  • Meet the service organization’s service commitments to user entities and others (such as user entities’ customers).
  • Meet the service organization’s commitments to vendors and business partners.
  • Comply with relevant laws and regulations and guidelines of industry groups, such as business or trade associations.
  • Achieve other objectives of the service organization that are relevant to the trust services categories addressed by the description.

Requirements are often specified in the service organization’s system policies and procedures, system design documentation, contracts with customers, and government regulations.

The following are examples of system requirements:

01 Workforce member fingerprinting and background checks established in government banking regulations.

02 System edits that restrict the values accepted for system input, which are defined in application design documents.

03 Maximum acceptable intervals between the periodic review of a workforce member logical access as documented in the security policy manual.

04 Data definition and tagging standards, including any associated metadata requirements, established by industry groups or other bodies, such as the Simple Object Access Protocol (SOAP).

05 Business processing rules and standards established by regulators, for example, security requirements under the Health Insurance Portability and Accountability Act (HIPAA).


Disclosures about the data component include types of data used by the system, transaction streams, files, databases, tables, and output used or processed by the system. When the description addresses the confidentiality or privacy categories, other matters that may be considered for disclosure about the data component include the following.

  • The principal types of data created, collected, processed, transmitted, used, or stored by the service organization and the methods used to collect, retain, disclose, dispose of, or anonymize the data.
  • Personal information that warrants security, data protection, or breach disclosures based on laws or commitments (for example, personally identifiable information, protected health information, and payment card data).
  • Third-party entity information (for example, information subject to confidentiality requirements in contracts) that warrants security, data protection, or breach disclosures based on laws or commitments.

AICPA Trust Services Criteria (TSC) for Privacy

With about 50 points of focus, the TSC organizes the privacy criteria as follows: