soc2-privacy-audit
SOC 2 Type II Privacy Trust Services Criteria
Overview
SOC 2 (System and Organization Controls 2) is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates an organization's controls relevant to the Trust Services Criteria (TSC). The Privacy category is one of five TSC categories (Security, Availability, Processing Integrity, Confidentiality, and Privacy) and specifically addresses how the organization collects, uses, retains, discloses, and disposes of personal information in conformity with commitments in its privacy notice and with criteria set forth by the AICPA.
A SOC 2 Type II report covers a specified examination period (typically 6-12 months) during which the auditor (a licensed CPA firm) tests not only that controls were suitably designed as of a point in time (the scope of a Type I report) but also that they operated effectively throughout the entire period. For the Privacy TSC, this means demonstrating sustained compliance with criteria P1.0 through P8.1 as defined in TSP Section 100 (2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy).
Sentinel Compliance Group undergoes annual SOC 2 Type II examinations including the Privacy TSC to provide contractual assurance to enterprise clients in financial services, healthcare technology, and SaaS sectors.
Privacy Trust Services Criteria (P1.0 — P8.1)
P1.0 — Notice
Criterion: The entity provides notice to data subjects about its privacy practices.
P1.1: The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity's privacy practices, including changes in the use of personal information.
Required Controls: