SOC 2 Compliance Coding Guidelines
1. Overview
SOC 2 (Service Organization Control 2) is an auditing framework developed by the AICPA for service organizations that store, process, or transmit customer data. It evaluates controls based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 Type I assesses control design at a single point in time; Type II evaluates operating effectiveness over a 3-to-12-month observation period and is the standard customers demand. Audits typically cost $20K-$100K+ depending on scope and complexity. The core principle for developers: "Say something, do something, prove you always do what you say." Every control you implement must be documented, consistently enforced, and produce evidence that auditors can verify.
2. The 5 Trust Services Criteria
| Criterion | Required? | What Developers Must Do |
|---|---|---|
| Security (CC1-CC9) | REQUIRED for all SOC 2 | Implement access controls, encrypt data, monitor systems, follow change management, build incident response capabilities |
| Availability | Optional | Build uptime monitoring, disaster recovery, backup automation, health checks, capacity planning |
| Processing Integrity | Optional | Validate all inputs, handle errors completely, ensure transaction atomicity, reconcile data between systems |
| Confidentiality | Optional | Classify data, encrypt at rest and in transit, enforce retention policies, implement secure deletion |
| Privacy | Optional | Implement consent management, data minimization, disclosure controls, subject access/correction endpoints |
Security is always in scope. The other four are selected based on what your service does. A SaaS platform handling customer data typically includes Security + Availability + Confidentiality at minimum.
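The Overview's "say something, do something, prove it" principle and the Security row of the table (access controls plus monitoring) can be shown concretely in one small control. The following is an added example, not code from any SOC 2 guideline or from this document: an authorization check that denies by default, reads its rules from an explicit policy (the documented "say"), enforces them in a single function (the "do"), and appends every decision to a hash-chained audit log that an auditor can verify has not been edited (the "prove"). The policy roles, resources and principal names are constructed sample values.

```python
"""Deny-by-default authorization that leaves tamper-evident evidence.

Hypothetical example: every access decision is enforced by one function and
recorded in a hash-chained audit log, so an auditor can verify both that the
control ran for every request and that the record was not altered afterwards.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# "Say something": the policy is explicit, reviewable data rather than scattered
# if-statements. Constructed sample policy; roles and resources are assumptions.
POLICY = {
    "admin": {"customer_record": {"read", "write", "delete"}},
    "support": {"customer_record": {"read"}},
    "billing": {"invoice": {"read", "write"}},
}

GENESIS = "0" * 64  # hash value assumed for "the entry before the first one"


@dataclass
class AuditLog:
    """Append-only log in which each entry carries the hash of the previous one."""
    entries: list = field(default_factory=list)
    _last_hash: str = GENESIS

    @staticmethod
    def _digest(record: dict, prev_hash: str) -> str:
        # Canonical JSON so the same record always hashes the same way.
        payload = json.dumps(record, sort_keys=True) + prev_hash
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, record: dict) -> dict:
        entry = {**record, "prev_hash": self._last_hash}
        entry["hash"] = self._digest(record, self._last_hash)
        self.entries.append(entry)
        self._last_hash = entry["hash"]
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, removed or reordered entry breaks the chain."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k not in ("hash", "prev_hash")}
            if entry["prev_hash"] != prev or entry["hash"] != self._digest(body, prev):
                return False
            prev = entry["hash"]
        return True


def authorize(log: AuditLog, principal: str, role: str, action: str, resource: str,
              now: Optional[datetime] = None) -> bool:
    """"Do something": enforce POLICY, deny anything not explicitly allowed,
    and record the decision (allow or deny) as evidence."""
    allowed = action in POLICY.get(role, {}).get(resource, set())
    log.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "principal": principal,
        "role": role,
        "action": action,
        "resource": resource,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    print(authorize(log, "alice", "support", "read", "customer_record"))    # True
    print(authorize(log, "alice", "support", "delete", "customer_record"))  # False
    print(log.verify_chain())              # True: evidence intact
    log.entries[1]["decision"] = "allow"   # simulated edit of the evidence
    print(log.verify_chain())              # False: tampering detected
```

Denied requests are logged alongside allowed ones because an auditor sampling the observation period needs to see the control rejecting requests, not only admitting them; a log of allows alone proves nothing about enforcement. In a real deployment the chain head (`_last_hash`) would be written somewhere the application cannot modify, such as a separate log store, so that truncating the whole log is also detectable.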