What are Trust Services Criteria and which ones should I pick?

March 6, 2026 · 2 min read · SOC 2 Basics for Founders

What Are Trust Services Criteria?

Trust Services Criteria (TSC) are the five categories the AICPA uses to evaluate your controls during a SOC 2 audit. Security is required for every SOC 2 engagement. The other four are optional and should be added only when your customers or contracts require them.

The Five Criteria Explained

Criterion                 | What It Covers                                                              | When to Include
--------------------------|-----------------------------------------------------------------------------|------------------------------------------------
Security (CC)             | Protection against unauthorized access, system boundaries, risk management  | Always — required for every SOC 2
Availability (A)          | System uptime, disaster recovery, performance monitoring                    | When you have SLA commitments
Processing Integrity (PI) | Data processing accuracy and completeness                                   | When you process financial or transactional data
Confidentiality (C)       | Protection of confidential data (not personal data)                         | When you handle trade secrets or NDA-covered data
Privacy (P)               | Collection, use, retention, and disposal of personal information            | When you process PII under privacy commitments

Which Should You Pick for Your First Audit?

Start with Security only. Here is why:

  1. Security covers 80% of what enterprise buyers evaluate in vendor reviews
  2. Every additional criterion adds 15–30% more evidence collection work
  3. Most buyers accept a Security-only report for initial vendor approval
  4. You can add criteria in your next audit cycle once you know what customers actually request

When to Add More Criteria

Add Availability if you have contractual SLAs (99.9% uptime guarantees). Add Processing Integrity if you handle financial transactions or billing data. Add Confidentiality if your contracts include data classification requirements. Add Privacy only if you process consumer personal data under explicit privacy commitments — most B2B SaaS companies do not need it.

A Common Mistake

Some consultants recommend adding all five criteria to your first audit. This increases scope, cost, and timeline without matching what buyers actually require. Ask your top three enterprise prospects which criteria they need. The answer is almost always just Security.

Screenata helps you scope your SOC 2 audit correctly and generates evidence mapped to the specific Trust Services Criteria you select.

© 2025 Screenata. All rights reserved.