
SOC 2 Confidentiality Criteria
Protect Confidential Data

Demonstrate your commitment to protecting confidential information from unauthorized disclosure. Confidentiality criteria prove you have controls to protect sensitive data — critical for companies handling proprietary information, trade secrets, or customer confidential data.

Confidentiality is an optional Trust Services Criteria category (the C1.x series); only Security (CC1–CC9) is mandatory in every SOC 2 report.

AES-256 · Encryption at rest standard
250+ · SOC 2 attestations
100+ · SOC 1 reports

AICPA Trust Services Criteria · SSAE 18 attestation · Last reviewed June 2026

Direct Answer

Is the Confidentiality criterion mandatory?

The SOC 2 Confidentiality criterion (the C1.x Trust Services Criteria) requires that information designated as confidential is protected from unauthorized collection, use, disclosure, and disposal — from the moment it is obtained through to secure destruction. Defined by the AICPA (aicpa-cima.com), it is an optional add-on category, scoped in alongside the mandatory Security criteria by organizations that handle trade secrets or other confidential business data. It protects confidential business information, which is distinct from the Privacy criteria that govern personal data.

The Criterion

What are the SOC 2 Confidentiality criteria?

The Confidentiality criteria demonstrate that your organization protects confidential information from unauthorized disclosure. Unlike the Security criteria (which are mandatory), Confidentiality is optional, but it is critical for companies handling sensitive proprietary data.

If your customers share confidential information with you (trade secrets, proprietary algorithms, financial data, strategic plans), you should include Confidentiality in your SOC 2 report.

Optional but Critical for Confidential Data Handlers

Companies handling trade secrets, proprietary data, or confidential customer information need this

Proves Data Classification & Protection

Validates systematic approach to identifying and protecting confidential data

Covers Encryption & Access Controls

Demonstrates encryption at rest/in transit and strict access controls

Required by Enterprise Customers with Proprietary Data

Companies sharing trade secrets often require Confidentiality in SOC 2 reports

Confidentiality vs Privacy vs Security

Confidentiality

Protects confidential business data (trade secrets, proprietary info)

Privacy

Protects personal data (PII, GDPR, data subject rights)

Security

Protects all data from unauthorized access (mandatory for SOC 2)

The Controls

8 Key Confidentiality Controls

Implement these controls to demonstrate confidential data protection and meet SOC 2 Confidentiality criteria requirements.

Data Classification

Systematic classification of data based on sensitivity and confidentiality requirements.

Key Implementation Points

  • Data classification policy documented
  • Classification levels defined (Public, Internal, Confidential, Restricted)
  • Data labeling and tagging procedures
  • Classification review and updates
  • Employee training on data classification

Encryption at Rest

Encryption of confidential data stored in databases, file systems, and backups.

Key Implementation Points

  • AES-256 encryption for databases
  • Encrypted file storage for confidential documents
  • Encrypted backups with separate keys
  • Full disk encryption for servers
  • Key rotation procedures documented

Encryption in Transit

Protection of confidential data during transmission over networks.

Key Implementation Points

  • TLS 1.2+ for all external communications
  • VPN for remote access to confidential systems
  • Encrypted API communications
  • Certificate management and renewal
  • Prohibition of unencrypted protocols (FTP, HTTP)

Access Controls for Confidential Data

Strict access controls ensuring only authorized personnel can access confidential data.

Key Implementation Points

  • Role-based access control (RBAC) for confidential data
  • Principle of least privilege enforced
  • Access request and approval workflows
  • Quarterly access reviews for confidential systems
  • Access revocation upon termination

Non-Disclosure Agreements (NDAs)

Legal agreements to protect confidential information from unauthorized disclosure.

Key Implementation Points

  • NDAs signed by all employees
  • Vendor NDAs for third-party access
  • Customer NDAs for mutual confidentiality
  • NDA tracking and renewal processes
  • Confidentiality clauses in employment contracts

Confidential Data Handling Procedures

Documented procedures for handling, storing, and disposing of confidential data.

Key Implementation Points

  • Confidential data handling policy
  • Secure storage requirements (encrypted, access-controlled)
  • Secure disposal procedures (shredding, wiping)
  • Transmission guidelines (encrypted channels only)
  • Incident response for confidentiality breaches

Data Loss Prevention (DLP)

Technologies and processes to prevent unauthorized disclosure of confidential data.

Key Implementation Points

  • DLP tools for email and file sharing
  • USB/removable media restrictions
  • Cloud storage monitoring and controls
  • Screen sharing and screenshot restrictions
  • DLP policy violations monitoring

Confidentiality Awareness Training

Regular training to ensure employees understand confidentiality requirements.

Key Implementation Points

  • Annual confidentiality training for all employees
  • Onboarding training on data classification
  • Phishing simulations for confidential data protection
  • Confidentiality policy acknowledgment
  • Training completion tracking and reporting

From the Audit Floor

Common Confidentiality Mistakes

The patterns we see derail Confidentiality evidence — and how to keep your report clean the first time.

No Data Classification Policy

Without data classification, employees don't know what data is confidential and how to protect it.

Fix: Implement data classification policy with clear levels (Public, Internal, Confidential, Restricted) and labeling procedures.

Unencrypted Confidential Data

Storing confidential data without encryption exposes it to unauthorized access.

Fix: Implement AES-256 encryption for databases, file storage, and backups containing confidential data.

Missing NDAs

Employees and vendors without NDAs have no legal obligation to protect confidential information.

Fix: Require NDAs for all employees, contractors, and vendors with access to confidential data.

Overly Broad Access to Confidential Data

Granting wide access to confidential data violates the principle of least privilege.

Fix: Implement RBAC with strict access controls and quarterly access reviews for confidential systems.

No DLP Controls

Without DLP, confidential data can be easily exfiltrated via email, USB, or cloud storage.

Fix: Implement DLP tools for email/file sharing, USB restrictions, and cloud storage monitoring.

Insecure Data Disposal

Improper disposal of confidential data (e.g., deleting files without wiping) can lead to data leakage.

Fix: Implement secure disposal procedures (shredding for physical, wiping for digital) with documented evidence.

Frequently Asked Questions

Common questions on the SOC 2 Confidentiality criterion, data classification, and encryption.

What does the SOC 2 Confidentiality criterion require?

The Confidentiality criterion (the C1.x Trust Services Criteria) requires that information designated as confidential is protected from collection, use, retention, disclosure, and disposal in ways that are not authorized — from the point it is obtained through to its secure destruction. In practice that means data classification, encryption at rest and in transit, restricted access, NDAs, and secure disposal. It is published by the AICPA (https://www.aicpa-cima.com) as one of the five Trust Services Criteria.

Is the Confidentiality criterion mandatory for SOC 2?

No. Only the Security category (Common Criteria CC1–CC9) is mandatory in every SOC 2 report. Confidentiality is one of four optional categories — alongside Availability, Processing Integrity, and Privacy — that an organization scopes in based on customer demand. Companies that receive trade secrets, proprietary algorithms, strategic plans, or other confidential business data under NDA usually add Confidentiality.

What is the difference between Confidentiality and Privacy in SOC 2?

Confidentiality protects confidential business information — trade secrets, proprietary methods, contracts, strategic plans — regardless of whose it is. Privacy (the P1–P8 criteria) specifically protects personal information (PII) and governs how it is collected, used, retained, disclosed, and disposed of, aligned with notice-and-choice principles. A company that handles a customer's proprietary algorithm needs Confidentiality; a company that handles individuals' personal data needs Privacy. Many organizations scope in both.

What encryption standards are expected for SOC 2 Confidentiality?

At rest, AES-256 for databases, file storage, and backups is the common standard. In transit, TLS 1.2 or higher for all external communication, with VPN for remote access. Key management should use a dedicated service (AWS KMS, Azure Key Vault, or HashiCorp Vault) with documented key-rotation procedures and separation of keys by data type. Weak ciphers (DES, 3DES, RC4) and unencrypted protocols (FTP, HTTP, Telnet) should be retired before the observation period.

What evidence will auditors request for the Confidentiality criterion?

Auditors typically request the data-classification policy, encryption evidence (settings and key-management procedures), NDA tracking for employees and vendors, access-control logs showing RBAC and periodic access reviews, DLP configurations and violation reports, confidentiality-training completion records, and secure-disposal logs. For a Type 2 report this evidence must cover the full observation period. Tranquility Cybersecurity helps teams build and evidence these controls as part of a SOC 2 engagement (indicative ₹2–4L).


Written By Expert Auditors

Saundhi Chauhan, Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Surendra Pal Singh, Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Last reviewed: June 2026 · Content verified by certified lead auditors
