SOC 2 • Privacy • Confidentiality • Security • SaaS Compliance • Trust Services Criteria
Common Mistakes: Misunderstanding SOC 2 Privacy, Confidentiality, and Security Criteria
Security, Confidentiality, and Privacy are not the same thing in SOC 2. If your SaaS team mixes them up, you may choose the wrong audit scope, collect the wrong evidence, confuse buyers, and create more work than needed.
Quick Snapshot
| SOC 2 Criteria | What It Really Focuses On |
|---|---|
| Security | Protecting systems and data from unauthorized access, misuse, and disruption. |
| Confidentiality | Protecting information designated as confidential from unauthorized disclosure. |
| Privacy | Managing personal information according to privacy commitments and obligations. |
| Common Mistake | Treating all three as interchangeable. |
| Best Outcome | Choose the right criteria, explain them clearly, and build evidence that matches your real data risk. |
Introduction
A SaaS founder hears this from a buyer:
“We need your SOC 2 report. Please confirm whether it covers Security, Confidentiality, and Privacy.”
The founder forwards it to the team. The CTO says, “We encrypt everything, so Privacy should be fine.” The COO says, “We have NDAs, so Confidentiality is covered.” Sales asks, “Can we just include all three so the buyer feels better?”
That is exactly how SOC 2 scope gets messy.
Security, Confidentiality, and Privacy overlap, but they are not the same. Each one has a different focus. Each one may require different controls, evidence, policies, and audit work.
Not Sure Which SOC 2 Criteria You Need?
Canadian Cyber helps SaaS companies scope SOC 2 properly, choose the right Trust Services Criteria, prepare evidence, answer buyer questions, and avoid unnecessary audit complexity.
The Simple Difference
| Criteria | Main Question | Example Evidence |
|---|---|---|
| Security | Can unauthorized users access, change, misuse, or disrupt your systems and data? | MFA reports, access reviews, logs, incident response, vendor reviews. |
| Confidentiality | Can you protect information that is meant to stay confidential? | Data classification, confidential data inventory, encryption, access controls. |
| Privacy | Can you manage personal information according to privacy commitments? | Privacy notice, personal data inventory, deletion workflow, DPAs. |
Practical rule: Security protects access. Confidentiality protects sensitive information. Privacy governs personal information.
Mistake 1: Thinking Security Automatically Covers Privacy
Security controls help protect personal information, but Privacy is broader than security.
You can enforce MFA, encrypt databases, restrict admin access, and monitor logs, but still have privacy gaps.
| Security Evidence | Privacy Evidence |
|---|---|
| MFA report | Privacy notice |
| Access review | Personal data inventory |
| Encryption settings | Retention schedule |
| Incident response plan | Deletion request workflow |
| Vendor security review | DPA and privacy vendor review |
Security protects personal data. Privacy governs how personal data is collected, used, shared, retained, and deleted.
Mistake 2: Thinking Confidentiality Means the Same Thing as Privacy
Confidentiality and Privacy overlap when personal information is confidential. But Confidentiality is not limited to personal information.
Confidentiality may include:
- customer contracts
- financial reports
- legal documents
- source code
- AI prompts and model outputs
- uploaded customer files
- business strategy documents
| Scenario | Security | Confidentiality | Privacy |
|---|---|---|---|
| Protecting admin accounts with MFA | Yes | Supports | Supports |
| Protecting customer financial reports | Yes | Yes | Maybe |
| Managing user deletion requests | Supports | Maybe | Yes |
| Protecting source code | Yes | Yes | Usually no |
Mistake 3: Adding Privacy Just Because Buyers Ask for It
A buyer may ask whether your SOC 2 includes Privacy. Your sales team may want to say yes. But adding Privacy can increase audit complexity.
| Privacy May Be Needed If… | Privacy May Not Be Necessary If… |
|---|---|
| You collect personal information directly from individuals. | Customers mainly want proof of security controls. |
| You process customer user data at scale. | You only process limited business contact data. |
| You handle patient, employee, student, or consumer data. | Buyers accept Security plus Confidentiality. |
| You have strong privacy commitments in contracts. | Privacy practices can be explained outside the SOC 2 report. |
Better buyer response if Privacy is not included:
“Our current SOC 2 scope includes Security and Confidentiality, which address system protection and confidential customer information. We also maintain privacy controls outside the SOC 2 report, including our privacy notice, vendor DPAs, retention practices, and data request process.”
Turn Buyer Questions Into SOC 2 Scope
Canadian Cyber helps SaaS teams translate buyer security questions into the right SOC 2 criteria, controls, evidence, and customer-ready answers.
Mistake 4: Adding Confidentiality Without Defining Confidential Information
If you include Confidentiality, you must define what confidential information means for your platform.
| Information Type | Example | Control Needed |
|---|---|---|
| Customer Documents | Contracts, reports, uploaded files | Access control, encryption, retention |
| AI Prompts | Business questions, client data | Logging control, data use restriction |
| Model Outputs | Summaries, recommendations, reports | Access control and storage rules |
| Source Code | Proprietary platform logic | Repository access control |
| Support Tickets | Customer issues and attachments | Support access controls |
Evidence to keep: data classification policy, confidential data inventory, access reviews, encryption evidence, retention rules, vendor reviews, support access logs, secure sharing controls, and incident response procedures.
Mistake 5: Assuming Encryption Solves Everything
Encryption is important, but it is not the whole answer.
| Concern | Encryption Helps? | Still Needed |
|---|---|---|
| Unauthorized database access | Yes | Access control and monitoring |
| Insider viewing customer data | Limited | Role restrictions and support logs |
| Vendor exposure | Limited | Vendor review and contracts |
| Data retention | No | Retention and deletion process |
| Privacy rights | No | Request workflow |
Encryption is necessary. It is not sufficient.
Mistake 6: Not Matching Criteria to Buyer Questions
SOC 2 should help sales. But that only happens if your criteria match buyer concerns.
| Buyer Question | Likely Criteria |
|---|---|
| How do you protect our data from unauthorized access? | Security |
| How do you control employee access to our files? | Security and Confidentiality |
| Do you protect confidential reports we upload? | Confidentiality |
| Do you process personal information? | Privacy |
| Are AI outputs stored securely? | Security and Confidentiality |
| Are vendors reviewed? | Security, Confidentiality, or Privacy depending on data. |
Special Case: AI Prompts, Model Outputs, and Support Access
For AI platforms, prompts and model outputs may be sensitive. They may contain business secrets, confidential customer documents, personal information, or regulated data.
| AI Data Issue | Security | Confidentiality | Privacy |
|---|---|---|---|
| Employee access to prompts | Yes | Yes, if confidential | Yes, if personal data |
| Model outputs stored | Yes | Yes, if sensitive | Yes, if personal data |
| Customer data used for training | Yes | Maybe | Yes, if personal data |
| AI vendor processes prompts | Yes | Yes | Maybe or yes |
Support access is another overlap area. Support teams may access customer accounts, uploaded files, tickets, logs, screenshots, personal information, AI prompts, model outputs, and billing information.
Evidence to keep: support access logs, access reviews, role permission matrix, customer data access approvals, support tool vendor reviews, data handling training, and deletion workflow records.
Need Help With AI, Support Access, or Sensitive Data Evidence?
Canadian Cyber helps SaaS teams review AI prompts, model outputs, support access, confidential data handling, privacy workflows, and SOC 2 evidence readiness.
Criteria Selection Checklist
Use this before finalizing your SOC 2 scope.
| Question | Yes / No |
|---|---|
| Do buyers specifically ask for Security, Confidentiality, or Privacy? | |
| Do we know what customer data is in scope? | |
| Do we process confidential customer information? | |
| Do we process personal information? | |
| Are prompts, outputs, files, or reports sensitive? | |
| Are vendors involved in processing confidential or personal data? | |
| Do we have retention and deletion rules? | |
| Do we have a customer-ready explanation of our scope? |
If several answers are unclear, pause before expanding SOC 2 scope.
How to Explain Your SOC 2 Scope to Buyers
| Your Scope | Buyer-Friendly Explanation |
|---|---|
| Security Only | “Our SOC 2 report covers Security, which addresses system protection, access control, incident response, change management, logging, vendor risk, and security governance.” |
| Security and Confidentiality | “Our SOC 2 report covers Security and Confidentiality. This means our controls address protection against unauthorized access and the handling of confidential customer information processed by our platform.” |
| Security, Confidentiality, and Privacy | “Our SOC 2 report covers Security, Confidentiality, and Privacy. This means our controls address system protection, confidential information handling, and management of personal information according to our privacy commitments.” |
| Privacy Not Included | “Our SOC 2 report does not currently include Privacy. However, we maintain privacy practices outside the report, including privacy notices, DPAs, data retention procedures, deletion workflows, and privacy incident handling.” |
What Good Looks Like
A SaaS company that understands Security, Confidentiality, and Privacy can show:
- clear SOC 2 scope
- criteria selection rationale
- data classification
- customer data inventory
- access control evidence
- confidential data handling rules
- privacy commitments
- vendor reviews
- retention and deletion procedures
- support access logs
- approved buyer responses
- evidence mapped to each criterion
This makes audits smoother. It also makes buyer conversations easier.
Canadian Cyber’s Take
At Canadian Cyber, we often see SaaS teams make SOC 2 harder by choosing criteria without understanding them.
Security is usually the starting point. Confidentiality may be needed when sensitive customer or business information must be protected from disclosure. Privacy may be needed when personal information handling is a major customer, contractual, or regulatory concern.
The right answer is not always “include everything.” The right answer is based on what your product does, what data you handle, what buyers require, what commitments you made, and what evidence you can prove.
SOC 2 should build trust. It should not create unnecessary confusion.
Takeaway
Security, Confidentiality, and Privacy are connected, but they are not interchangeable.
- Security protects systems and data from unauthorized access.
- Confidentiality protects information that must stay confidential.
- Privacy governs personal information according to commitments and obligations.
If your SaaS team mixes these up, you may choose the wrong scope, collect the wrong evidence, and confuse buyers. Start with the business need. Then choose the criteria. Then build the evidence.
How Canadian Cyber Can Help
Canadian Cyber helps SaaS companies choose the right SOC 2 criteria and prepare evidence that matches buyer expectations.
- SOC 2 criteria scoping
- Security, Confidentiality, and Privacy readiness reviews
- SOC 2 evidence mapping
- data classification support
- customer data inventory
- AI prompt and model output control reviews
- vendor risk reviews
- privacy control evidence planning
- access review workflows
- support access reviews
- SharePoint evidence vault setup
- vCISO support for SaaS trust and compliance
Stay Connected With Canadian Cyber
Follow Canadian Cyber for practical guidance on SOC 2, SaaS compliance, Privacy, Confidentiality, Security, ISO 27001, SharePoint ISMS, vCISO leadership, and customer trust.
