What are the Trust Services Criteria?

AICPA’s Trust Services Criteria are the framework used by auditors to determine which security and compliance controls they will test for in a company. The only Trust Services Criteria category required for every SOC 2 report is Security, but auditors have the option of adding Availability and Processing Integrity as well after determining the audit scope.  

Trust Services Criteria Categories:

Security

  • Data and systems are protected against unauthorized access and disclosure, including potentially compromising damage to systems. Data should be protected during its collection or creation, use, processing, transmission, and storage.

Availability

  • Data and systems are available for operation and use. Systems include controls to support accessibility for operation, monitoring, and maintenance.

Confidentiality

  • The organization should protect data designated as confidential (i.e., any sensitive information).

Processing Integrity

  • System processing (particularly of customer data) is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

Privacy

  • Personal data is collected, used, retained, disclosed, and disposed of in accordance with relevant regulations and policies.