SOC 2 is based on five Trust Services Criteria: Security (always required), Availability, Processing Integrity, Confidentiality and Privacy. In 2026, most Indian SaaS companies scope Security plus the criteria their customers care about — commonly Availability and Confidentiality — to keep the audit focused and cost-effective.
Security (the common criteria)
Security is mandatory in every SOC 2 report. It covers protection against unauthorised access — access control, network security, change management, monitoring and incident response.
Availability, Processing Integrity, Confidentiality, Privacy
Availability covers uptime and resilience; Processing Integrity covers accurate, complete processing; Confidentiality covers protection of confidential data; Privacy covers the handling of personal information in line with notice and choice.
Choosing your scope
Pick the criteria your customers contractually require. Over-scoping adds cost and evidence burden; under-scoping risks failing procurement. Aanetic helps you scope to customer demand.
FAQ
Only Security (the common criteria) is mandatory. Availability, Processing Integrity, Confidentiality and Privacy are added based on customer requirements and your service.