SOC 2 Privacy Readiness Checklist

Use this checklist to prepare for a SOC 2 audit focused on the “Privacy” Trust Services Criteria (TSC). For each control, ensure you have the proper evidence and corresponding policy in place.

| SOC 2 Control | Evidence to Provide | Relevant Policy |
|---|---|---|
| P1.1 Notice & Policy | Screenshot of a public-facing privacy policy. | Privacy Policy |
| P1.2 Communication | Screenshots of emails or in-app notifications to users. | Privacy Policy |
| P2.1 Explicit Consent | User consent forms, opt-in records, signed agreements. | Privacy Policy |
| P2.2 Choice Options | Website screenshots showing opt-in/opt-out options. | Privacy Policy |
| P3.1 Data Minimization | Data mapping document, data flow diagrams. | Data Minimization Policy |
| P3.2 Lawful Collection | Records of data collection methods and legal basis. | Privacy Policy, Data Handling Policy |
| P4.1 Purpose Limitation | Internal process document on data use. | Data Use Policy |
| P4.2 Retention Schedule | Data retention schedule document, data classification. | Data Retention Policy |
| P4.3 Secure Disposal | Logs of data deletion or media sanitization. | Data Disposal Policy |
| P5.1 Access & Review | Logs of access requests, DSAR tracking spreadsheet. | Data Subject Access Request (DSAR) Policy |
| P5.2 Identity Verification | Documentation on authentication methods for data access. | Identity Verification Policy |
| P5.3 Right to Correct | Ticket logs of data correction requests from users. | DSAR Policy |
| P6.1 Third-Party Consent | User agreements allowing for third-party disclosure. | Third-Party Disclosure Policy |
| P6.2 Written Agreements | Vendor contracts with data privacy addendums. | Vendor Risk Management Policy |
| P6.3 Disclosure Records | Records or logs of data disclosures to third parties. | Data Disclosure Log |
| P7.1 Security Controls | Screenshots of logical access controls (RBAC, MFA). | Access Control Policy, MFA Policy |
| P7.2 Encryption | Documentation of encryption at rest & in transit. | Encryption Policy |
| P7.3 Incident Response | Incident response plan, log of privacy-related incidents. | Incident Response Plan |
| P8.1 Data Accuracy | Process flow document for data validation, quality checks. | Data Quality Policy |
| P8.2 Data Completeness | Documented procedures for data completeness checks. | Data Quality Policy |
| P8.3 Data Relevance | Records of data quality reviews. | Data Quality Policy |