SOC 2 Confidentiality Criteria: What C1.1–C1.2 Require
SOC 2 Confidentiality criteria C1.1 and C1.2 explained — who needs them, what controls are required, and what evidence auditors expect to see.
- Confidentiality has two criteria: C1.1 (identifying and maintaining confidential information) and C1.2 (disposing of confidential information).
- Confidentiality protects data that companies designate as confidential — distinct from Privacy, which protects individuals' personal data.
- C1.2 (data disposal) is the criterion that most commonly draws audit exceptions, because companies implement collection controls but not deletion controls.
- Encryption-at-rest and encryption-in-transit are the primary technical controls for C1.1.
- Data retention and deletion workflows must be documented and tested to satisfy C1.2.
Who Needs the Confidentiality TSC
The Confidentiality TSC is relevant when your service commitments include protecting information that customers designate as confidential. Common use cases: legal tech platforms storing client contracts and case files; financial data platforms handling non-public financial information; HR systems storing compensation data and performance reviews; IP management platforms storing trade secrets and proprietary research.
The trigger is typically customer contract language. If your MSA or DPA includes a provision that your company will treat customer data as confidential and implement appropriate protections, you have a service commitment that the Confidentiality TSC evaluates. Enterprise customers in regulated industries often require Confidentiality in scope.
Confidentiality is the second most commonly added TSC after Availability. Like Availability, it adds $3,000–$8,000 to auditor fees and requires implementing specific controls. The incremental burden is low for companies that already have encryption-at-rest and data lifecycle management — primarily they need to formalize data classification and disposal procedures.
C1.1: Identifying and Protecting Confidential Information
C1.1 requires that the entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. This breaks into two requirements: identification (knowing what data is confidential and labeling it appropriately) and protection (ensuring that labeled confidential data has appropriate access controls and encryption).
Data classification is the operational backbone of C1.1. You need a written data classification policy that defines what constitutes confidential data (versus public or internal data), and a process for applying that classification to data as it enters your system. For SaaS platforms, classification is often implicit in the data type — all data uploaded by customers to a legal document repository is classified as confidential by default.
Protection controls for confidential data include: encryption-at-rest using AES-256 or equivalent for confidential data stores; encryption-in-transit using TLS 1.2+ for all data transmission; access controls limiting confidential data to authorized users; audit logging of all access to confidential data; and DLP (data loss prevention) controls preventing unauthorized export.
C1.2: Disposing of Confidential Information
C1.2 requires that confidential information is disposed of when no longer needed. This criterion addresses the full data lifecycle — from collection through retention to deletion. The requirement has two dimensions: (1) you have a retention policy defining how long different data types are kept, and (2) you have a disposal process that securely deletes or destroys confidential information when the retention period expires or when a customer requests deletion.
For cloud-hosted companies, secure disposal means cryptographic erasure — overwriting or deleting encryption keys for data stored with customer-managed keys, or using AWS's certified data destruction process for managed storage. For physical media, a certificate of destruction from a certified disposal vendor is required.
Customer off-boarding is the most common trigger for C1.2 evidence. When a customer terminates their contract, you must have a defined process for deleting their data within a committed timeframe, notifying the customer of completion, and retaining evidence of the deletion. Many companies have off-boarding processes that handle account access but neglect the data deletion step.
Evidence Required for Confidentiality
For C1.1: data classification policy; encryption-at-rest configuration for databases and file storage (KMS key configuration, S3 bucket encryption settings); encryption-in-transit configuration (TLS certificate configuration, HSTS headers); access control configuration showing confidential data stores are restricted to authorized roles; audit log configuration showing access to confidential data is logged.
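The C1.1 protection controls and the configuration evidence listed for them can be checked mechanically. The following is an added example, not code from the page or from any vendor product: it scores one bucket's encryption-at-rest, TLS enforcement and access logging from data shaped like the boto3 get_bucket_encryption, get_bucket_policy and get_bucket_logging responses; the bucket names, KMS key ARN and account id are constructed placeholders, and nothing is fetched from AWS.

```python
"""Evaluate an S3 bucket against the C1.1 protection controls: encryption-at-rest
(default SSE-KMS or SSE-S3/AES-256), encryption-in-transit (a bucket policy that
denies non-TLS requests via aws:SecureTransport) and access logging. Inputs are
constructed to mirror the boto3 response shapes so the check runs offline."""
import json
def encryption_at_rest(encryption_cfg):
    """True when a default-encryption rule applies SSE-KMS or SSE-S3 (AES-256)."""
    rules = encryption_cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("aws:kms", "AES256"):
            return True
    return False

def tls_enforced(policy_json):
    """True when some Deny statement fires on aws:SecureTransport == false."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport")).lower() == "false":
            return True
    return False

def access_logged(logging_cfg):
    """True when server access logging is enabled for the bucket."""
    return "LoggingEnabled" in logging_cfg

def evaluate_bucket(encryption_cfg, policy_json, logging_cfg):
    """Per-control results plus an overall verdict; every False is an audit finding."""
    findings = {
        "encryption_at_rest": encryption_at_rest(encryption_cfg),
        "encryption_in_transit": tls_enforced(policy_json),
        "access_logging": access_logged(logging_cfg),
    }
    findings["c1_1_pass"] = all(findings.values())
    return findings
# Constructed sample: a compliant bucket, then the same bucket without a TLS-only policy.
KMS_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
     "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}
TLS_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::contracts-bucket", "arn:aws:s3:::contracts-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
LOGGING_ON = {"LoggingEnabled": {"TargetBucket": "audit-logs-bucket", "TargetPrefix": "contracts/"}}
COMPLIANT = evaluate_bucket(KMS_ENCRYPTION, TLS_ONLY_POLICY, LOGGING_ON)
NO_TLS_POLICY = evaluate_bucket(KMS_ENCRYPTION, json.dumps({"Version": "2012-10-17", "Statement": []}), LOGGING_ON)
```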
For C1.2: data retention policy with defined retention periods by data type; automated data deletion workflow documentation or manual deletion procedure; evidence of customer data deletion upon off-boarding (deletion confirmation, ticket records); backup deletion procedures ensuring confidential data is removed from backups after retention period.
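As an added example (not the page's own process) of the retention policy, off-boarding deletion and backup ageing that C1.2 calls for, and of the evidence record each disposal should leave behind: the retention periods, the 30-day deletion window, the customer names and the records are all constructed assumptions.

```python
"""C1.2 retention and disposal cycle: a record is due at its retention expiry (by data
type) or, once its customer has off-boarded, at the end of the committed deletion
window, whichever comes first; each disposal is logged as auditor-sampleable evidence."""
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed example values; backups get their own short window so confidential
# data also ages out of backups rather than surviving there indefinitely.
RETENTION_DAYS = {"contract": 365 * 7, "support_ticket": 365 * 2, "backup": 35}
OFFBOARDING_SLA_DAYS = 30  # committed deletion window after contract termination
@dataclass
class Record:
    record_id: str
    customer: str
    data_type: str
    created: date

def disposal_due_date(rec, terminated_on=None):
    """Earliest date the record must be gone."""
    due = rec.created + timedelta(days=RETENTION_DAYS[rec.data_type])
    if terminated_on is not None:
        due = min(due, terminated_on + timedelta(days=OFFBOARDING_SLA_DAYS))
    return due

def records_due(records, terminations, today):
    return [r for r in records if disposal_due_date(r, terminations.get(r.customer)) <= today]

def dispose(records, today, operator, method):
    """One evidence entry per disposed record: what, whose, when, how and by whom."""
    return [{"record_id": r.record_id, "customer": r.customer, "data_type": r.data_type,
             "disposed_on": today.isoformat(), "method": method, "operator": operator}
            for r in records]

def run_disposal_cycle(records, terminations, today, operator="retention-job"):
    """Dispose everything due, then confirm nothing due is left behind."""
    due = records_due(records, terminations, today)
    evidence = dispose(due, today, operator, method="crypto-erase")
    remaining = [r for r in records if r not in due]
    assert not records_due(remaining, terminations, today)  # post-disposal verification
    return remaining, evidence
# Constructed sample: acme is an active customer, globex terminated on 2025-05-15.
RECORDS = [
    Record("c-1001", "acme", "contract", date(2017, 1, 15)),
    Record("c-1002", "acme", "contract", date(2023, 3, 1)),
    Record("t-1003", "acme", "support_ticket", date(2023, 6, 1)),
    Record("b-1004", "acme", "backup", date(2025, 6, 10)),
    Record("c-2001", "globex", "contract", date(2024, 2, 10)),
    Record("b-2003", "globex", "backup", date(2025, 6, 20)),
]
TERMINATIONS = {"globex": date(2025, 5, 15)}
REMAINING, EVIDENCE = run_disposal_cycle(RECORDS, TERMINATIONS, date(2025, 6, 30))
```

The returned evidence list is what goes into the deletion ticket or off-boarding record the auditor samples; the assertion in the cycle is the check that the deletion workflow actually cleared everything the policy says must be gone.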
Confidentiality TSC vs Privacy TSC: The Distinction
The Confidentiality TSC and Privacy TSC address different types of information. Confidentiality protects information that organizations (your customers) designate as confidential — trade secrets, financial data, legal documents, proprietary research. Privacy protects personal information belonging to individuals — names, email addresses, behavioral data, health records.
A legal tech platform storing client contracts needs Confidentiality because the contracts are confidential business information. The same platform likely also needs Privacy if it stores the names and contact information of the individuals associated with those contracts.
Some companies add both; most add one or the other based on their primary customer concern. Legal, financial, and IP-focused platforms typically lead with Confidentiality. Consumer-facing or employee-data-processing platforms typically lead with Privacy. Many enterprise procurement teams ask specifically which TSC is in scope — knowing the difference matters for your sales conversations.
Frequently Asked Questions
Is TLS enough to satisfy C1.1?
What is a data retention policy for SOC 2 purposes?
Do we need to delete data from backups for C1.2?
Can customer contracts define what is confidential rather than us classifying it?
Does the Confidentiality TSC apply to employee data?