SOC 2: Confidentiality
Controls for protecting confidential information through classification, access restrictions, and secure handling.
Controls and Detailed Requirements
C1.1 Data Classification and Handling Rules
Classify confidential data types and define handling requirements for storage, transfer, and disposal so teams apply consistent safeguards throughout the data lifecycle.
C1.2 Confidential Access Restrictions
Restrict access to confidential data by role and business need, enforce strong authentication, and maintain audit trails for data access events.
C1.3 Encryption and Key Management
Use encryption for confidential data in transit and at rest, and manage encryption keys securely with controlled access, rotation, and backup procedures.
C1.4 Secure Data Transmission
Protect confidential information during transmission through approved secure protocols, endpoint validation, and controls that prevent unapproved data egress.
C1.5 Confidential Data Retention and Disposal
Apply documented retention schedules and secure disposal methods to minimize unnecessary data exposure and satisfy contractual or regulatory obligations.
C1.6 Confidentiality Incident Response
Define and execute response procedures for suspected or confirmed unauthorized disclosure of confidential information, including containment and notification actions.
C1.7 Third-Party Confidentiality Safeguards
Require contractual and operational confidentiality safeguards for vendors and partners that process confidential data, including ongoing assurance and review.