Cross-Sector

SOC 2: Privacy

Controls governing personal data notice, consent, purpose limitation, rights handling, and retention.


Controls and Detailed Requirements

P1.1 Privacy Notice and Purpose Specification

Provide clear privacy notices describing what personal information is collected, why it is processed, and how it is used, shared, retained, and protected.

P2.1 Consent and Choice Management

Capture and honor user consent preferences where required, and ensure processing activities align with selected choices and stated legal basis.

P3.1 Collection and Use Limitation

Limit personal data collection and processing to what is necessary for defined business purposes, and prevent unauthorized secondary use.

P4.1 Data Subject Rights Intake and Verification

Provide mechanisms to receive rights requests and verify requester identity before disclosing or modifying personal data.

P4.2 Data Subject Rights Fulfillment

Execute rights requests such as access, correction, deletion, restriction, and portability within required timelines and maintain fulfillment evidence.

P5.1 Privacy Incident and Breach Handling

Maintain incident response workflows specific to personal data events, including legal review, notification criteria, and post-incident corrective actions.

P6.1 Personal Data Accuracy and Quality

Maintain controls to keep personal data accurate, complete, and up to date for its intended purpose, including correction workflows and periodic quality checks.

P6.2 Monitoring and Enforcement of Privacy Controls

Monitor privacy control performance and perform periodic evaluations to identify deviations, process breakdowns, and required corrective actions.

P6.3 Privacy Policy and Procedure Governance

Maintain current privacy policies and operating procedures, assign ownership, and require periodic review and approval to reflect legal and operational changes.

P7.1 Privacy Retention and Disposal

Define and enforce retention timelines for personal data, and ensure secure disposal when retention obligations expire.

P8.1 Third-Party Privacy Risk Management

Assess and monitor third parties that process personal data, ensuring contracts, due diligence, and oversight address privacy obligations and cross-border transfer risks.

P8.2 Privacy Program Review and Continuous Improvement

Review privacy program effectiveness through audits, metrics, and management review, and implement continuous improvements based on findings and evolving obligations.