For this one, it depends. In SOC 2, privacy deals primarily with controls around the information of data subjects. If you are only a data processor, you likely cannot manipulate the PII, so the privacy criteria will be mostly N/A for you. If you are a data controller, you are more likely to have a direct impact on data subject information, and would therefore have privacy in scope.
I hear a lot about privacy these days. Should I include privacy in my SOC 2?
tl;dr: It depends 🤷🏽‍♂️

Written by Mr. ByteChek
Updated over a week ago