Which describes the trust service criteria covered by SOC 2?

• A. Security controls only
• B. Availability and processing integrity controls
• C. All five trust service criteria
• D. Security, availability, processing integrity, confidentiality and privacy controls; used by management, regulators, and others under an NDA

Answer: (D)

SOC 2 assessments revolve around five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. Describing all five criteria is essential because SOC 2 reports are built to provide assurance across each of these areas, not just a subset. The added note that the report is used by management, regulators, and others under confidentiality or NDA reflects how SOC 2 information is typically shared in practice—sensitive details are disclosed only to authorized parties under confidentiality. This combination—covering all five criteria and acknowledging the confidential nature of the report—best captures what SOC 2 evaluates and how the results are used. The other options fall short by mentioning fewer criteria or omitting the confidentiality/access context that accompanies SOC 2 reporting.