SOC 2 Data Security and Retention Requirements

This post is maintained by Bytebase, an open-source database DevSecOps tool which is SOC 2 compliant and can also help your organization achieve SOC 2 compliance. We update the post every year.

Update History	Comment
2025/05/29	Initial version.

What is SOC 2?#

SOC 2 (System and Organization Controls 2) is a security framework developed by the American Institute of Certified Public Accountants (AICPA) that specifies how organizations should protect customer data from unauthorized access, security incidents, and other vulnerabilities. It was created in 2010 to establish trust between service providers and their customers, particularly for companies that store, process, or transmit customer data in the cloud.

The Five Trust Services Criteria#

SOC 2 is based on five key areas:

1. Security (mandatory) - Protecting against unauthorized access and system vulnerabilities
2. Availability - Ensuring systems are available as promised
3. Processing Integrity - Making sure processing is accurate and complete
4. Confidentiality - Protecting confidential information
5. Privacy - Handling personal information properly

Types of SOC 2 Reports#

• Type I: Evaluates controls at a single point in time
• Type II: Assesses controls over a period (3-12 months)

Type II reports are generally considered more valuable as they demonstrate the operational effectiveness of controls over time rather than just their design.

Who Needs SOC 2 Compliance?#

SOC 2 compliance is particularly important for:

• Service organizations that store, process, or transmit customer data
• SaaS (Software as a Service) companies
• Cloud computing providers
• Data centers
• Companies handling sensitive customer information

While SOC 2 is not legally mandated like HIPAA or GDPR, it has become a de facto requirement for many businesses, especially when dealing with enterprise clients who require assurance that their data will be protected.

Data Security Requirements#

Security is the only mandatory Trust Services Criteria in SOC 2, making it the foundation of any SOC 2 compliance program. It covers defenses against all forms of attack, from sophisticated man-in-the-middle attacks to physical access by malicious individuals.

Key Security Requirements#

1. Information Security: Organizations must implement robust measures to protect data from unauthorized access and use. This includes:

   • Implementing firewalls and intrusion detection systems
   • Establishing security monitoring and alerting
   • Conducting regular vulnerability assessments and penetration testing
   • Developing incident response procedures

2. Logical and Physical Access Controls: Organizations must manage and restrict both logical (system-based) and physical access to prevent unauthorized use:

   • Implementing multi-factor authentication
   • Establishing new employee onboarding and offboarding processes
   • Conducting quarterly user access and permissions reviews
   • Restricting physical access to data centers and sensitive areas
   • Installing systems to prevent downloading of customer data
   • Monitoring production systems

3. System Operations: Organizations must manage system operations to detect and mitigate process deviations:

   • Implementing system monitoring tools
   • Establishing baseline performance metrics
   • Creating procedures for handling operational anomalies
   • Developing incident management protocols

4. Change Management: Organizations must implement controlled change management processes to prevent unauthorized changes:

   • Establishing formal change request procedures
   • Requiring approval workflows for system changes
   • Testing changes before implementation
   • Documenting all system modifications
   • Creating rollback procedures

5. Risk Management: Organizations must identify and mitigate risks related to business disruptions and vendor services:

   • Conducting regular risk assessments
   • Developing business continuity and disaster recovery plans
   • Implementing vendor management programs
   • Establishing service level agreements with third parties

Practical Implementation Examples#

Different organizations may implement these requirements in various ways. For example:

• One company might establish new employee onboarding processes, implement multi-factor authentication, and install systems to prevent downloading customer data.
• Another company might restrict physical access to data centers, conduct quarterly user access and permissions reviews, and monitor production systems.

The key is that the controls put in place must fulfill the particular Trust Services Criteria, regardless of the specific combination of policies or processes used.

Data Retention Requirements#

A data retention policy defines what types of data should be retained, how long the data should be retained and in what format, and the requirements and procedures to delete data when it is no longer needed.

Key Retention Requirements#

SOC 2 doesn't specify exact retention periods but requires:

• Clear procedures for identifying confidential information
• Defined retention periods for different data types
• Protection of data during retention periods
• Secure deletion when retention periods end

Creating a Data Retention Policy#

1. Data Identification and Classification

   • Identify all types of data collected and the various methods of collection
   • Classify data into categories based on sensitivity and confidentiality (public, private, protected health information, confidential, restricted, etc.)
   • Document the classification system in the data retention policy

2. Requirement Identification

   • Identify and understand all relevant laws, regulations, service commitments, and contractual obligations
   • Consider industry-specific requirements (HIPAA, GDPR, FLSA, GLBA, SOX, PCI DSS, etc.)
   • Document these requirements and how they apply to different data classifications

3. Retention Period Definition

   • Set appropriate retention periods for each data category
   • Consider whether a standard retention period is sufficient or if multiple periods are needed
   • Document the retention periods in the data retention policy

4. Data Deletion Procedures

   • Establish clear procedures for identifying data that has reached the end of its retention period
   • Define secure deletion methods appropriate for different types of data and storage media
   • Document the deletion procedures and verification processes

Best Practices for Data Retention#

• Regular Review: Review and update the data retention policy regularly to ensure it remains current with changing laws, regulations, and business needs
• Documentation: Maintain detailed documentation of all data retention and deletion activities
• Employee Training: Ensure all employees understand the data retention policy and their responsibilities
• Automation: Implement automated tools for data classification, retention tracking, and secure deletion where possible
• Backup Considerations: Ensure backup systems and archives are included in the data retention policy
• Verification: Regularly verify that data retention and deletion procedures are being followed correctly
• Legal Hold Process: Establish a process for implementing legal holds that suspend normal retention and deletion procedures when necessary

Practical Implementation Steps for SOC 2#

1. Determine Scope and Criteria

• Decide which Trust Services Criteria to include (Security is mandatory)
• Define the systems and data in scope for the audit
• Determine whether to pursue Type I or Type II certification

2. Conduct a Readiness Assessment

• Evaluate current security controls against SOC 2 requirements
• Identify gaps in existing policies, procedures, and controls
• Create a remediation plan to address identified gaps

3. Develop and Implement Policies and Procedures

• Create comprehensive documentation of security policies
• Establish procedures for access control, change management, risk assessment, etc.
• Ensure policies align with the selected Trust Services Criteria

4. Implement Technical Controls

• Deploy necessary security technologies (firewalls, encryption, monitoring tools, etc.)
• Configure systems according to security best practices
• Implement access controls and authentication mechanisms

5. Train Employees

• Educate staff on security policies and procedures
• Conduct regular security awareness training
• Ensure employees understand their roles in maintaining compliance

6. Monitor and Document

• Implement continuous monitoring of security controls
• Maintain evidence of control effectiveness
• Document all security incidents and responses

7. Engage an Auditor

• Select a qualified CPA firm to conduct the audit
• Prepare for the audit by organizing evidence and documentation
• Facilitate auditor interviews and system demonstrations

Best Practices for SOC 2 Compliance#

1. Start with a Strong Foundation

• Establish a clear security governance structure
• Define roles and responsibilities for security management
• Obtain executive support and commitment to the compliance process

2. Focus on Documentation

• Maintain detailed, up-to-date documentation of all security policies and procedures
• Document evidence of control implementation and effectiveness
• Keep records of all security incidents, responses, and remediation efforts

3. Implement Continuous Monitoring

• Deploy automated monitoring tools to track system activity
• Establish regular review processes for security logs and alerts
• Conduct periodic vulnerability assessments and penetration testing

4. Prioritize Access Control

• Implement the principle of least privilege for all system access
• Use multi-factor authentication for sensitive systems
• Regularly review and update access permissions

5. Establish Robust Change Management

• Create formal processes for requesting, approving, and implementing changes
• Test all changes before deployment to production environments
• Document all changes and their impact on security controls

6. Develop Incident Response Capabilities

• Create a comprehensive incident response plan
• Establish clear procedures for detecting, reporting, and responding to security incidents
• Conduct regular incident response drills and tabletop exercises

7. Engage in Continuous Improvement

• Regularly review and update security policies and procedures
• Learn from security incidents and near-misses
• Stay informed about emerging threats and vulnerabilities

8. Consider Automation

• Implement automated tools for compliance monitoring and reporting
• Use security automation to reduce manual effort and human error
• Consider compliance platforms that streamline evidence collection and management

9. Prepare for the Long Term

• View SOC 2 compliance as an ongoing process, not a one-time project
• Build compliance requirements into new system development
• Establish a culture of security throughout the organization

Benefits of SOC 2 Compliance#

• Builds customer trust
• Improves security posture
• Creates competitive advantage
• Reduces risk of data breaches
• Establishes foundation for growth

Remember#

SOC 2 compliance isn't just a checkbox — it's an ongoing commitment to protecting data. By following these guidelines, you can create effective security and data retention practices that protect your organization and your customers.