Confidentiality
Trust Services Criteria · Last updated 2026-05-17

Confidentiality is one of the five Trust Services Criteria in SOC 2. It addresses how a service organization identifies, protects, and disposes of information designated as confidential by contract, regulation, or policy. Confidentiality differs from Privacy in that it covers any business-sensitive information, including trade secrets, intellectual property, customer-confidential data, and competitive information, while Privacy focuses specifically on personal information. Controls in this category include data classification schemes, encryption of confidential data at rest and in transit, enforcement of restricted access, secure data disposal and media sanitization, and confidentiality clauses in employee and vendor agreements. Companies often select Confidentiality when their customer contracts include explicit confidentiality obligations or when they handle non-personal but commercially sensitive information. Auditors test confidentiality controls by reviewing data classification documentation, encryption configurations, access logs for confidential repositories, and disposal records. Like the other optional categories, Confidentiality layers on top of the required Security category in the SOC 2 scope.