Encryption
Controls & Security · Last updated 2026-05-17

Encryption is the process of transforming readable data into a form that cannot be understood without a decryption key, protecting information against unauthorized disclosure. SOC 2 audits expect encryption of sensitive data both at rest and in transit, with documented standards for cipher selection, key length, and key management. Common implementations include TLS 1.2 or 1.3 for data in transit, AES-256 for data at rest in databases and object storage, full-disk encryption on laptops and servers, and envelope encryption with managed key services like AWS KMS or Azure Key Vault for application-level encryption. Key management is often the weakest part of encryption programs: keys must be rotated on documented schedules, access to key material must be tightly controlled and logged, and key compromise procedures must exist. Auditors test encryption by reviewing configurations, sampling network traffic captures, examining key rotation logs, and verifying disk encryption status on a sample of endpoints. Encryption is a baseline expectation in modern SOC 2 audits, not a competitive differentiator.
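The envelope-encryption and key-rotation pattern described above, as an added example in Go that is not part of the original page and not the code of any key service it names. It assumes a hypothetical in-memory `KeyStore` standing in for a managed key service such as AWS KMS or Azure Key Vault: key-encryption keys (KEKs) never leave the store, each record is encrypted with its own 256-bit data key (DEK) under AES-256-GCM, and rotating the KEK only re-wraps the DEK rather than re-encrypting the data. Retiring the old KEK then shows why a record must be re-wrapped before rotation completes. Key ids and the sample plaintext are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored: the ciphertext plus the DEK wrapped under a named KEK.
type Envelope struct {
	KEKID      string // which key-encryption key wrapped the DEK (for audit and rotation)
	WrappedDEK []byte // DEK sealed with the KEK (AES-256-GCM, nonce prepended)
	Ciphertext []byte // data sealed with the DEK (AES-256-GCM, nonce prepended)
}

// KeyStore is a hypothetical stand-in for a managed key service: callers never
// receive KEK bytes, they only ask the store to wrap, unwrap, or rotate.
type KeyStore struct{ keks map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

// CreateKEK generates a fresh 256-bit key-encryption key under the given id.
func (ks *KeyStore) CreateKEK(id string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks.keks[id] = k
	return nil
}

// RetireKEK removes a KEK; anything still wrapped under it can no longer be opened.
func (ks *KeyStore) RetireKEK(id string) { delete(ks.keks, id) }

// sealGCM encrypts with AES-256-GCM under a random nonce and prepends the nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; GCM's tag check makes any tampering fail here.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt generates a per-record DEK, seals the data with it, and wraps the DEK
// with the named KEK. The KEK id is bound as associated data so a wrapped DEK
// cannot be silently relabelled as belonging to a different KEK.
func (ks *KeyStore) Encrypt(kekID string, plaintext []byte) (*Envelope, error) {
	kek, ok := ks.keks[kekID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", kekID)
	}
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the envelope's KEK, then opens the data.
func (ks *KeyStore) Decrypt(env *Envelope) ([]byte, error) {
	kek, ok := ks.keks[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q unavailable (retired or unknown)", env.KEKID)
	}
	dek, err := openGCM(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, err
	}
	return openGCM(dek, env.Ciphertext, nil)
}

// Rotate re-wraps the DEK under a new KEK; the ciphertext is untouched, which is
// what keeps scheduled KEK rotation cheap even for very large datasets.
func (ks *KeyStore) Rotate(env *Envelope, newKEKID string) error {
	oldKEK, ok := ks.keks[env.KEKID]
	if !ok {
		return fmt.Errorf("old KEK %q unavailable", env.KEKID)
	}
	newKEK, ok := ks.keks[newKEKID]
	if !ok {
		return fmt.Errorf("new KEK %q unavailable", newKEKID)
	}
	dek, err := openGCM(oldKEK, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return err
	}
	wrapped, err := sealGCM(newKEK, dek, []byte(newKEKID))
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedDEK = newKEKID, wrapped
	return nil
}

func main() {
	ks := NewKeyStore()
	_ = ks.CreateKEK("kek-2026-q1")
	env, _ := ks.Encrypt("kek-2026-q1", []byte("constructed sample: account=12345")) // constructed sample
	_ = ks.CreateKEK("kek-2026-q2")
	_ = ks.Rotate(env, "kek-2026-q2")
	ks.RetireKEK("kek-2026-q1")
	pt, err := ks.Decrypt(env)
	fmt.Printf("after rotation, decrypt under %s: %q err=%v\n", env.KEKID, pt, err)
}
```

The rotation log an auditor would sample is, in this model, the sequence of `Rotate` calls and the `KEKID` recorded on each envelope: a record still carrying a retired KEK id is exactly the gap a rotation review is meant to catch, and `Decrypt` fails closed on it rather than guessing.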