If you have completed a SOC 2 audit, does it include the Privacy Trust Service Principle?

This question is asking whether your organization's SOC 2 audit specifically included the Privacy Trust Service Principle. SOC 2 (Service Organization Control 2) is a framework for auditing a company's controls related to data security and privacy. SOC 2 audits can be conducted against five different Trust Service Principles: Security (also called Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. Companies can choose which principles to include in their audit based on their business needs and customer requirements. The Privacy Trust Service Principle specifically focuses on how an organization collects, uses, retains, discloses, and disposes of personal information. It evaluates whether the organization's privacy practices align with its privacy notice and with the AICPA's Generally Accepted Privacy Principles (GAPP). This question is being asked in a security assessment because the assessor wants to understand the scope of your SOC 2 audit and whether it specifically evaluated your privacy controls. Many organizations only include the Security principle (which is mandatory) and perhaps one or two others, but not necessarily Privacy. Including the Privacy principle demonstrates a higher level of commitment to protecting personal information and indicates that your privacy controls have been independently verified. To best answer this question, you should: 1. Confirm whether your organization has completed a SOC 2 audit 2. If yes, check which Trust Service Principles were included in the scope 3. Specifically indicate whether the Privacy principle was included 4. If you're unsure, consult your SOC 2 report or speak with your compliance team