The SOC2 Compliance Pack provides 9 production-ready rules based on the AICPA Trust Services Criteria, covering the five trust principles: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Each rule includes breach cost data, real-world examples, and Common Criteria references (CC).

Trust Principles

SOC2 rules are organized into five trust service criteria:

Security

Protection against unauthorized access, disclosure, or damage (Common Criteria)

Availability

Systems are available for operation and use as committed

Confidentiality

Information designated as confidential is protected as committed

Processing Integrity

System processing is complete, valid, accurate, and authorized

Privacy

Personal information is collected, used, retained, disclosed, and disposed of appropriately

Detailed Rule Reference

Security (Common Criteria)

Rule: SOC2-CC6.1-001, Logical Access Control (MFA)
Severity: CRITICAL
Control: CC6.1 — Logical Access Security
What it detects: Identifies accounts with access to PII or sensitive data that do not have multi-factor authentication enabled.
Conditions:
{ "field": "mfa_enabled", "operator": "equals", "value": false }
Policy Excerpt:
Access to sensitive data must be protected by multi-factor authentication.
Historical Context:
  • Average Fine: $4.88M (Average cost of credential-based breach)
  • Breach Example: Uber 2022 — Contractor account without MFA allowed internal network pivot
Trust Principle: Security

Rule: SOC2-CC6.2-001, Credential Leakage Detection
Severity: CRITICAL
Control: CC6.2 — User Access Management
What it detects: Detects API keys, passwords, or secret tokens stored in non-secure database columns or code repositories.
Conditions:
{ "field": "contains_secrets", "operator": "equals", "value": true }
Policy Excerpt:
Controls should prevent unauthorized use of credentials.
Historical Context:
  • Average Fine: $2M (Average cost of secret key exposure in public repositories/DBs)
  • Breach Example: Twitter 2023 — Private keys leaked in source code allowed API takeover
Trust Principle: Security

Rule: SOC2-CC6.3-001, Termination of Access
Severity: MEDIUM
Control: CC6.3 — User Access Modification
What it detects: Identifies records where an “inactive” or “terminated” user still has active write permissions.
Conditions:
{ "field": "is_active_user", "operator": "equals", "value": false }
Policy Excerpt:
Access is modified or terminated in a timely manner.
Historical Context:
  • Average Fine: $150k (Common administrative fine for failed access reviews)
  • Breach Example: Terminated employee used valid credentials to delete production databases
Trust Principle: Security

Rule: SOC2-CC7.1-001, Audit Trail & Logging
Severity: HIGH
Control: CC7.1 — System Monitoring
What it detects: Identifies administrative actions or data access events not captured in audit logs.
Conditions:
{ "field": "has_audit_log", "operator": "equals", "value": false }
Policy Excerpt:
Monitoring activities must be performed to identify anomalies.
Historical Context:
  • Average Fine: $1.2M (Cost increase when detection/containment exceeds 200 days)
  • Breach Example: Company unable to determine extent of breach due to disabled database logs
Trust Principle: Security

Availability

Rule: SOC2-CC9.1-001, Business Continuity (Backups)
Severity: HIGH
Control: CC9.1 — Business Continuity
What it detects: Alerts when critical data has not been backed up in the last 24 hours.
Conditions:
{ "field": "last_backup_age_hours", "operator": "greater_than", "value": 24 }
Policy Excerpt:
The entity protects the system against environmental risks.
Historical Context:
  • Average Fine: $5.1M (Average cost of ransomware data loss)
  • Breach Example: Cloud service provider lost 2 weeks of customer data during cluster failure
Trust Principle: Availability

Confidentiality

Rule: SOC2-CC6.7-001, Encryption of Data at Rest
Severity: HIGH
Control: CC6.7 — Protection of Information
What it detects: Identifies databases or tables containing PII stored in plaintext (not encrypted at rest).
Conditions:
{ "field": "is_encrypted", "operator": "equals", "value": false }
Policy Excerpt:
The entity protects confidential information during its processing lifecycle.
Historical Context:
  • Average Fine: $18M (British Airways breach — lack of security measures)
  • Breach Example: Unencrypted S3 buckets exposed 100M+ user records in plain text
Trust Principle: Confidentiality

Rule: SOC2-CC5.2-001, Data Residency Compliance
Severity: MEDIUM
Control: CC5.2 — Communication and Information
What it detects: Verifies that EU customer data is not being processed or stored in unauthorized regions (e.g., outside the EEA).
Conditions:
{ "field": "region_mismatch", "operator": "equals", "value": true }
Policy Excerpt:
Entity communicates privacy objectives to internal and external parties.
Historical Context:
  • Average Fine: €1.2B (Meta — transferring data to US without valid basis)
  • Breach Example: French health data host fined for using non-EU cloud providers without consent
Trust Principle: Confidentiality

Processing Integrity

Rule: SOC2-CC6.1-002, Tenant Data Isolation
Severity: CRITICAL
Control: CC6.1 — Logical Access Security
What it detects: Checks for rows in a customer export that contain data from other tenants (cross-tenant data leak).
Conditions:
{ "field": "tenant_id", "operator": "equals", "value": "MISMATCH" }
Policy Excerpt:
Customer data must be logically isolated from other customers.
Historical Context:
  • Average Fine: $3.5M (Average fine for cross-tenant data leak)
  • Breach Example: SaaS provider leaked private reports to competitors due to query logic error
Trust Principle: Processing Integrity

Privacy

Rule: SOC2-P1.1-001, Data Retention Policy
Severity: MEDIUM
Control: P1.1 — Privacy Criteria
What it detects: Identifies data that has exceeded the standard 7-year legal retention period.
Conditions:
{ "field": "age_years", "operator": "greater_than", "value": 7 }
Policy Excerpt:
Personal information is retained for only as long as necessary.
Historical Context:
  • Average Fine: $1M (Sears — retaining customer tracking data post-consent withdrawal)
  • Breach Example: Startup failing audit because “Deleted Users” table still contained full PII from 2016
Trust Principle: Privacy

Rule Summary Table

Rule ID          Name                            Severity   Control   Trust Principle
SOC2-CC6.1-001   Logical Access Control (MFA)    CRITICAL   CC6.1     Security
SOC2-CC6.1-002   Tenant Data Isolation           CRITICAL   CC6.1     Processing Integrity
SOC2-CC6.7-001   Encryption of Data at Rest      HIGH       CC6.7     Confidentiality
SOC2-CC7.1-001   Audit Trail & Logging           HIGH       CC7.1     Security
SOC2-CC9.1-001   Business Continuity (Backups)   HIGH       CC9.1     Availability
SOC2-CC6.2-001   Credential Leakage Detection    CRITICAL   CC6.2     Security
SOC2-CC6.3-001   Termination of Access           MEDIUM     CC6.3     Security
SOC2-CC5.2-001   Data Residency Compliance       MEDIUM     CC5.2     Confidentiality
SOC2-P1.1-001    Data Retention Policy           MEDIUM     P1.1      Privacy

Trust Principle Coverage

Security

4 Rules — MFA enforcement, credential leakage detection, access termination, audit logging
Security is the foundational trust principle required for all SOC2 audits. These rules ensure:
  • Multi-factor authentication for sensitive data access
  • No hardcoded credentials or leaked API keys
  • Timely revocation of access for terminated users
  • Comprehensive audit trails for all administrative actions

Availability

1 Rule — Business continuity (backup validation)
Ensures systems are available for operation and use as committed:
  • Critical data backed up within 24 hours
  • Protection against data loss from ransomware or system failures

Confidentiality

2 Rules — Encryption at rest, data residency compliance
Protects confidential information designated as sensitive:
  • PII encrypted at rest in all databases
  • Data stored only in authorized geographic regions

Processing Integrity

1 Rule — Tenant data isolation
Ensures system processing is complete, valid, accurate, and authorized:
  • Multi-tenant SaaS applications prevent cross-tenant data leaks
  • Data exports contain only records belonging to the requesting customer

Privacy

1 Rule — Data retention policy
Ensures personal information is appropriately managed throughout its lifecycle:
  • Data not retained beyond legal or business requirements (7-year default)
  • Automated purge for records exceeding retention period

Using the SOC2 Pack

  1. Select SOC2 Framework — Choose “SOC2” when creating a new audit
  2. Choose Trust Principles — All 9 rules are loaded; toggle rules based on your SOC2 scope (Type I vs Type II)
  3. Upload Data — Upload your system access logs, user database, or configuration exports
  4. Confirm Mapping — Map your columns to fields like mfa_enabled, is_encrypted, tenant_id, etc.
  5. Run Scan — Execute the compliance scan
  6. Review Violations — Violations include Common Criteria references and breach cost estimates
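As an added example (not Yggdrasil's own code), the following Python applies the nine conditions listed in the rule reference to uploaded rows the way steps 4 and 5 describe: a column mapping renames uploaded columns to rule fields, then each rule's field/operator/value is evaluated against every row. The sample rows, the column mapping, and the requesting-tenant preprocessing that produces the literal "MISMATCH" for the tenant_id rule are assumptions, not part of the product.

```python
# Added example (not Yggdrasil's own code): applies the pack's JSON conditions
# to uploaded rows once the step-4 column mapping has been applied. Rule ids,
# fields, operators and values are those the page lists; the sample rows, the
# column mapping and the requesting tenant are constructed for illustration.
SOC2_RULES = [
    ("SOC2-CC6.1-001", "CRITICAL", {"field": "mfa_enabled", "operator": "equals", "value": False}),
    ("SOC2-CC6.2-001", "CRITICAL", {"field": "contains_secrets", "operator": "equals", "value": True}),
    ("SOC2-CC6.3-001", "MEDIUM", {"field": "is_active_user", "operator": "equals", "value": False}),
    ("SOC2-CC7.1-001", "HIGH", {"field": "has_audit_log", "operator": "equals", "value": False}),
    ("SOC2-CC9.1-001", "HIGH", {"field": "last_backup_age_hours", "operator": "greater_than", "value": 24}),
    ("SOC2-CC6.7-001", "HIGH", {"field": "is_encrypted", "operator": "equals", "value": False}),
    ("SOC2-CC5.2-001", "MEDIUM", {"field": "region_mismatch", "operator": "equals", "value": True}),
    ("SOC2-CC6.1-002", "CRITICAL", {"field": "tenant_id", "operator": "equals", "value": "MISMATCH"}),
    ("SOC2-P1.1-001", "MEDIUM", {"field": "age_years", "operator": "greater_than", "value": 7}),
]
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "greater_than": lambda actual, expected: actual > expected,
}

def apply_mapping(raw_row, mapping):
    """Step 4: rename uploaded columns (e.g. 'mfa') to rule fields ('mfa_enabled')."""
    return {mapping.get(col, col): val for col, val in raw_row.items()}

def scan(rows, mapping, requesting_tenant, rules=SOC2_RULES):
    """Step 5: return (row_index, rule_id, severity) for every violation found."""
    violations = []
    for i, raw in enumerate(rows):
        row = apply_mapping(raw, mapping)
        # Assumed preprocessing for SOC2-CC6.1-002: the condition compares tenant_id
        # with the literal "MISMATCH", so a row from another tenant is rewritten to it.
        if "tenant_id" in row and row["tenant_id"] != requesting_tenant:
            row["tenant_id"] = "MISMATCH"
        for rule_id, severity, cond in rules:
            if cond["field"] not in row:
                continue  # unmapped field: not evaluated, never a silent pass or fail
            if OPERATORS[cond["operator"]](row[cond["field"]], cond["value"]):
                violations.append((i, rule_id, severity))
    return violations

# Constructed sample export with raw column names as a customer might upload them.
SAMPLE_ROWS = [
    {"mfa": True, "active": True, "tenant": "acme", "encrypted": True, "backup_age_h": 6},
    {"mfa": False, "active": False, "tenant": "acme", "encrypted": False, "backup_age_h": 30},
    {"mfa": True, "active": True, "tenant": "globex", "encrypted": True, "backup_age_h": 12},
]
SAMPLE_MAPPING = {"mfa": "mfa_enabled", "active": "is_active_user", "tenant": "tenant_id",
                  "encrypted": "is_encrypted", "backup_age_h": "last_backup_age_hours"}
```

Running `scan(SAMPLE_ROWS, SAMPLE_MAPPING, "acme")` flags row 1 under four rules and row 2 under the tenant isolation rule; rules whose field was never mapped (e.g. contains_secrets) are skipped rather than reported as passing.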
SOC2 audits typically focus on controls rather than raw data scans. Use Yggdrasil’s SOC2 pack to validate that your data layer adheres to the Common Criteria controls before your formal audit.

SOC2 Type I vs Type II

Audit Type   Scope                                        Yggdrasil Use Case
Type I       Design effectiveness at a point in time      Run a one-time scan to validate controls are in place
Type II      Operating effectiveness over 6-12 months     Run periodic scans and track score history to demonstrate continuous compliance

Next Steps

AML Compliance Pack

Explore the 11 AML/FinCEN rules for financial transaction monitoring

GDPR Compliance Pack

Explore the 15 GDPR rules for data protection compliance

Custom PDF Upload

Upload your own regulatory documents

Confidence Scoring

Learn how violations are scored and ranked
