SOC 2 and GDPR: Managing Both for Global SaaS Companies
At Agency, we work with SaaS companies selling internationally who face a dual compliance challenge that often feels like managing two separate programs: US enterprise buyers require SOC 2 reports as a standard procurement condition, while European customers and data protection authorities expect compliance with the General Data Protection Regulation (GDPR). These frameworks originate from different legal traditions — SOC 2 is a voluntary attestation framework developed by the AICPA for evaluating service organization controls, while GDPR is a comprehensive data protection regulation enforced by EU/EEA supervisory authorities with penalties up to four percent of global annual revenue or twenty million euros. Despite their different origins, what we consistently see is that SOC 2 and GDPR share substantial control overlap, and organizations that build their compliance program strategically can satisfy both frameworks with a single, unified control environment rather than maintaining parallel programs.
This guide helps SaaS companies operating globally understand where SOC 2 and GDPR overlap, where they diverge, how to build a unified compliance program, and how to use the SOC 2 report as evidence of GDPR technical and organizational measures. The target audience is compliance officers, data protection officers (DPOs), and security leads at SaaS companies with both US and European customers.
Fundamental Differences
Framework Comparison
| Dimension | SOC 2 | GDPR |
|---|---|---|
| Type | Voluntary attestation framework | EU regulation (legally binding) |
| Governing body | AICPA | European Commission; enforced by EU/EEA data protection authorities |
| Geographic scope | Primarily US; growing international recognition | EU/EEA; applies globally to any organization processing EU personal data |
| Who it applies to | Service organizations that choose to undergo the attestation | Any organization processing personal data of EU/EEA residents |
| Enforcement | Market-driven — customers require reports | Regulatory — fines up to €20M or 4% of global annual revenue |
| Assessment method | CPA firm attestation engagement | Self-assessment, data protection impact assessments, supervisory authority audits |
| Output | SOC 2 report with auditor opinion | No standard report; compliance demonstrated through documentation, DPIAs, records of processing |
| Focus | Security controls for service organizations | Data protection rights of individuals |
| Control framework | Trust Service Criteria (CC1-CC9 + optional criteria) | Articles 5, 6, 12-22, 24-39 (principles, rights, obligations) |
The Key Philosophical Difference
SOC 2 evaluates whether an organization's controls are suitably designed and operating effectively to protect data and systems. GDPR evaluates whether an organization processes personal data lawfully, fairly, and transparently — with specific rights granted to data subjects. What we always explain to clients is that SOC 2 is controls-focused while GDPR is rights-focused. A SOC 2 program without GDPR alignment may have excellent security controls but lack the data subject rights mechanisms, lawful basis documentation, and data processing transparency that GDPR requires.
Where SOC 2 and GDPR Overlap
Control Overlap Map
| Control Domain | SOC 2 Requirement | GDPR Requirement | Overlap Level |
|---|---|---|---|
| Access management | CC6 — logical access controls, authentication, authorization, deprovisioning | Article 32 — security of processing; appropriate technical measures | High |
| Encryption | CC6 — data protection at rest and in transit | Article 32 — pseudonymization and encryption of personal data | High |
| Risk assessment | CC3 — formal risk assessment and management | Article 35 — data protection impact assessment (DPIA); Article 32 — risk-appropriate security | High |
| Incident response | CC7 — incident detection, response, communication | Articles 33-34 — breach notification to supervisory authority (72 hours) and data subjects | High |
| Monitoring and logging | CC7 — security event logging and monitoring | Article 32 — ability to detect, respond to, and recover from incidents | Medium-High |
| Change management | CC8 — change authorization, testing, deployment | Article 32 — process for regularly testing effectiveness of technical measures | Medium |
| Vendor management | CC9 — vendor risk assessment and contractual requirements | Articles 28-29 — data processor agreements; sub-processor requirements | High |
| Employee training | CC1 — security awareness and training | Article 39(1)(b) — DPO responsibilities include awareness-raising and training | Medium |
| Data classification | CC6, C1 — data handling and confidentiality | Article 5(1)(c) — data minimization; processing only what is necessary | Medium |
| Business continuity | CC9, A1 — business continuity and disaster recovery | Article 32(1)(c) — ability to restore availability and access to personal data in a timely manner | Medium |
In our experience, an organization with a mature SOC 2 program addresses approximately fifty to sixty percent of GDPR's technical and organizational measures requirements. The remaining GDPR requirements are specific to data subject rights, lawful basis for processing, and data protection governance — areas that SOC 2 does not directly address.
SOC 2 Privacy Criterion and GDPR
Including the SOC 2 Privacy criterion significantly increases overlap with GDPR:
| Privacy Criterion Area | GDPR Alignment |
|---|---|
| Notice | Articles 13-14 — information provided to data subjects about processing |
| Choice and consent | Article 6 — lawful basis for processing; Article 7 — conditions for consent |
| Collection limitation | Article 5(1)(b) — purpose limitation; Article 5(1)(c) — data minimization |
| Use, retention, and disposal | Article 5(1)(e) — storage limitation; Article 17 — right to erasure |
| Access | Article 15 — right of access by the data subject |
| Disclosure to third parties | Articles 28-29 — data processor agreements; Articles 44-49 — international transfers |
| Quality | Article 5(1)(d) — accuracy of personal data |
| Monitoring and enforcement | Article 24 — responsibility of the controller; Article 32 — security of processing |
What we see across our client base is that organizations that include the Privacy criterion in their SOC 2 scope cover approximately seventy to seventy-five percent of GDPR requirements, compared to fifty to sixty percent with Security alone.
Where GDPR Goes Beyond SOC 2
GDPR-Specific Requirements
| GDPR Requirement | Description | Not Covered by SOC 2 |
|---|---|---|
| Lawful basis for processing | Article 6 — every processing activity requires a documented lawful basis (consent, contract, legitimate interest, etc.) | SOC 2 does not require documenting lawful basis for data processing |
| Data subject rights | Articles 15-22 — right to access, rectification, erasure, restriction, portability, objection, automated decision-making | SOC 2 Privacy criterion covers some rights but not the full GDPR scope |
| Data Protection Officer | Articles 37-39 — mandatory DPO appointment in certain circumstances | SOC 2 does not require a DPO |
| Data Protection Impact Assessment | Article 35 — DPIA required for high-risk processing activities | SOC 2 requires risk assessment but not processing-specific DPIAs |
| Records of processing activities | Article 30 — documented records of all processing activities | SOC 2 does not require processing activity records |
| International data transfers | Articles 44-49 — legal mechanisms for transferring personal data outside the EU (SCCs, adequacy decisions, BCRs) | SOC 2 does not address cross-border data transfer mechanisms |
| Data protection by design and default | Article 25 — privacy built into system design; default settings protect privacy | SOC 2 does not explicitly require privacy by design |
| Consent management | Article 7 — specific conditions for valid consent | SOC 2 Privacy criterion references consent but does not prescribe GDPR-specific consent requirements |
| Breach notification to supervisory authority | Article 33 — notification within 72 hours to the supervisory authority | SOC 2 requires incident response but not specific regulatory notification timelines |
Building a Unified Compliance Program
Implementation Strategy
The most efficient approach — and the one we recommend to all our global SaaS clients — is to build a single control environment that satisfies both frameworks, with supplemental GDPR-specific activities layered on top of the SOC 2 foundation:
| Layer | What It Contains | Purpose |
|---|---|---|
| Foundation (SOC 2) | Security controls, access management, change management, monitoring, incident response, risk assessment, vendor management, policies | Addresses SOC 2 Trust Service Criteria and the technical/organizational measures of GDPR Article 32 |
| Extended controls (SOC 2 Privacy) | Notice, consent, data collection limitation, data lifecycle management, data subject access mechanisms | Addresses SOC 2 Privacy criterion and extends coverage into GDPR data protection principles |
| GDPR-specific layer | Lawful basis documentation, DPIA process, records of processing, data transfer mechanisms, DPO appointment, consent management | Addresses GDPR requirements not covered by SOC 2 |
Implementation Priority
| Priority | Activity | SOC 2 Benefit | GDPR Benefit |
|---|---|---|---|
| 1 | Implement access management controls | CC6 compliance | Article 32 security measures |
| 2 | Enable encryption at rest and in transit | CC6 compliance | Article 32 pseudonymization and encryption |
| 3 | Conduct risk assessment | CC3 compliance | Article 32 risk-appropriate measures; foundation for DPIAs |
| 4 | Implement incident response with 72-hour capability | CC7 compliance | Articles 33-34 breach notification |
| 5 | Build vendor management program with DPA templates | CC9 compliance | Articles 28-29 processor agreements |
| 6 | Document data processing activities | SOC 2 system description | Article 30 records of processing |
| 7 | Implement data subject rights mechanisms | SOC 2 Privacy criterion | Articles 15-22 data subject rights |
| 8 | Establish data transfer mechanisms | SOC 2 scope documentation | Articles 44-49 international transfers |
| 9 | Appoint DPO (if required) | Not directly required | Articles 37-39 DPO appointment |
| 10 | Conduct DPIAs for high-risk processing | Supported by the SOC 2 risk assessment (CC3) | Article 35 DPIA requirement |
Data Processing Agreements and SOC 2
For SaaS companies processing EU personal data on behalf of customers, Data Processing Agreements (DPAs) are required under GDPR Article 28. Your SOC 2 report can serve as evidence within the DPA relationship:
| DPA Requirement | How SOC 2 Supports It |
|---|---|
| Technical and organizational measures (Article 32) | SOC 2 report provides independent verification of security controls |
| Sub-processor management | SOC 2 vendor management controls (CC9) demonstrate sub-processor oversight |
| Audit rights | SOC 2 report satisfies many customers' audit requirements under the DPA |
| Breach notification | SOC 2 incident response controls (CC7) demonstrate notification capability |
| Data deletion upon contract end | SOC 2 controls can include data retention and deletion procedures |
Using SOC 2 as GDPR Evidence
Article 32: Security of Processing
GDPR Article 32 requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. A SOC 2 Type II report with an unqualified opinion provides strong evidence of Article 32 compliance for the security controls within its scope.
| Article 32 Requirement | SOC 2 Evidence |
|---|---|
| Pseudonymization and encryption | CC6 controls demonstrating encryption at rest and in transit |
| Confidentiality, integrity, availability | Trust Service Criteria coverage across Security, Availability, and Confidentiality |
| Ability to restore availability | Business continuity and DR controls (CC9, A1) |
| Regular testing of security measures | SOC 2 Type II demonstrates ongoing control effectiveness over the observation period |
How European Customers Use SOC 2 Reports
European customers increasingly accept SOC 2 reports as evidence of technical measures, but with specific expectations:
| European Buyer Expectation | How to Address |
|---|---|
| SOC 2 should include Privacy or Confidentiality criterion | Include at least one data protection-relevant criterion beyond Security |
| Report should reference GDPR-relevant controls | System description should mention EU data handling where applicable |
| Data transfer mechanisms should be documented | Include data residency and transfer mechanism documentation alongside the SOC 2 report |
| DPA should reference the SOC 2 report | Include the SOC 2 report as an exhibit or reference in your Data Processing Agreement |
International Data Transfers
Data Transfer Mechanisms
For SaaS companies transferring EU personal data to the US or other non-adequate countries:
| Mechanism | When to Use | SOC 2 Relevance |
|---|---|---|
| Standard Contractual Clauses (SCCs) | Most common mechanism for EU-US data transfers | SOC 2 provides evidence of the supplemental measures required alongside SCCs |
| EU-US Data Privacy Framework | Available for certified US companies | Certification is separate from SOC 2; both demonstrate data protection commitment |
| Binding Corporate Rules (BCRs) | Intra-group transfers within multinational companies | Primarily enterprise mechanism; SOC 2 supports the security measures component |
| Adequacy decisions | Transfers to countries with EU-recognized adequate protection | No additional mechanism needed for adequate countries |
SOC 2 as Supplementary Measures for SCCs
Following the Schrems II decision, organizations using SCCs for EU-US data transfers must implement supplementary measures to ensure an adequate level of data protection. What we advise our clients is that a SOC 2 report with appropriate criteria (Security + Confidentiality or Privacy) serves as strong evidence of supplementary technical measures:
| Supplementary Measure Category | SOC 2 Evidence |
|---|---|
| Encryption of data in transit and at rest | CC6 encryption controls |
| Access controls limiting who can access personal data | CC6 access management controls |
| Monitoring and logging of data access | CC7 monitoring controls |
| Incident detection and response | CC7 incident response controls |
Trust Service Criteria Selection for Global Companies
Recommended Criteria for GDPR Alignment
| Criterion | GDPR Alignment Value | Recommendation |
|---|---|---|
| Security | Addresses Article 32 technical measures | Required (mandatory for all SOC 2) |
| Confidentiality | Addresses data protection and access restrictions | Strongly recommended — demonstrates data confidentiality commitment |
| Privacy | Addresses data lifecycle management aligned with GDPR principles | Strongly recommended — maximizes GDPR overlap |
| Availability | Addresses Article 32 availability and resilience requirements | Recommended |
| Processing Integrity | Addresses data accuracy (Article 5(1)(d)) | Situational |
We recommend including Security, Confidentiality, and Privacy for the strongest SOC 2 foundation for GDPR compliance. This combination addresses the technical measures, data protection, and data lifecycle management requirements that overlap between the two frameworks.
Key Takeaways
- In our experience, SOC 2 and GDPR share approximately fifty to sixty percent control overlap on security measures; including the SOC 2 Privacy criterion increases overlap to seventy to seventy-five percent
- We consistently advise clients that a unified compliance program is significantly more efficient than maintaining parallel SOC 2 and GDPR programs
- SOC 2 provides strong evidence for GDPR Article 32 (security of processing) — a Type II report demonstrates ongoing effectiveness of technical and organizational measures
- GDPR goes beyond SOC 2 in data subject rights, lawful basis documentation, DPIAs, records of processing, data transfer mechanisms, and DPO requirements
- We recommend including Security, Confidentiality, and Privacy criteria for the strongest GDPR alignment in your SOC 2 report
- SOC 2 reports can serve as evidence of supplementary measures for Standard Contractual Clauses following Schrems II
- We advise referencing the SOC 2 report in your Data Processing Agreements to demonstrate compliance with Article 28 technical measures
- European customers increasingly accept SOC 2 as evidence of security measures but expect GDPR-specific documentation (DPA, transfer mechanisms, records of processing) alongside the SOC 2 report
- Our recommendation is to build the SOC 2 foundation first, then layer GDPR-specific requirements on top — this approach leverages the control overlap efficiently
- GDPR penalties (up to four percent of global revenue) make compliance a legal imperative, not just a procurement requirement
Frequently Asked Questions
Does SOC 2 compliance mean we are GDPR compliant?
What we tell every client clearly is: no. SOC 2 addresses security controls that overlap with GDPR's technical and organizational measures (Article 32), but GDPR includes extensive requirements beyond security — data subject rights, lawful basis for processing, Data Protection Impact Assessments, records of processing activities, international data transfer mechanisms, and potentially DPO appointment. A comprehensive SOC 2 program (especially with the Privacy criterion) provides a strong foundation for GDPR compliance, but supplemental GDPR-specific activities are required.
Should we include the Privacy criterion for GDPR alignment?
Our strong recommendation for SaaS companies with European customers is yes. The Privacy criterion covers the personal information lifecycle (notice, consent, collection, use, access, disclosure, disposal) that aligns with GDPR data protection principles. Including Privacy increases your SOC 2 and GDPR overlap from approximately fifty to sixty percent to seventy to seventy-five percent. European customers and DPAs increasingly reference SOC 2 Privacy criterion inclusion as evidence of data protection commitment.
Can we use the SOC 2 report to satisfy GDPR audit rights?
Based on what we see in practice: in many cases, yes. GDPR Article 28(3)(h) grants data controllers the right to audit data processors. Many DPAs include a provision allowing the SOC 2 report to satisfy this audit right — the independent CPA attestation provides equivalent assurance to a customer audit. However, some controllers (particularly in highly regulated industries) may insist on their own audit regardless. We advise including a clause in your DPA that references the SOC 2 report as satisfying audit requirements, with a provision for additional audits at the controller's expense if they require more.
How do we handle data residency requirements in our SOC 2 program?
The guidance we give clients is to document where personal data is stored and processed in your SOC 2 system description. If European customers require EU data residency, document which data center regions are available and how data residency is enforced. Your SOC 2 report itself does not mandate data residency, but the system description should accurately reflect where data is stored. Pair this with your DPA and transfer mechanism documentation (SCCs or EU-US Data Privacy Framework certification) to provide complete data residency and transfer transparency.
Agency Team
Agency Insights
Expert guidance on cybersecurity compliance from Agency's advisory team.