Cloud Compliance (SOC2/GDPR) Cheat Sheet
Summarizes SOC 2 Trust Service Criteria and core GDPR requirements relevant to running compliant cloud infrastructure.
2 PagesIntermediateFeb 18, 2026
SOC 2 Trust Service Criteria
The five categories audited under a SOC 2 report.
- Security- Protection against unauthorized access, the only mandatory criterion
- Availability- Systems are available for operation and use as committed/agreed
- Processing Integrity- System processing is complete, valid, accurate, timely, and authorized
- Confidentiality- Information designated confidential is protected as committed/agreed
- Privacy- Personal information is collected, used, retained, and disposed of per policy
- Type I vs Type II- Type I audits design at a point in time; Type II audits operating effectiveness over a period (typically 6-12 months)
GDPR Core Concepts
Key requirements of the EU General Data Protection Regulation.
- Data Controller- Entity that determines the purposes and means of processing personal data
- Data Processor- Entity that processes personal data on behalf of the controller (e.g. a cloud vendor)
- Lawful Basis- Must have a valid legal ground (consent, contract, legitimate interest, etc.) to process personal data
- Right to Erasure- Data subjects can request deletion of their personal data ('right to be forgotten')
- Data Portability- Subjects can request their data in a structured, machine-readable format
- 72-Hour Breach Notification- Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach
- DPA (Data Processing Agreement)- Contract between controller and processor defining data handling obligations
Common Cloud Controls Mapped to Compliance
Practical controls that support audit requirements.
- Encryption at Rest/Transit- Required by most frameworks; use KMS-managed keys and TLS 1.2+
- Access Logging (CloudTrail)- Immutable audit trail of who did what, required for SOC 2 evidence
- Least Privilege IAM- Role-based access scoped to only what's needed, reviewed periodically
- Data Residency Controls- Restrict where data is stored/processed to satisfy GDPR data transfer rules
Pro Tip
Compliance frameworks describe outcomes, not specific tools — map each control to concrete evidence (CloudTrail logs, IAM policies, encryption configs) early, since auditors want proof, not intent.
Was this cheat sheet helpful?
Explore Topics
#CloudComplianceSOC2GDPR#CloudComplianceSOC2GDPRCheatSheet#CloudComputing#Intermediate#SOC#Trust#Service#Criteria#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance