SOC2 Controls
SOC2 Privacy Controls
Choice & Consent (SOC2:2017.P.2)
Privacy Consent and Choice (SOC2:2017.P.2.1)
Communicates to Data Subjects (SOC2:2017.P.2.1.1)
Communicates Consequences of Denying or Withdrawing Consent (SOC2:2017.P.2.1.2)
Addresses Inquiries, Complaints, and Disputes (SOC2:2017.P.8.1.2)
Documents and Reports Compliance Review Results (SOC2:2017.P.8.1.4)
SOC2 Privacy Evidence
Evidence Name | Evidence Description | Expiration Schedule | Type
Changes - Privacy Review | Provide a ticket or other evidence that demonstrates that a change has been reviewed for impact on data privacy. This may look like a CAB meeting discussion or a checklist item on a change ticket. | 30 | General
Complaint Procedure | Provide the company's procedures for addressing privacy-related inquiries, complaints, and disputes. | 364 | Policy
Consent Form | Provide a screenshot of the form or button used to capture data subject consent. The screenshot should include the date/time stamp to be valid. | 364 | General
Consent Process | Provide the process steps for re-obtaining a data subject's consent when their data will be used for a new purpose. | 364 | Policy
Data Breach Policy and Procedures | Provide the Breach Notification Policy and related procedures. | 364 | Policy
Data Collection | Provide a screenshot of the member profile sign-up showing that it only collects the minimum information necessary to provide the service. The screenshot should include the date/time stamp to be valid. | 364 | General
Data Deletion | Provide evidence of the most recent data subject request for deletion (e.g. email or ticket) and evidence that the deletion script was run to delete personal information. Alternatively, provide evidence within the system that the external user information is no longer present. | 30 | General
Data Destroyed | Provide the most recent evidence that data was destroyed according to the Data Retention Policy. This may be rare. | 30 | General
Data Dictionary | Provide a system-generated list of all data elements used in the system. This should include data classification category, data owner, and any other relevant metadata. | 364 | General
Data Subject Authenticate Identity | Provide the documented procedure for the data subject authentication process prior to granting access to their personal information. | 364 | Policy
Data Subject Consent | Provide the external user database table that shows where consent is tracked in the table. Obscure any personally identifiable information (PII) data to protect user privacy. If uploading a manually created screenshot as evidence, it should include the date/time stamp to be valid. | 364 | General
Data Subject Request List | Provide a system-generated list of all inquiries and requests made by data subjects to the organization during the audit period. Include the date contact was made, the data subject's name or unique identifier, the nature of the request, and the date of the resolution of the request. The list should capture the following types of inquiries/requests: deletion of user data, change of user data, and export of user data. The report or list must include a date/time stamp or other indication of when the list was created. | 364 | Population
Data Subject Sign-in | Provide the documented process for data subjects to access their user profile and update their personal information. | 364 | General
Data Subject's Information Format | Provide an example of how personal information is made available to data subjects in an understandable format. | 180 | General
Deletion Request Tickets List | Provide a list from the ticketing system for all data deletion requests from the audit period. | 364 | Population
External User Validation | Provide evidence/screenshots to illustrate the external user validation process via the data dictionary. This may look like a snippet of the back-end code that shows the rules for the data collected, such as characters vs. numbers, text length, a required field, etc. If uploading a manually created screenshot as evidence, it should include the date/time stamp to be valid. | 364 | General
Legal/Lawful Basis | Provide the document that outlines the organization's legal basis for processing PII. This may be a section of the Privacy Notice or may be a stand-alone document. | 364 | Policy
List of PII Disclosure to Third Parties | Provide the list of all personally identifiable information (PII) disclosures to third parties during the audit period. | 364 | General
List of Unauthorized PII Disclosures | Provide a system-generated list of unauthorized disclosures of a data subject's personal information during the audit period. The list should include relevant data about the disclosure, such as the date, the user, to whom it was disclosed, and the action taken. | 90 | Population
Management Review of PII Method Collection | Provide evidence (e.g. meeting minutes, management reports, management notes, a PowerPoint deck, emails) that management reviews the methods of collecting personal information before they are implemented. | 90 | General
Nondiscrimination in Privacy Policy | Provide the section of the public-facing privacy notice which states that the organization shall not discriminate against a consumer because the consumer exercised any of their consumer's rights. | 364 | Policy
Notice of Collection | Provide the Notice of Collection text. If this is included in the Privacy Notice, attach that document as evidence here. | 364 | Policy
Notice of Financial Incentive | Provide a sample Notice of Financial Incentive to demonstrate that sufficient information is provided to data subjects so that they may make an informed decision about participating in the program. | 364 | General
Notice of Right to Limit | Provide the text of the Notice of Right to Limit. If this text is included within the Privacy Notice, attach that evidence item here. The Right to Limit Notice must contain all elements of current California privacy regulations. | 364 | Policy
PII Processor Contract | Provide a contract signed with a PII processor from within the audit period. | 364 | General
Privacy Notice at First Login | Provide the code snippet or screenshot demonstrating that new users are provided the Privacy Notice at initial login. | 364 | General
Privacy Policy - Internal | Provide the internal Privacy Policy. The internal Privacy Policy may include procedures on data handling. | 364 | Policy
Privacy Policy on Website | Provide the Privacy Notice or Policy on the website. This should include sections that address: | 364 | Policy
Privacy Policy Workflow | Provide documentation describing the external user registration workflow process; show where the external user is required to acknowledge the Privacy Policy in order to register. If uploading a manually created screenshot as evidence, it should include the date/time stamp to be valid. | 364 | General
Request for Identifying PII | Provide a screenshot of the tool used to track and record data subjects' requests. The screenshot should include the date/time stamp to be valid. | 30 | General
Secure Document Storage | Provide evidence that shows where or how legal documentation is securely stored. | 364 | Settings