100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Cloud Compliance (SOC2/GDPR) Cheat Sheet

Cloud Compliance (SOC2/GDPR) Cheat Sheet

Summarizes SOC 2 Trust Service Criteria and core GDPR requirements relevant to running compliant cloud infrastructure.

2 PagesIntermediateFeb 18, 2026

SOC 2 Trust Service Criteria

The five categories audited under a SOC 2 report.

  • Security- Protection against unauthorized access, the only mandatory criterion
  • Availability- Systems are available for operation and use as committed/agreed
  • Processing Integrity- System processing is complete, valid, accurate, timely, and authorized
  • Confidentiality- Information designated confidential is protected as committed/agreed
  • Privacy- Personal information is collected, used, retained, and disposed of per policy
  • Type I vs Type II- Type I audits design at a point in time; Type II audits operating effectiveness over a period (typically 6-12 months)

GDPR Core Concepts

Key requirements of the EU General Data Protection Regulation.

  • Data Controller- Entity that determines the purposes and means of processing personal data
  • Data Processor- Entity that processes personal data on behalf of the controller (e.g. a cloud vendor)
  • Lawful Basis- Must have a valid legal ground (consent, contract, legitimate interest, etc.) to process personal data
  • Right to Erasure- Data subjects can request deletion of their personal data ('right to be forgotten')
  • Data Portability- Subjects can request their data in a structured, machine-readable format
  • 72-Hour Breach Notification- Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach
  • DPA (Data Processing Agreement)- Contract between controller and processor defining data handling obligations

Common Cloud Controls Mapped to Compliance

Practical controls that support audit requirements.

  • Encryption at Rest/Transit- Required by most frameworks; use KMS-managed keys and TLS 1.2+
  • Access Logging (CloudTrail)- Immutable audit trail of who did what, required for SOC 2 evidence
  • Least Privilege IAM- Role-based access scoped to only what's needed, reviewed periodically
  • Data Residency Controls- Restrict where data is stored/processed to satisfy GDPR data transfer rules
Pro Tip

Compliance frameworks describe outcomes, not specific tools — map each control to concrete evidence (CloudTrail logs, IAM policies, encryption configs) early, since auditors want proof, not intent.

Was this cheat sheet helpful?

Explore Topics

#CloudComplianceSOC2GDPR#CloudComplianceSOC2GDPRCheatSheet#CloudComputing#Intermediate#SOC#Trust#Service#Criteria#CheatSheet#SkillVeris