What SOC 2 covers
SOC 2 is an assurance framework for service organizations that store, process, transmit, or otherwise touch customer information. The report evaluates whether a company has designed and operated controls around the Trust Services Criteria. Those criteria cover Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the common criteria and appears in every SOC 2 report. The other criteria are included when they are relevant to the service being examined.
For server-side tracking, the most visible criteria are usually Security, Confidentiality, Availability, and Processing Integrity. Security covers logical access, vulnerability management, change management, monitoring, and incident response. Confidentiality looks at whether sensitive customer data is protected from unauthorized use. Availability considers uptime commitments, recovery, and capacity planning. Processing Integrity asks whether events are complete, valid, timely, authorized, and correctly routed to the destinations your company selected.
Type I and Type II reports answer different questions. A Type I report looks at whether controls are suitably designed at a point in time. A Type II report examines whether those controls operated effectively across a review period, often six to twelve months. Buyers often start by accepting Type I for a newer vendor, then request Type II once the vendor has completed the operating window.
Why security teams block ad tech
Ad tech is frequently blocked because it enters companies through growth teams before security, privacy, legal, and procurement have a complete view of it. A tag can be added quickly, but the risk it creates is not limited to a script on a page. It may collect identifiers, enrich events, share data with multiple destinations, create cookies, and change behavior based on consent state. When nobody can explain that flow, it looks like shadow IT.
Unvetted subprocessors are another common trigger. A tracking tool might depend on hosting, database, logging, email, analytics, support, and enrichment vendors. Each vendor can affect confidentiality, availability, transfer risk, and incident response. Security teams need a list of those vendors, the role each one plays, which data categories they receive, and where their assurance reports can be reviewed.
Surveillance advertising concerns add a third layer. Even when an implementation is technically secure, sending behavioral data to advertising platforms can raise privacy, consent, profiling, and reputational questions. A compliance-ready setup gives reviewers a controlled path: events are minimized, consent state is attached, destinations are explicit, access is logged, and deletion has an owner instead of being handled as an afterthought.
Type II in progress, Q3 2026 target. Type I report available on request.
Customers can request the current Type I report, security materials, and supporting vendor information through the normal assurance process. The Type II audit window is underway, and the target completion timing is Q3 2026.
Controls we help you inherit
Inherited controls do not remove your own responsibility, but they can reduce duplicate work. When a vendor provides strong access, encryption, monitoring, deletion, and processing controls, your auditors can review that evidence instead of asking your team to rebuild every safeguard from scratch.
| Control ID | Requirement | How TrackLayer helps |
|---|---|---|
| CC6.1 | Logical access controls | SSO, MFA, role-based access, and audit log coverage help restrict administrative access and preserve evidence of privileged activity. |
| CC6.6 | Data transmission protection | TLS 1.3 is used for supported data paths, and TrackLayer is designed to avoid plaintext PII in destination payloads where hashing or suppression is required. |
| CC6.7 | Data at rest protection | Event, account, and configuration data are protected with AES-256 encryption through Supabase-managed storage controls. |
| CC7.2 | System monitoring | /audit-log and /anomalies give teams reviewable traces for administrative changes, event anomalies, delivery issues, and unusual routing behavior. |
| CC9.1 | Risk identification + mitigation | Destination policy, consent enforcement, subprocessor visibility, and operational logging support a documented risk treatment process for tracking data. |
| A1.2 | Availability SLA | Growth and higher plans include a 99.99% availability target for covered ingestion and routing services. |
| C1.2 | Information deletion | A right-to-delete endpoint supports customer deletion workflows for matched event data and identifiers within configured retention windows. |
| PI1.3 | Processing integrity | Deduplication, schema validation, consent checks, and destination response monitoring help keep server events complete, authorized, and correctly routed. |
Evidence + artifacts
SOC 2 reviews run on evidence. Good architecture matters, but the auditor still needs artifacts that show the control exists, has an owner, runs on a defined cadence, and leaves a record that can be inspected later.
Access reviews
Auditors expect a record of who can administer systems, how access was approved, when access was last reviewed, and whether departed users were removed promptly.
Incident response plan
The plan should define severity levels, escalation owners, communications, forensic preservation, regulator or customer notice evaluation, and post-incident review.
Vendor management
Maintain due diligence for processors and subprocessors, including contracts, security reviews, report requests, data categories, and renewal cadence.
Encryption keys management
Evidence should show who can access keys, how keys are rotated, which services manage them, and how production secrets are separated from lower environments.
Logging + monitoring
Keep logs for access, configuration changes, processing anomalies, delivery errors, security alerts, alert review, and alert disposition.
Pen-test report
Auditors commonly request the latest penetration test summary, remediation plan, exception register, and closure evidence for findings.
What you still need
TrackLayer can support technical controls, but it cannot supply your company's governance decisions. Your auditor will still ask for the customer-side policies and records that show how tracking is approved, operated, reviewed, and retired.
Customer-side access policy
Define who can approve tracking access, which roles are allowed, how MFA and SSO are enforced, and how quarterly reviews are documented.
Customer-side incident plan
Your incident process should include TrackLayer contact paths, internal security owners, customer notification criteria, and evidence preservation steps.
Customer-side vendor list
List TrackLayer as a subprocessor or processor where applicable, and map the destinations that receive events from your TrackLayer workspace.
Customer-side DPIA/PIA
Document purposes, data categories, consent basis, risk controls, advertising destinations, deletion process, and residual risk for server-side tracking.
Subprocessors
Subprocessor evidence should be practical: name the vendor, map the service it supports, and reference where the vendor's SOC 2 assurance can be reviewed. Keep this list aligned with your vendor register and privacy notices.
| Subprocessor | Role | SOC 2 report reference |
|---|---|---|
| Cloudflare | Edge network, routing, security, and DDoS protection | SOC 2 Type II report referenced through the Cloudflare Trust Hub and customer assurance process. |
| Supabase | Database, authentication primitives, storage, and managed infrastructure | SOC 2 Type II report referenced through the Supabase security portal or trust materials. |
| AWS SES | Transactional email delivery for operational notices | SOC 2 reports referenced through AWS Artifact for eligible AWS customers. |
| Vercel | Application hosting, deployment, and edge delivery | SOC 2 Type II report referenced through Vercel Security and Trust Center resources. |
Common auditor questions
The fastest reviews happen when the same answer appears in the contract, trust materials, product behavior, and operational logs. These are the canonical answers customers can use as a starting point in their own evidence package.
What personal data does TrackLayer process?
TrackLayer processes server-side event data under the customer's instructions. Typical fields include event name, timestamp, consent state, order metadata, product IDs, destination status, and normalized or hashed identifiers where configured.
Can administrators access raw customer event data?
Administrative access is restricted by role, protected by SSO and MFA where enabled, logged, and reviewed. Support access is limited to operational need and handled under confidentiality obligations.
How are events protected in transit and at rest?
Supported transmission paths use TLS 1.3, and stored data is encrypted at rest through managed infrastructure controls. Customers can further reduce exposure with consent-aware suppression and identifier hashing.
How does TrackLayer detect processing issues?
TrackLayer records audit activity, monitors delivery and anomaly signals, validates event structure, tracks destination responses, and exposes review surfaces such as /audit-log and /anomalies.
What happens when a customer requests deletion?
The right-to-delete endpoint helps locate and remove matching event records within the configured retention window. The customer remains responsible for coordinating deletion across its own systems and downstream destinations.
FAQ
Does SOC 2 make tracking legally compliant?
No. SOC 2 assesses controls, not whether a specific advertising or analytics purpose is lawful. You still need privacy notices, consent where required, data minimization, vendor governance, and a documented legal basis.
Should TrackLayer be in our vendor register?
Yes. If TrackLayer processes event data for your company, include it in your vendor register with the data categories, purpose, contract owner, report status, subprocessors, and review cadence.
Can we give our auditor TrackLayer's SOC 2 report?
Type I is available on request under the appropriate confidentiality process. Type II is in progress with a Q3 2026 target, so customers should also keep their own control evidence current.
Do we need a separate DPIA or PIA?
Often yes, especially for advertising, profiling, cross-border transfers, or sensitive customer segments. TrackLayer can provide technical details, but your company owns the assessment.
Does hashing remove SOC 2 evidence requirements?
No. Hashing reduces exposure, but hashed identifiers may still be regulated personal data and still require access control, retention, monitoring, deletion, and vendor oversight.