SOC 2 Compliance for Indian SaaS Startups: What You Need to Know

Dhanush Prabha

SOC 2 compliance has become the single most requested security qualification for Indian SaaS companies selling to US and European clients. Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 evaluates how your company protects customer data across five Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. For Indian SaaS startups, the cost ranges from ₹5,00,000 to ₹25,00,000 depending on scope and audit type, and the process takes 3-12 months. With 78% of US enterprise procurement teams requiring SOC 2 reports before signing vendor contracts, this is not a "nice-to-have" certification. It is the difference between closing a $50,000 annual deal and losing it to a compliant competitor.

  • SOC 2 compliance costs ₹5,00,000 to ₹25,00,000 for Indian SaaS companies, including readiness assessment, implementation, and audit
  • SOC 2 Type 1 takes 3-6 months; Type 2 takes 6-12 months (includes a minimum 3-month observation period)
  • Security is the only mandatory Trust Services Criterion; the other four are selected based on your business needs
  • 78% of US enterprise buyers require SOC 2 reports before vendor onboarding
  • Indian compliance automation platforms like Sprinto and Scrut Automation reduce SOC 2 preparation time by 60-70%
  • SOC 2 and ISO 27001 complement each other: ISO 27001 for global markets, SOC 2 for North American clients

What is SOC 2 Compliance?

SOC 2 (System and Organization Controls 2) is a security and compliance framework created by the AICPA that defines how technology companies should manage and protect customer data. It is verified through an independent audit conducted by a licensed CPA firm, resulting in a formal attestation report.

SOC 2 is not a certification in the traditional sense. Unlike ISO 27001 where you receive a certificate you can display publicly, SOC 2 produces a detailed report that you share with clients and prospects under a non-disclosure agreement. The report describes your security controls, the Trust Services Criteria you selected, and the auditor's opinion on whether those controls meet AICPA standards. Think of it as a third-party verification letter that tells your client, "Yes, this company actually does what they claim about data security." For Indian SaaS companies competing for US enterprise deals, that letter often determines whether you make the vendor shortlist or get filtered out during procurement.

SOC 2 is governed by the AICPA's Trust Services Criteria (TSC), last updated in 2017. The framework is administered by the American Institute of Certified Public Accountants. Audits follow SSAE 18 (Statement on Standards for Attestation Engagements No. 18). Official documentation is available at www.aicpa.org.

The 5 SOC 2 Trust Services Criteria Explained

SOC 2 evaluates your organisation against five Trust Services Criteria. Only Security is mandatory for every SOC 2 audit. The remaining four are selected based on the services you provide and what your clients care about. Here is what each criterion covers and when you need it.

1. Security (Mandatory)

Security, also called the Common Criteria, is the foundation of every SOC 2 audit. It evaluates whether your systems are protected against unauthorized access, both physical and logical. This includes firewalls, intrusion detection, multi-factor authentication, encryption, access controls, and security monitoring. Every SOC 2 report includes Security by default. If you implement only one criterion, this is it.

2. Availability

Availability assesses whether your systems operate and are accessible as agreed upon in your service level agreements (SLAs). If your SaaS product promises 99.9% uptime to clients, the auditor evaluates your disaster recovery plans, backup procedures, failover mechanisms, and incident response times. SaaS companies with uptime SLAs in client contracts should include this criterion.

3. Confidentiality

Confidentiality covers how you protect information designated as confidential, including client intellectual property, business plans, financial data, and proprietary information. The auditor evaluates encryption practices, data classification policies, access restrictions, and secure data disposal. If your clients share sensitive business data through your platform, include Confidentiality.

4. Processing Integrity

Processing Integrity verifies that your systems process data accurately, completely, and in a timely manner. This matters for fintech platforms, payment processors, and data analytics companies where incorrect calculations or data corruption directly harm clients. If your SaaS product performs financial calculations, data transformations, or automated decision-making, this criterion is relevant.

5. Privacy

Privacy evaluates how you collect, use, retain, disclose, and dispose of personal information. This criterion aligns with privacy regulations like India's DPDP Act, 2023 and the EU's GDPR. If your SaaS product handles personally identifiable information (PII), including names, emails, phone numbers, or health data, the Privacy criterion demonstrates your data handling practices to clients.

Trust Criterion | Focus Area | Mandatory? | Recommended For
---|---|---|---
Security | Protection against unauthorized access | Yes | All companies
Availability | System uptime and performance | No | SaaS with uptime SLAs
Confidentiality | Protection of sensitive business data | No | Companies handling client IP or trade secrets
Processing Integrity | Accurate and complete data processing | No | Fintech, analytics, payment platforms
Privacy | Personal information handling | No | Companies processing PII or health data


SOC 2 Type 1 vs Type 2: Which Report Do You Need?

SOC 2 comes in two flavours, and choosing the wrong one wastes both money and time. The distinction is straightforward but commercially significant.

SOC 2 Type 1 evaluates whether your security controls are properly designed and implemented at a specific point in time. The auditor visits (or reviews remotely), examines your controls on that date, and issues an opinion. It is a snapshot. Type 1 is faster (4-8 weeks for the audit itself) and cheaper (₹3,00,000 to ₹8,00,000), making it a practical starting point for startups that need a SOC 2 report quickly to close a deal.

SOC 2 Type 2 evaluates whether your controls operated effectively over a sustained period, typically 3-12 months. The auditor reviews evidence from the entire observation window: access logs, change management records, incident reports, and security monitoring data. Type 2 is the gold standard. Most enterprise clients, particularly in the US, will only accept Type 2 reports.

Feature | SOC 2 Type 1 | SOC 2 Type 2
---|---|---
What it evaluates | Control design at a point in time | Control effectiveness over a period
Observation period | Single date | 3-12 months
Audit duration | 4-8 weeks | 6-16 weeks (after observation period)
Total timeline | 3-6 months | 6-12 months
Cost in India | ₹3,00,000 to ₹8,00,000 | ₹5,00,000 to ₹15,00,000
Client acceptance | Accepted for initial vendor qualification | Required by most enterprise clients
Renewal | Annual | Annual
Best for | Early-stage startups, first-time compliance | Established companies, enterprise sales

Based on our experience helping 500+ SaaS startups with compliance frameworks, the most efficient approach is to pursue SOC 2 Type 1 first while simultaneously beginning the observation period for Type 2. This gives you a report to share with prospects within 3-4 months while the Type 2 report builds in the background.

Why Indian SaaS Startups Need SOC 2 Compliance

India's SaaS industry crossed $12 billion in annual revenue in 2025, with 65% of that revenue coming from international markets (primarily the US, UK, and EU). If your SaaS product serves these markets, SOC 2 is not a competitive advantage; it is a minimum qualification. Here is why.

US and EU Client Requirements

Enterprise procurement in the US has standardised on SOC 2 as the baseline security assessment for technology vendors. Companies like Salesforce, Microsoft, and Google require SOC 2 reports from their sub-processors. When a Fortune 500 company evaluates your SaaS product, the procurement team sends a vendor security questionnaire. Without a SOC 2 report, you either spend 40-60 hours answering individual security questions (and still might not pass), or you get disqualified in the first round. A SOC 2 Type 2 report answers 80% of those questions automatically.

Competitive Differentiation

In the Indian SaaS ecosystem, only an estimated 8-12% of startups hold SOC 2 reports (compared to 45% of US-based SaaS companies). This means SOC 2 compliance immediately separates your company from 88% of Indian competitors during vendor evaluation. For a Private Limited Company targeting US mid-market and enterprise clients, SOC 2 is the single most effective way to shorten sales cycles and close larger contracts.

Insurance and Risk Benefits

Cyber insurance providers in India and internationally offer 15-30% premium reductions for companies with SOC 2 Type 2 reports. The logic is straightforward: companies with audited security controls have fewer and less severe data breaches. If your SaaS startup carries cyber liability insurance (and you should), SOC 2 compliance pays for itself partially through reduced premiums.

Alignment with Indian Regulations

While SOC 2 is an American framework, it complements India's regulatory environment. The DPDP Act, 2023 requires "reasonable security safeguards" for personal data. SOC 2's Security criterion directly satisfies this requirement. CERT-In's cybersecurity directives on incident reporting and data breach notification align with SOC 2's monitoring and incident response controls. If you are already GST registered and maintaining basic business compliance, adding SOC 2 extends your compliance posture to meet international expectations.

According to NASSCOM's 2025 SaaS survey, 42% of Indian SaaS companies reported losing at least one international deal in the past year due to the absence of SOC 2 or ISO 27001 certification. The average lost deal size was $85,000 annually. The cost of SOC 2 compliance is a fraction of even one lost contract.


SOC 2 Compliance Cost in India: Full Breakdown

The total cost of SOC 2 compliance in India ranges from ₹5,00,000 to ₹25,00,000 for first-time certification. This varies based on your company size (number of employees and systems in scope), the Trust Services Criteria selected, whether you choose Type 1 or Type 2, and the audit firm you engage. Here is a detailed breakdown.

Cost Component | Startup (10-50 employees) | Growth Stage (50-200 employees) | Scale-up (200+ employees)
---|---|---|---
Readiness Assessment | ₹2,00,000 to ₹3,00,000 | ₹3,00,000 to ₹5,00,000 | ₹5,00,000 to ₹8,00,000
Control Implementation | ₹1,00,000 to ₹3,00,000 | ₹3,00,000 to ₹6,00,000 | ₹5,00,000 to ₹8,00,000
Policy Documentation | ₹50,000 to ₹1,50,000 | ₹1,00,000 to ₹2,50,000 | ₹2,00,000 to ₹4,00,000
Compliance Automation Tool | ₹3,00,000 to ₹5,00,000/year | ₹5,00,000 to ₹8,00,000/year | ₹8,00,000 to ₹12,00,000/year
Type 1 Audit Fee | ₹3,00,000 to ₹5,00,000 | ₹5,00,000 to ₹8,00,000 | ₹8,00,000 to ₹15,00,000
Type 2 Audit Fee | ₹5,00,000 to ₹8,00,000 | ₹8,00,000 to ₹12,00,000 | ₹12,00,000 to ₹20,00,000

The compliance automation tool is technically optional, but strongly recommended. Manual SOC 2 evidence collection consumes 15-20 hours per week for your engineering team during the observation period. Automation tools reduce that to 2-3 hours per week. For a startup where every engineering hour directly affects product velocity, the tool pays for itself within the first month.

If you plan to pursue both SOC 2 and ISO 27001, do ISO 27001 first. The security management system you build for ISO 27001 covers approximately 70% of SOC 2 Security controls. Companies that start with ISO 27001 typically reduce their SOC 2 implementation cost by 30-40% because the foundational policies, risk assessments, and controls are already in place.

Step-by-Step SOC 2 Compliance Process

The SOC 2 compliance process involves 8 distinct steps. Skipping or rushing any step creates gaps that auditors will flag, potentially extending your timeline by months. Here is the complete process as it applies to Indian SaaS companies.

  1. Define Your Audit Scope: Identify which systems, applications, infrastructure components, and teams fall within the SOC 2 boundary. For a typical SaaS startup, this includes your production environment, cloud infrastructure (AWS, Azure, or GCP), CI/CD pipeline, customer data stores, and the teams that manage them. Narrowing the scope to only customer-facing systems reduces cost and complexity.
  2. Select Trust Services Criteria: Choose which of the five criteria (Security + any combination of Availability, Confidentiality, Processing Integrity, Privacy) your audit will cover. Security is mandatory. Select additional criteria based on client requirements. If you are unsure, start with Security + Availability; these two cover 90% of enterprise vendor questionnaires.
  3. Conduct a Readiness Assessment: Engage a consultant or your compliance automation platform to perform a gap analysis against the selected criteria. This assessment maps your current controls to SOC 2 requirements and produces a remediation roadmap. Budget 2-4 weeks and ₹2,00,000 to ₹5,00,000 for this step.
  4. Implement Security Controls: Close the gaps identified in the readiness assessment. This typically involves configuring MFA across all systems, implementing endpoint detection and response (EDR), setting up centralised logging and monitoring, conducting a formal risk assessment, and establishing change management workflows. For most startups, implementation takes 4-8 weeks.
  5. Draft and Approve Policies: Create the 12-15 required policy documents (Information Security Policy, Access Control Policy, Incident Response Plan, and others). Each policy must be formally approved by management and communicated to all employees. Use templates from your compliance automation tool but customise them to reflect your actual practices.
  6. Complete Employee Security Training: All employees within the audit scope must complete security awareness training. Document the training with attendance records and completion certificates. Training should cover phishing awareness, data handling procedures, incident reporting, and your company's specific security policies. Conduct this training before the observation period begins.
  7. Engage a CPA Audit Firm: Select a licensed CPA firm to conduct the SOC 2 examination. For Indian startups, mid-tier firms like BDO India, Grant Thornton Bharat, or KPMG India provide quality audits at ₹5,00,000 to ₹12,00,000. Share your readiness assessment results with the auditor during the engagement planning phase.
  8. Complete the Audit and Receive Your Report: For Type 1, the auditor reviews your controls at a point in time (4-6 weeks). For Type 2, the auditor reviews evidence from the observation period (3-12 months) and conducts testing over 6-12 weeks. The final SOC 2 report includes the auditor's opinion, a description of your system, the criteria tested, and the test results.

Based on our experience helping 500+ companies with compliance frameworks, the biggest timeline risk is Step 4 (control implementation). Startups that use a compliance automation platform from Day 1 complete implementation 40% faster because the platform provides pre-built control mappings and continuous monitoring from the start.


Documents and Policies Required for SOC 2

SOC 2 auditors expect to see a documented, operational security programme. "We do security" is not evidence. Here are the specific documents your Indian SaaS company needs before the audit begins.

Mandatory Policy Documents (12-15 Required)

  • Information Security Policy: Your master security document defining the overall security programme, roles, responsibilities, and governance structure
  • Access Control Policy: Rules for granting, reviewing, and revoking system access, including MFA requirements, least-privilege principles, and quarterly access reviews
  • Change Management Policy: Procedures for requesting, approving, testing, and deploying changes to production systems, including emergency change protocols
  • Incident Response Plan: Step-by-step procedures for detecting, responding to, containing, and recovering from security incidents, including communication protocols and post-incident review
  • Risk Assessment Policy: Framework for identifying, evaluating, and treating information security risks, conducted annually at minimum
  • Data Classification Policy: Categories for classifying data (Public, Internal, Confidential, Restricted) and the handling requirements for each category
  • Encryption Policy: Standards for data encryption at rest and in transit, including key management procedures and approved algorithms (AES-256, TLS 1.2+)
  • Vendor Management Policy: Procedures for evaluating, onboarding, monitoring, and offboarding third-party vendors who access your systems or data
  • Business Continuity and Disaster Recovery Plan: Recovery time objectives (RTO), recovery point objectives (RPO), backup procedures, and failover mechanisms
  • Acceptable Use Policy: Rules for employee use of company systems, devices, email, and internet, including prohibited activities and monitoring disclosures
  • Data Retention and Disposal Policy: Timelines for retaining each data category and secure disposal methods when retention periods expire
  • Password and Authentication Policy: Minimum password complexity, rotation requirements, MFA enforcement, and session management rules

Evidence Artefacts for the Audit Period

Beyond policies, auditors need operational evidence. For a Type 2 audit, this includes access review logs (quarterly at minimum), change management tickets and approvals, vulnerability scan reports (monthly), penetration test results (annual), security awareness training completion records, incident response test results, backup restoration test records, and system monitoring alerts and resolution logs. Compliance automation platforms like Sprinto or Vanta collect most of this evidence automatically from your cloud infrastructure and collaboration tools.

The most common SOC 2 audit finding is the gap between what your policies say and what your team actually does. If your Access Control Policy requires quarterly access reviews but your last review was 8 months ago, the auditor will flag it as a control failure. Write policies that reflect achievable practices, then follow them consistently.
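The policy-versus-practice check described above, as an added illustration that is not code from the article or from any compliance platform: the script compares constructed evidence records against the cadences the article's policies promise (quarterly access reviews, monthly vulnerability scans, annual penetration tests) and reports every stretch of a Type 2 observation window during which a control went unevidenced. The cadence day counts and the evidence records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Cadences the article's policies promise: quarterly access reviews, monthly
# vulnerability scans, annual penetration tests. The day counts are assumptions.
POLICY_CADENCE_DAYS = {
    "access_review": 92,
    "vulnerability_scan": 31,
    "penetration_test": 366,
}


@dataclass(frozen=True)
class Evidence:
    control: str
    performed_on: date
    reference: str  # ticket id or report file name (constructed values below)


def find_cadence_gaps(evidence, cadence_days, window_start, window_end):
    """Map each control to the stretches of the observation window during which
    the newest evidence was older than the cadence its policy promises.

    An empty list means the control was evidenced throughout the window; any
    entry is what a Type 2 auditor would record as a control failure.
    """
    report = {}
    for control, max_days in cadence_days.items():
        dates = sorted(e.performed_on for e in evidence
                       if e.control == control and e.performed_on <= window_end)
        prior = [d for d in dates if d < window_start]
        inside = [d for d in dates if d >= window_start]
        # Evidence from before the window still counts until its cadence expires;
        # with no prior evidence the control is unevidenced from day one.
        stale_from = prior[-1] + timedelta(days=max_days) if prior else window_start
        stale_from = max(stale_from, window_start)
        gaps = []
        for performed in inside + [None]:  # None closes out the window
            gap_end = performed if performed is not None else window_end
            if gap_end > stale_from:
                gaps.append((stale_from, gap_end, (gap_end - stale_from).days))
            if performed is not None:
                stale_from = performed + timedelta(days=max_days)
        report[control] = gaps
    return report


def failed_controls(report):
    """Controls an auditor would flag, i.e. those with at least one gap."""
    return sorted(control for control, gaps in report.items() if gaps)


def sample_report():
    """Constructed evidence for a six-month Type 2 window (not real audit data)."""
    window_start, window_end = date(2026, 1, 1), date(2026, 6, 30)
    evidence = [
        # Quarterly access reviews: one before the window, then nothing for
        # roughly eight months, the exact failure the article describes.
        Evidence("access_review", date(2025, 10, 15), "AR-2025Q4"),
        Evidence("access_review", date(2026, 6, 20), "AR-2026Q2"),
        # Monthly vulnerability scans performed on schedule.
        Evidence("vulnerability_scan", date(2025, 12, 10), "scan-2025-12.pdf"),
        Evidence("vulnerability_scan", date(2026, 1, 5), "scan-2026-01.pdf"),
        Evidence("vulnerability_scan", date(2026, 2, 4), "scan-2026-02.pdf"),
        Evidence("vulnerability_scan", date(2026, 3, 6), "scan-2026-03.pdf"),
        Evidence("vulnerability_scan", date(2026, 4, 3), "scan-2026-04.pdf"),
        Evidence("vulnerability_scan", date(2026, 5, 2), "scan-2026-05.pdf"),
        Evidence("vulnerability_scan", date(2026, 6, 2), "scan-2026-06.pdf"),
        # Annual penetration test whose validity expires in the middle of the window.
        Evidence("penetration_test", date(2025, 3, 1), "pentest-2025.pdf"),
    ]
    return find_cadence_gaps(evidence, POLICY_CADENCE_DAYS, window_start, window_end)


if __name__ == "__main__":
    for control, gaps in sample_report().items():
        status = "OK" if not gaps else ", ".join(
            f"stale {start} to {end} ({days} days)" for start, end, days in gaps)
        print(f"{control:20s} {status}")
```

Running it on the constructed data flags the access reviews (stale for 156 days) and the expired penetration test (stale for 120 days) while the monthly scans pass, which is the same distinction an auditor draws between a policy that is followed and one that is not.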

How Long Does SOC 2 Certification Take?

The total timeline depends on your starting point, the audit type, and how quickly you close gaps. Here is a realistic timeline breakdown for Indian SaaS companies at different maturity levels.

Phase | First-Time (No Prior Framework) | With ISO 27001 in Place
---|---|---
Readiness Assessment | 2-4 weeks | 1-2 weeks
Gap Remediation and Implementation | 6-12 weeks | 2-4 weeks
Policy Documentation | 3-6 weeks | 1-2 weeks (update existing)
Observation Period (Type 2 Only) | 3-12 months | 3-6 months
Type 1 Audit | 4-8 weeks | 3-5 weeks
Type 2 Audit | 6-12 weeks | 4-8 weeks
Total for Type 1 | 3-6 months | 2-3 months
Total for Type 2 | 6-12 months | 4-8 months

The observation period is the non-negotiable bottleneck for Type 2. You cannot compress it below 3 months regardless of how mature your security programme is. This is why starting early matters. If you need a Type 2 report for a client deal closing in Q4 2026, you should have begun the observation period no later than Q1 2026. Planning 12 months ahead is the norm for companies serious about enterprise sales.

SOC 2 vs ISO 27001: Key Differences for Indian Companies

Indian SaaS founders frequently ask: "Should I get SOC 2 or ISO 27001?" The answer, in most cases, is both. But understanding the differences helps you prioritise.

Feature | SOC 2 | ISO 27001
---|---|---
Governing Body | AICPA (American) | ISO/IEC (International)
Type | Attestation report by CPA firm | Certification by accredited body
Output | Confidential report (shared under NDA) | Public certificate (can be displayed)
Primary Market | North America | Europe, Asia-Pacific, Global
Focus | Operational controls for data handling | Information Security Management System (ISMS)
Audit Frequency | Annual | 3-year certification cycle + annual surveillance
Cost in India | ₹5,00,000 to ₹25,00,000 | ₹3,00,000 to ₹15,00,000
Timeline | 3-12 months | 3-6 months
Indian Regulatory Alignment | Supports DPDP Act compliance | Recognised by CERT-In and government tenders
Control Overlap | Approximately 70% overlap in security controls (both frameworks)

The strategic play for an Indian SaaS company selling internationally: get ISO 27001 certified first (3-6 months, ₹3,00,000 to ₹15,00,000), then pursue SOC 2 Type 2 using the ISO 27001 framework as your foundation (additional 4-8 months). This sequence gives you a publicly displayable ISO certificate for European and Asian clients while simultaneously building towards the SOC 2 report that US clients require. The combined cost is lower than pursuing both independently because of the 70% control overlap.

Based on our experience with 500+ compliance engagements, companies that pursue ISO 27001 before SOC 2 complete the SOC 2 audit 35% faster and encounter 50% fewer audit exceptions. The ISMS discipline from ISO 27001 creates the operational maturity that SOC 2 auditors verify.


Common SOC 2 Compliance Mistakes Indian Startups Make

After working with hundreds of startups on compliance readiness, these are the patterns that derail SOC 2 programmes most frequently. Avoid these, and you will save 2-4 months and ₹2,00,000 to ₹5,00,000 in rework costs.

  • Scoping too broadly: Including internal HR systems, marketing tools, and non-customer-facing applications in your SOC 2 scope adds cost and complexity without improving client trust. Scope only the systems that process, store, or transmit customer data
  • Writing policies you cannot follow: Creating a 30-page Access Control Policy that requires weekly access reviews when your 15-person startup can realistically manage quarterly reviews. Auditors penalise you for not following your own policies, not for having modest policies
  • Ignoring evidence collection until audit time: The Type 2 audit requires evidence from the entire observation period. If you did not log access reviews, change approvals, or training completions during months 1-5, you cannot retrospectively create that evidence in month 6. Start collecting evidence from Day 1
  • Using shared admin accounts: Every team member needs individual, named accounts for all systems in scope. Shared "admin@company.com" accounts make it impossible to demonstrate access control and accountability, which auditors flag immediately
  • Skipping the readiness assessment: Jumping directly to the audit without a readiness assessment is how companies receive qualified or adverse opinions. The ₹2,00,000 to ₹5,00,000 spent on readiness assessment prevents ₹5,00,000 to ₹10,00,000 in repeat audit costs
  • Not training the team: Security awareness training is a SOC 2 control requirement, not a suggestion. Every employee in scope must complete documented training before the audit period begins. No exceptions, no "we will get to it next quarter"
  • Treating SOC 2 as a one-time project: SOC 2 reports are valid for 12 months. Annual re-audits are required to maintain your report's relevance. Build SOC 2 controls into your operational DNA, not as a project with a start and end date
  • Choosing an auditor based solely on price: The cheapest CPA firm might issue a report that sophisticated clients question. Select an auditor with experience in SaaS and technology companies. Ask for sample (redacted) reports to evaluate quality before engaging

SOC 2 and India's Data Protection Ecosystem

SOC 2 does not exist in a regulatory vacuum for Indian companies. Your SOC 2 compliance programme intersects with multiple Indian regulations, and understanding these connections helps you build a unified compliance framework rather than managing separate, siloed efforts.

DPDP Act, 2023 Alignment

India's Digital Personal Data Protection Act requires businesses to implement "reasonable security safeguards" for personal data. SOC 2's Security and Privacy criteria directly satisfy this requirement. If your SOC 2 report demonstrates effective security and privacy controls, you have substantial evidence of DPDP Act compliance for data handling. The DPDP Act's consent, notice, and breach notification requirements align with SOC 2's Privacy criterion controls.

CERT-In Directives

CERT-In's April 2022 directive requires organisations to report cybersecurity incidents within 6 hours. SOC 2's Incident Response controls, particularly under the Security criterion, establish the detection, escalation, and reporting procedures that help you meet this timeline. A well-implemented SOC 2 incident response plan positions your company to comply with CERT-In's reporting requirements without building a separate incident management framework.

Intellectual Property Protection

For SaaS companies building proprietary technology, SOC 2's Confidentiality criterion protects your own IP as much as your clients' data. Complement this with proper copyright registration for your software code and documentation. SOC 2 protects the data operationally; copyright registration protects the IP legally.

Instead of managing SOC 2, ISO 27001, and DPDP Act compliance as separate projects, map them to a single control framework. 70-80% of controls overlap across these three standards. A unified approach reduces total compliance cost by 30-40% and eliminates the management overhead of tracking three separate compliance programmes.

Summary

SOC 2 compliance is the price of entry for Indian SaaS startups targeting US and European enterprise clients. The investment, ₹5,00,000 to ₹25,00,000 for first-time certification, pays for itself with the first enterprise deal it helps you close. Start with a readiness assessment, implement the 8-step compliance process, and choose between Type 1 (3-6 months) and Type 2 (6-12 months) based on your sales timeline. For the most efficient path, pursue ISO 27001 certification first to build your security management foundation, then layer on SOC 2. The 70% control overlap means you are not starting from zero. Every month you delay is a month where competitors with SOC 2 reports are closing the deals you are losing.


Frequently Asked Questions

What is SOC 2 compliance?
SOC 2 (System and Organization Controls 2) is a security framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how a company manages customer data based on five Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. SOC 2 compliance is verified through an independent CPA audit.
What are the 5 SOC 2 Trust Services Criteria?
The five SOC 2 Trust Services Criteria are: Security (protection against unauthorized access), Availability (system uptime and performance), Confidentiality (restricted data access controls), Processing Integrity (accurate and complete data processing), and Privacy (personal information handling). Security is mandatory; the other four are optional based on business needs.
Why do Indian SaaS startups need SOC 2 compliance?
Indian SaaS startups need SOC 2 because 78% of US enterprise buyers require SOC 2 reports before signing vendor contracts. Without SOC 2, Indian SaaS companies lose deals to compliant competitors. SOC 2 also reduces data breach insurance premiums by 15-30% and accelerates sales cycles by removing security questionnaire bottlenecks.
Who needs SOC 2 compliance in India?
SOC 2 compliance is essential for B2B SaaS companies selling to US, EU, or Australian clients, cloud service providers, data analytics firms, managed IT service providers, and fintech companies handling customer financial data. Any Indian company that stores, processes, or transmits customer data for international clients should pursue SOC 2 certification.
What is the AICPA's role in SOC 2?
The American Institute of Certified Public Accountants (AICPA) created and maintains the SOC 2 framework, including the Trust Services Criteria. AICPA does not conduct audits directly. Instead, it accredits CPA firms worldwide that perform SOC 2 examinations. Only a licensed CPA or CPA firm can issue a valid SOC 2 report under AICPA standards.
Is SOC 2 mandatory in India?
SOC 2 is not legally mandatory in India. No Indian law or regulation requires SOC 2 certification. However, it is a de facto commercial requirement for SaaS companies serving US and European clients. Enterprise procurement teams, particularly in healthcare, finance, and technology, treat SOC 2 as a non-negotiable vendor qualification.
What happens if you fail a SOC 2 audit?
A SOC 2 audit does not result in a pass or fail. The auditor issues a report with an opinion: unqualified (clean), qualified (exceptions noted), adverse (significant failures), or disclaimer. An unqualified opinion confirms your controls meet the criteria. A qualified or adverse opinion means specific controls failed, and you must remediate before requesting a new audit.
Does SOC 2 apply to data stored in India?
Yes. SOC 2 evaluates your controls regardless of data location. If your SaaS application stores customer data on AWS Mumbai (ap-south-1), Azure Central India, or any Indian data centre, the SOC 2 audit covers those systems. Data residency does not exempt you from SOC 2 requirements if your clients demand the certification.
How do you get SOC 2 certified in India?
SOC 2 certification in India follows 8 steps: 1) Define audit scope, 2) Select Trust Services Criteria, 3) Conduct readiness assessment, 4) Implement security controls, 5) Draft required policies, 6) Engage a CPA auditor, 7) Complete the audit examination, 8) Receive and distribute the SOC 2 report. The entire process takes 3-12 months.
What is a SOC 2 readiness assessment?
A SOC 2 readiness assessment is a pre-audit evaluation where a consultant or auditor reviews your existing security controls against SOC 2 criteria. It identifies gaps between your current state and SOC 2 requirements. Readiness assessments typically cost ₹2,00,000 to ₹5,00,000 in India and take 2-4 weeks to complete. They are optional but reduce audit failure risk by 80%.
What are the steps in a SOC 2 audit?
A SOC 2 audit involves: 1) Scoping and planning with the CPA firm, 2) Evidence collection (policies, logs, configurations), 3) Control testing by the auditor, 4) Exception identification and management response, 5) Report drafting by the CPA, and 6) Final report issuance. Type 1 audits take 4-6 weeks; Type 2 audits require a 3-12 month observation period.
How do you prepare for SOC 2 Type 2?
To prepare for SOC 2 Type 2, you must operate your security controls consistently for a minimum of 3 months (6-12 months is standard). Maintain continuous evidence: access review logs, change management records, incident response documentation, and vulnerability scan results. Automate evidence collection using tools like Vanta, Drata, or Sprinto to reduce manual effort by 70%.
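The "continuous evidence" requirement above is easiest to verify mechanically: for each control, no stretch of the observation window may go longer than the control's cadence without a testable artifact. The following Python script is an added illustration, not code from the article or any of the tools it names; the six-month window, the quarterly/monthly cadences and the evidence log are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class EvidenceRecord:
    control: str        # which control the artifact evidences, e.g. "access_review"
    performed_on: date  # when the control activity ran
    reviewer: str       # who performed or approved it
    artifact: str       # ticket, log path or export an auditor can inspect

# Hypothetical Type 2 observation window and cadences (not values from the article).
WINDOW_START, WINDOW_END = date(2024, 1, 1), date(2024, 6, 30)
CADENCE_DAYS = {"access_review": 90, "vuln_scan": 31}  # quarterly reviews, monthly scans

# Constructed sample evidence log used for illustration.
SAMPLE_RECORDS = [
    EvidenceRecord("access_review", date(2024, 1, 20), "cto", "JIRA-SEC-101"),
    EvidenceRecord("access_review", date(2024, 4, 10), "cto", ""),  # no artifact attached
    EvidenceRecord("vuln_scan", date(2024, 1, 5), "secops", "scans/2024-01.json"),
    EvidenceRecord("vuln_scan", date(2024, 2, 3), "secops", "scans/2024-02.json"),
    EvidenceRecord("vuln_scan", date(2024, 3, 4), "secops", "scans/2024-03.json"),
    EvidenceRecord("vuln_scan", date(2024, 5, 2), "secops", "scans/2024-05.json"),  # April skipped
    EvidenceRecord("vuln_scan", date(2024, 6, 1), "secops", "scans/2024-06.json"),
]

def coverage_gaps(records, control, start, end, max_gap_days):
    """Return (from, to) date pairs inside [start, end] where more than
    max_gap_days passed with no evidence for `control`. The first interval is
    measured from the window start and the last up to the window end, so a
    control that stopped running before the period closed is still flagged."""
    dates = sorted(r.performed_on for r in records
                   if r.control == control and start <= r.performed_on <= end)
    gaps, prev = [], start
    for d in dates + [end]:
        if (d - prev).days > max_gap_days:
            gaps.append((prev, d))
        prev = d
    return gaps

def incomplete_records(records):
    """Evidence an auditor cannot test: no identified reviewer or no artifact."""
    return [r for r in records if not r.reviewer.strip() or not r.artifact.strip()]

def observation_window_report(records=SAMPLE_RECORDS, start=WINDOW_START, end=WINDOW_END):
    """Per control, the gaps an auditor would record as exceptions."""
    return {c: [(a.isoformat(), b.isoformat()) for a, b in coverage_gaps(records, c, start, end, n)]
            for c, n in CADENCE_DAYS.items()}

if __name__ == "__main__":
    print(observation_window_report())
    print([r.performed_on.isoformat() for r in incomplete_records(SAMPLE_RECORDS)])
```

Running it reports the missed April scan as a gap and the 10 April access review as untestable evidence; the access reviews themselves stay within their 90-day cadence.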
What policies are required for SOC 2 compliance?
SOC 2 requires 12-15 documented policies at a minimum, including: Information Security Policy, Access Control Policy, Change Management Policy, Incident Response Plan, Risk Assessment Policy, Data Classification Policy, Encryption Policy, Vendor Management Policy, Business Continuity Plan, Acceptable Use Policy, Data Retention Policy, and Password Policy. Each policy must be reviewed and updated annually.
How much does SOC 2 compliance cost in India?
SOC 2 compliance in India costs between ₹5,00,000 to ₹25,00,000 depending on company size, scope, and audit type. Breakdown: readiness assessment (₹2,00,000 to ₹5,00,000), control implementation (₹1,00,000 to ₹8,00,000), audit fees for Type 1 (₹3,00,000 to ₹8,00,000), and audit fees for Type 2 (₹5,00,000 to ₹15,00,000). Compliance automation tools add ₹3,00,000 to ₹10,00,000 annually.
What documents are needed for a SOC 2 audit?
Key documents include:
  • Information Security Policy and sub-policies (12-15 documents)
  • Network architecture diagrams
  • Access control matrices and user access review logs
  • Change management records for the audit period
  • Incident response plan and test results
  • Vendor risk assessment reports
  • Employee security training records
How long does SOC 2 certification take?
SOC 2 Type 1 certification takes 3-6 months from start to report. SOC 2 Type 2 takes 6-12 months because it requires a minimum 3-month observation window where the auditor evaluates controls in operation. First-time SOC 2 typically takes longer; renewal audits are faster since controls and policies are already established.
What tools do Indian companies use for SOC 2 compliance?
Popular SOC 2 compliance automation tools used by Indian SaaS companies include Sprinto (Bengaluru-based, starting at ₹3,00,000/year), Vanta (US-based, starting at $6,000/year), Drata (US-based, starting at $5,000/year), and Scrut Automation (Mumbai-based, custom pricing). These tools automate evidence collection, policy management, and continuous monitoring.
Do you need a Big 4 auditor for SOC 2?
No. SOC 2 audits can be performed by any licensed CPA firm accredited under AICPA standards. Big 4 firms (Deloitte, PwC, EY, KPMG) charge ₹15,00,000 to ₹40,00,000 for SOC 2 audits. Mid-tier firms like BDO, Grant Thornton, and Schellman offer the same valid SOC 2 reports at ₹5,00,000 to ₹12,00,000, which suits most startups.
What is the difference between SOC 2 Type 1 and Type 2?
SOC 2 Type 1 evaluates whether your security controls are properly designed at a single point in time. SOC 2 Type 2 evaluates whether those controls operated effectively over a period (3-12 months). Type 2 is more valuable commercially because it proves sustained compliance. Most enterprise clients accept only Type 2 reports.
How is SOC 2 different from ISO 27001?
SOC 2 is an attestation by a CPA firm (AICPA standard), while ISO 27001 is a certification by an accredited certification body (ISO standard). SOC 2 is preferred in North America; ISO 27001 is preferred in Europe and Asia. SOC 2 reports are confidential (shared under NDA); ISO 27001 certificates are public. Many Indian SaaS companies pursue both.
What is the difference between SOC 1 and SOC 2?
SOC 1 focuses on controls relevant to financial reporting (e.g., payroll processors, payment gateways). SOC 2 focuses on controls related to security, availability, and data handling. SaaS companies, cloud providers, and data processors need SOC 2. Only companies whose services directly affect client financial statements need SOC 1.
Can IncorpX help with SOC 2 compliance?
Yes. IncorpX helps Indian SaaS startups with ISO 27001 certification, which provides the security management foundation for SOC 2 readiness. Our team has helped 500+ companies establish compliance frameworks including security policies, risk assessments, and audit preparation. Start with ISO certification to build your SOC 2 foundation.
Written by Dhanush Prabha

Dhanush Prabha is the Chief Technology Officer and Chief Marketing Officer at IncorpX, where he leads product engineering, platform architecture, and data-driven growth strategy. With over half a decade of experience in full-stack development, scalable systems design, and performance marketing, he oversees the technical infrastructure and digital acquisition channels that power IncorpX. Dhanush specializes in building high-performance web applications, SEO and AEO-optimized content frameworks, marketing automation pipelines, and conversion-focused user experiences. He has architected and deployed multiple SaaS platforms, API-first applications, and enterprise-grade systems from the ground up. His writing spans technology, business registration, startup strategy, and digital transformation - offering clear, research-backed insights drawn from hands-on engineering and growth leadership. He is passionate about helping founders and professionals make informed decisions through practical, real-world content.