Subservice Organization
Overview of Subservice Organizations
As part of the SOC 1 or SOC 2 process, an organization needs to go through an exercise to identify vendors that are performing a service to the organization. Once those vendors are identified, the organization needs to understand which of those services performed have an impact on the control environment and forms part of the SOC 1 or SOC 2 scope.
What is a Subservice?
Essentially, a subservice organization is a particular type of vendor that an organization uses to perform services relevant to user entities’ internal control over financial reporting (SOC 1) or to the Trust Services Criteria (SOC 2).
So what is a subservice, exactly? A subservice is a distinct service or task provided by a subservice organization. These subservices are integral to the organization’s ability to meet its compliance requirements. For instance, the management of security logs, data storage, or backup services may be outsourced to a subservice organization. The subservice organization performs these tasks on behalf of the service organization, which in turn relies on the subservice organization’s controls and processes to maintain compliance.
Examples of subservice organizations most commonly seen in SOC 1 and SOC 2 reports are:
- Cloud service providers (AWS, GCP, Azure)
- Software as a service or platform as a service provider
- Datacenter providers
Understanding what a subservice is and how these organizations operate is crucial for businesses assessing third-party risks and ensuring the effectiveness of their overall GRC programs.
Example of a Service Organization and Subservice Organization Relationship
A service organization may outsource parts of its operations to subservice organizations. An example would be a SaaS company that relies on a third-party data center provider (subservice organization) to store its data. This relationship is essential for the SaaS company to meet its security and availability commitments under SOC 2.
Subservice vs. Vendor: What’s the Difference?
It’s important to distinguish between subservice organizations and vendors, as they play different roles in relation to compliance and risk management. The table below highlights the key differences between subservice organizations and vendors:
| Subservice Organization | Vendor |
|---|---|
| Provides essential services that directly impact SOC 1 or SOC 2 compliance | Supplies goods or services, but may not impact compliance criteria directly |
| Their controls are integral to the organization’s control environment | May not directly influence the organization’s control environment |
| Examples include cloud providers, data center services, and managed security services | Examples include office supply companies, consultants, and non-IT-related service providers |
Understanding Controls Performed by Subservice Organizations
To achieve its SOC 1 control objectives or the SOC 2 Trust Services Criteria, an organization might need to engage a vendor or subservice organization to perform certain services on its behalf.
The organization will therefore need to rely upon the controls performed by the subservice organization, because those controls affect the delivery of services to the organization’s user entities. A typical scenario is an organization that uses a cloud service provider such as AWS: the organization relies on the controls performed at AWS (the subservice organization) for functions that support the services it provides to its own user entities.
Examples of Key Security Controls Managed by Subservice Organizations
- Enable security and monitoring tools within the production environment.
- Implement logical access security measures for infrastructure components, including native security features or security software and appropriate configuration settings.
- Restrict access to virtual and physical servers, software, firewalls, and physical storage to authorized individuals, and review the list of users and their permissions on a regular basis.
Reviewing Subservice Organization Controls in SOC 1 and SOC 2 Reports
The example controls given above would typically be documented in the subservice organization’s SOC report; in this case, AWS has its own SOC 2 report. The organization should review this report primarily for two reasons:
- To understand the design and operating effectiveness of the subservice organization’s controls, so that the organization can rely on them when providing services to its user entities.
- To identify the complementary user entity controls (CUECs), that is, the controls that the subservice organization expects the organization itself to have in place.
It is important to understand that if the subservice organization has identified any CUECs in its SOC report, the organization is responsible for ensuring that those controls are implemented and operating on its side.
The Importance of Managing Subservice Organizations for SOC 1 and SOC 2 Compliance
A subservice organization plays a vital role in the SOC 1 or SOC 2 compliance process. It is important for the service organization to understand that role in order to properly describe its system and control environment in its own report.
When business functions are outsourced and the service organization relies on the subservice organization’s controls, the vendor relationship becomes critical to manage appropriately. If it is managed well, subservice organizations can greatly assist service organizations in achieving their SOC 1 objectives or SOC 2 Trust Services Criteria.