Table of Contents

Reach SOC 2 Compliance in 6 Weeks or Less.

  / ,

  / SSAE 18 vs SOC 2: What’s the Difference and Which One Do You Need?

SSAE 18 vs SOC 2: What’s the Difference and Which One Do You Need?

The “SSAE 18 vs SOC 2” debate typically surfaces when buyers, vendors, and even internal teams are all talking about the same general assurance problem, but using the wrong labels.

A procurement team asks, “Do you have SSAE 18?” A founder says, “We’re going for SSAE 18 certification.” A customer security team asks for an “SSAE 18 SOC 2 report.” Everyone is circling the same planet, but not always landing on the right terminology.

SSAE 18 and SOC 2 are not competing things. They are related, but they are not interchangeable.

The AICPA defines SOC 2 as an examination and report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SSAE 18, by contrast, is the attestation standard framework under which these kinds of engagements are performed.

That distinction matters because buyers often ask for the wrong artifact. If you answer the wrong question, you can waste months preparing the wrong report.

Quick Answer: SSAE 18 Is a Standard; SOC 2 Is a Report

The simplest accurate explanation is this: SSAE 18 is the professional attestation standard; SOC 2 is the report deliverable. The standard tells the auditor how to perform the engagement. The report is what your customers actually read.

The AICPA states that SSAE No. 18 was issued as part of its attestation clarity project, which clarified and recodified attestation standards. The same organization also explains that SOC reports are part of the AICPA’s broader SOC suite of services used to communicate controls at service organizations.

So when someone says, “We need SSAE 18,” what they usually mean is one of two things: either they want a SOC 1 report for financial-reporting-related controls, or they want a SOC 2 report for security and broader system controls.

How SSAE 18 Relates to SOC 1, SOC 2, and SOC 3

SOC 1 addresses controls at a service organization that are relevant to a user entity’s internal control over financial reporting. The AICPA positions SOC 1 specifically for management of user entities and their financial statement auditors.

SOC 2 addresses controls relevant to the Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. It is designed for customers and other specified users who need detailed information about system controls.

SOC 3 covers the same trust services subject matter as SOC 2, but in a general-use format with less detail, so it can be freely distributed. (Think of it as the marketing-friendly version.)

In plain English: SSAE 18 sits underneath the engagement methodology; SOC 1, SOC 2, and SOC 3 are the reporting formats and scopes that come out of it.

What Is SSAE 18?

SSAE 18 stands for Statement on Standards for Attestation Engagements No. 18. It is an AICPA-issued attestation standard used in examinations, reviews, and agreed-upon procedures for nonissuers. The AICPA describes SSAEs as applicable to the preparation and issuance of attestation reports for nonissuers, and specifically notes that SSAE No. 18 completed the attestation clarity project through clarification and recodification.

Who Issues SSAE 18 and Who Performs the Engagement

The AICPA Auditing Standards Board (ASB) issues SSAE standards. The actual engagement, however, is performed by an independent CPA firm or service auditor. That division of labor is important. Your company does not “self-issue” SSAE 18. A CPA firm performs an attestation engagement under that standard and then issues the related report.

Insider Tip

When a buyer asks whether you are "SSAE 18 certified," they are using market shorthand, not technical language. The better response is: "We have a SOC 2 Type 2 report issued by an independent CPA firm under the applicable attestation standards."

What SSAE 18 Replaced (SSAE 16 / SAS 70 Context)

Historically, the service-organization reporting world moved from SAS 70 to SSAE 16, and then to SSAE 18. The AICPA’s clarity and convergence work eliminated the old SAS 70 framing, established the SOC-branded reports, and recodified the underlying attestation standards into SSAE 18. The standard was introduced in 2016 and implemented in 2017 as part of this evolution. (For international context, SSAE 18’s closest equivalent is ISAE 3402, issued by the International Auditing and Assurance Standards Board.)

That is why older buyers may still talk in legacy language. They remember SAS 70. Mid-generation buyers remember SSAE 16. Today’s market usually asks for SOC 1 or SOC 2, but sometimes with yesterday’s vocabulary still attached.

Which Engagements Fall Under SSAE 18

Within the SOC context, SSAE 18 governs how the practitioner performs examinations that lead to reports such as SOC 1, SOC 2, and SOC 3. The AICPA’s SOC suite overview frames these offerings as assurance reports used to help assess and address outsourcing risk.

What Is a SOC 2 Report?

A SOC 2 report is an independent attestation report on controls at a service organization relevant to the Trust Services Criteria. The AICPA defines SOC 2 around the five criteria categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

SOC 2 exists because businesses increasingly outsource critical systems to cloud and SaaS providers, and they want a way to evaluate whether those providers have appropriate controls in place. We’ve written an in-depth guide on what SOC 2 is, which you can read here.

What SOC 2 Evaluates (Controls Aligned to Trust Services Criteria)

SOC 2 evaluates whether the service organization’s system and controls are suitably designed—and, in a Type 2 engagement, whether they operated effectively over a review period—against the applicable TSC. Security is always part of SOC 2, while Availability, Processing Integrity, Confidentiality, and Privacy are included based on the nature of the service and customer commitments.

If you’re unsure which criteria apply to your organization, a gap analysis is a smart first step.

Reach SOC 2 Compliance in 6 Weeks or Less

Schedule Your Free SOC 2 Assessment Today

SSAE 18 vs SOC 2: Side-by-Side Comparison

Category SSAE 18 SOC 2
What it is Attestation standard Report deliverable
Issued by AICPA Auditing Standards Board Independent CPA firm (after the engagement)
Primary purpose Governs how the engagement is performed Communicates results about controls relevant to TSC
Scope Broad attestation framework Security and system controls at a service organization
Main users Auditors and firms performing the work Customers, prospects, procurement, security reviewers
Output Professional standard / methodology Management assertion, system description, testing, opinion
Distribution Not the deliverable buyers request Restricted-use report in most cases

Standard vs Report Deliverable

This is the big one. SSAE 18 is not something you hand to a customer. A customer asks for the report, not the standard. If someone on your team is confused about this, that’s normal—and it’s worth correcting early.

Scope: Financial Reporting (SOC 1) vs Security/Compliance Controls (SOC 2)

SOC 1 and SOC 2 both live in the same general family, but they solve different problems. The AICPA states that SOC 1 is about controls relevant to financial reporting, while SOC 2 addresses the TSC categories tied to system security and reliability. Understanding this distinction is fundamental—if you’re also weighing other frameworks, the comparison between ISO 27001 and SOC 2 is worth reading.

Where “SSAE 18” Shows Up in a SOC 2 Report (What to Look For)

Auditor’s Report Section and Applicable Professional Standards

The report will identify the professional standards under which the examination was performed. In practical terms, this is where the “SSAE” connection shows up most clearly—you’ll see a reference to the applicable AT-C sections that originate from SSAE 18.

System Description Boundaries

A SOC 2 report includes a system description outlining the services, boundaries, infrastructure, software, people, procedures, and data relevant to the examination. Reading this section carefully is essential—it tells you exactly what is (and isn’t) covered by the report.

Subservice Organizations (Carve-Out vs Inclusive Method)

This is where many teams get surprised. If you rely on a cloud host, colocation provider, or other third party, the report needs to explain how those subservice organizations are handled. SSAE 18 places stronger emphasis on monitoring subservice organizations and on describing whether they are included in the scope of the examination or carved out.

  • Inclusive method: The subservice organization’s controls are tested as part of the engagement.

  • Carve-out method: The subservice organization’s controls are excluded, and the report states that the user entity should obtain and review the subservice organization’s own SOC report.

Complementary User Entity Controls (CUECs) and Why They Matter

CUECs are the controls the user entity is expected to implement for the overall control environment to work as intended. If the provider’s controls assume the customer will manage IAM, encryption choices, backups, or log review, those assumptions are documented here.

For organizations implementing continuous monitoring for SOC 2, understanding CUECs is essential because many of these complementary controls need ongoing attention, not just a one-time setup.

Common Misconceptions (and the Correct Terminology)

“SSAE 18 Certification” vs “SOC 2 Report”

There is no formal thing called “SSAE 18 certification.” The more accurate language is that a company has obtained a SOC 2 report resulting from an examination performed under the applicable attestation standards. The AICPA does not issue certifications—it publishes the standards that CPA firms use to perform and report on engagements.

“SSAE 18 SOC 2” as Shorthand vs Formal Naming

People say it. Search engines love it. Procurement spreadsheets keep it alive. But formally, the better phrasing is simply “SOC 2 report” or “SOC 2 Type 2 report.”

“SOC 2 Compliant” vs Having an Issued SOC 2 Report

This phrase is common, but slippery. “SOC 2 compliant” can mean almost anything—from “we follow the spirit of the criteria” to “our report is in progress.” The stronger, more credible statement is: “We have an issued SOC 2 report.” That tells the buyer there is a real deliverable from a real CPA firm, not just an internal claim.

Which One Do You Need?

If a customer asks for “SSAE 18,” do not answer too quickly. Ask what they want to evaluate.

  • If they care about your impact on their financial reporting, they likely want SOC 1.

  • If they care about your security controls, availability commitments, or handling of sensitive information, they likely want SOC 2.

If customers ask for SOC 2, Type 2 is usually what they really expect once you are selling into mid-market or enterprise accounts, because that is the version showing operating effectiveness over time.

If you process transactions that affect customer financial statements, SOC 1 may be necessary—and SOC 2 may still be useful if security teams are also reviewing you.

Do You Ever Need Both SOC 1 and SOC 2?

Yes, absolutely.

Typical Scenarios for Dual Reporting

Organizations in payroll, payments, claims processing, benefits administration, and some fintech categories often need both. Finance wants SOC 1. Security and procurement want SOC 2.

How to Reduce Overlap

The efficient path is not running two totally separate universes. Smart teams align control narratives, evidence collection, and testing calendars where possible. Shared controls around access, change management, monitoring, and vendor management can support both engagements, even though the report objectives differ.

If you’re weighing compliance tooling to manage that workload, our comparison of Drata vs Vanta is a good starting point.

How to Choose the Right Path: A Practical Decision Framework

  1. Start with your services and system boundaries. What do you actually do? What systems are in scope? Which data do you touch?

  2. Identify customer and regulatory requirements. What are buyers asking for in security reviews, MSAs, and procurement portals?

  3. Select the applicable Trust Services Criteria categories for SOC 2. Security is mandatory; the other categories depend on your commitments and risk profile.

  4. Decide Type 1 vs Type 2 based on your sales motion and buyer expectations. Early-stage companies sometimes begin with Type 1 to accelerate initial deals, then move to Type 2. More mature B2B SaaS companies are increasingly expected to present Type 2.

Not sure where you stand? A gap analysis can clarify whether you need SOC 1, SOC 2, or a coordinated path to both. If you’d like to talk it through, click here to get in touch.

FAQ: SSAE 18 vs SOC 2

Is SSAE 18 the same as SOC 2?

No. SSAE 18 is the attestation standard; SOC 2 is the report. They are related—SOC 2 examinations are performed under the SSAE 18 framework—but they are not the same thing.

No. It is the professional standard used to perform attestation engagements. The SOC report is the output of an engagement performed under that standard.

Yes. SOC 2 Type 2 examinations are performed under the applicable attestation standards, and SSAE 18 is the foundational reference point in this context.

SOC 1 addresses controls relevant to financial reporting. SOC 2 addresses controls relevant to the Trust Services Criteria. Both engagements are performed under the SSAE 18 framework, but they serve different audiences and evaluate different control objectives.

That is the wrong comparison. For most SaaS vendors, the relevant deliverable is SOC 2. SSAE 18 is the standard behind the engagement, not the thing you choose instead of SOC 2. To learn more about what to expect from a SOC 2 engagement, we’ve laid out the process step by step.

That wording is not technically accurate. Say you have a SOC 2 report, ideally specifying Type 1 or Type 2. The AICPA does not issue “certifications”—it provides the standards under which CPA firms perform and report on examinations.

Final Thoughts

The cleanest takeaway is this: SSAE 18 is the standard. SOC 2 is the report. Once you separate those ideas, the rest of the decision tree gets much easier.

If your buyers are asking for “SSAE 18,” clarify whether they really need SOC 1 or SOC 2. If you are a SaaS or cloud service organization, the answer is very often SOC 2 Type 2. If your services affect customer financial statements, you may need SOC 1, and in some cases both.

If you are planning your next move, now is the right time to book a SOC readiness assessment, request an audit scoping review, or a gap analysis so you can confirm whether you need SOC 1, SOC 2, or a coordinated path to both.

Axipro Author

Picture of Pedro Dias

Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.

Blog Highlights

Explore More Articles

SOC 2 Report vs. Certification

SOC 2 is not a certification, and no auditor will ever hand you a SOC 2 certificate. What you receive at the end of the audit is an attestation report: a detailed document, often 60 to 100 pages long, in which a licensed CPA firm expresses a professional opinion on your controls. That distinction sounds like pedantry until a prospect’s security team asks to see your “certificate” and you have nothing that looks like one. This article explains exactly what a SOC 2 report is, what it contains, how it differs from an ISO 27001 certificate, and how to talk about your SOC 2 status without misrepresenting it. Is SOC 2 a Certification or a Report? The Common Misconception About “SOC 2 Certification” Search volume tells the story: far more people look for “SOC 2 certification” than for “SOC 2 attestation,” and sales teams, procurement questionnaires, and even some auditors use the certification shorthand daily. The misconception is understandable. Every other major framework in the compliance stack, from ISO 27001 to PCI DSS, ends in something that looks like a pass. SOC 2 does not work that way, and treating it as if it does leads to awkward conversations during vendor due diligence. Why SOC 2 Is Technically an Attestation, Not a Certification A certification is a binary judgment issued by an accredited body: you meet the standard, or you do not. SOC 2 sits under the AICPA’s attestation standards, primarily SSAE 18 and its later amendments (SSAE 21 updated the relevant examination sections), specifically AT-C section 105 and AT-C section 205. Under those standards, an independent service auditor examines your controls and reports an opinion on them. Nobody “passes.” The auditor attests to what they found, in writing, with evidence. The output is a report, and the report is the entire deliverable. Understanding the SOC 2 Attestation Model What Is an Attestation Engagement? An attestation engagement is a formal examination in which a practitioner evaluates subject matter prepared by another party against defined criteria, then issues a written conclusion. In SOC 2, the subject matter is your system and its controls, the criteria are the AICPA’s Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy), and the party preparing the subject matter is you, the service organization. Security is the only mandatory category; the other four are scoped in based on your service commitments. The Role of the AICPA and Licensed CPA Firms The AICPA (American Institute of Certified Public Accountants) owns the SOC framework and the attestation standards behind it, but it does not perform audits and does not issue anything to your company. Only a licensed CPA firm can conduct a SOC 2 examination and sign the resulting opinion. That licensing requirement is the quality mechanism: the firm’s professional liability, independence rules, and peer review obligations stand behind the report. In practice, this means the assurance you get is only as strong as the auditor’s reputation and independence posture, which is why enterprise buyers often look at who signed the report almost as carefully as they look at what it says. How Attestation Differs from Certification and Accreditation The three terms describe different assurance models. Certification means an accredited certification body confirms conformity with a standard and issues a certificate, as happens with ISO 27001. Accreditation is one level up: it is the process by which national bodies, such as those coordinated through the International Accreditation Forum, authorize those certification bodies to certify in the first place. Attestation involves no certificate and no accreditation chain. A CPA firm examines evidence and expresses an opinion under professional standards. The credibility comes from the auditor’s license and independence, not from a badge. What You Actually Receive After a SOC 2 Audit The SOC 2 Attestation Report Explained The deliverable is a confidential, restricted-use document addressed to your management and intended for your customers, their auditors, and other informed parties. It is dense by design. A prospect’s risk team reads it to understand what your system does, which controls you operate, how the auditor tested them, and what the auditor found. It replaces a certificate with something far more useful: evidence. Key Components of the Final Report Independent service auditor’s opinion. The first section, usually two to three pages, states the auditor’s formal conclusion on whether your system description is fairly presented and whether your controls were suitably designed (and, for Type 2, operating effectively). This is the section report readers check first. Management’s assertion. A signed statement in which your leadership formally asserts that the system description is accurate and that controls meet the applicable criteria. SSAE 18 made this management assertion a mandatory element, which means responsibility for the description sits with you, not the auditor. System description. The longest narrative section was prepared by management against the AICPA’s SOC 2 description criteria. It covers the services provided, infrastructure, software, people, data, processes, subservice organizations, and complementary user entity controls. Trust Services Criteria and controls tested. A mapping of each in-scope criterion to the specific controls you operate. This is where scoping decisions become visible: a report covering Security only looks very different from one covering all five categories. Results of testing. For Type 2 reports, a control-by-control table showing the tests the auditor performed and the results, including any exceptions. Sophisticated readers spend most of their time here, because exceptions and the auditor’s response to them reveal more than the opinion page does. What a SOC 2 Report Is NOT (No Certificate, No Logo, No Pass/Fail Badge) There is no official SOC 2 certificate, no numbered credential, and no register of “certified” companies you can be listed in. The AICPA licenses a standard SOC logo that service organizations may display for a limited time after report issuance, but the logo confirms only that an examination took place. It says nothing about the opinion inside. Anyone selling you a “SOC 2 certificate” as a standalone artifact is selling something the framework does not produce. Important: If

SIG Lite What It Covers, When to Use It, and Where It Falls Short

The full SIG content library contains 1,936 questions. SIG Lite asks 128 of them. That difference is the entire point: most vendor relationships do not justify a multi-week questionnaire exchange, and SIG Lite exists so risk teams can run standardized due diligence on lower-risk vendors without burning analyst hours or vendor goodwill. What Is SIG Lite? SIG Lite is the streamlined version of the Standardized Information Gathering (SIG) questionnaire, the most widely used third-party risk assessment instrument in the industry. It condenses the full SIG question set into a short, high-level assessment of a vendor’s information security, privacy, and resilience controls. It is a self-assessment, not an audit: the vendor answers, the assessor evaluates, and the completed questionnaire becomes evidence of due diligence in a third-party risk management (TPRM) program. Purpose of the SIG Lite Questionnaire The purpose is speed with consistency. SIG Lite gives an outsourcing organization a broad understanding of a third party’s internal control environment using a standardized question set, so answers are comparable across an entire vendor portfolio. It works either as a complete assessment for low-risk vendors or as a preliminary screen that decides whether a deeper review is warranted. Because every vendor answers the same questions, risk teams can rank, tier, and triage instead of interpreting fifty differently formatted responses. Who Created and Maintains SIG Lite? SIG Lite is owned and maintained by Shared Assessments, a member-driven standards organization formed in 2005 when the Big Four accounting firms and six global banks set out to fix the inefficiency of every company writing its own vendor questionnaire. The SIG is developed through a formal governance process that draws on practitioner feedback and tracks evolving regulations and standards, which is a large part of why it has held its position as the de facto industry template. SOC 2, ISO 27001 and HIPAA done for you. Fixed fee, 100% audit pass rate. Audit-ready in 6 weeks. Not 6 months. Schedule Free Assessment What’s Included in the SIG Lite Questionnaire? Number of Questions and Structure The 2025 release of SIG Lite contains 128 questions. The exact count shifts slightly with each annual update (recent versions have ranged from roughly 126 to 133), so always confirm the version you are working with. Questions are predominantly yes/no with room for comments and references to supporting evidence, and each question maps back to the SIG content library and to external frameworks. SIG Lite ships as a single-worksheet questionnaire, which keeps completion and review manageable. Risk Domains Covered in SIG Lite SIG Lite draws its questions from the same 21 risk domains that structure the entire SIG, grouped into four control areas: Governance and Risk Management, Information Protection, IT Operations and Business Resilience, and Security Incident and Threat Management. In practice, that means high-level coverage of access control, information security policy, data privacy, cloud security, business continuity, incident response, supply chain risk, human resources security, compliance management, and ESG, among others. The breadth is the same as SIG Core; the depth per domain is what gets trimmed. Format and Delivery (Spreadsheet and Toolkit) Historically, the SIG has been delivered as an Excel workbook generated by the SIG Manager, the macro-driven engine inside the SIG Questionnaire Toolkit that lets assessors scope, generate, store, and compare questionnaires. That is changing. In March 2026, Shared Assessments launched SIG EV (Evolution), a browser-based platform that moves questionnaire creation, distribution, comparison, and grading to the cloud while preserving the same content and methodology. Vendors can still respond in Excel, and assessors can upload completed files, so the transition does not break existing workflows. Worth Knowing: SIG Questions & Permissions SIG questions cannot be edited without written permission from Shared Assessments, but assessors can add up to 100 custom questions to a scoped questionnaire. That is usually enough headroom to cover industry-specific requirements without abandoning the standard. When Should You Use SIG Lite? Ideal Vendor Risk Scenarios SIG Lite fits three situations well. First, vendors with no access to sensitive data or critical systems, where a full assessment would be disproportionate. Second, large vendor portfolios, where sending 600-plus questions to every supplier would stall onboarding across the board. Third, early-stage evaluation, where you need enough signal to decide whether a relationship is worth deeper diligence. Low-Risk vs. High-Risk Vendor Assessments The dividing line is data and criticality. A marketing tool that touches no customer records, a facilities contractor, or a niche SaaS product with read-only access to public data can all be assessed adequately with SIG Lite. A payroll processor, a cloud provider hosting production data, or any vendor storing regulated information under HIPAA, PCI DSS, GDPR, or GLBA should get SIG Core. Using Lite on a high-risk vendor is a documented gap waiting to be found in your next audit. Initial vs. In-Depth Risk Screening Many mature programs use SIG Lite as a gate rather than a destination. The Lite response feeds an initial risk score; vendors that trip defined thresholds (a missing incident response plan, no encryption at rest, no independent certification) graduate to SIG Core or a targeted domain-level assessment. This two-stage pattern keeps effort proportional to risk and gives vendors a lighter first touch. SIG Lite vs. SIG Core: Key Differences Both questionnaires come from the same content library and cover the same 21 risk domains. The differences are scope, depth, and effort. Question Count and Scope SIG Lite’s 128 questions sit at the top of the control hierarchy: does a policy exist, is a program in place, and is there independent validation? SIG Core’s 627 questions descend into how each control actually operates. Beyond both sits the full SIG Detail library of 1,936 questions, which assessors use to build custom scopes by regulation, domain, or control family. Depth of Assessment A SIG Lite answer tells you a vendor has an access control program. A SIG Core response tells you how privileged accounts are reviewed, how quickly access is revoked at termination, and how authentication is enforced across environments. If your obligation is

The PDPA Compliance Singapore Checklist

In 2018, a cyberattack on SingHealth exposed the records of 1.5 million patients, including the Prime Minister. The Personal Data Protection Commission (PDPC) handed down S$1 million in combined penalties, and that decision still sits on its public enforcement page today. The Personal Data Protection Act (PDPA) has sharper teeth than it did a few years ago. Since October 2022, the PDPC can impose financial penalties of up to 10% of an organisation’s annual turnover in Singapore, or S$1 million, whichever is higher. Breach notification is now mandatory. And a hard deadline is approaching: from 1 January 2027, using NRIC numbers for authentication becomes an enforcement target. A checklist is how you turn all of that into something you can actually execute against, rather than a legal document you skim once and forget. What Is the PDPA Compliance Checklist? A PDPA compliance checklist translates the law’s 11 data protection obligations into concrete, verifiable actions. The obligations themselves are principles: Consent, Purpose Limitation, Notification, Access and Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, Data Breach Notification, Accountability, and Data Portability (legislated in 2020 but not yet in force). A principle tells you what good looks like. A checklist tells you whether you have done it. The distinction matters because the PDPC does not accept good intentions as a defense. When it investigates, it looks for documented policies, a named Data Protection Officer (DPO), evidence of consent, and a breach plan that existed before the breach. The checklist is what produces that evidence trail. SOC 2, ISO 27001 and HIPAA done for you. Fixed fee, 100% audit pass rate. Audit-ready in 6 weeks. Not 6 months. Schedule Free Assessment Who Needs to Follow the PDPA Compliance Checklist in Singapore Every private sector organisation that collects, uses, or discloses personal data in Singapore falls under the PDPA. That covers sole proprietorships, partnerships, companies, and foreign entities with Singapore operations. Headcount is irrelevant. A five-person startup carries the same obligations as a multinational, and the PDPC has shown it will penalize small and mid-sized businesses, not only household names. Physical presence is not the trigger either. If your processing touches individuals in Singapore, the Act can reach you even without a local office. Public sector agencies sit under separate legislation, but the private sector rules administered by the PDPC, which operates under the Info-communications Media Development Authority (IMDA), apply broadly. One useful carve-out: business contact information used purely for business purposes is largely exempt from the consent rules. Worth Knowing: PDPA Roles Explained The PDPA distinguishes an organisation from a data intermediary, a party that processes data on another’s behalf. Intermediaries carry a narrower but real set of duties, mainly protection and retention. If you outsource payroll, hosting, or email marketing, you are the organisation and your vendor is the intermediary, and the contract between you needs to say so explicitly. PDPA Compliance Checklist: Step-by-Step Guide The 15 steps below move roughly in the order you should tackle them, from governance foundations through operational controls to ongoing assurance. Treat them as a sequence, not a menu. Step 1: Appoint a Data Protection Officer (DPO) The PDPA requires every organisation to designate at least one individual responsible for compliance, and to make that person’s business contact details available to the public. You do not have to hire a specialist. In smaller firms, an existing employee can hold the DPO role alongside other duties. What matters is that the role is named, resourced, and reachable, because the DPO is who the PDPC and affected individuals contact first. Publish the contact details on your website and inside your privacy notice. Step 2: Map and Inventory Personal Data You cannot protect data you cannot see. Build a data inventory that records what personal data you hold, where it lives, which systems and people can access it, why you collected it, and how long you keep it. This map is the single most useful artifact in your entire program. It feeds your privacy notice, your retention schedule, your breach assessments, and your vendor reviews. Most compliance failures trace back to a blind spot, a spreadsheet of customer records nobody remembered, or a legacy database still holding data long past its purpose. Step 3: Establish Lawful Basis and Obtain Valid Consent Under the Consent Obligation, you generally need an individual’s consent before you collect, use, or disclose their personal data, and that consent must be tied to a specific, notified purpose. The 2020 amendments added flexibility: deemed consent covers scenarios like contractual necessity, and the legitimate interests exception lets you process data where the benefit outweighs any adverse effect, provided you document the assessment. You cannot make consent to unrelated data uses a condition of providing a service. Important: Bundled consent is a common enforcement trigger. A single checkbox that forces a customer to agree to marketing in order to complete a purchase is not valid consent for the marketing. Separate the purposes, and let people say yes to one without being forced into the other. Step 4: Draft and Publish a Compliant Privacy Notice Your privacy notice is the public expression of how you handle personal data. It should state what you collect, the purposes you collect it for, who you share it with, how long you retain it, and how individuals can contact your DPO or exercise their access and correction rights. Write it in plain language. A notice dense enough to deter reading does not satisfy the spirit of the Notification Obligation, and regulators notice the difference. Step 5: Implement the Notification of Purpose Requirement The Notification Obligation and the Purpose Limitation Obligation work as a pair. You must inform individuals of the purpose before or at the point of collection, and you must then confine your use of the data to that purpose. Practically, that means a clear notice at every collection point: sign-up forms, website pop-ups, contact forms, event registrations. Selling a customer list you gathered for order fulfillment is precisely the kind of