SOC 2 Type II

SOC 2 Type II scan-to-email compliance, mapped criterion by criterion.

The SOC 2 Trust Services Criteria CC6.7 requires the entity to restrict the transmission of information to authorized users and protect it during transmission. Multifunction printer scan-to-email is the largest unaddressed transmission path inside most SaaS, fintech, and service-organization environments. SecureMFP closes the CC6.1, CC6.6, CC6.7, and CC7.2 obligations on every device, ahead of the next Type II observation period.

Trust Services Criteria

What SOC 2 Type II requires for transmission and audit logging

SOC 2 is the attestation report defined by the American Institute of Certified Public Accountants under the SSAE 18 standard. A Type II report covers a defined audit period of typically six to twelve months and tests both the design and the operating effectiveness of controls against the Trust Services Criteria. The 2017 Trust Services Criteria, updated in 2022, organize the Security category into nine common criteria from CC1 through CC9. Transmission of information falls under CC6 Logical and Physical Access Controls, specifically CC6.7. System monitoring falls under CC7 System Operations, specifically CC7.2. The auditor tests each criterion through walkthroughs, sample testing, and inspection of evidence drawn from the audit period. Scan-to-email transmits customer information across the mail relay and the public internet, and the control attaches directly to that path.

CC6.1, CC6.6, CC6.7, CC7.2

The Trust Services Criteria mapping for MFP scan-to-email

Four common criteria attach to the multifunction printer scan-to-email path. CC6.1 covers logical access security including authentication of the sender at the device and the recipient on retrieval. CC6.6 covers protection against threats from sources outside the system boundary, which includes the public mail relays scan-to-email traverses. CC6.7 covers restricting the transmission of information to authorized internal and external users and protecting it during transmission. CC7.2 covers system monitoring and the ability to detect security events including failed transmissions and unauthorized access attempts. The auditor tests each criterion through walkthroughs, sample testing of log records drawn from the audit period, and inspection of the policies and procedures supporting the control. Scan-to-email crossing the public internet without enforced encryption and without separate audit logging fails the four criteria together.

Where the gap lives

Why SaaS customer audits flag the scan-to-email path as a finding

Enterprise customers reviewing a service organization's SOC 2 Type II report read the Section III system description and the Section IV control matrix to find the transmission-security control. When the system description mentions multifunction printers, printing workflows, or scan-to-email and the matrix does not show encryption coverage on that path, the customer security team raises a finding. The customer questionnaire that accompanies the SOC 2 report request asks how the service organization protects customer data routed through scan-to-email workflows. The questionnaire also asks whether the recipient mailbox is in scope under the data-handling commitment in the customer contract. Service organizations that cannot answer either question lose enterprise deals or accept contract addenda that create additional reporting burdens. A documented gateway control answers both questions cleanly and reuses the same evidence pack across customer reviews.

The auditor walkthrough

The auditor's walkthrough on MFP scans, what they ask and what they need to see

The SOC 2 auditor follows a predictable five-question walkthrough on the multifunction printer scan-to-email path. Each question maps to a specific Trust Services Criterion. The walkthrough happens twice in a Type II engagement. The first walkthrough occurs at planning, where the auditor confirms control design and selects the sample period. The second occurs at testing, where the auditor inspects sampled log records and traces them back to the control statement. Service organizations that supply clean answers to all five questions reduce management response time during fieldwork.

What the auditor asksMaps to
Which devices handle customer information through scan-to-email?CC6.1, CC6.6
How is transmission protected from the device to the recipient?CC6.7
How is authentication enforced for the sender and the recipient?CC6.1
How does the system monitor and log transmissions?CC7.2
How does the entity detect and respond to a failed transmission?CC7.2
The exception patterns

Common SOC 2 audit findings on scan-to-email and how to remediate

SOC 2 fieldwork on the scan-to-email path produces three recurring exception patterns. Each is preventable with encrypted transport, authenticated retrieval, and a separate gateway audit log. The first is a design exception when the auditor compares the system description to the control matrix. The second is an operating-effectiveness exception when sampled records show plaintext transmissions. The third is a confidentiality exception when recipient mailbox retention conflicts with the customer contract commitment.

Finding patternWhat the auditor sees
CC6.7 design gapSystem description mentions MFP scan-to-email but the control matrix has no corresponding control statement covering transmission protection on that path.
Operating-effectiveness exceptionSampled log records show TLS falling back to plaintext on a percentage of transmissions across the audit period. Auditor documents as deviation.
Confidentiality criterion exceptionRecipient mailbox retention does not match the customer contract data-handling commitment. Carve-out language is incomplete.
Control-by-control mapping

How SecureMFP maps to CC6.1, CC6.6, CC6.7, and CC7.2

SecureMFP intercepts scan-to-email at a stateless gateway between the multifunction printer and the institution mail relay. The plaintext SMTP hop is replaced with an encrypted transport channel under organizational key management. The recipient retrieves the document through an authenticated session, not a mailbox copy. The gateway emits a per-document audit log on a separate component. The deployment package supplies control-statement language for each of the four common criteria that drops into the Section IV control matrix. The mapping below ties each control surface to the criterion the SOC 2 auditor tests during Type II fieldwork.

CriterionSecureMFP control surface
CC6.1 Logical AccessSender authentication at the device, recipient authentication at retrieval.
CC6.6 External ThreatsPublic mail relays bypassed. Encrypted channel terminates inside the boundary.
CC6.7 TransmissionEncrypted transport replaces plaintext SMTP. No TLS fallback to plaintext.
CC7.2 MonitoringPer-document audit log on a separate component, sampled by auditor.
FAQ, the criteria and the obligations

What SOC 2 Type II requires and how the criteria attach

The SOC 2 Trust Services Criteria CC6.7 governs transmission protection. CC6.1, CC6.6, and CC7.2 cover access, external threats, and monitoring respectively.

Does SOC 2 Type II require encryption of scan-to-email?

The Trust Services Criteria do not name scan-to-email explicitly. CC6.7 requires the entity to restrict the transmission of information to authorized users and to protect it during transmission. Scan-to-email transmits sensitive information across the mail relay and the public internet. Plaintext SMTP fails CC6.7. Opportunistic TLS that falls back to plaintext also fails because protection is not enforced.

What are the Trust Services Criteria that apply to scan-to-email?

Four common criteria attach. CC6.1 covers logical access security including authentication. CC6.6 covers protection against threats from sources outside the system boundary. CC6.7 covers restricting transmission and protecting it during transit. CC7.2 covers system monitoring and incident detection. The auditor tests each through walkthroughs, sample testing, and inspection.

FAQ, customer audits and the walkthrough

Why customer reviews flag scan-to-email and what auditors ask

Customers reading a SOC 2 Type II report flag scan-to-email when the matrix lacks coverage. The auditor walkthrough follows a five-question pattern.

Why do SaaS customer audits flag scan-to-email as a finding?

Enterprise customers read the system description and Section IV control matrix to find the transmission-security control. When the description mentions scan-to-email and the matrix does not show encryption coverage, the customer raises a finding. The questionnaire asks how the service organization protects customer data on that path. A documented gateway control answers it.

What does the SOC 2 auditor ask during the MFP walkthrough?

The auditor asks five questions. Which devices handle customer information through scan-to-email. How transmission is protected device to recipient. How authentication is enforced for sender and recipient. How the system monitors and logs transmissions. How the entity responds to a failed transmission. The auditor then samples log records.

FAQ, common findings and the SecureMFP response

What audit findings recur and how SecureMFP closes them

Three exception patterns recur during SOC 2 fieldwork on the scan-to-email path. SecureMFP closes all three with one gateway deployment.

What are the common SOC 2 audit findings on scan-to-email?

Three findings recur. The system description includes MFP scan-to-email but the control matrix has no corresponding control statement, a CC6.7 design gap. Log evidence shows TLS falling back to plaintext for a percentage of transmissions, an operating-effectiveness exception. Recipient mailbox retention does not match the customer contract commitment, a confidentiality exception.

How does SecureMFP map to the SOC 2 Trust Services Criteria?

SecureMFP intercepts scan-to-email at a stateless gateway and replaces the plaintext SMTP hop with an encrypted transport channel under organizational key management. The recipient retrieves the document through an authenticated session, not a mailbox copy. The gateway produces a per-document audit log the auditor samples. The package supplies control-statement language for CC6.1, CC6.6, CC6.7, and CC7.2.

FAQ, Type II preparation and report language

How SecureMFP supports first-time Type II and report language

Service organizations preparing for the first Type II observation period register SecureMFP early to reduce management responses during fieldwork. The deployment package supplies optional subservice-organization language for the report.

Will SecureMFP help us achieve our first SOC 2 Type II report?

Yes. The deployment package includes the control-statement language for the four common criteria, the auditor-evidence schema for the audit-log sample test, and the system description language covering the scan-to-email transmission path. Service organizations preparing for the first Type II observation period register SecureMFP early and reduce the volume of management responses during audit fieldwork.

Does our SOC 2 report need to mention SecureMFP by name?

The service organization controls the language in Section III system description and Section IV control matrix. The deployment package supplies optional subservice-organization language. Some organizations list SecureMFP as a subservice organization with a carve-out, some embed the control inside the transmission-security control statement. Both approaches are acceptable under AICPA guidance.

Related regulations

Related compliance pages on the SOC 2 perimeter

SOC 2 sits inside a broader assurance and regulatory framework that maps to the industry-specific obligations covered on the related pages. NIST SP 800-53 Rev. 5 covers the same transmission and audit-logging concepts under SC-8, SC-12, SC-28, and AU-9 for federal contractors and FedRAMP cloud providers. HIPAA carries the parallel transmission-security obligation for protected health information under 45 CFR 164.312(e)(1). The FTC Safeguards Rule applies the encryption-in-transit principle to customer financial information at non-bank financial institutions. Service organizations that hold a SOC 2 Type II report and serve regulated customers register the same scan-to-email control across pages with shared evidence packages.

Back to compliance overview →

Patents and head-to-head

The patent estate and the alternatives comparison

The patented Secure Digital Transport architecture is the technology layer underneath every regulation on this shelf, and the head-to-head comparison against PaperCut, uniFLOW Online, and Tungsten Automation is the procurement evaluation surface buyers use alongside the regulatory mapping. The two pages below are adjacent reading for any chief information security officer, compliance officer, or audit-firm partner already deep inside the scan-to-email replacement evaluation. Use the patents page during vendor due diligence and supply-chain risk review. Use the compare page during head-to-head selection against print management and document capture incumbents.

Talk to a specialist

Talk to a SecureMFP specialist about your SOC 2 obligations

A SecureMFP specialist will walk through the CC6.1, CC6.6, CC6.7, and CC7.2 mapping for your specific multifunction printer fleet, supply the control-statement language your Section IV control matrix can register, and coordinate with your SOC 2 auditor ahead of the next Type II observation period. Thirty minutes is the standard slot. The walkthrough covers the per-criterion mapping for scan-to-email, the audit-log sample evidence under CC7.2, and the system description language for Section III. SaaS, fintech, and service organizations are closing the scan-to-email gap before the next customer audit cites it. The rollout is two to four weeks for a typical fleet, with five minutes per device on site.