SOC 2 · PDPD

SOC 2 and PDPD: complying with both

Vietnamese companies with US customers face two sets of requirements at once: SOC 2 from enterprise buyers, and PDPD from domestic law. This page breaks down the overlaps, the gaps, and how to run both programs without doubling the work.

By pTrackly Compliance Team · Updated July 2026 · AICPA SOC 2 & Decree 13/2023

Who faces both frameworks?

A concrete example: an HR tech SaaS company in Ho Chi Minh City, whose product stores personnel data for Vietnamese users. The company has entered the US market and signed contracts with several San Francisco-based enterprises. The US customers require a SOC 2 Type II report within 12 months. At the same time, because the system processes personal data of Vietnamese citizens, Decree 13/2023 applies from the moment the first data point is collected.

This situation is not rare. It is common for fintech, healthtech, HR tech, and cloud SaaS companies with Vietnamese users and US investors or B2B customers. Outsourcing vendors delivering services to US corporations while processing PII of Vietnamese employees fall into the same category.

Fintech Healthtech HR tech Cloud SaaS IT Outsourcing

What each framework covers

SOC 2 (AICPA)
  • Nature Voluntary, not a law
  • Purpose US B2B market access
  • Output Audit report issued by a CPA firm
  • Basis 5 Trust Service Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy)
  • Renewal Typically annual (Type II)
  • Enforcement Market pressure, no enforcement authority
PDPD / Decree 13/2023
  • Nature Legal, mandatory
  • Effective Since July 2023
  • Scope Personal data of Vietnamese citizens
  • Enforcer Ministry of Public Security (A05)
  • Violations Fines, administrative penalties
  • Key requirements Mandatory registration for sensitive data, consent mechanism, cross-border transfer controls

Overlaps and gaps

Requirement SOC 2 PDPD / Decree 13
Access controls on personal data Yes Yes
Data breach notification Yes (notify customers) Yes (notify Ministry of Public Security within 72h)
Internal security policies Yes Yes
Data minimization Partially Yes
User consent mechanism No Yes
Registration of sensitive data processing No Yes (mandatory)
Cross-border data transfer controls No Yes (specific PDPD rules)
Vendor / third-party contracts Yes Yes

How to run both programs in parallel

1

Build one shared control inventory

Do not build two separate programs. Start by listing every technical and process control you already have, then tag each control by which framework it satisfies. A well-written access control policy can meet SOC 2 CC6 and PDPD access requirements simultaneously.

2

Map controls in parallel during gap assessment

During gap assessment, use a two-column mapping table: SOC 2 TSC on one side, PDPD requirements on the other. For each gap, classify whether it is missing for one framework or both. Gaps that belong to PDPD but SOC 2 does not cover typically include consent management, data localization, and sensitive data registration.

3

PDPD-specific actions SOC 2 does not cover

  • Appoint a Data Protection Officer (DPO), internal or contracted
  • Register with the Ministry of Public Security if processing sensitive data (health, financial, biometric, ethnic origin)
  • Build a consent management flow specific to Vietnamese user data, including a consent withdrawal mechanism
  • Assess and document any cross-border data transfers if using cloud providers outside Vietnam
4

Use a compliance platform to avoid duplicate evidence work

When a control is tested for both SOC 2 and PDPD, evidence should be collected once. A compliance platform with multi-framework mapping lets you link one evidence artifact to multiple requirements, rather than maintaining two separate documentation sets. This saves significant preparation time when the SOC 2 Type II observation period begins.

Frequently asked questions

Do PDPD and SOC 2 overlap?

There is partial overlap. Both require controls on personal data access, data breach notification, and internal security policies. However, PDPD is Vietnamese law with specific requirements for processing Vietnamese personal data, while SOC 2 is a voluntary framework for B2B service organizations.

Does SOC 2 help with PDPD compliance?

Partially. SOC 2 builds a data security control foundation that PDPD also requires. But SOC 2 does not cover PDPD-specific obligations such as registering sensitive data processing with the Ministry of Public Security, or consent requirements under Decree 13.

Can a company do SOC 2 and PDPD compliance at the same time?

Yes. Many controls overlap, so you do not need two independent programs. The most efficient approach is to build a shared control framework, then map each control to both SOC 2 TSC and PDPD requirements in parallel.

Ready to get audit-ready?

Book a 15-minute call. See the platform. Decide if it fits.

Book Free Demo 15 min, no commitment
No credit card required Setup in 24 hours Cancel anytime
Book a Demo