What are User Entity Controls?
User entity controls (UECs) are controls that a service organization expects its customers (user entities) to implement in order for the service organization's own controls to function effectively. They represent the shared responsibility between a service provider and its customers within a SOC 2 or SOC 1 reporting framework.
Why user entity controls exist
No service organization operates in complete isolation. The security of a system depends not only on the provider's controls but also on how customers use the service. For example, a SaaS platform may enforce role-based access control, but if the customer assigns administrator privileges to every employee, the control environment breaks down.
UECs acknowledge this shared responsibility by explicitly listing what the customer must do on their end.
Common examples of UECs
User entity controls frequently address:
- Access management — customers are responsible for managing their own user accounts, including timely deactivation when employees leave
- Password policies — customers should enforce strong password requirements for their users
- Data handling — customers must classify and protect sensitive data according to their own policies before sharing it with the service provider
- Configuration management — customers are responsible for properly configuring security settings within the platform
- Monitoring — customers should review audit logs and activity reports provided by the service organization
- Incident reporting — customers should promptly report suspected security incidents to the service provider
Where UECs appear in SOC 2 reports
UECs are documented in the service organization's SOC 2 report, typically in a section titled "Complementary User Entity Controls" or similar. The service auditor includes these to clarify the boundaries of the service organization's control environment.
When customers read a SOC 2 report, they should pay close attention to the UECs section. If a customer is not implementing these controls, the overall assurance provided by the SOC 2 report is diminished, because the service organization's controls were designed on the assumption that the UECs are in place.
Responsibilities for service organizations
Service organizations should:
- Clearly define UECs — be specific about what customers need to do, avoiding vague or overly broad statements
- Communicate UECs to customers — proactively share UEC expectations during onboarding and in security documentation
- Provide enablement — offer tools, configurations, and documentation that make it easy for customers to implement UECs
- Review regularly — update UECs as the platform evolves and new features or risks emerge
Responsibilities for user entities
Customers who receive SOC 2 reports from their vendors should:
- Review the UECs section — understand what controls they are expected to implement
- Assess their own compliance — verify that their internal processes satisfy the stated UECs
- Document their controls — if the customer is also subject to audits, demonstrate that vendor UECs are addressed
- Follow up on gaps — if a UEC cannot be met, discuss alternative mitigations with the service provider
UECs and the shared responsibility model
The concept of user entity controls aligns closely with the shared responsibility model popularized by cloud providers. Just as AWS or Azure define which security responsibilities belong to the provider and which belong to the customer, UECs in a SOC 2 report define the same boundary for any service organization.
Understanding and implementing UECs is critical for organizations that rely on third-party services and want to maintain a robust security posture.
How episki helps
episki helps service organizations define and document user entity controls as part of their compliance program. For customers evaluating vendors, episki tracks which UECs apply to each vendor relationship and monitors whether your internal controls satisfy those requirements. Learn more on our SOC 2 compliance page.