The conversation around offshore data engineering in asset management usually comes down to one question: how do you maintain SOC 2 Type II compliance when an offshore team handles your data?

We understand that this concern is valid. SOC 2 Type II audits evaluate how effectively your controls operate over time. When those controls extend to a Global Delivery Center (GDC) across different jurisdictions, time zones, and operating environments, the scope becomes harder to manage.

However, this is no longer an edge case. Firms that build the right controls into their GDC model from the beginning can consistently meet audit expectations. The difference comes down to how early these controls are designed into the operating model.

This guide will help you understand the prerequisites for designing GDC security controls that satisfy auditors, regulators, and institutional investor due diligence teams.

SOC 2 Trust Service Criteria: GDC-Specific Controls

SOC 2 is organized around five Trust Service Criteria. This is how each applies to a GDC operating model for asset management data engineering:

  1. Security

Security is mandatory in every SOC 2 report (the other four criteria are included only when you put them in scope) and is the first area auditors will examine in a GDC model:

  • Logical Access Controls:
    • All GDC engineer access flows through the client’s Microsoft Azure AD (now Microsoft Entra ID) tenant, with conditional access enforcing MFA, device compliance, and geo-restrictions.
    • Privileged access to production Snowflake environments requires CyberArk PAM with session recording and time-bound credentials (sessions capped at four hours).
    • Access provisioning follows a defined, ticketed workflow; on exit, access is deprovisioned automatically and the removal is manually verified within 24 hours.
  • Network Security:
    • Zero-trust network access using tools like Zscaler Private Access, where each session is authenticated and authorized individually instead of granting network-level reach.
    • Split tunneling is disabled to ensure all traffic passes through the security stack.
    • Network segmentation isolates GDC environments from other tenants within the same facility.
  • Endpoint Security:
    • Client-managed devices enforced through Microsoft Intune.
    • Endpoint detection using tools like CrowdStrike Falcon with continuous monitoring.
    • USB access, screen capture, and clipboard redirection are restricted through policy controls.
  2. Availability

Once security is enforced, the next expectation is whether the GDC can reliably support operations without disruption, which includes:

I. Business continuity plans, with alternate-site readiness tested against defined recovery timelines.

II. Minimum staffing thresholds with cross-training to remove single points of failure.

III. Redundant communication channels (Teams, Slack, phone bridges) with documented fallback procedures.

  3. Processing Integrity

Availability alone is not enough. Your pipelines must also produce consistent and reliable outputs:

  • Code changes require peer review, with approval thresholds enforced by the repository rather than by convention.
  • CI/CD pipelines include automated testing gates that must pass before deployment.
  • Change management includes rollback strategies that are tested in advance, not written during an incident.
  • Data reconciliation checks (row counts, control totals, key sets) validate outputs after every pipeline run.
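A post-run reconciliation check of the kind the last item describes, as an added example (not code from the page or from UBTI). It compares a constructed source extract against a constructed target load on the three things an auditor asks about: row count, a control total over a monetary column, and the key set. Column names, the tolerance, and the sample rows are assumptions for the example.

```python
"""Post-run reconciliation of a pipeline load against its source extract.

Added example, not code from the page.  Column names, tolerance and all
rows are constructed for illustration.
"""
from decimal import Decimal
from hashlib import sha256

# Constructed sample: a positions extract from the source system and what
# the pipeline wrote to the warehouse.  The load dropped P-1003 and stored
# P-1002's market value with different rounding.
SOURCE = [
    {"position_id": "P-1001", "market_value": Decimal("1250000.00")},
    {"position_id": "P-1002", "market_value": Decimal("88000.50")},
    {"position_id": "P-1003", "market_value": Decimal("410.25")},
]
TARGET = [
    {"position_id": "P-1001", "market_value": Decimal("1250000.00")},
    {"position_id": "P-1002", "market_value": Decimal("88000.00")},
]


def control_total(rows, column):
    """Sum of a monetary column, kept in Decimal to avoid float drift."""
    return sum((r[column] for r in rows), Decimal("0"))


def key_fingerprint(rows, key):
    """Order-independent hash of the key set; cheap to store as evidence."""
    return sha256("\n".join(sorted(r[key] for r in rows)).encode()).hexdigest()


def reconcile(source, target, key="position_id", amount="market_value",
              tolerance=Decimal("0.01")):
    """Compare source and target; 'passed' is True only if every check holds."""
    src_keys = {r[key] for r in source}
    tgt_keys = {r[key] for r in target}
    src_by_key = {r[key]: r[amount] for r in source}
    result = {
        "row_count": (len(source), len(target)),
        "missing_in_target": sorted(src_keys - tgt_keys),
        "unexpected_in_target": sorted(tgt_keys - src_keys),
        "control_total_delta": control_total(target, amount) - control_total(source, amount),
        "fingerprint_match": key_fingerprint(source, key) == key_fingerprint(target, key),
        # Rows present on both sides whose amount drifted beyond tolerance.
        "amount_mismatches": sorted(
            r[key] for r in target
            if r[key] in src_by_key and abs(r[amount] - src_by_key[r[key]]) > tolerance),
    }
    result["passed"] = (
        len(source) == len(target)
        and not result["missing_in_target"]
        and not result["unexpected_in_target"]
        and not result["amount_mismatches"]
        and abs(result["control_total_delta"]) <= tolerance
    )
    return result


if __name__ == "__main__":
    for name, value in reconcile(SOURCE, TARGET).items():
        print(f"{name}: {value}")
```

In a pipeline the result would be written to the evidence store and a `passed` of False would fail the run before downstream consumers see the data; the fingerprint lets you prove later that the key set was checked without retaining the rows themselves.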
  4. Confidentiality

With asset management data, confidentiality controls must be enforced at both system and operational levels:

  • Data is accessed strictly within the client’s cloud environment and is never stored locally in the GDC.
  • All engineers sign enforceable NDAs covering material non-public information (MNPI) and post-engagement restrictions.
  • Clean desk policies are actively enforced within the facility (no paper documents, personal devices, or unauthorized recording devices are permitted in work areas).
  • Background verification of data engineers is completed before granting any system access.
  5. Privacy

When investor PII is involved, privacy controls extend beyond access and define how data is handled at every step:

  • Mandatory privacy training covering regulations such as the California Consumer Privacy Act (CCPA) and internal policies.
  • Strict controls preventing the extraction or storage of PII outside the platform.
  • Use of synthetic data in development and test environments, so production PII never leaves production.
  • Defined incident response procedures with immediate escalation paths.

Note that many of these GDC controls also overlap with the SEC’s emerging 2026 cybersecurity expectations, under which regulators increasingly assess how access, data protection, and monitoring are enforced at the system level.


SOC 2 Compliance

Audit Evidence Collection: Automating the Pain

We’ve defined how access is controlled, how data is protected, and how systems are monitored within the GDC. The next challenge is demonstrating that these controls are consistently followed every day, with evidence that can withstand a SOC 2 Type II audit.

In a GDC model, evidence spans both client systems and offshore operations, and collecting it by hand quickly becomes unmanageable. Automate evidence collection from these sources:

  1. Sign-in logs from Azure AD showing authentication results and conditional access policy enforcement.
  2. Session recordings from CyberArk for privileged access tracking.
  3. Code and deployment records from platforms like GitHub or Azure DevOps.
  4. Incident logs from monitoring tools like Datadog and PagerDuty.
  5. HR systems tracking onboarding and offboarding timelines.

Organize the evidence by control and Trust Service Criteria so auditors can verify each control independently. Above all, be consistent: maintain a continuously updated repository instead of assembling evidence just before the audit window.

Start evidence collection from day one. When controls operate continuously, the audit becomes a validation exercise. When they are implemented late, the audit becomes an investigation.
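The following is an added example of what a continuously running evidence job looks like for the logical access controls in the Security section above (conditional access, four-hour privileged sessions, 24-hour deprovisioning) and the first, second, and fifth evidence sources in the list above. It is not UBTI’s tooling or any vendor’s product. The record shapes are simplified assumptions standing in for Entra ID (Azure AD) sign-in logs, CyberArk session records, and HR offboarding events; the group name, allowed-country list, and every sample record are constructed for the example.

```python
"""Continuous control checks over GDC access evidence.

Added example, not UBTI's tooling.  Record shapes, group name, country
list and all records below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

GDC_GROUP = "gdc-data-engineers"           # assumed Entra ID group
ALLOWED_COUNTRIES = {"IN", "US"}           # assumed: delivery centre and client
MAX_PRIVILEGED_SESSION = timedelta(hours=4)   # from the page
DEPROVISION_SLA = timedelta(hours=24)          # from the page

T0 = datetime(2025, 3, 3, 9, 0)            # constructed reference time
REPORT_TIME = T0 + timedelta(days=2)       # when the evidence job runs

# Constructed sign-in records (a subset of Entra ID sign-in log fields).
SIGNINS = [
    {"id": "s1", "user": "asha", "groups": [GDC_GROUP], "country": "IN",
     "mfa": True, "device_compliant": True},
    {"id": "s2", "user": "asha", "groups": [GDC_GROUP], "country": "IN",
     "mfa": False, "device_compliant": True},    # single-factor sign-in
    {"id": "s3", "user": "ravi", "groups": [GDC_GROUP], "country": "DE",
     "mfa": True, "device_compliant": False},    # unmanaged device, off-list country
    {"id": "s4", "user": "jane", "groups": ["onshore-pm"], "country": "GB",
     "mfa": False, "device_compliant": False},   # not a GDC account: out of scope
]
# Constructed privileged-session records (start and end of each session).
PAM_SESSIONS = [
    {"id": "p1", "user": "asha", "start": T0, "end": T0 + timedelta(hours=3)},
    {"id": "p2", "user": "ravi", "start": T0, "end": T0 + timedelta(hours=5, minutes=30)},
]
# Constructed HR exit times and the time each directory account was disabled
# (None means the account is still enabled when the job runs).
HR_EXITS = {"ravi": T0, "kiran": T0, "meena": T0}
ACCOUNT_DISABLED_AT = {"ravi": T0 + timedelta(hours=2), "kiran": None,
                       "meena": T0 + timedelta(hours=30)}


@dataclass
class Finding:
    criterion: str   # Trust Service Criteria bucket
    control: str     # control name as listed in the control matrix
    record_id: str
    detail: str


def check_conditional_access(signins):
    """Every GDC sign-in must carry MFA, a compliant device and an allowed
    country; each miss on a record is its own finding."""
    findings = []
    for s in signins:
        if GDC_GROUP not in s["groups"]:
            continue
        problems = []
        if not s["mfa"]:
            problems.append("no MFA")
        if not s["device_compliant"]:
            problems.append("non-compliant device")
        if s["country"] not in ALLOWED_COUNTRIES:
            problems.append(f"country {s['country']} not allowed")
        findings += [Finding("Security", "Logical access: conditional access",
                             s["id"], p) for p in problems]
    return findings


def check_session_length(sessions, limit=MAX_PRIVILEGED_SESSION):
    """No privileged session may outlive the time-bound credential."""
    return [Finding("Security", "Logical access: privileged session limit",
                    s["id"], f"{s['user']} session ran {s['end'] - s['start']}")
            for s in sessions if s["end"] - s["start"] > limit]


def check_deprovisioning(exits, disabled_at, now, sla=DEPROVISION_SLA):
    """The account must be disabled within the SLA of the HR exit, including
    the case where it has not been disabled at all yet."""
    control = "Access provisioning: deprovisioning on exit"
    findings = []
    for user, exit_time in exits.items():
        disabled = disabled_at.get(user)
        if disabled is None and now - exit_time > sla:
            findings.append(Finding("Security", control, user, "still enabled past SLA"))
        elif disabled is not None and disabled - exit_time > sla:
            findings.append(Finding("Security", control, user,
                                    f"disabled {disabled - exit_time} after exit"))
    return findings


def run_checks(now=REPORT_TIME):
    """Run every check and group findings by criterion, then control: the
    layout that lets an auditor walk one control at a time."""
    all_findings = (check_conditional_access(SIGNINS)
                    + check_session_length(PAM_SESSIONS)
                    + check_deprovisioning(HR_EXITS, ACCOUNT_DISABLED_AT, now))
    grouped = {}
    for f in all_findings:
        grouped.setdefault(f.criterion, {}).setdefault(f.control, []).append(f)
    return grouped


if __name__ == "__main__":
    for criterion, controls in run_checks().items():
        print(criterion)
        for control, items in controls.items():
            print(f"  {control}: {len(items)} exception(s)")
            for f in items:
                print(f"    {f.record_id}: {f.detail}")
```

Run daily, the grouped output (and an empty result on clean days) is the evidence: each control has a dated record of the population tested and every exception, which is exactly what a Type II auditor samples across the review period. Note that the deprovisioning check treats a still-enabled account as an exception only once the SLA has elapsed, so a leaver processed this morning does not show up as a false positive.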

Institutional Investor Due Diligence

SOC 2 compliance does not stop at the audit report. Institutional investors will still evaluate your operating model separately, and their questions typically focus on:

  • What data can the offshore team access?
  • How is data movement controlled and restricted?
  • What happens when the offshore engagement ends?
  • Has the model been independently validated?

Your answers need to match both the controls you have actually implemented and your policy documents; a gap between the two is what due diligence teams look for.

Final Thoughts

SOC 2 compliance in offshore data engineering is not made difficult by the audit itself. It becomes difficult when controls are introduced after the operating model is already in place. When GDC models are designed with SOC 2 controls built in from the start, compliance becomes part of daily operations rather than a periodic exercise.

And for asset management CTOs, the ROI is straightforward. A GDC typically delivers 30-40% cost savings on data engineering operations, while the SOC 2 compliance investment consumes only 5-10% of those savings. The result is a setup that is both cost-effective and audit-ready compared with many fully onshore models.


At UBTI, we work with leading asset management firms to design SOC 2-aligned GDC operating models, covering access controls, security architecture, evidence automation, audit readiness, and more. Speak with our team to review your current GDC setup and identify the specific control gaps to address before your next audit cycle.

Frequently Asked Questions

Is using client-managed devices mandatory for SOC 2 compliance?

It is not explicitly mandated, but in practice, client-managed devices enforced through tools like Microsoft Intune make it easier to prove endpoint security, patching, and policy enforcement during audits.

How can you assess if your current GDC setup is audit-ready?

Start by checking three areas: access governance, evidence availability, and monitoring coverage. If any of these rely on manual effort or incomplete logs, it usually indicates gaps that need to be addressed before an audit.

Does SOC 2 require the GDC facility itself to be certified?

No. SOC 2 applies to your organization’s controls, not to the facility. If the GDC provider has its own SOC 2 report or ISO certification (typically ISO/IEC 27001), however, it strengthens your position during audits and investor due diligence.

How do you handle jurisdiction risks when data is accessed from another country?

You are still accountable for the data regardless of where it is accessed from. Most firms address this through geo-restrictions in conditional access, contractual clauses, and ensuring that all data access happens inside the client’s cloud tenant rather than on infrastructure in the offshore country.

What role do SLAs play in SOC 2 compliance for GDCs?

SLAs define accountability. They typically include response times, incident-handling expectations, and availability targets. Auditors often review whether these commitments are met in practice, not just documented.