What are Complementary User Entity Controls (CUECs)?

Complementary User Entity Controls (CUECs) are controls a service organization assumes its customers (user entities) will implement for the Trust Services Criteria to be fully met. Listed in the SOC 2 report, they place specific responsibilities on the customer; the service organization's controls alone do not achieve the objectives without them.

CUECs exist because a service organization's controls rarely cover the whole picture on their own. The report explicitly lists the controls it expects the customer to operate — such as managing their own user access, configuring the service securely, or reviewing activity logs — so the stated objectives are only fully met when both parties play their part. Responsibility for CUECs sits with the user entity, not the provider.

For example, a SaaS provider may enforce strong infrastructure and password policies, but the report's CUECs will state that customers are responsible for promptly removing access when their own employees leave and for enabling multi-factor authentication. If you receive a vendor's SOC 2 report, reading the CUEC section tells you exactly what you must do on your side. CUECs differ from complementary subservice organization controls (CSOCs), which are controls expected of the provider's own subservice vendors.
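As an added illustration (not part of the original page), the following script shows the kind of check a user entity might run to evidence the two CUECs in the example above: it reconciles a vendor's user export against the HR roster, flagging terminated staff who are still active past a deprovisioning SLA, active accounts with no HR record, and active users without MFA. The roster, the export and the five-day SLA are constructed assumptions; a real check would read the vendor's admin API or CSV export.

```python
"""Reconcile a SaaS user export against the HR roster to evidence two CUECs:
(1) terminated staff are deprovisioned promptly, (2) every active user has MFA.
Added example, not from the original page. The roster, the export and the
SLA are constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import date

# Assumed: the CUEC says "promptly"; we pick a concrete SLA to test against.
DEPROVISION_SLA_DAYS = 5
# Assumed review date for the constructed data below.
AS_OF = date(2024, 3, 22)


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str


# Constructed HR roster: email -> termination date (None = still employed).
HR_ROSTER = {
    "alice@example.com": None,
    "bob@example.com": date(2024, 3, 1),
    "carol@example.com": date(2024, 3, 20),
    "dave@example.com": None,
}

# Constructed vendor user export, shaped like a typical admin CSV.
SAAS_USERS = [
    {"email": "alice@example.com", "status": "active", "mfa_enabled": True},
    {"email": "bob@example.com", "status": "active", "mfa_enabled": True},      # left 3 weeks ago, still active
    {"email": "carol@example.com", "status": "active", "mfa_enabled": False},   # left 2 days ago, inside SLA
    {"email": "dave@example.com", "status": "active", "mfa_enabled": False},    # employed, no MFA
    {"email": "erin@example.com", "status": "active", "mfa_enabled": True},     # no HR record at all
    {"email": "frank@example.com", "status": "suspended", "mfa_enabled": False},  # already deprovisioned
]


def reconcile(hr_roster, saas_users, as_of, sla_days=DEPROVISION_SLA_DAYS):
    """Return sorted Findings for every active SaaS account that violates a CUEC."""
    findings = []
    for user in saas_users:
        email = user["email"].strip().lower()
        if user["status"] != "active":
            continue  # suspended/deleted accounts are already handled
        if email not in hr_roster:
            # An active account nobody in HR vouches for: orphan or contractor
            # that was never recorded; either way it needs an owner.
            findings.append(Finding(email, "active account with no HR record"))
            continue
        terminated = hr_roster[email]
        if terminated is not None:
            days_past_sla = (as_of - terminated).days - sla_days
            if days_past_sla > 0:
                findings.append(Finding(
                    email,
                    f"terminated {terminated.isoformat()}, still active "
                    f"{days_past_sla} day(s) past SLA",
                ))
        if not user["mfa_enabled"]:
            # Still flagged even inside the deprovisioning window: the account
            # is live and unprotected until it is actually disabled.
            findings.append(Finding(email, "MFA not enabled"))
    return sorted(findings, key=lambda f: (f.email, f.issue))


def run_example():
    """Run the reconciliation over the constructed data as of AS_OF."""
    return reconcile(HR_ROSTER, SAAS_USERS, AS_OF)


if __name__ == "__main__":
    for finding in run_example():
        print(f"{finding.email}: {finding.issue}")
```

The output is the evidence you would attach to your own control: the list should be empty at each review, and any non-empty result is a gap in your operation of the CUEC, not a finding against the vendor. Tighten or loosen `sla_days` to whatever your offboarding policy commits to.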

For a service organization, documenting CUECs clearly helps customers understand the shared-responsibility boundary and reduces back-and-forth during their reviews. Templates and a well-structured report help you articulate these responsibilities, but documentation does not produce the auditor's assurance — the SOC 2 examination by a licensed CPA firm does.

Related terms: Service Organization · Trust Services Criteria (TSC) · Vendor Risk Management · Access Control

Frequently asked questions

Who is responsible for Complementary User Entity Controls?
The user entity — the customer — is responsible for implementing CUECs. The service organization lists them in its SOC 2 report, but the stated Trust Services Criteria objectives are met only if the customer actually operates these controls.
What is the difference between CUECs and CSOCs?
CUECs are controls the customer (user entity) is expected to implement. CSOCs — complementary subservice organization controls — are controls the service organization expects its own subservice vendors to implement. They address different parties in the chain.
Where do I find CUECs in a SOC 2 report?
They are listed in the report's description of the system, usually near the controls they relate to. When reviewing a vendor's SOC 2, read the CUECs to confirm which security responsibilities fall to you, and treat each one as a control you must operate and evidence in your own environment; a gap there is your finding, not the vendor's.

Toolkits that cover Complementary User Entity Controls (CUECs)

SOC 2 Trust Services Criteria

SOC 2 Policy Pack — Core

15 editable SOC 2 policies mapped to the Trust Services Criteria — the document set your auditor asks for first.

$59 (30% off with code)
SOC 2 Trust Services Criteria

SOC 2 Complete Toolkit

22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.

$99 (30% off with code)
SOC 2 + AI Governance

Startup Trust Pack — SOC 2 + AI Governance

25 editable documents bundling the SOC 2 Core policy set with the full AI Governance pack — answer enterprise security questionnaires AND the new AI-policy questions in one purchase.

$89 (30% off with code)

Learn more in our SOC 2 guide, explore the editable policy templates, or browse the full compliance glossary.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.