We're excited to announce that we'll be joining the One Trust family! Together we'll help companies get certified, build trust, and win deals. Find out more about it here on the Helm or check out our official press release. Feel free to leave a comment or question regarding the big news.

complementary user entity controls

I am having a hard time understanding exactly what complementary user entity controls are and how to identify them. I was wondering if someone could shed some light on this for me.


  • @travis_fahlgren - Complementary User Entity Controls (CUEC) are all controls within the service organization's processes that rely on the user entity for implementation and function.

    For example, let's take AWS and Tugboat Logic. Tugboat Logic is the User Entity and AWS is the Service Organization. Tugboat Logic ensures that its employees with privileged access to AWS have their accounts provisioned and de-provisioned in a timely manner. We make sure that we enable disk encryption, etc. For AWS to fulfill its security control objectives, the end users of their systems need to do their part. Those are the CUECs.

    In a way, CUECs are a way to clarify who is responsible for what.

    Hope that helps!