Back to Blog
SOC 2 5 min read

SOC 2 NDA for Report Distribution: Template and Guidance

SOC 2 reports must be shared under NDA. A template for your report NDA, what clauses to include, and how to manage report distribution efficiently.

Key Takeaways
  • SOC 2 reports should be distributed under a Non-Disclosure Agreement to protect sensitive control information.
  • A report-specific NDA is 1–2 pages and can be signed electronically (DocuSign) within minutes.
  • Key NDA clauses: definition of confidential information, permitted use, non-disclosure to third parties, duration.
  • Track every report distribution in a log — your auditor may request a distribution list.
  • A click-through NDA on your trust centre is the lowest-friction approach for high-volume distribution.

Why a Report NDA Is Necessary

SOC 2 reports contain: your detailed control environment descriptions, auditor testing procedures and results, exceptions found and management responses, system architecture information, and data handling procedures. This information could help an attacker understand your security control landscape.

The AICPA's AT-C Section 205 guidance notes that SOC 2 reports are intended for "specified parties" who have sufficient knowledge to understand the report. Most CPA firms include specific distribution restriction language in the report itself.

Key NDA Clauses

Definition of confidential information: specifically define the SOC 2 report, including all attachments and exhibits, as "Confidential Information."

Permitted use: the recipient may use the report solely for the purpose of evaluating the company as a vendor for the recipient's security and compliance assessment. No other use is permitted.

Non-disclosure: the recipient shall not share the report with any third party without the company's prior written consent. Permitted disclosures: the recipient's legal and compliance advisors who have a need to know and are bound by equivalent confidentiality obligations.

Return or destruction: upon request by the company, the recipient shall promptly destroy or return the report and all copies.

Duration: confidentiality obligations survive for 2–3 years following the last date of the report.

Template Language

"[Company Legal Name] ("Company") is providing this SOC 2 Type II Report ("Report") to the undersigned recipient ("Recipient") solely to enable Recipient to evaluate Company as a technology vendor. The Report constitutes confidential information of Company. Recipient agrees to: (i) maintain the Report in strict confidence using not less than the same care used to protect its own confidential information; (ii) use the Report solely for vendor evaluation purposes; (iii) not disclose the Report to any third party without Company's prior written consent; and (iv) promptly destroy or return the Report upon Company's request."

"This Agreement will be governed by the laws of [jurisdiction] and will survive for three (3) years from the date of last receipt of the Report. By signing below, Recipient acknowledges receipt of this Agreement and the Report."

Distribution Process

Manual NDA process: (1) Prospect requests the report (via email, trust centre form, or sales rep). (2) Sales or compliance sends the NDA template via DocuSign to the requestor's named contact. (3) NDA is signed and countersigned (target: same business day). (4) Report is emailed as a PDF to the signed contact.

Click-through NDA: for high-volume distribution, build a self-service page on your trust centre: "To receive our SOC 2 Type II Report, please review and accept the following terms." After acceptance (logged with IP and timestamp), the report is available for download. This is the lowest-friction approach.

Target response time: 24 hours from report request to report delivery. Enterprise buyers conducting security reviews are often time-sensitive. Same-day delivery for signed NDA responses signals operational maturity.

Tracking and Record-Keeping

Maintain a report distribution log: company name, requestor name and title, NDA execution date, report version sent, and date sent. Review this log when you issue a new report — contact previous recipients to offer the updated version.

Your auditor may ask about report distribution as part of the next engagement. Being able to provide a complete, accurate distribution log demonstrates responsible report management.

Retention: retain NDA agreements for the confidentiality obligation duration (typically 3 years) plus your document retention period. DocuSign and similar tools maintain executed agreements automatically.

Frequently Asked Questions

Can a prospect refuse to sign an NDA before receiving our SOC 2 report?
Some large enterprises have policies against signing external NDAs (they prefer to receive information under their own NDA). In this case: offer to use their mutual NDA (review it quickly for compatibility) or a click-through acceptance. An enterprise buyer who refuses any confidentiality mechanism before receiving your SOC 2 report is unusual — most expect and accept an NDA.
Do we need a separate NDA for each report update?
If your original NDA covers "the SOC 2 report and all subsequent updates," a separate NDA for each annual renewal is not required. If the original NDA covers only the specific report version, new NDAs are needed for new reports. Draft your NDA to cover all report versions to avoid annual re-execution.
Can competitors request and receive our SOC 2 report?
Technically yes, but you can decline. Your NDA can specify that the report is for vendor evaluation purposes only. If a competitor requests it without a genuine procurement context, you can decline the request citing the restriction.
Is DocuSign appropriate for SOC 2 report NDAs?
Yes. DocuSign and equivalent electronic signature platforms (HelloSign, Adobe Sign) produce legally binding electronic signatures in most jurisdictions including the US and India. The executed NDA should be retained in DocuSign's secure archive or downloaded to your document management system.
What if a report recipient shares the report without authorisation?
This is a breach of the NDA and potentially your trade secret protections. Your recourse: a formal demand letter for immediate destruction of all copies, followed by legal action if not complied with. Practically, unauthorised distribution is rare — the NDA's value is deterrent and not just remedial.

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.

Start for free