SOC 2 NDA for Report Distribution: Template and Guidance
SOC 2 reports must be shared under NDA. A template for your report NDA, what clauses to include, and how to manage report distribution efficiently.
- SOC 2 reports should be distributed under a Non-Disclosure Agreement to protect sensitive control information.
- A report-specific NDA is 1–2 pages and can be signed electronically (DocuSign) within minutes.
- Key NDA clauses: definition of confidential information, permitted use, non-disclosure to third parties, duration.
- Track every report distribution in a log — your auditor may request a distribution list.
- A click-through NDA on your trust centre is the lowest-friction approach for high-volume distribution.
In this guide
Why a Report NDA Is Necessary
SOC 2 reports contain: your detailed control environment descriptions, auditor testing procedures and results, exceptions found and management responses, system architecture information, and data handling procedures. This information could help an attacker understand your security control landscape.
The AICPA's AT-C Section 205 guidance notes that SOC 2 reports are intended for "specified parties" who have sufficient knowledge to understand the report. Most CPA firms include specific distribution restriction language in the report itself.
Key NDA Clauses
Definition of confidential information: specifically define the SOC 2 report, including all attachments and exhibits, as "Confidential Information."
Permitted use: the recipient may use the report solely for the purpose of evaluating the company as a vendor for the recipient's security and compliance assessment. No other use is permitted.
Non-disclosure: the recipient shall not share the report with any third party without the company's prior written consent. Permitted disclosures: the recipient's legal and compliance advisors who have a need to know and are bound by equivalent confidentiality obligations.
Return or destruction: upon request by the company, the recipient shall promptly destroy or return the report and all copies.
Duration: confidentiality obligations survive for 2–3 years following the last date of the report.
Template Language
"[Company Legal Name] ("Company") is providing this SOC 2 Type II Report ("Report") to the undersigned recipient ("Recipient") solely to enable Recipient to evaluate Company as a technology vendor. The Report constitutes confidential information of Company. Recipient agrees to: (i) maintain the Report in strict confidence using not less than the same care used to protect its own confidential information; (ii) use the Report solely for vendor evaluation purposes; (iii) not disclose the Report to any third party without Company's prior written consent; and (iv) promptly destroy or return the Report upon Company's request."
"This Agreement will be governed by the laws of [jurisdiction] and will survive for three (3) years from the date of last receipt of the Report. By signing below, Recipient acknowledges receipt of this Agreement and the Report."
Distribution Process
Manual NDA process: (1) Prospect requests the report (via email, trust centre form, or sales rep). (2) Sales or compliance sends the NDA template via DocuSign to the requestor's named contact. (3) NDA is signed and countersigned (target: same business day). (4) Report is emailed as a PDF to the signed contact.
Click-through NDA: for high-volume distribution, build a self-service page on your trust centre: "To receive our SOC 2 Type II Report, please review and accept the following terms." After acceptance (logged with IP and timestamp), the report is available for download. This is the lowest-friction approach.
Target response time: 24 hours from report request to report delivery. Enterprise buyers conducting security reviews are often time-sensitive. Same-day delivery for signed NDA responses signals operational maturity.
Tracking and Record-Keeping
Maintain a report distribution log: company name, requestor name and title, NDA execution date, report version sent, and date sent. Review this log when you issue a new report — contact previous recipients to offer the updated version.
Your auditor may ask about report distribution as part of the next engagement. Being able to provide a complete, accurate distribution log demonstrates responsible report management.
Retention: retain NDA agreements for the confidentiality obligation duration (typically 3 years) plus your document retention period. DocuSign and similar tools maintain executed agreements automatically.
Frequently Asked Questions
Can a prospect refuse to sign an NDA before receiving our SOC 2 report?
Do we need a separate NDA for each report update?
Can competitors request and receive our SOC 2 report?
Is DocuSign appropriate for SOC 2 report NDAs?
What if a report recipient shares the report without authorisation?
Automate your compliance today
AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.
Start for free