Back to Blog
Industry 6 min read

How to Share Your SOC 2 Report with Customers and Prospects

SOC 2 reports contain sensitive control detail. Learn the right process for sharing under NDA, building a trust centre, and handling prospect security review requests.

Key Takeaways
  • SOC 2 reports should be shared under NDA — they contain detailed control descriptions that could benefit attackers.
  • SOC 3 is the public-facing version: post it on your website freely without NDA.
  • Build a simple report request workflow: prospect requests → NDA signed → report delivered within 24 hours.
  • Track who has received your SOC 2 report in a log — your auditor may ask about report distribution.
  • Enterprise buyers expect a response to SOC 2 report requests within 1 business day.

Why Reports Need NDA Protection

A SOC 2 Type II report contains: a description of your system architecture, a list of your controls and how they operate, auditor testing procedures and sample results, and any exceptions found. This is operationally sensitive information — a detailed map of your security programme that an attacker could use to identify weaknesses.

Most CPA firms include distribution restriction language in the report itself, typically in the introductory section: "This report is intended solely for the information and use of [Company] and the user organisations that have contracted with [Company] during the specified period..." AICPA standards require that you control who receives the report.

SOC 3 for Public Distribution

SOC 3 is designed specifically for public distribution. It contains the auditor's opinion without the detailed control descriptions and test results. Post it on your security trust centre page, include the AICPA seal or your auditor's equivalent seal, and reference it in sales conversations.

SOC 3 achieves: prospects can verify you have an independent audit without your sharing operational control details publicly. It is the right format for your website, press releases, and marketing materials.

Building a Request Workflow

Create a simple, responsive workflow for SOC 2 report requests: (1) Prospect requests the report (via your trust centre form, email, or directly from your sales rep). (2) You send a standard mutual NDA (pre-prepared, 1–2 pages). (3) Prospect signs and returns the NDA (same day or next day). (4) You send the PDF report within 24 hours of NDA execution.

Speed matters in enterprise sales. A 5-day turnaround on a SOC 2 report request signals operational unreadiness. Have your NDA template and report ready to send immediately.

Assign ownership: who in your organisation owns the report request process? Typically the Head of Sales, Sales Operations, or Security/Compliance function. Ensure this person (or their backup) can respond within 1 business day.

NDA Options

Option 1: Mutual NDA specifically for SOC 2 report sharing. 1–2 pages. Covers: definition of confidential information (the report), permitted use (security assessment only, not shared with third parties without consent), return or destruction of the report on request, and duration (typically 2 years).

Option 2: Use the prospect's standard mutual NDA if they send one. Review quickly — most standard mutual NDAs are acceptable for report sharing purposes.

Option 3: SOC 2 report-specific click-through NDA on your website. Prospects click "I agree to the following terms" and immediately download the report. This is the lowest-friction option but requires careful NDA drafting to ensure enforceability.

Tracking Report Distribution

Maintain a log of who has received your SOC 2 report: company name, recipient name and title, NDA execution date, report sent date, and report version. Your auditor may ask about report distribution as part of next year's engagement. Some auditor firms require a representation from management confirming the report was only distributed to appropriate recipients.

This log also helps you proactively reach out when you issue a new report: "Our updated SOC 2 Type II report covering [new period] is now available. Would you like us to send the updated version under the existing NDA?" This is a useful customer success and renewal conversation opportunity.

Trust Centre Strategy

A well-designed trust centre reduces inbound security questions and demonstrates security maturity before sales conversations begin. Include: SOC 3 report or seal, current compliance status (SOC 2 Type II report period, ISO 27001 certificate number), security overview (encryption at rest/in transit, access control approach, backup and DR), privacy information (link to privacy policy, DPDP Act and GDPR status), and a request form for the full SOC 2 report.

Update your trust centre every time you receive a new SOC 2 report. Stale information (a trust centre showing a report from 18 months ago) erodes rather than builds trust.

Frequently Asked Questions

Can we share our SOC 2 report with any customer without an NDA?
Technically you can, but it is not recommended. The report contains operational security detail that could be useful to attackers. CPA firms typically require distribution to be restricted to relevant parties under confidentiality agreements. For enterprise security reviews, an NDA is standard practice and expected.
How do we handle competitors who request our SOC 2 report?
You can decline to share with parties who are not legitimate customers or prospects. The NDA can include a clause specifying that the report may only be used for vendor security evaluation purposes. If a competitor requests the report, you can decline or request evidence of a genuine vendor evaluation context.
How often should we update the SOC 2 report on our trust centre?
Update your trust centre immediately when you receive a new report (annually for Type II). Clearly display the report period covered (e.g. "Type II report covering April 2025 – March 2026"). Prospects will notice a trust centre showing a report over 12 months old.
Should we share our management response to exceptions in the report?
Yes — the management response is part of the report. Do not edit or omit exceptions before sharing. Enterprise security reviewers will notice if the report appears incomplete. A strong management response that explains root cause and remediation of exceptions can actually build more trust than a report with no exceptions (which may raise questions about audit thoroughness).
Can we reference specific sections of the SOC 2 report in RFP responses?
Yes. When completing security questionnaires, reference specific control descriptions from your SOC 2 report by criterion number and page. For example: "See attached SOC 2 Type II report, Section IV, Criterion CC6.2 for evidence of our access control procedures." This is efficient and auditor-verified.

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.

Start for free