
SOC 3 reports: the public-use version of your SOC 2

SOC 3 is the publicly distributable version of a SOC 2 Type II. Here is what it contains, how it is produced, and when it is worth adding to your audit.

Your marketing team wants a compliance badge on the homepage. Your security team will not let the SOC 2 report out the door without an NDA. Both are right, and the report that resolves the argument is the SOC 3.

Here is what a SOC 3 actually is, how it gets produced, and when it earns the extra line on your audit invoice.

The short answer

A SOC 3 is the publicly distributable version of a SOC 2 Type II. Same CPA firm, same Trust Services Criteria, same observation window, same testing. The difference is the deliverable. A SOC 3 is a short, general-use report you can post on your website, attach to a prospect's email without an NDA, or drop into an investor deck. It does not include the system description detail or the control test tables that make a SOC 2 sensitive.

The AICPA's formal name for it is the SOC for Service Organizations: Trust Services Criteria for General Use Report. Everyone else calls it a SOC 3. It sits alongside SOC 1 and SOC 2 in the AICPA's SOC suite of services, and a finished report follows the shape of the AICPA's illustrative SOC 3 template.

If you have never read a SOC 2 cover to cover, start with the pillar primer on what SOC 2 compliance is. The rest of this post assumes that context.

How a SOC 3 is produced

A SOC 3 is not a separate engagement. It is a second deliverable derived from a SOC 2 Type II that has already been performed.

The mechanics:

  • Your CPA firm performs the SOC 2 Type II against the applicable Trust Services Criteria. Security is mandatory. Availability, Confidentiality, Processing Integrity, and Privacy are additive based on the commitments you make to customers.
  • The same testing supports both reports. The auditor does not run a second set of procedures for the SOC 3. If you want the ground-level view of what that testing looks like, see our walkthrough of the SOC 2 audit process.
  • At the end of the engagement, the firm issues two documents. The SOC 2 is the long, restricted-use report. The SOC 3 is the short, general-use report.

The same AICPA attestation standards apply (SOC 2 and SOC 3 engagements are performed under the attestation standards clarified and recodified in SSAE No. 18), and only a licensed CPA firm can issue either report. A compliance platform, a consultancy, or a "virtual CISO" cannot issue your SOC 3, just as they cannot issue your SOC 2.

There is no SOC 3 equivalent for SOC 1. The financial-reporting audience that reads a SOC 1 report does not exist in a marketing context, so the AICPA never defined a general-use version. If you are weighing which report you actually need, the SOC 1 vs SOC 2 comparison is the right next read.

You cannot produce a SOC 3 from a SOC 2 Type I, either. General-use distribution requires the operating-effectiveness evidence that only a Type II engagement produces.

What is in a SOC 3

A SOC 3 is short, usually three to five pages. It contains:

  • The independent auditor's report. One page. The opinion on whether your controls were suitably designed and operated effectively over the period.
  • Management's assertion. A short statement from your leadership confirming the controls met the applicable Trust Services Criteria.
  • A brief, unrestricted-use system description. A paragraph or two describing what your service does and what is in scope. Nothing like the Section 3 detail of a SOC 2.

What is not in a SOC 3 is the point:

  • No detailed system description with subservice organizations, infrastructure diagrams, and data flow.
  • No table of controls.
  • No description of the auditor's tests.
  • No exceptions list.

Those last three omissions matter. The full SOC 2 Section 4 control table, with the auditor's tests and the exceptions column, is exactly what an enterprise procurement team reads when they evaluate you. A SOC 3 gives them none of it. That is a feature for public distribution and a bug for serious vendor review.

SOC 2 vs SOC 3

A SOC 2 answers a procurement team's questions. A SOC 3 answers a prospect's question before they have sent the questionnaire.

The two reports serve different audiences in the same sales funnel.

A SOC 2 is restricted-use. The cover page says so, and the AICPA standards require it. Your auditor issues it on the assumption that readers are customers, prospects under NDA, regulators, or other parties who understand the report and its limitations. A security team flips straight to Section 4 and reads the exceptions column. They need the detail.

A SOC 3 is general-use. Anyone can read it. Because anyone can read it, the report is scrubbed of everything that would help a sophisticated reader evaluate your control design in depth. A prospect's security engineer cannot use it to replace the SOC 2 for vendor review. They can use it to confirm that a current, clean SOC 2 exists.

The right way to think about it: a SOC 3 is a credible public signal, not a procurement document. It says "we have passed an annual SOC 2 Type II, and here is the auditor's opinion you can verify." The buyer still requests the SOC 2 when the deal gets to vendor risk.

When a SOC 3 is worth it

A SOC 3 earns its keep when the public signal is worth more than the cost of producing it. Since the testing is already done, that cost is mostly the marginal fee your firm charges to issue the second deliverable: usually a few thousand dollars, sometimes bundled into the SOC 2 fee.

The cases where we see it pay off:

  • A trust center or security page. A downloadable SOC 3 PDF next to your security writeup removes a friction step for prospects who want quick reassurance before they fill out the questionnaire.
  • Self-serve and mid-market sales motions. Deals that close without a vendor-risk review still benefit from a public compliance signal. Gating every download behind an NDA when the ACV is $30k is too much friction.
  • Investor decks and fundraising. Due diligence is faster when counsel can verify the auditor's opinion from a public source.
  • Partner marketplaces and RFP responses. Many marketplace listings and RFP templates have an "attach SOC report" field that a SOC 3 fills cleanly without NDA negotiation.
  • AWS Artifact-style publishing. If you sell into an ecosystem where buyers expect a standing, publicly verifiable attestation, a SOC 3 is the document that fits that expectation.

When it is not worth it

A SOC 3 is not worth buying in two common situations.

First, if your entire go-to-market is enterprise and every deal runs through vendor risk. Those buyers want the full SOC 2 every time. A SOC 3 sitting next to it on the marketing page is a rounding error on their decision, and you are paying to produce a document nobody in your actual sales process reads.

Second, if you do not have a SOC 2 Type II yet. A SOC 3 is derived from that engagement. Buying it before you have an operating-effectiveness report to derive it from is not possible.

There is a third trap worth naming. Some companies treat a SOC 3 as a replacement for the SOC 2 in sales conversations because it avoids the NDA step. That backfires. A sophisticated buyer will ask for the SOC 2 within one email, and leading with a SOC 3 reads as either naivete or an attempt to hide something.

How to use a SOC 3

Once you have one, the delivery channels are straightforward.

  • Link it from your trust page. One click, no form, no NDA. Include the report's period and the auditor's name.
  • Refresh it every annual cycle. A stale SOC 3 is worse than no SOC 3. Between report periods, the bridge letter mechanics that cover the SOC 2 apply here too in spirit, though the SOC 3 itself is not bridged. The public-facing version is either the current period's report or it is stale.
  • Publish the auditor's opinion page prominently. That is the signal your readers will copy into their notes.
  • Do not edit it. Companies occasionally try to reformat or trim the report. The cover page, the opinion, and the assertion are issued documents. Post the PDF your firm issued.

The reports page in our services section is where clients land when they are trying to figure out which SOC deliverables they need, and the compliance overview on the same page lays out which framework maps to which audience. Most are deciding between SOC 1 and SOC 2, and whether to add a SOC 3 on top.


If you are running a SOC 2 Type II this year and wondering whether to add a SOC 3 to the engagement, get in touch and we will walk through whether your sales motion has the public-signal use case to make the second deliverable worth the line on the invoice.
