FAQ
FAQ’s
Are SOC reports public?

Are SOC reports public?

The SOC 2 report, by its nature, is a restricted-use document. So, it’s not made for public release unlike the SOC 3 report. The main reason for this is that the report contains highly confidential information about your company’s system and details about your controls.

Many service organizations wonder if they must give their SOC reports to potential clients. The simple answer is that they don’t have to. The SOC report belongs to the service organization, and there’s no obligation to share it.

However, it’s worth noting that sharing a SOC report can be beneficial for most organizations. While there are valid reasons for not sharing, many clients or potential clients look for SOC reports or third-party certifications to feel secure about the service organization’s control environment.

Sharing your SOC report is essential to prove that you meet specific control objectives (for SOC 1) or Trust Services Criteria (for SOC 2). Without sharing, each client or their auditors must assess your controls themselves.

Thankfully, you can indeed share your SOC reports with certain entities. The report’s limited distribution specifies who these entities are. So, while you’re not obligated to make it public, you can still share it with the right parties mentioned in the report.

Was this article helpful?

How can we improve this article?

Related questions

  • How often is HIPAA training required?
  • What is the key to HIPAA compliance?
  • What are examples of covered entities?
  • How to share my SOC 2 report?
  • How long does a SOC 2 audit take?
  • How long does it take to get SOC 2 compliant?
  • How long is a SOC 2 report valid?
  • What does SOC 2 stand for?
  • How to review a SOC 2 report?

Get SOC 2 compliance
ready in 4 weeks!

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.