Are SOC reports public?

The SOC 2 report is, by its nature, a restricted-use document, so unlike the SOC 3 report it is not intended for public release. The main reason is that the report contains highly confidential information about your company’s system and details about your controls.

Many service organizations wonder if they must give their SOC reports to potential clients. The simple answer is that they don’t have to. The SOC report belongs to the service organization, and there’s no obligation to share it.

However, it’s worth noting that sharing a SOC report can be beneficial for most organizations. While there are valid reasons for not sharing, many clients or potential clients look for SOC reports or third-party certifications to feel secure about the service organization’s control environment.

Sharing your SOC report is essential to prove that you meet specific control objectives (for SOC 1) or Trust Services Criteria (for SOC 2). Without sharing, each client or their auditors must assess your controls themselves.

Thankfully, you can share your SOC reports with certain entities. The report’s limited-distribution restriction specifies who these entities are. So, while you’re not obligated to make the report public, you can still share it with the right parties mentioned in the report.
