Buyer guide · Last verified 2026-05-13

Can customers see my SOC 2 report?

Short answer

Yes, but not publicly. SOC 2 reports are confidential by industry convention and shared only under a signed NDA. The report contains detailed system descriptions, control procedures, and sometimes specific exceptions: information that would be useful to an attacker or a competitor. The standard process is to share the full report with customers and serious prospects after a mutual NDA, and to post a public trust center page that confirms your report type, audit period, auditor name, and scope without disclosing the report itself. Most GRC platforms include a trust center feature that automates the NDA-gated distribution and logs who has accessed the report.

One of 8 SOC 2 buyer guides we maintain.

What people get wrong

Some teams post their SOC 2 report publicly on their website, reasoning that transparency builds trust. This is not recommended, and most auditors advise against it, because the control descriptions give potential attackers a detailed map of your environment.

What a trust center should and should not show

Public-facing trust center page (no NDA needed):

  • Report type (Type 1 or Type 2) and audit period
  • Auditor firm name
  • Scope: which Trust Services Criteria are covered (Security, Availability, Confidentiality, Processing Integrity, Privacy)
  • Sub-processor list and your data handling overview
  • Public versions of policies (security overview, privacy notice)

NDA-gated (full report request flow):

  • The full SOC 2 report PDF
  • The detailed system description
  • The test results and any exceptions
  • Bridge letters for the gap between report periods

Why public posting is a bad idea

The system description in a SOC 2 report is essentially a target package: production architecture, control owners, backup cadences, vendor list, sometimes specific tooling versions. Most auditors include language in the engagement letter restricting how the report can be distributed, and many explicitly prohibit unrestricted public posting. Beyond the audit firm’s preference, a public report tells attackers exactly what to probe.

Practical trust center setup

The lightweight setup most teams use: a /trust or /security page on the marketing site listing the bullets above, plus a “request the full report” form that triggers an NDA via a tool like Whistic, SafeBase, Vanta Trust Center, or Drata Trust Center. The form should capture: company name, requester email, intended use, and a click-through NDA. The full report PDF gets watermarked with the requester’s company on each download.
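As an added example (not code from this guide or from any of the tools named above), the gating logic behind such a form: validate the submission, refuse the download until the click-through NDA is accepted, append a record to an access log, and produce a per-download watermark label bound to the requester with an HMAC tag so a leaked page can be traced to the download that produced it. It assumes a separate PDF tool stamps the returned label onto each page, and the signing key is a constructed placeholder.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder; in a real deployment the key comes from a secrets store.
SIGNING_KEY = b"example-signing-key-replace-me"
REQUIRED_FIELDS = ("company", "email", "intended_use")
PREFIX = "CONFIDENTIAL - NDA - "

def validate_request(req: dict) -> list:
    """Return the problems with a report-request submission; an empty list means OK."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not str(req.get(f, "")).strip()]
    if not req.get("nda_accepted"):
        problems.append("click-through NDA not accepted")
    if "@" not in str(req.get("email", "")):
        problems.append("email looks invalid")
    return problems

def watermark_label(req: dict, issued_at: datetime) -> str:
    """Per-download watermark text: requester identity plus a truncated HMAC tag."""
    stamp = issued_at.strftime("%Y-%m-%dT%H:%M:%SZ")
    body = f"{req['company']} | {req['email']} | {stamp}"
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{PREFIX}{body} | {tag}"

def verify_watermark(label: str) -> bool:
    """Check that a watermark string read off a copy was issued by us and not altered."""
    if not label.startswith(PREFIX) or " | " not in label:
        return False
    prefix, tag = label.rsplit(" | ", 1)
    body = prefix[len(PREFIX):]
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()[:12]
    return hmac.compare_digest(tag, expected)

def gate_download(req: dict, access_log: list, now: datetime = None) -> dict:
    """Grant or deny a report download; every attempt, granted or not, is logged."""
    now = now or datetime.now(timezone.utc)
    problems = validate_request(req)
    entry = {"at": now.isoformat(), "company": req.get("company"), "email": req.get("email"),
             "intended_use": req.get("intended_use"), "granted": not problems, "reason": problems}
    if not problems:
        entry["watermark"] = watermark_label(req, now)
    access_log.append(json.dumps(entry))  # one JSON line per attempt, suitable for a SIEM
    return {"granted": not problems, "watermark": entry.get("watermark"), "problems": problems}
```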

When you do not have a report yet

A trust center page is still worth building. Listing your security program, sub-processors, and a roadmap to SOC 2 (with a target date) is a credible substitute for buyers willing to bridge with you for 6 to 12 months. It also pre-populates the exact data points enterprise procurement teams will ask about later.