With whom can I share the SOC 2 Report?
SOC 2 reports are considered ‘limited distribution’ reports, meaning that your organization should share its report only with customers, prospects, or stakeholders who explicitly ask to see it; do not post your report on your website or social media accounts. Further, while not required, it is strongly recommended that the interested party sign a non-disclosure agreement before gaining access.
Can I share a specific section of the report?
SOC 2 reports are only regarded as valid in their entirety. This means that your organization should not carve out any sections to share. When sharing your report, all pages should be included (as opposed to only sharing the System Description, for example).
Is there other documentation that's helpful to share with customers, prospects, or stakeholders?
If your organization is interested in sharing your overall compliance program and security posture without sharing a document as sensitive as a SOC 2 report, consider:
Utilizing Strike Graph's Security Overview trust asset
Unlike a SOC 2 report, this feature allows you to customize the content that is shared; you can create and deliver as much information as your organization is comfortable with.
Note: Before generating your report, ensure that all controls that you’d like included are manually assigned the "In Place" progress flag.
Obtaining a SOC 3 report
A SOC 3 is a less-detailed and more public-facing version of the SOC 2 Type 2 report that omits confidential information and therefore can be shared more freely than a SOC 2 report.
Note: SOC 3 reports are not available for SOC 2 Type 1 certifications.
Questions?
Reach out through our chat feature for real-time Customer Success support 8 AM-5 PM PT Monday through Friday.