SOC 3 Reports Explained

The what, when, and why of a SOC 3 Report

Written by Stephanie Lorraine
Updated over a week ago

What is a SOC 3 Report?

The SOC 3 report, prepared by a third-party auditor, is based on the AICPA (American Institute of Certified Public Accountants) Trust Services Principles, which assess five criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. As with SOC 2, Security is mandatory. You can choose to add any relevant Trust Services Criteria (TSCs) to your SOC 3, just as you would for your SOC 2 audit.

The main objective of a SOC 3 Audit Report is to demonstrate the strength of an organization’s internal controls. It’s a less detailed, more public-facing version of the SOC 2 Type 2 report that omits confidential information and can therefore be shared more freely than a SOC 2 report.

The SOC 3 Report includes four sections:

  • Service Organization Management’s Assertion

  • Independent Service Auditor’s Report

    • This speaks to the commitment the audited company has made to having a strong security posture.

  • Description of the Boundaries of Service Organization’s System

  • Principal Service Commitments and System Requirements

    • Map between controls that were tested and the security requirements outlined by the AICPA

When should I get a SOC 3 Report?

If you want to obtain a SOC 3 report for your organization, it’s important to know where your organization stands with your SOC 2 Type 2 compliance. It is best to receive a SOC 3 Report at the same time you are pursuing your SOC 2 Type 2. You cannot receive a SOC 3 Report with a SOC 2 Type 1.

Are you getting ready to achieve a SOC 2 Type 2 report?

This is a great time to add a SOC 3 report to your upcoming SOC 2 Type 2 audit. As previously mentioned, both a SOC 2 Type 2 and a SOC 3 require the same information for an auditor, so it is most efficient to achieve them simultaneously.

Why should I get a SOC 3 Report?

If your organization is looking for an easy way to share your compliance status publicly, a SOC 3 report will be a great add-on. A SOC 3 report is designed to instill confidence in your organization without sharing the same level of detail as a SOC 2 Type 2 report, so there is no need to reserve its contents for customers or select prospects. This opens the door for your organization to use your SOC 3 in marketing materials and even publish the report on your website.

For more guidance, reach out through our chat feature for real-time Customer Success support 8 am - 5 pm PT Monday through Friday.
