Can I post my SOC 2 report on my public website?

No, by industry convention. SOC 2 reports are confidential. Posting publicly would violate the auditor's report distribution clause and expose detailed control information. Post a trust center summary instead, with the full report available under NDA.

Do I need a separate NDA for each customer?

Yes, typically. Most companies use a standard mutual NDA template that takes 1 to 5 business days to execute. Some larger customers will want their own NDA. A trust center platform automates this for SaaS-style distribution.

Can I share just the auditor's opinion section without the full report?

Sometimes acceptable for SMB diligence; rarely for enterprise. Most enterprise security teams require the full report including the description of controls and the auditor's testing detail. Selective sharing is not standard practice.

Who owns the SOC 2 report — me or the auditor?

The report is issued to you, but the auditor retains intellectual property in the report format and language. You can share the report with permitted parties (typically defined as 'specified parties' in the engagement letter) but cannot republish or modify it.

DisclosureIndependent directory. Not a CPA firm. Nothing here is legal, audit, or tax advice. Methodology.

Can my customers see my SOC 2 report?

By Editorial team · Published 2026-04-26 · Last updated 2026-04-26

Yes, under NDA. SOC 2 reports are not public — they are shared one-to-one with customers and prospects after a signed mutual NDA.

Short answer: yes, but only under NDA. SOC 2 reports are confidential by industry convention. They contain detailed control descriptions, vendor names, and sometimes specific findings — information that would be sensitive in competitor or attacker hands. The standard distribution model is one-to-one sharing under a signed mutual NDA.

Who can see the full report

Existing customers with a signed master agreement that references SOC 2 reporting.
Active sales prospects who have signed a mutual NDA covering security documentation.
Channel partners, integrators, and service providers under partnership agreements.
Investors and acquirers in due-diligence processes under standard data-room NDAs.

What you can publish without an NDA

A trust center page summarizing your SOC 2 status (Type I or Type II), audit period, auditor, and last issuance date.
An auditor logo or seal — most CPA firms permit limited use of their name on customer trust centers.
A summary of the Trust Services Criteria you cover (Security only, or Security + Availability + Confidentiality, etc.).
Your management assertion if you wish — this is the cleaner public-facing artifact.

How the standard distribution flow works

Prospect requests SOC 2 report during procurement.
You send a mutual NDA template (or use the prospect's).
Both parties sign — typically through DocuSign or similar in 1 to 5 business days.
You share the PDF report through a secure delivery method: trust center download, encrypted email, or your data room.
The prospect's security team reviews and either signs off on procurement or sends follow-up questions.

Trust center platforms that streamline this

Most GRC platforms ship a trust center feature that automates NDA-gated report distribution. Vanta Trust, Drata Trust Center, and SafeBase are the most common. They handle the NDA acceptance, log who downloaded the report, and notify you on access. For startups, a free trust center page (Vanta or Drata) plus a manual NDA process is usually sufficient.

What happens if a SOC 2 report leaks

Practically, the auditor's reputation is at stake; yours is too. Most NDAs include damages clauses for unauthorized disclosure. The bigger downside is that detailed control descriptions become available to attackers and competitors, and your auditor may push you toward stricter distribution controls in subsequent cycles. Use a trust center with download tracking — manual emailing of the PDF is less defensible if a leak happens.