How to share a SOC 2 report securely
A SOC 2 Type 2 report contains detailed control descriptions you do not want forwarded around. Email is not the answer. Here is how to release it properly.
Why email attachments fail
Once the PDF is in someone's inbox you have no expiry, no watermark, no audit trail, and no way to revoke it. The same PDF then ends up in their next vendor review pack, and you will not know.
The minimum bar for a release flow
A defensible flow has four ingredients: an NDA (or signed acceptance), a watermark per requester, a time-limited link, and an audit log of every download.
Set the SOC 2 to NDA-required
In VendorLens, mark the SOC 2 PDF as NDA-required. It still appears on the trust page so buyers can see it exists, but downloading requires a request and an approved NDA.
Configure NDA acceptance
Use the built-in template, your own NDA text, or a DocuSign / SignNow flow. Decide whether requests auto-approve on signature or wait for manual review.
Watermark the download
VendorLens stamps a diagonal watermark with the requester's name and email on every page of the PDF at download time, so each released copy is unique to its requester. If the buyer forwards the file, the copy identifies where it came from. Treat the watermark as attribution, not prevention: it deters forwarding and makes a leak traceable, but it does not stop a determined recipient from copying the content.
Expire the link
The default token expiry is 24 hours. You can configure a longer window when a review genuinely needs it, but most reviews do not need more than a day, and a short expiry bounds how long a leaked or forwarded link stays usable. Expiry applies to the link, not to a copy that has already been downloaded; that is what the watermark and the audit log are for.
Keep the audit log
Every NDA signature, request, approval, view and download is logged with a timestamp. This is what you show to your own auditors when they ask how you control distribution.
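The mechanics behind the expiry and audit-log steps, as an added example in Python. This is illustration only, not VendorLens code, and it makes no claim about how VendorLens implements these steps: an HMAC-signed download token bound to one document, one requester and one time window; a verifier that rejects expired or tampered tokens; and an append-only log of every issuance, download and denial. The signing key, document id and requester addresses are constructed sample values, and the PDF stamping itself is left out.

```python
"""Time-limited, requester-bound download tokens with an audit log.

Added illustration only (not VendorLens code). SIGNING_KEY, the document id
and the requester addresses are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed sample key. In production load it from a secrets manager and rotate it.
SIGNING_KEY = b"example-only-signing-key-do-not-use"
DEFAULT_TTL_SECONDS = 24 * 60 * 60  # the 24 hour default described above

AUDIT_LOG: List[dict] = []  # in-memory stand-in for an append-only audit store


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _log(event: str, **fields) -> None:
    AUDIT_LOG.append({"ts": int(time.time()), "event": event, **fields})


def _sign(payload: str) -> bytes:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()


def issue_token(doc_id: str, requester: str, nda_approved: bool,
                ttl: int = DEFAULT_TTL_SECONDS, now: Optional[int] = None) -> str:
    """Issue a token for one document, one requester, one time window.

    Issuance is refused (and the refusal logged) unless the requester's NDA is approved.
    """
    if not nda_approved:
        _log("denied", doc=doc_id, requester=requester, reason="nda_not_approved")
        raise PermissionError("NDA not approved for this requester")
    now = int(time.time()) if now is None else now
    claims = {"doc": doc_id, "sub": requester, "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    _log("token_issued", doc=doc_id, requester=requester, exp=claims["exp"])
    return f"{payload}.{_b64(_sign(payload))}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is authentic and unexpired; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    payload, _, sig = token.partition(".")
    try:
        provided = _unb64(sig) if sig else b""
    except ValueError:  # binascii.Error is a ValueError subclass
        provided = b""
    # Check the MAC before trusting anything in the payload; constant-time compare.
    if not hmac.compare_digest(_sign(payload), provided):
        _log("denied", reason="bad_signature")
        raise ValueError("token signature invalid")
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        _log("denied", doc=claims["doc"], requester=claims["sub"], reason="expired")
        raise ValueError("token expired")
    return claims


def download(token: str, now: Optional[int] = None) -> dict:
    """Serve a download: verify the token, log it, and return the watermark text to stamp.

    The watermark is derived from the token's subject so every copy carries the
    identity it was released to. Stamping it onto the PDF pages is not shown here.
    """
    claims = verify_token(token, now)
    _log("download", doc=claims["doc"], requester=claims["sub"])
    return {"doc": claims["doc"], "watermark": f"CONFIDENTIAL - released to {claims['sub']}"}


def events() -> List[str]:
    """Event names in the order they were logged (what you would show an auditor)."""
    return [e["event"] for e in AUDIT_LOG]


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("soc2-type2-2024", "alice@example.com", nda_approved=True, now=t0)
    print(download(tok, now=t0 + 3600)["watermark"])
    try:
        download(tok, now=t0 + DEFAULT_TTL_SECONDS)  # one second past the window
    except ValueError as exc:
        print("rejected:", exc)
    print(events())
```

The `now` parameter exists so the expiry boundary can be exercised deterministically; in service code it is simply the current time. Note that every refusal is logged as well as every success, since a record of attempted access after expiry is exactly the kind of evidence a distribution-control audit asks for.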
Quick checklist
- SOC 2 PDF uploaded and marked NDA-required
- NDA template configured (or DocuSign / SignNow connected)
- Watermarking enabled
- Token expiry set to 24h (or your policy)
- Audit log accessible to your team