SOC 2 report access — public, private or NDA-gated?
The SOC 2 Type 2 report is the most powerful and the most dangerous document in your trust center. Powerful because it is the single piece of evidence that converts a skeptical procurement team into a buyer. Dangerous because it contains detailed control descriptions, system architecture notes, and exception lists that an attacker can use to map your environment. Every B2B vendor faces the same question: do we publish the report openly, gate it behind an NDA, or keep it private and share only on request? The answer depends on your stage, your buyer profile, and how tightly you can control distribution. This guide explains why the report is sensitive, what parts can safely be public, when withholding is the right call, and how to structure a buyer workflow that protects your security posture while closing deals faster.
Why a SOC 2 report is sensitive
A SOC 2 Type 2 report is not a marketing brochure. It is an auditor's detailed assessment of how your organisation manages the Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy — over a minimum six-month observation period. Inside the report you will find control descriptions that explain exactly how your infrastructure is segmented, how access is provisioned, how backups are scheduled, and how incidents are escalated. You will also find exception notes: controls that failed, findings that were not fully remediated by the observation period end date, and compensating controls that cover gaps.
All of this is valuable to a buyer who wants to understand your risk profile. It is equally valuable to a threat actor who wants to understand your attack surface. A report that lists your Identity Provider, your endpoint detection vendor, your backup cadence, and your encryption key rotation schedule is essentially a roadmap. Publishing it without restrictions is the security equivalent of leaving your network diagram on a public bulletin board.
The sensitivity does not mean you should hide the report. It means you should release it with controls: identity verification, a legal agreement, traceable downloads, and time-limited access. The goal is to give buyers enough confidence to sign while keeping the detailed control map out of unrestricted circulation.
What can be public vs what should be gated
Not everything in the SOC 2 package needs to be locked down. There are three tiers of SOC 2 content, and only the full report itself should be behind an NDA.
Public tier: the SOC 2 badge, a one-paragraph summary of scope and criteria, and the observation period dates. A public badge tells buyers you have passed an independent audit without exposing control detail. Most serious vendors display this on their homepage or trust center landing page. The summary should be two to three sentences: "VendorLens has completed a SOC 2 Type 2 examination covering the Security, Availability, and Confidentiality Trust Services Criteria for the period January 1 to June 30, 2026, performed by [auditor name]." No more, no less.
NDA-gated tier: the full SOC 2 Type 2 report, the bridge letter (if applicable), and the most recent letter of attestation. These contain the control matrix, the auditor's test results, the exception list, and the management response. Buyers who are in active procurement should have access, but only after they have identified themselves and agreed to confidentiality terms.
Internal-only tier: the raw evidence collection logs, the auditor's working papers, and any pre-remediation drafts. These are never shared externally. They belong to your security and compliance team and are surfaced only under legal compulsion or during an acquisition due diligence room.
The buyer's perspective: what they actually need
Understanding what buyers need helps you decide how much to share and how quickly to share it.
A mid-market SaaS buyer typically needs three things: proof that an independent audit happened, proof that the scope covers the service they are buying, and proof that the report is current. A public badge and a short summary satisfy the first two. The third usually requires seeing the report itself, which is where the NDA-gated download comes in.
An enterprise buyer or a financial-services buyer needs more. They want the full report, the bridge letter, the management response, and sometimes the right to contact the auditor directly. They may also want to see your exception list and how you handled findings. Enterprise procurement teams are trained to read SOC 2 reports in detail, and they will ask follow-up questions about specific controls. For these buyers, a smooth NDA workflow with fast approval is a competitive advantage.
A small startup buyer often does not need the full report at all. They may not have a security team capable of reading it, and they are evaluating you on signals of maturity rather than control detail. For this segment, the public badge and a short FAQ are usually enough to unblock the deal. Offering the full report anyway is fine, but do not be surprised if they never request it.
The seller workflow: from request to watermarked download
A clean workflow protects your report, satisfies buyers, and keeps your audit trail intact. Here is the flow we see working consistently at SaaS startups, SMBs, and small B2B teams.
Step one: the buyer lands on your trust portal and sees that a SOC 2 report is available. The listing shows the report date, the criteria covered, and the auditor name, but the download button is replaced with a "Request access" call to action. This sets expectation without exposing content.
Step two: the buyer fills in a short form — name, work email, company name, and reason for access. The form should reject personal email domains and flag requests from known competitors for manual review. This is your identity-verification checkpoint.
Step three: the buyer reviews and accepts your NDA. The NDA can be a lightweight built-in template, your own legal text, or a DocuSign / SignNow flow if you need fully audited e-signatures. The acceptance is timestamped and stored against the request.
Step four: your team approves the request. Manual approval is the right default for the first month so you can spot patterns and anomalies. Once you are comfortable, switch to auto-approval on signed NDA for known good domains.
Step five: the buyer receives a time-limited signed URL. The downloaded PDF is watermarked with the requester's name and email diagonally across every page. The default expiry is twenty-four hours, which is enough for a procurement review without creating a permanent copy you no longer control.
Step six: the audit log records every action. NDA signature, approval, download, and expiry are all timestamped with buyer identity. This is the evidence your own auditor will ask for under CC6.1 when they review how you control distribution of confidential customer information.
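The six steps above, reduced to code so the control points are concrete: domain triage at intake, an NDA-acceptance gate, auto versus manual approval, a requester-bound download link that dies after 24 hours, and an audit record for every action. This is an added example and not the portal code of any product named on this page; the domain lists, signing key, portal hostname and document id are constructed assumptions. The link is an HMAC over document id, requester and expiry, so editing any of those fields invalidates it, and the watermark string is recorded alongside the issued link so the audit log can later tie a leaked PDF back to a request.

```python
"""Controlled SOC 2 report release: intake triage, NDA acceptance, 24-hour
signed download URL and an audit trail. Added example, not the page's own
portal code; domain lists, key, hostname and doc id are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample lists; a real portal loads these from configuration.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
COMPETITOR_DOMAINS = {"rival-vendor.example"}
TRUSTED_DOMAINS = {"acme-buyer.example"}
SIGNING_KEY = b"replace-with-a-secret-from-your-kms"  # assumption, demo only
DEFAULT_TTL = 24 * 60 * 60  # the 24-hour default expiry from step five
PORTAL_BASE = "https://trust.vendor.example/download"  # assumed hostname


def triage_request(email: str) -> str:
    """Step two: reject personal domains, flag competitors for manual review,
    auto-approve known good domains, send everything else to manual review."""
    if email.count("@") != 1:
        return "reject"
    domain = email.rsplit("@", 1)[1].lower()
    if domain in PERSONAL_DOMAINS:
        return "reject"
    if domain in COMPETITOR_DOMAINS:
        return "manual_review"
    if domain in TRUSTED_DOMAINS:
        return "auto_approve"
    return "manual_review"


def _signature(doc_id: str, requester: str, expires: int) -> str:
    # HMAC over every field the link grants; changing any field breaks it.
    msg = f"{doc_id}|{requester}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_signed_url(doc_id: str, requester: str, now: int, ttl: int = DEFAULT_TTL) -> str:
    """Step five: a time-limited, requester-bound download link."""
    expires = now + ttl
    query = urlencode({"r": requester, "e": expires, "s": _signature(doc_id, requester, expires)})
    return f"{PORTAL_BASE}/{doc_id}?{query}"


def verify_signed_url(url: str, now: int):
    """Return (doc_id, requester) for a valid, unexpired link, else None."""
    parsed = urlparse(url)
    doc_id = parsed.path.rsplit("/", 1)[1]
    q = parse_qs(parsed.query)
    try:
        requester, expires, sig = q["r"][0], int(q["e"][0]), q["s"][0]
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(sig, _signature(doc_id, requester, expires)):
        return None  # tampered field or wrong key
    if now > expires:
        return None  # expired link: no permanent copy outside your control
    return doc_id, requester


@dataclass
class ReleaseRecord:
    """Step six: one audit record per request, every action timestamped."""
    requester: str
    company: str
    doc_id: str
    events: list = field(default_factory=list)

    def log(self, action: str, at: int, **detail):
        self.events.append({"at": at, "action": action, "who": self.requester, **detail})


def process_request(name, email, company, reason, nda_accepted, now, ttl=DEFAULT_TTL):
    """Run steps two to six; return the audit record and the link (or None)."""
    rec = ReleaseRecord(email, company, "soc2-type2-2026h1")  # constructed doc id
    rec.log("request", now, name=name, reason=reason)
    decision = triage_request(email)
    rec.log("triage", now, decision=decision)
    if decision == "reject":
        return rec, None
    if not nda_accepted:
        rec.log("nda_pending", now)  # step three: no NDA, no document
        return rec, None
    rec.log("nda_accepted", now)
    if decision == "manual_review":
        rec.log("approval_pending", now)  # step four: a human decides later
        return rec, None
    rec.log("approved", now, mode="auto")
    url = make_signed_url(rec.doc_id, email, now, ttl)
    # The watermark text is stored with the link so a leaked PDF is traceable.
    rec.log("link_issued", now, expires=now + ttl, watermark=f"{name} <{email}>")
    return rec, url
```

Everything the page's own auditor would ask for under CC6.1 is in `ReleaseRecord.events`: who asked, what the triage decided, when the NDA was accepted, who approved, and when the link was issued and will expire. Manual approval is the default path for anything not on the trusted list, matching the first-month recommendation in step four.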
Building an internal policy around SOC 2 sharing
Ad-hoc sharing works until someone forwards the PDF to the wrong Slack channel. A short internal policy keeps everyone aligned.
Assign an owner. One person on the security or compliance team should own the SOC 2 distribution policy, the NDA template, and the approval queue. They do not need to approve every request personally, but they own the rulebook.
Define approval tiers. Self-serve for known good domains and repeat buyers. Manual review for new companies, competitors, personal emails, or requests with unusual patterns. Escalation to legal for government, law enforcement, or subpoena requests.
Set a refresh cadence. Review the NDA template quarterly and the approval rules monthly. After each new audit cycle, replace the old report in the portal and update the public badge dates. A trust center with a report from two audits ago looks neglected.
Train sales. The sales team should know the portal link by heart and should never email the SOC 2 PDF directly. Every direct email bypasses the NDA, the watermark, the expiry, and the audit log. One well-meaning attachment can undo months of controlled-release discipline.
Quick checklist
- Public badge and short SOC 2 summary on the trust center landing page
- Full SOC 2 Type 2 report marked NDA-required in the document vault
- Bridge letter and attestation letter uploaded with correct visibility
- NDA template configured (built-in, custom text, or e-signature integration)
- Request form captures name, work email, company, and access reason
- Manual approval enabled for the first month, then auto-approval for trusted domains
- Watermarking enabled with requester name and email on every page
- Download links set to 24-hour expiry by default
- Audit log accessible and exportable for internal reviews
- Internal policy document assigns an owner, defines approval tiers, and sets a quarterly refresh cadence
- Sales team trained to send the portal link, never the PDF directly
