A SOC 3 report is a general-use report that can be made publicly available. A SOC 3 report does not include the full system description (section 3) or the description of the service auditor's tests of controls and the results thereof (section 4). Distributing a SOC 2 report for marketing purposes is ill-advised, as section 3 and section 4 contain sensitive information about the system and the results of control design or operating effectiveness. This is why SOC 2 reports are considered restricted-use reports. SOC 3 reports can be posted on the company website and include limited information about the system and the results of the examination.
