SOC 3 · Public Trust Report
SOC 3
Public Trust Report
Public-facing SOC report for marketing and sales. Share your security posture with unlimited stakeholders.
Produced from the same examination as SOC 2 — one audit, two reports: the detailed report for due diligence, the public report for your website.
AICPA Trust Services Criteria · Licensed CPA attestation · Last reviewed June 2026
Direct Answer
What is a SOC 3 report?
A SOC 3 report is the public-facing, general-use version of a SOC 2 report. It is built from the same audit against the AICPA Trust Services Criteria, but omits the detailed control descriptions and test results — so it can be published freely as a trust seal on your website. Tranquility Cybersecurity (TCSA) typically delivers SOC 2 and SOC 3 from a single engagement.
Start with our SOC 2 attestation services, browse all compliance services, or review proof of our delivery track record.
The Benefits
Why SOC 3?
SOC 3 — Frequently Asked Questions
What is a SOC 3 report?
A SOC 3 report is the public-facing, general-use version of a SOC 2 report. It is based on the same AICPA Trust Services Criteria and the same audit, but presents the auditor's opinion without the detailed control descriptions and test results that make a SOC 2 confidential. That means a SOC 3 can be freely published — it works as a trust seal you can place on your website or share in marketing.
What is the difference between SOC 2 and SOC 3?
SOC 2 and SOC 3 cover the same Trust Services Criteria and stem from the same audit, but differ in audience. SOC 2 is a restricted-use report containing detailed control descriptions, tests, and results — shared under NDA with customers and auditors. SOC 3 is a general-use summary that contains the auditor's opinion and system overview but omits sensitive detail, so it can be distributed publicly. Most organizations obtain SOC 2 for due diligence and add SOC 3 for open marketing use.
Do I need a SOC 2 before getting a SOC 3?
In practice, yes. A SOC 3 is produced from the same examination as a SOC 2, so the underlying audit work (scoping, control design, and testing against the Trust Services Criteria) has to be completed regardless. Tranquility Cybersecurity typically delivers SOC 2 and SOC 3 from a single engagement, giving you the detailed report for prospects in due diligence and the public report for your website.
Can I put a SOC 3 seal on my website?
Yes — that is the primary purpose of SOC 3. Because it discloses no confidential control detail, you can publish the report and display the associated trust seal on your website, sales collateral, and security pages. It signals an independently examined security posture to prospects without requiring an NDA, shortening early-stage trust conversations.
Who issues a SOC 3 report?
Like SOC 1 and SOC 2, a SOC 3 examination results in an opinion issued by a licensed CPA firm under AICPA attestation standards. Tranquility Cybersecurity (TCSA) prepares your environment, designs and documents the controls, and runs the engagement to issuance, working with licensed CPAs for the formal attestation. TCSA has supported 250+ SOC 2 engagements, the basis from which SOC 3 reports are produced.
Written By Expert Auditors
Keep Exploring
Related Reading
SOC 2 Overview
The AICPA attestation US and global enterprise buyers ask for.
Read moreSOC 1 (ICFR)
Internal controls over financial reporting — SSAE 18/ISAE 3402.
Read moreSOC 2 Attestation
What the CPA firm attests to, and how it differs from certification.
Read moreSOC 2 Knowledge Hub
Type 1 vs Type 2, criteria, timelines and audit prep — all guides.
Read moreSoftware & SaaS
SOC 2 + ISO 27001 programs purpose-built for product companies.
Read moreProof & Track Record
Every number we publish — explained, sourced and verifiable.
Read moreGet in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours