SOC 3

SOC 3 is a public-facing summary of a SOC 2 report. It contains the auditor's opinion and management's assertion but omits the detailed control descriptions and test results.

What is in a SOC 3 report

A SOC 3 (Trust Services Report for General Use) is a publishable summary of a SOC 2 audit. It contains the auditor's opinion, management's assertion that the controls operated effectively, and a brief description of the system. It deliberately omits the detailed control matrix, the auditor's test procedures, and any exceptions found. Because there is no confidential customer or operational detail, SOC 3 can be downloaded from a vendor's trust portal without NDA — useful for marketing-tier validation but not sufficient for serious procurement diligence.

When to rely on SOC 3 and when to ask for SOC 2

Treat SOC 3 as a signal that a vendor has completed a SOC 2 — nothing more. For real diligence, request the SOC 2 Type II under NDA and read the control descriptions, the CUECs (complementary user entity controls), and any exceptions or qualifications. If a vendor offers only SOC 3 and refuses to provide the underlying SOC 2 under NDA, that is itself a procurement signal worth questioning.

AI-specific gaps

Neither SOC 2 nor SOC 3 covers AI-specific risk: training data sources, model card disclosure, sub-processors that include third-party model providers, copyright indemnification, output filtering, or red-team results. A clean SOC 3 from an AI vendor is a useful signal about operational security maturity but does not substitute for AI-specific diligence (ISO 42001, NIST AI RMF alignment, model risk management documentation).