A public trust report

Publish a SOC 3 from your SOC 2 program

SOC 3 is the freely distributable, general-use version of SOC 2 — same Trust Services Criteria, summary form. Produce it from the control evidence you already maintain.

What is SOC 3?

SOC 3 is a public, general-use report based on the AICPA's Trust Services Criteria — the same criteria that underpin SOC 2. The difference is the audience and the level of detail: a SOC 2 report is restricted and includes the auditor's detailed description of controls and test results, shared with customers under NDA, while a SOC 3 is a short, summary-level report you can freely distribute — post it on your website, hand it to any prospect, no NDA required.

How it relates to SOC 2

A SOC 3 is built on the same controls, evidence, and audit period as a SOC 2 Type 2 and is issued by the same CPA firm. In practice, organizations that already pursue SOC 2 add SOC 3 as a public-facing companion at little additional cost — it is not a separate program.

Why publish one

SOC 3 is a practical trust and marketing asset. It lets you demonstrate that an independent CPA firm examined your controls against the Trust Services Criteria without exposing the sensitive detail in your SOC 2. That makes it ideal for top-of-funnel sales, public trust pages, and buyers who want assurance early.

How episki helps

episki maintains your Trust Services Criteria controls and evidence once and supports both outputs — your restricted SOC 2 and your public SOC 3 — from the same program, with crosswalks to ISO 27001 and CSA STAR so the same work proves trust everywhere.

SOC 3 outcomes with episki

Quantify the impact security and compliance bring to your business.
General use
A public report you can post on your website — no NDA required.
Same TSC
Built on the same Trust Services Criteria as SOC 2.
One audit
Typically issued alongside a SOC 2 Type 2 by the same CPA firm.

Why teams choose episki for SOC 3

Framework-specific automation, collaboration, and reporting in one workspace.
SOC 2's public sibling
SOC 3 reports against the same criteria, in a shareable summary form.
  • Same Trust Services Criteria as SOC 2
  • Summary report without detailed test results
  • Freely distributable to anyone
A marketing-ready artifact
Hand prospects proof of your controls without the NDA dance.
  • Post it publicly on your trust page
  • Speeds up early sales conversations
  • Backs up your SOC 2 for buyers who can't see it
No extra program
SOC 3 reuses your SOC 2 work end to end.
  • Same controls and evidence as SOC 2
  • Issued by the same CPA firm
  • Crosswalk to ISO 27001 and CSA STAR

SOC 3 readiness inside episki

What you need to add a SOC 3 to your SOC 2.

Plug episki into your stack and work directly from this checklist during the free trial.

  • SOC 2 Type 2 program in place
  • Trust Services Criteria scoped (Security + any others)
  • Control evidence current and complete
  • CPA firm engaged for SOC 2 / SOC 3
  • Public trust-page placement for the report
  • Crosswalks to ISO 27001 and CSA STAR

SOC 3 accelerators

Turn your SOC 2 work into a public trust asset.
TSC evidence library
The same control evidence that supports your SOC 2.
Trust-page publishing
Place the general-use SOC 3 where prospects can find it.
SOC 2 crosswalk
Reuse your SOC 2 program directly for SOC 3.

SOC 3 frequently asked questions

Add a SOC 3 in episki

Reuse your SOC 2 controls to publish a general-use trust report.