System and Organization Controls (SOC) 3 reports are independent third-party examination reports that demonstrate how an organization achieves key compliance controls and objectives.
SOC 3 reports are based on the existing Trust Services Criteria (TSC) of the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). The purpose of the report is to provide a public-facing version of the SOC 2 attestation report for customers who need assurances about a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy, but do not require a full SOC 2 report. SOC 3 reports can be freely distributed because they are general use reports.
A SOC 3 report contains a written assertion by service organization management regarding the effectiveness of controls in achieving commitments based on the applicable trust services criteria, as well as the service auditor's opinion on whether management's assertion is stated fairly.
SOC 2 and SOC 3 reports are both attestation examinations conducted in accordance with the SSAE 18 standard, specifically sections AT-C 105 and 205, governed by the AICPA. The main difference is that a SOC 2 is a restricted use report and a SOC 3 is a public-facing report.