How to Check If a Vendor Is SOC 2 Certified
April 17, 2026
There is no public database of SOC 2 certified companies. Unlike FedRAMP, which maintains a public marketplace, or PCI DSS, which has a qualified service provider registry, SOC 2 reports are private documents shared under NDA between the audited company and its customers. This means you cannot simply search a registry to confirm whether a vendor holds a current SOC 2 report. Instead, verification requires a combination of direct requests, trust page analysis, and independent evidence gathering — and understanding why a vendor's claim alone is insufficient for your compliance documentation.
Why there is no public SOC 2 database
SOC 2 reports are proprietary documents governed by the AICPA. Unlike regulatory certifications that require public disclosure, SOC 2 reports are restricted-use documents — the auditing firm issues them to the service organization, which then shares them selectively with customers and prospects under NDA. The AICPA does not maintain a list of companies that have completed SOC 2 examinations. Individual CPA firms do not publish their client lists. This creates a verification gap: vendors can claim SOC 2 compliance on their websites, in sales materials, and in security questionnaire responses, but there is no independent public authority to confirm or deny the claim. This is why independent verification matters — and why simply asking a vendor "are you SOC 2 certified?" is not due diligence.
How to verify a vendor's SOC 2 status
Request the report directly. The most reliable method is asking the vendor for a copy of their SOC 2 report. Legitimate SOC 2 holders will have a process for sharing reports under NDA. Red flags include: the vendor says the report is "in progress" for more than 6 months, the vendor offers a "summary" instead of the full report, or the vendor claims SOC 2 but cannot provide the auditing firm's name.
Check the vendor's trust page. Many SaaS vendors publish trust or security pages listing their certifications. Stripe maintains a comprehensive trust center, Okta publishes certification details, and AWS provides compliance reports through AWS Artifact. However, trust page claims are vendor-attested — they are marketing content, not independent evidence.
Use independent assessment tools. ThirdProof scans vendor trust pages and cross-references certification claims against independent evidence. The trust page scanner distinguishes between certifications that can be independently verified (like FedRAMP authorization) and those that are vendor-attested only (like SOC 2 claims). This gives you documented evidence of what the vendor claims and the verification level achievable.
Verify the auditing firm. If a vendor names their SOC 2 auditing firm, confirm it is a licensed CPA firm. Check the AICPA's firm directory. Non-CPA firms cannot issue SOC 2 reports.
SOC 2 Type I vs. Type II: what to look for
When reviewing a SOC 2 report, the type matters significantly for your risk assessment. SOC 2 Type I evaluates the design of controls at a single point in time. It confirms that controls exist but does not test whether they work consistently. SOC 2 Type II evaluates both design and operating effectiveness over a period (typically 6-12 months). It confirms that controls not only exist but are functioning as intended over time.
For vendor due diligence, Type II reports provide substantially more assurance. A vendor with only a Type I report may have designed appropriate controls but never demonstrated they work in practice. When a vendor claims "SOC 2 certified," always ask: Type I or Type II? What was the observation period? When does it expire? SOC 2 reports are typically valid for 12 months — a report from 2024 may no longer reflect current controls. For more on reading these reports, see our guide to reading SOC reports.
What to document for your own compliance
If you are pursuing SOC 2 yourself, your auditor will ask how you verified vendor certifications. Simply stating "the vendor told us they have SOC 2" is insufficient for CC9.2 evidence. Document: (1) the date you requested the vendor's SOC 2 report, (2) whether you received the full report or a bridge letter, (3) the auditing firm and report period, (4) any qualified opinions or exceptions noted, and (5) your assessment of the vendor's control environment based on the report findings. ThirdProof assessments include certification verification as part of the standard report — each certification claim is tagged as independently verified, vendor-attested, or not found in evidence, giving your auditor clear documentation of your verification effort.
Frequently asked questions
Is there a public list of SOC 2 certified companies?
Can a vendor lie about having SOC 2?
What is the difference between SOC 2 Type I and Type II?
How does ThirdProof verify SOC 2 compliance?