Vendor SOC 2 Report Request Checklist: What to Ask Before You Buy
A practical checklist and email template for requesting vendor SOC 2 reports, bridge letters, trust center access, subprocessor evidence, and security questionnaire answers.
Based on common vendor risk workflows, SOC 2 report review patterns, security questionnaire requirements, and SaaS procurement evidence requests.

When a customer, auditor, or security team asks for a vendor SOC 2 report, the real task is not finding a random PDF. The task is confirming whether the vendor's report, trust center, bridge letter, subprocessors, and security evidence match your own risk review.
This page does not provide third-party SOC 2 report downloads for AWS, GitHub, Salesforce, Azure, Google Workspace, Slack, or any other vendor. Those reports are usually shared by the vendor through a trust center, NDA workflow, customer portal, or direct account team.
Use this checklist to request the right evidence from vendors and avoid weak vendor files before your own SOC 2 audit.
If you need to answer customer due diligence questions, use the security questionnaire generator. If you are preparing for your own audit, use the SOC 2 readiness checklist.
This is a rule-based planning resource, not legal, accounting, audit, or compliance advice. Confirm scope, report period, exceptions, and vendor evidence requirements with your auditor and vendors.
Quick checklist: what to request from a vendor
| Evidence item | What to ask for | Why it matters |
|---|---|---|
| SOC 2 report | Type I or Type II report, report period, scope, and Trust Services Criteria | Confirms whether the report covers the vendor service you use |
| Bridge letter | Letter covering the gap between report end date and today | Reduces stale-report risk |
| Trust center access | Current security documentation and report request workflow | Centralizes updated evidence |
| Subprocessor list | Vendors that process customer data for the vendor | Helps your own vendor risk and privacy review |
| Pen test summary | Executive summary or attestation if available | Supports application and infrastructure risk review |
| ISO 27001 or other certifications | Current certificates and scope statement | Useful when SOC 2 is unavailable or incomplete |
| Data processing addendum | Privacy and contractual processing terms | Supports legal and privacy review |
| Incident and breach notice process | Notice timelines and contact path | Helps incident response planning |
| Business continuity evidence | Backup, disaster recovery, and availability summary | Important for critical vendors |
| Security questionnaire answers | Standard security responses for encryption, access, logging, and incident response | Speeds customer or audit evidence collection |
SOC 2 report vs bridge letter vs trust center
These terms are often mixed together during procurement.
| Item | What it means | Common watchout |
|---|---|---|
| SOC 2 Type I report | Point-in-time report on control design and implementation | May not prove controls operated over time |
| SOC 2 Type II report | Report on operating effectiveness over an observation period | Period may be stale or may not cover the product you use |
| Bridge letter | Vendor statement covering the period after the SOC 2 report ended | It is not a replacement for the SOC 2 report |
| Trust center | Vendor portal for reports, policies, certificates, and security docs | Some evidence may require NDA or customer status |
| Subprocessor list | List of third parties used to deliver the service | Must match your data processing and risk assumptions |
| Pen test summary | High-level security test evidence | Usually not a full technical report |
For your own audit, the key question is whether the vendor evidence supports your vendor management control. A report from the wrong product line, wrong period, or wrong scope may not satisfy your auditor.
Vendor SOC 2 report request email template
Use this template when requesting evidence from a vendor account team or security contact.
Subject: Security evidence request for vendor review
Hi [Vendor team],
We are completing a security and vendor risk review for [Company name]. Could you share the current security evidence available for [Product/service name]?
Specifically, we are looking for:
1. Current SOC 2 Type II report, including report period, scope, and Trust Services Criteria
2. Bridge letter if the SOC 2 report period has ended
3. Trust center access or security documentation portal
4. Current subprocessor list
5. Penetration test summary or executive attestation, if available
6. ISO 27001, PCI, HIPAA, or other security certifications, if applicable
7. Data processing addendum and breach notification terms
8. Standard security questionnaire or security overview
If any item requires an NDA or customer portal request, please send the next step.
Thanks,
[Your name]
Do not ask only for "SOC 2." Ask for report type, scope, period, and evidence path. That is what prevents back-and-forth later.
What to ask common SaaS vendors for
Use this as a generic request pattern. Always verify directly with the vendor because report availability, portal access, and scope can change.
| Vendor category | Examples | What to request |
|---|---|---|
| Cloud provider | AWS, Azure, Google Cloud | SOC 2 report scope, shared responsibility documentation, data center certifications, service-specific security docs |
| Code and DevOps | GitHub, GitLab, Bitbucket, CI/CD tools | SOC 2 report, access control docs, encryption docs, incident process, subprocessor list |
| CRM and sales | Salesforce, HubSpot, sales engagement tools | SOC 2 report, DPA, subprocessor list, role-based access docs, data residency notes |
| Identity and productivity | Google Workspace, Microsoft 365, Okta | SOC 2 or ISO evidence, admin control docs, MFA and logging docs, breach notice terms |
| Collaboration | Slack, Atlassian, Notion | SOC 2 report, security overview, retention controls, access management docs |
| Payments and billing | Stripe, billing platforms | SOC 2, PCI evidence, DPA, subprocessor list, incident process |
| HRIS and payroll | Gusto, Rippling, BambooHR, Deel | SOC 2 or security evidence, employee data controls, subprocessors, access controls |
This page should not be used as a claim that any named vendor currently has a specific SOC 2 report available. Request evidence from the vendor directly and confirm the report covers the service, geography, and period relevant to your review.
How to review a vendor SOC 2 report
Once the vendor grants access, review these items first:
| Review area | What to check |
|---|---|
| Report type | Type I or Type II |
| Report period | Whether the period is current enough for your review |
| System description | Whether the report covers the product or service you use |
| Trust Services Criteria | Which of Security, Availability, Confidentiality, Processing Integrity, and Privacy are in scope (Security is the baseline; the others are optional) |
| Subservice organizations | Whether important subprocessors are carved out or included |
| Complementary user entity controls | Controls your company must operate for the vendor control to work |
| Exceptions | Any control failures, qualifications, or repeat findings |
| Auditor | Whether the report was issued by a licensed CPA firm |
The most commonly missed item is complementary user entity controls. A vendor's SOC 2 report often assumes you will configure MFA, restrict admins, review access, manage API keys, or monitor activity inside your own account.
Red flags in vendor evidence
Slow down when you see these patterns:
- the vendor shares a badge but no report access path
- the SOC 2 report is Type I when your risk level requires operating evidence
- the report period ended long ago and no bridge letter is available
- the report covers a different product than the one you use
- many important subprocessors are carved out with no additional evidence
- exceptions appear in areas relevant to your use case
- the vendor refuses to share a subprocessor list
- the vendor cannot explain breach notification or incident process
- the account team treats a marketing security page as equivalent to audit evidence
Not every red flag means you must reject the vendor. It means the risk needs an owner, mitigation, or documented acceptance.
How this connects to your own SOC 2 audit
Vendor evidence usually supports your vendor management and risk assessment controls. Auditors may ask whether you:
- maintain a vendor inventory
- classify critical vendors
- review security evidence before onboarding high-risk vendors
- keep SOC 2 reports or equivalent evidence for subprocessors
- track exceptions and follow-up dates
- review critical vendors on a recurring schedule
- understand your own responsibilities under vendor shared responsibility models
If you are still building this process, start with the SOC 2 readiness checklist and the SOC 2 evidence list.
Security questionnaire path
Vendor evidence flows both ways. You ask vendors for security evidence, and your customers ask you for evidence.
Use the security questionnaire generator to draft answer packs for common questions about:
- encryption
- access control
- incident response
- backups and availability
- vendor risk
- SOC 2 status
- data retention
- subprocessors
Then use the SOC 2 vendor comparison tool if you need help choosing compliance automation software for your own evidence workflow.
Bottom line
Do not treat "vendor SOC 2 report" as a simple download query. Treat it as a structured evidence request: report type, scope, period, bridge letter, trust center access, subprocessors, exceptions, and your own user controls.
For customer-facing answers, use the security questionnaire generator. For your own audit readiness, use the SOC 2 readiness checklist.