We often get asked by prospects and customers whether they should get a SOC 2 or SOC 3 certification, and what their similarities and differences are. So, we decided to get you the right answers straight from our kickass CISO Jose Costa (and if you've never met him before, he's a real security and compliance OG having been a former partner at PwC):
According to Jose, SOC 3 is "pretty much the same as a SOC 2 in terms of controls". Auditors perform the same work for both SOC 2 and SOC 3, so you might as well get just the SOC 2.
Compared to a SOC 2, a SOC 3 certification is "not very useful" for B2B companies, according to Jose, because a SOC 3 report doesn't include any of the details or results of the controls your auditor tested. A SOC 3 report only shows your auditor's opinion of how you did during the audit.
As a result, when your customers perform due diligence on you, they most likely won't accept a SOC 3 report. But if you're at a B2C company, then a SOC 3 might be good enough proof that your org follows good security practices at a high level.
Note that we don't want to dissuade you from getting a SOC 3 cert if you want it. But, as part of our mission to demystify and automate security, we want to make sure you get the candid truth.