When a customer asks for your SOC report, they do not always know which one they need, and neither do many vendors. The three reports serve different purposes. Getting the distinction right saves you from paying for the wrong audit.
SOC 1 covers controls relevant to your customers' financial reporting. It matters when your service could affect their books, for example a payroll processor or a billing platform. The audience is your customers' auditors, not their security teams.
SOC 2 covers security and the related Trust Services Criteria: availability, processing integrity, confidentiality, and privacy. It is what a security or procurement team means when they ask whether you are a safe place for their data. This is the report most SaaS vendors need. See the SOC 2 readiness guide.
SOC 3 is a short, public version of a SOC 2, designed to be shared openly on a website. It confirms you hold a SOC 2 without exposing the detailed control descriptions. It is a marketing artifact, not a substitute for the full report.
SOC 1 and SOC 2 each come in two types. Type I assesses control design at a point in time. Type II tests that controls operated over a period, usually three to twelve months. Customers take Type II far more seriously, because operating a control for a year is the real proof.
If a customer asks for a SOC report and means security, they want SOC 2 Type II. The rest is detail.