A potential customer is requesting a SOC 2 audit and report as a criteria for vendors that they will work with. We provide mobile app and web products and use third party vendors (like AWS) for hosting and data storage. The quality consultants we are using insist that we do not need a SOC 2 audit and if anything, to write a letter attesting to the controls that we do have in place. Based on what I've read, more and more companies are requesting this type of report even if they are not the data center operator. Does anyone have experience with this and what are your thoughts?