SOC reports are required to include a statement restricting the use of the report to management (vendor), user entities (you), and your auditors. User entities should know that when they’re a “potential” client of a vendor; this statement relieves the auditor of responsibility of the suitability of the report for the product or services that are being contemplated.