I'm curious why you need the SOC2 report itself instead of some sort of signed statement of compliance. The details of the SOC2 don't seem like they should be important?

When you're going through SOC-2, your auditor will ask for the SOC-2 report of each critical vendor.

If you're at that level of auditing I'd expect your company has enough cash to fork over for GHE.