Comment by Freak_NL
4 hours ago
You can. It just means that the customer has to do the proper analyses and risk evaluation for their own SOC2 (or ISO 27001 or whatever) certification.
Just focus on providing a good value application and be frank about what you do, why you can't get certification for something like that, but that you can answer any questions they might have for their own certification process.
If the potential customer makes 'has SOC2' a requirement, then that is not a customer for you, in the same way that 'has more than 20 employees' rules you out.