soc2 vendor due diligence need

dougboude
Posts: 1

soc2 vendor due diligence need

Hi there. We are in the process of getting our SOC2 Type 2 certification. One of the policies being put in place by our infosec has to do with vendor due diligence, meaning that if a vendor or product we use comes into contact with anything we deem as 'protected' data, we need to have something on file that gives us some assurance as to the security due diligence that the vendor follows. Typically and ideally we would ask them for a copy of their own SOC2 Type 2 certification (or equivalent), and if they have none, ask them to please fill in a vendor security questionnaire. Since we use WinSCP to handle our protected data transfers, I have been tasked with providing something that will satisfy this vendor policy.
I didn't see anything on the WinSCP site on the subject. Has anyone else out there who uses WinSCP had to satisfy such a need for SOC2 compliance? I very much appreciate any ideas or artifacts that will help me comply with my Infosec officers' request. I would hate to have to replace WinSCP in our projects, as it truly is the best transfer utility out there.
Thank you!

martin (Site Admin)
Posts: 41,442
Location: Prague, Czechia

Re: soc2 vendor due diligence need

We do not have any SOC2 document. Though we do not have any data of any customers (we actually have no customers). We just provide WinSCP software (for free). WinSCP does not collect any customer data, apart from anonymous usage statistics (which can be turned off – and they typically do not make it past corporate firewalls anyway).
