We reached out and were told we would need to upgrade to the enterprise version. (This was probably 5 months ago before they announced a few startup friendly offerings)

I'm curious why you need the SOC2 report itself instead of some sort of signed statement of compliance. The details of the SOC2 don't seem like they should be important?

When you're going through SOC-2, your auditor will ask for the SOC-2 report of each critical vendor.

If you're at that level of auditing I'd expect your company has enough cash to fork over for GHE.