What kind of documents should I show customers to make them trust me that I follow best security practices? They trust Soc2 Type2, what else could work?

If they don't have a strict requirement on SOC2, then either PCI compliance or NSA CISA are more easily done without needing tons of money.

Edit: PCI would only apply if you are processing customer funds Iirc, it's been a few years since I went through one but thereay be some caveats for that to apply.