Texas 1 at Twilight

SSAE 16 Type II Data Center Compliance

Data Foundry’s Austin data centers – Texas 1 and ADC – are SSAE 16 Type II compliant, having successfully completed the rigorous independent audit required of the newer SSAE 16 standard. This means you can have complete confidence that your critical data and infrastructure is in a facility which employs stringent internal business processes and IT controls for the services provided.

What is SSAE 16?

The Statements on Standards for Attestation Engagements (SSAE 16) is an attestation standard established by the AICPA to report on the controls and services provided to customers. As opposed to the SAS 70 audit standard, compliance with the SSAE 16 attestation standard requires the data center’s management to provide a written assertion about the fair presentation of the system’s design, controls, and operational effectiveness. This statement, along with an independent auditor’s evaluation of controls like Data Foundry’s organization, security and change management systems, are considered when determining SSAE 16 compliance.

What are the differences between SAS 70 and SSAE 16?

Effective June 2011, SSAE 16 has replaced the SAS 70 audit standard. SSAE 16 was implemented to update the reporting standards in the United States to comply with international reporting standards. Key differences impose additional responsibility upon the auditor and management. Service auditors first must obtain management’s written assertion and then express an opinion on the fair presentation of each facility’s system and the suitability of its design for the period covered by the report, not a point in time.

What is the difference between Type I and Type II?

Similar to SAS 70, an SSAE 16 audit is available in two types, Type I or Type II. Type I requires the auditor to write an opinion about the accuracy and completeness of the data center management’s description of the systems, as well as the suitability of the controls on a specific date. Type II includes the same requirements as Type I, but also audits the operational effectiveness over a period of six months or more. Data Foundry’s auditors completed an SSAE 16 Type II audit of design and effectiveness.

One common misconception is that when an audit is complete, a company becomes “certified.” As with SAS 70, this is not true. An SSAE 16 audit simply results in a Service Organization Control (SOC) 1 report which customers can use to understand and be assured of the data center’s internal controls. This report is important for customers particularly in highly regulated industries dealing with highly sensitive data, like finance, healthcare, government, who need written documentation of the controls being taken in handling their information.