What is SSAE 16?

SSAE stands for Statements on Standards for Attestation Engagements, and SSAE 16 is an attestation standard established by the American Institute of Certified Public Accountants (AICPA) to report on the controls and services provided to customers by service organizations. SSAE 16 replaced the SAS 70 audit standard. SSAE 16 compliance requires the service organization’s management to provide a written assertion about the fair presentation of the information system’s design, controls, and operational effectiveness in addition to previous requirements. This new standard was developed to mirror and comply with the ISO reporting standard – ISAE 3402. The report resulting from compliance with these standards is referred to as the Service Organization Controls report or a SOC report. Data centers will receive a SOC 1 type 2 report.

In order for a data center to comply with SSAE 16, it must provide a written assessment of the information system’s controls and effectiveness. This statement, along with an independent service auditor’s evaluation of controls like Data Foundry’s organization, security and change management systems, are considered when determining SSAE 16 compliance. Organizations that are evaluated and successfully meet SSAE requirements in 2017 and later will be compliant with SSAE 18. SSAE 18 compliance requires more robust risk assessment for examination engagements.

Data Foundry’s data centers are SSAE 18 compliant.