SOC 3 – Service Organization Control Reports

HOSTING has completed the 2012 SOC audit, for which both a SOC 2 Type II and a SOC 3 audit report are available. Through the assistance of the independent auditing firm of Mountjoy Chilton Medley, HOSTING completed these audits to ensure the most rigorous requirements and internal controls in our cloud, dedicated and colocation hosting along with our data center operation practices. Our 2012 SOC 2 and SOC 3 audit results are available for all six HOSTING data centers.

Why the SOC?

Prior to 2011, HOSTING completed a yearly SAS 70 audit, the last of which was completed for the 2010 audit. However, the SAS 70, while designed for service organizations, was never truly designed for the data center and hosting environment for which it became the de facto standard in recent years.

As a result, the American Institute of Certified Public Accountants (AICPA) developed a new reporting framework that replaced SAS 70 in June of 2011. The SSAE 16 and SOC framework is a new benchmark for service organizations. 

Three different reports were developed to address the various needs of service organizations previously using the SAS 70:

SOC 1

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) Reporting on Controls at a Service Organization was drafted with the intention of updating US service organization reporting standards to mirror the new international service organization reporting standard (ISAE 3402).

The SOC 1 is most appropriate for organizations that provide financial services and wish to demonstrate compliance with internal financial reporting controls. Generally this applies to companies required to meet regulatory financial reporting requirements such as Sarbanes-Oxley (SOX). Because HOSTING is a privately held company that does not provide financial services, the SOC 1 audit is not presently applicable to the services we provide.

SOC 1 vs. SOC 2 and SOC 3

In contrast to the audit that results in a SOC 1 report, where criteria are self-defined by the service organization, the audit required for the SOC 2 and SOC 3 reports is more stringent, assuring the reader that identical criteria were used to evaluate disparate data centers. SOC 2 and SOC 3 reports include predefined control criteria based on the Trust Service Principles of security, availability, processing integrity, confidentiality, and/or privacy. Both the SOC 2 and SOC 3 reports use the AT Section 101 standard instead of the SSAE 16 standard.

SOC 2

The HOSTING SOC 2 is a Type II report which reports on the suitability of design and effectiveness of the controls evaluated. Because the SOC 2 contains specific control data, it is considered confidential and is provided only under NDA. Most companies will not require this level of information unless they have a security questionnaire to complete or are also completing a SOC audit where HOSTING controls would overlap.

SOC 3

SOC 3 is based on the same audit standards as the SOC 2. However, while the SOC 2 is a confidential report, the SOC 3 report is publicly available. The SOC 3 report contains:

  • The auditor’s letter and summary opinion on the effectiveness of data center controls
  • A management attestation letter
  • A system description of the services provided and under the scope of the audit

 

What this means for HOSTING

We embrace the SOC standard as a testament to our commitment to one of the largest production workloads in North America – the HOSTING leading enterprise-class cloud platform. Our Always On™ design framework necessitates the highest standards for data center operations. The SOC 3: SysTrust for Service Organizations seal proudly validates this achievement.  

What this means for our customers

Completing a SOC audit assures our customers, partners, suppliers, and regulators that HOSTING is committed to excellence in quality and compliance for data center operations. HOSTING can provide customers and prospective clients a copy of the SOC 3 audit report to verify our controls meet or exceed their cloud, dedicated and colocation hosting needs. Because these audits are performed by independent auditors, any potential bias is removed from the reports.

The results of our audit are hosted publicly in the SOC 3 report which may be accessed by clicking on the SOC seal below. Upon clicking the seal you will be taken to an outside page which hosts our SOC 3 audit report and further explains the Trust Service Principles we were audited against. As the SOC 3 is a public report, you are encouraged to share this with your auditors and customers as needed.

 

SOC Seal