SSAE SOC2 – What is it and why should you care?

When you outsource elements of your IT support and environment, how do you know the partner you have chosen is operating soundly and efficiently, and not exposing your data and systems to unwanted risk? It’s a bit like choosing to go on a trip with someone who has passed their driving test versus someone who just tells you they are a good driver, with no valid license. It sure is comforting to know the driver has demonstrated to an independent third party that they know what they’re doing.

To solve this problem in the IT space, the American Institute of Certified Public Accountants (AICPA) developed an auditing standard, SSAE (Statement on Standards for Attestation Engagements) SOC2 (Service Organization Control 2), through which organizations such as Datotel can demonstrate, through auditing and attestation by an independent CPA, that not only do they have the necessary controls and processes in place, but that these are adequate, sound and being adhered to. The result is an annual report that you as the client can request and that gives assurance that you and your IT systems are in good hands.

This level of auditing shows a high level of discipline in the IT organization and means real and tangible positive differences for you and your organization versus working with a vendor that doesn’t subject itself to these higher standards. It demonstrates the ability to mitigate security, reliability and availability risks, lowers your risk of outages, system performance issues and data loss, and leads to an overall improved quality of operation. Armed with this information, why would you choose a partner without this level of audit?

As I mentioned earlier, an important distinction to look for in the report is whether the partner has gone through the Type 2 audit and not stopped after completing the initial Type 1 requirements. A Type 1 audit simply lets you know what controls are in place in the organization, whereas the Type 2 audit not only examines what the controls are, but ensures that they are being followed. A big difference. Secondly, make sure the report covers all areas of the business and is not limited to just one service offering, such as colocation space.

Datotel’s SSAE SOC2 Type 2 certification indicates that processes, procedures and controls adopted by Datotel have been formally evaluated and tested by an independent accounting and auditing firm. Datotel has been SAS70 certified since 2007 and subsequently SSAE16 certified since 2012 across all lines of business from Colocation to Managed Services, Cloud Services and Service Desk.