Infrastructure Certifications

Certifications held by Convesio data centers include:

Explanations

Below, you’ll find longer explanations of what these certifications are used for.
  • SSAE 18 / ISAE 3402 SOC 1 TYPE 2
    • The SSAE 18 SOC 1, often just called the SOC 1, is the report you receive when you are audited against SSAE 18. The SOC 1 Type 1 report focuses on a service provider’s processes and controls that could affect its clients’ internal control over financial reporting (ICFR). The examination helps ensure that both the systems and the personnel responsible for these controls at the third-party provider operate in a manner that will not adversely affect the client’s ICFR. This report is key for services such as payroll and taxation, since when these are performed by a third-party provider they have a direct impact on a client’s ICFR. For example, if you outsource payroll management to a provider that does not have the proper controls in place, you risk payroll errors in your internal data, and in the end you will be held accountable for those errors.
    • It provides assurance to your customers that the service organization has adequate internal controls.
    • An ISAE 3402 attestation including an audit report is regarded as a quality criterion for service providers that distinguishes them from competitors.
  • SSAE 18 / ISAE 3000 SOC 2 TYPE 2
    • The SOC 2 is a separate report that focuses on a service provider’s controls relevant to the security, availability, processing integrity, confidentiality, and privacy of a system. It gives assurance that your data is kept private and secure while in storage and in transit, and that it is available for you to access at any time. This is a crucial report for any type of data you entrust to a third-party provider, whether large video files or confidential medical records; the latter fall under strict compliance rules that require extensive controls. If you use third-party CRM software, for instance, the SOC 2 report verifies the provider’s ability to keep the records online and to keep the identity of your customers secure and in line with your own Privacy Policy.
    • The SOC 2 report examines the areas of security, availability, processing integrity, and confidentiality. A secure organization:
      • Protects data from unauthorized access
      • Makes information and services readily available
      • Runs systems that perform their functions correctly
      • Keeps confidential information confidential
  • ISO27001
  • PCI DSS 3.2.1
    • PCI compliance is compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
    • PCI compliance means that your systems are secured to the standard’s requirements, reducing the chances of a data breach. It takes only one high-profile security breach to cost you your customers’ loyalty, sink your reputation as a brand, and erode the public’s trust in your ability to keep sensitive credit card information safe.
  • NIST 800-53
    • NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security.
    • Although any private organization can adopt NIST 800-53 as a guiding framework for its security practice, all U.S. federal government agencies and contractors are required to comply with the framework in order to protect their critical data.
    • Agencies are expected to be compliant with NIST security standards and guidelines within one year of the publication date (February 2005) unless otherwise directed. Information systems that are under development are expected to be compliant upon deployment.
  • HIPAA
    • The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Companies that handle protected health information (PHI) must have physical, network, and process security measures in place, and follow them, to ensure HIPAA compliance.
  • ISO 22301
    • ISO 22301 provides a robust framework for developing effective incident response and recovery procedures to ensure your organization can recover quickly in the event of a disruption.
    • ISO 22301 defines business continuity management as part of a company’s overall risk management, partially overlapping with information security management and IT management. Implementation and certification are useful for demonstrating your company’s compliance to partners, owners, and other stakeholders. ISO 22301 also helps you win new customers by making it easier to show that you are among the best in the industry.
  • ISO 27001
    • The primary goal of the ISO 27001 standard is to guide organizations in creating, implementing, and enforcing an information security management system (ISMS). The ISMS describes the controls, processes, and procedures the company has put in place to ensure the confidentiality, integrity, and availability of the data in its possession.
    • ISO 27001 is the global standard for effective information security management. It helps organizations avoid potentially costly security breaches.
    • ISO 27001-certified organizations can show customers, partners, and shareholders that they have taken steps to protect data in the event of a breach. This can help minimize the financial and reputational damage caused by a data breach.