Compliance: AICPA SSAE 18
Service Organization Control (SOC)
SSAE18 Type 2 SOC 1, SOC 2, and SOC 3 Attestations
According to the American Institute of Certified Public Accountants (AICPA), SOC reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.
In other words, Statement on Standards for Attestation Engagements (SSAE) 18 is used to regulate how companies conduct business, and more specifically it defines how companies report on compliance controls. These reports are called SOC 1, SOC 2, and SOC 3.
- SOC 1 is a control report for service organizations, which pertains to internal control over financial reports.
- SOC 2 is a report that evaluates the business information system that relates to security, availability, processing integrity, confidentiality, and privacy. OVHcloud's scope is security and availability for our service offerings.
- SOC 3 is a general use report and does not provide the examination details that SOC 1 and SOC 2 include. The SOC 3 report is primarily used as marketing material.
The scope of the SSAE18 Type 2 SOC 1, 2, & 3 examinations are OVHcloud services and US Data Centers:
- Dedicated Servers
- Virtual Private Servers
- Hosted Private Cloud
- Public Cloud Services
US Data Centers:
- Vint Hill, Virginia (East Coast)
- Hillsboro, Oregon (West Coast)
The two Trust Service Categories in scope for the OVHcloud Type 2 SOC 2 are the following:
- Security - Information systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information systems and affect the entity's ability to meet its objectives.
- Availability - The availability principle refers to the accessibility of systems, products, or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties.
US customers utilizing international OVHcloud Data Centers and Services requiring SOC attestation reports should contact their sales representative or email firstname.lastname@example.org.