Compliance: AICPA SSAE 18
Service Organization Control (SOC)
SSAE18 Type 2 SOC 1, SOC 2, and SOC 3 Attestations
According to the American Institute of Certified Public Accountants (AICPA), SOC reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.
In other words, Statement on Standards for Attestation Engagements (SSAE) 18 is used to regulate how companies conduct business, and more specifically it defines how companies report on compliance controls. These reports are called SOC 1, SOC 2, and SOC 3.
- SOC 1 is a control report for service organizations, which pertains to internal control over financial reports.
- SOC 2 is a report that evaluates the business information system that relates to security, availability, processing integrity, confidentiality, and privacy. OVHcloud's scope is security and availability for our service offerings.
- SOC 3 is a general use report and does not provide the examination details that SOC 1 and SOC 2 include. The SOC 3 report is primarily used as marketing material.
The scope of the SSAE 18 Type 2 SOC 1, 2, & 3 examinations is the OVHcloud Services and US Data Centers:
- Bare Metal Cloud
- Virtual Private Cloud
- Hosted Private Cloud
- Public Cloud
US Data Centers:
- Vint Hill, Virginia (East Coast)
- Hillsboro, Oregon (West Coast)
The two Trust Service Categories in scope for the OVHcloud Type 2 SOC 2 are the following:
- Security - Information systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information systems and affect the entity's ability to meet its objectives.
- Availability - The availability principle refers to the accessibility of systems, products, or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties.
US customers utilizing international OVHcloud Data Centers requiring SOC attestation reports should contact their sales representative.