Compliance: AICPA SSAE 18

Service Organization Control (SOC)

SOC 1 Type II and SOC 2 Type II Certifications

SSAE18 Type 2 SOC 1 & SOC 2 & SOC 3 Attestations

According to the American Institute of Certified Public Accountants (AICPA), SOC reports are internal control reports on the services provided by a service organization. They provide valuable information that users need to assess and address the risks associated with an outsourced service.

In other words, Statement on Standards for Attestation Engagements (SSAE) 18 is used to regulate how companies conduct business, and more specifically it defines how companies report on compliance controls. These reports are called SOC 1, SOC 2, and SOC 3.

  • SOC 1 is a control report for service organizations, which pertains to internal control over financial reports.
  • SOC 2 is a report that evaluates the business information system that relates to security, availability, processing integrity, confidentiality, and privacy. OVHcloud's scope is security and availability for our service offerings.
  • SOC 3 is a general use report and does not provide the examination details that the SOC 1 and SOC 2 reports do. The SOC 3 report is primarily used as marketing material.

The scope of the SSAE18 Type 2 SOC 1, 2, & 3 examinations is the following OVHcloud services and US Data Centers:

Services:

  • Dedicated Servers
  • Virtual Private Servers
  • Hosted Private Cloud
  • Public Cloud Services

US Data Centers:

  • Vint Hill, Virginia (East Coast)
  • Hillsboro, Oregon (West Coast)

Two Trust Service Categories are in scope for the OVHcloud Type 2 SOC 2:

  • Security - Information and Systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
  • Availability - The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties.

US customers utilizing international OVHcloud Data Centers and requiring SOC attestation reports for these Data Centers should contact their sales representative or email legal@corp.ovh.us.
