By Jeremiah Morrow
OVHcloud has obtained several new attestations and the ISO certification for its product offerings in the east and west coast Data Centers. Hosted Private Cloud, Dedicated Servers and Public Cloud services within the US Data Centers are now officially compliant with ISO 27001, Type 2 SSAE 18 SOC 1&2 I, and Type 1 HIPAA frameworks. This is great news for any customers who are hosting financial or sensitive/ critical data on our servers, and particularly for customers in regulated industries like healthcare.
Our legal, security & compliance, and Data Center teams have been hard at work ensuring that we meet the standards to protect our customers’ data, but they took some time to share a few quick facts about these attestations and the ISO certification and the process for obtaining them.
What are all of those certifications?
ISO/IEC 27001 is an international standard that describes the “requirements for establishing, implementing, maintaining and continuously improving an information security management system.” It describes the organizational method which ensures confidentiality, integrity, availability and traceability of an information system.
American Institute of Certified Public Accountants (AICPA) SSAE 18 “Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.”
In other words, SSAE is used to regulate how companies conduct business, and it defines how companies report on compliance controls. There are 3 different reports:
- SOC 1 is a control report for service organizations which pertains to internal control over financial reports
- SOC 2 is a report that evaluates the business information system that relates to security, availability, processing integrity, confidentiality, and privacy.
- SOC 3 is a report that is mainly used as marketing material. It doesn’t go as in-depth as SOC 2.
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is is a US federal mandate that requires protections regarding security and privacy on Protected Health Information. OVH US’ HIPAA clients will have additional trust for its customers via a signed Business Associate Agreement (BAA) validating that OVH US will appropriately safeguard protected health information.
The purpose of the Type 1 HIPAA examination is assurance OVH US conforms with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Standards for the Protection of Electronic Protected Health Information (“HIPAA Security Rule”), and the Notification in the Case of Breach of Unsecured Protected Health Information enacted as part of the American Recovery and Reinvestment Act of 2009 (“HITECH Breach Notification Requirements”), as described in Part 164 of CFR 45.
What was the process for obtaining these certifications?
This was truly a team effort for OVHcloud. A team of security experts worked with teams in charge of the design and operation of the service, customer support, sales teams and management to prioritize improvements to meet and exceed compliance standards. We chose Schellman & Company LLC to perform a third-party audit, which included onsite interviews, data center visits, documentation reviews and systems observation over a period of months..
What does this mean for customers?
Data is the most important asset our customers possess today, and it will be even more important going forward. We take our role in the protection of our customer’s infrastructure and data seriously, and we are constantly looking for ways to improve.
Meeting these standards is a testament to how important information security and availability is to OVHcloud. Regardless of which infrastructure services you are consuming, your data is safe in our data centers.
For more information about our certifications, visit our compliance and certifications page. If you want to learn more about how OVHcloud manages data security in general, visit our data security page.