What’s the SSAE 18 Type 2?
SSAE stands for Statement on Standards for Attestation Engagements. SSAE No. 16, Reporting on Controls at a Service Organization (since superseded by SSAE No. 18), was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010.
It’s a mouthful, and a complicated way of saying something important: we’re careful with your data.
The more recent version (SSAE 18) requires that service organizations manage their vendors by implementing processes that monitor the controls at subservice organizations. It recommends that service organizations:
- Review and reconcile output reports.
- Hold periodic discussions with subservice organizations.
- Make regular site visits to subservice organizations.
- Have members of their internal audit function test controls at subservice organizations.
- Review Type I or Type II reports on subservice organization systems.
- Monitor external communications, such as customer complaints relevant to the services of subservice organizations.
Since 2013, we have also engaged Deloitte SA to perform comprehensive penetration tests covering two areas: blind external penetration testing and web application penetration testing. The results of these tests are referenced in the SSAE 18 audit report, which Deloitte also performs. We’re happy to report that the penetration testing has found no high-priority risk issues. External penetration testing is performed as part of the yearly audit process and ad hoc during the year. We also run our own penetration testing regularly using specialist software.
Our SaaS and dedicated cloud environments are monitored 24/7 using PRTG with over 300 sensors. Warnings and alerts are sent to the hosting team. Uptime statistics and reports are published on the Coprocess Forum, available to clients.