Data Security Document

SSAE 16 SOC 2 Type 2 Certification for Giva's Asia Pacific Data Centres

SSAE 16, also called Statement on Standards for Attestation Engagements 16, is a regulation created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) for defining how data centres report on compliance controls.

All processes are validated against a rigorous set of controls by an independent team of CPA auditors. The annual SSAE 16 SOC 2 Type 2 compliance report is issued and shared with all Giva customers upon request. The SOC 2 framework is a comprehensive set of criteria, known as the Trust Services Principles, composed of the following five sections:

  • Security of a service organisation's system.
  • Availability of a service organisation's system.
  • Processing integrity of a service organisation's system.
  • Confidentiality of the information that the service organisation's system processes or maintains for user entities.
  • Privacy of personal information that the service organisation collects, uses, retains, discloses, and disposes of for user entities.

It is important to be aware of the differences between a Type 1 and a Type 2 SSAE 16 report.

The Type 1 SSAE certification performed for many data centres uses the following criteria:

  1. The description of the service organisation's system was designed and implemented as of only a single specified report date, which is typically 12/31/xx.
  2. The control objectives stated in the description were suitably designed to achieve compliance as of only a single specified report date, which is typically 12/31/xx.

In other words, a Type 1 report is just a snapshot in time at a particular date, which is typically 12/31/xx.

In sharp contrast, the Type 2 SSAE certification performed for Giva's data centres uses the following criteria, which are more rigorous, more difficult to pass and represent a higher overall standard:

  1. The description of the service organisation's system was designed and implemented over the period of examination, which is typically a one-year period such as 1/1/xx – 12/31/xx.
  2. The control objectives stated in the description were suitably designed to achieve compliance over the period of examination, which is typically a one-year period such as 1/1/xx – 12/31/xx.