January 13, 2020

DataBank Receives “Exception Free” SSAE-18 and HIPAA Audit and Recertification for 6th Consecutive Year

All service providers that maintain compliance certifications for SSAE-18 and HIPAA-HITECH are required to undergo an annual audit of their compliance controls to ensure they meet the standards.

DataBank recently completed its annual audit and received an “Exception Free” rating, a fairly rare occurrence, but in our case, it was the 6th year in a row (dating back to our acquisition of Edge Hosting).

We caught up with DataBank’s CISO, Mark Houpt, to better understand the audit process and what it means for us and our customers.

Mark, what does it mean to be “recertified” for HIPAA and SSAE-18 Compliance?
Audits are conducted on an annual basis. During these procedures, the auditors evaluate the effectiveness of a service provider’s compliance controls, how suitable the design of those controls is, and how fairly they are represented or presented to customers. Our recertification means that for the period of the examination (in this case, 10/1/18-9/30/19), DataBank had properly designed security controls, we fairly told our customers what we do with those security controls, and – by the auditors actually testing the controls – that we were operating those controls effectively.

What authority conducts these audits and re-certifications?
The audits we most recently completed were in accordance with the American Institute of Certified Public Accountants (AICPA) standards and completed by 360 Advanced.

What DataBank services or facilities does it apply to?
The recent audit and recertifications apply to all of DataBank’s colocation and managed services in all of our data centers. The PCI attestations apply just to our colocation services in all data centers.

What process was required to achieve this re-certification?
Each year DataBank undergoes an extensive, 4-month audit process where auditors review approximately 300 artifacts and sources of evidence, interview our personnel, and visit our data centers for visual examination.

What does “exception free” mean and how common is that?
Exception free means that for each security control listed, the auditors could not find deviations or faults in how we design and operate our controls. This is rare in the industry, although this is DataBank’s second year in a row and “legacy Edge Hosting’s” 6th year in a row of exception free examinations.

How does this benefit our customers?
An exception free audit and recertification provides assurances to our customers that the design of our security environment is in line with industry best practices. You can think of it as a measure of technical excellence. But it’s also a measure of operational excellence. The auditor’s test results demonstrate that our security design doesn’t just work on paper, it works in practice. Achieving this standard six years in a row demonstrates consistency in that practice. It’s part of our operational DNA. And that’s critical to any customer looking for a reliable partner for mission-critical colocation, security and compliance.

If you would like to learn how we can help with your FedRAMP, HIPAA/HITECH, PCI-DSS, and GDPR needs, give DataBank a call at 800.840.7533.