
SSAE 16 SOC 2 Type 2 Certification for Giva's Cloud Help Desk Software

SSAE 16, also called Statement on Standards for Attestation Engagements 16, is an attestation standard (not a regulation) issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). It defines how an independent CPA examines and reports on the controls of a service organisation such as a data centre. Strictly speaking, SSAE 16 governs SOC 1 reports and SOC 2 reports are issued under the AICPA's general attestation standards (both SSAE 16 and those standards were superseded by SSAE 18 in 2017), but "SSAE 16 SOC 2" is the label commonly used for these reports and is the one used on this page.

  • Technology: enterprise and service provider class technology from Dell, Cisco, F5, VMware, EMC, NetApp, Tripwire, Trustwave, Microsoft and Red Hat.
  • People: skilled HIPAA-certified engineers available 24/7/365.
  • Process: all processes are validated against a rigorous set of controls by an independent team of CPA auditors. The annual SSAE 16 SOC 2 Type 2 compliance report is issued and shared with any Giva customer on request.

The SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles (now called the Trust Services Criteria), which are grouped into the following five categories; a SOC 2 report must cover Security and may additionally cover any of the other four:

  • Security of a service organisation's system.
  • Availability of a service organisation's system.
  • Processing integrity of a service organisation's system.
  • Confidentiality of the information that the service organisation's system processes or maintains for user entities.
  • Privacy of personal information that the service organisation collects, uses, retains, discloses, and disposes of for user entities.

It is important to be aware of the differences between a Type 1 and a Type 2 SSAE 16 report. Both are attestation reports containing an independent auditor's opinion rather than certifications, and the two types answer different questions.

The Type 1 report that many data centres obtain gives the auditor's opinion on the following:

  1. Whether the description of the service organisation's system fairly presents the system as designed and implemented as of a single specified date, typically 12/31/xx.
  2. Whether the controls stated in the description were suitably designed to achieve the related control objectives as of that same single date.

In other words, a Type 1 report is a snapshot at one point in time: it says nothing about whether the controls actually operated during the months before that date.

In sharp contrast, the Type 2 report obtained for Giva's data centres gives the auditor's opinion on the following, which is more rigorous, harder to pass and a higher overall standard:

  1. Whether the description of the service organisation's system fairly presents the system as designed and implemented throughout the period of examination, typically a one-year period such as 1/1/xx – 12/31/xx.
  2. Whether the controls stated in the description were suitably designed to achieve the related control objectives throughout that same period.
  3. Whether those controls operated effectively throughout the period, based on the auditor's own tests of the controls (for example, sampling evidence such as access reviews, change records and backup logs from across the year).

The third point is what sets a Type 2 report apart: it is the only one of the two in which the auditor tests that the controls worked in practice, not merely that they were designed correctly.

Datacentre Specifications

  • Power
    • Direct connection to power grid at 13.2 kV
    • 2N electrical design
    • Dual Redundant UPS / Battery Strings
    • Automatic Transfer Switch
    • 750 kW back-up generator
    • 2,300 gallons of fuel onsite
    • Enough fuel for up to 7 days of generator runtime
  • Cooling
    • N+1 Design
    • Redundant CRAC Cooling
    • Temperature of 70 °F / 50% relative humidity
    • Hot Aisle/Cold Aisle Design
    • Redundant Glycol Pumps
  • Fire
    • Dry-piped pre-action fire protection system
    • FM-200 Gas Fire Suppression System
  • Connectivity
    • 3 Tier 1 Network Carriers
    • 30 Gbps Bandwidth
    • 4 Fiber Paths
    • 2N Network Design