The 5 Data Center Certificates/Attestations to Look for in a Colocation Provider

By: Kaylie Gyarmathy on January 7, 2019

When comparing colocation data centers, it’s easy to become lost in discussions about complicated regulatory compliance. With so many types of data that need to be secured, regulatory requirements have proliferated over the years, creating a veritable alphabet soup of standards for data center customers to keep in mind.

Fortunately, quality data center providers are all too happy to provide information about their strategies for meeting compliance standards. Even so, it’s a good idea to know what to look for before engaging in negotiations with a facility.

Here are 5 data center certificates/attestations that are absolutely essential in a colocation partner:


SSAE 18

The main auditing standard for service organizations, the Statement on Standards for Attestation Engagements (SSAE) 18 is overseen by the American Institute of Certified Public Accountants and regulates how companies conduct business and report on compliance controls. SSAE 18 provides customers with assurances that a company is being forthright in all its interactions. In 2017, the new SSAE 18 standard replaced the old SSAE 16 standard, which had been in effect for the previous seven years.

Data centers seeking an attestation of compliance must pass an annual SSAE 18 audit that verifies the facility’s system controls, design, and operating effectiveness match its attestations. The new SSAE 18 standards are particularly thorough when it comes to evaluating not just the data center, but also any third-party vendors it uses to deliver services (and their subcontractors). An attestation of compliance provides customers with assurance and peace of mind that their data and critical assets will be safe and secure in a data center facility.

SOC 2 Type II

A System and Organization Controls (SOC) audit focuses specifically on information security, especially for cloud storage. SOC 2 evaluates proficiency across five criteria: security, availability, processing integrity, confidentiality, and privacy. While a SOC 2 Type I report reviews policies and procedures, Type II audits are conducted afterward to collect evidence that those policies are actually being followed.

Type II audits are performed within a six-month window following the Type I report. They must be carried out by an independent third party. When completed, SOC 2 Type II data center attestation provides full transparency into how well the facility follows through on rigorous data handling standards to meet customer requirements.

ISO/IEC 27001: 2013

This Information Security Standard tests the overall effectiveness of a facility’s Information Security Management System (ISMS) to ensure that it conforms to international standards. An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization’s information risk management processes, providing a systematic approach to managing private and sensitive information so that it remains secure. In order to obtain a certificate, data centers must demonstrate that the appropriate people, processes, policies, and technologies are in place to address any data system vulnerabilities.

Possessing an ISO/IEC 27001: 2013 Certificate of Registration is vital to protecting data center customers’ businesses and brands, ensuring a safe and secure environment for their technology and application deployments. To maintain their Certificate of Registration, data centers engage in continuous improvement of policies, proactive risk identification, and ongoing employee training.


HIPAA/HITECH

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) set the national standards for privacy and security of electronically protected health information (PHI). Imposing some of the strictest compliance standards in existence, HIPAA/HITECH ensures that all personal health data is protected and remains private. This data includes things like medical histories, insurance information, test results, and demographic information.

Failure to comply with these regulations carries significant financial and legal penalties. An Attestation of Compliance ensures that a data center implements and adheres to all physical, network, and process security measures required of all organizations handling protected health information. For customers that have any contact with the healthcare industry, HIPAA/HITECH compliance is an absolute necessity.


PCI DSS 3.2

The Payment Card Industry Data Security Standard (PCI DSS) 3.2 is a worldwide security standard used to protect personal financial data when credit card payments are processed electronically. By creating strict controls around the handling of data to limit its exposure to risk, PCI DSS 3.2 is absolutely vital to combating credit card fraud and, more broadly, information theft. Validated by a qualified security assessor, the Attestation of Compliance standard specifies twelve high-level requirements deemed necessary for building and maintaining secure networks.

This attestation is vital for any company that intends to process credit card payments or store financial data of any kind. With their extensive security protocols, data centers are often in a much better position to meet these strict standards than many small companies. By obtaining a PCI DSS 3.2 Attestation of Compliance, a data center can assure its customers that any sensitive financial information they handle will be well-protected in accordance with the law.

These are the key Attestations of Compliance and certificate of registration standards that every colocation provider should possess. As a general rule, data centers are quite forthcoming about what certificates they’ve acquired. If they lack such attestations or are hesitant to provide information about their compliance standards, it’s time to start looking for another colocation site. Regulatory compliance is something every facility should be proud to discuss rather than attempt to avoid.
