Certifications / Compliance
Virtacore is currently SSAE 16 Type II SOC1 and SOC2 accredited, as well as PCI DSS compliant and Health Insurance Portability and Accountability Act (HIPAA)-ready.
About SSAE 16 Type II SOC1 and SOC2
SSAE 16 Type II SOC1 and SOC2 compliance differentiates Virtacore from its peers by demonstrating that we have achieved a defined set of effectively designed control objectives relevant to the cloud services industry and, in the case of a Type II report, that those controls have been operating effectively over a period of time. All reports are backed by an opinion issued by an independent CPA firm.
SSAE 16 Type II SOC1 and SOC2 reports give all Virtacore clients and their auditors access to the same information, which removes the need for Virtacore to undergo separate audits from each client or their audit firms. This accreditation lets Virtacore and our clients realize significant business process efficiencies while maintaining a solid control environment and continuous adherence to ever higher regulatory standards and best practices through implementation of the service auditor's recommendations.
The SSAE audit process takes 4 months and 110 hours from start to finish, requiring collaboration between the independent CPA firm and Virtacore’s expert team. The CPA firm performs rigorous tests of Virtacore’s controls and security, including the following:
- Control Environment: Integrity and Ethics, Commitment to Competence, Management's Philosophy and Operating Style, Organizational Structure and Assignment of Authority and Responsibility, and Human Resource Policies and Practices
- Physical Security
- Environmental Security
- Computer Operations – Backup and Storage
- Computer Operations – System Maintenance and Uptime
- Information Security
- Data Communications
- Other Controls related to the AICPA Trust Services Principles of Security and Availability (SOC 2)
About Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a proprietary information security standard for organizations handling cardholder information for major credit card, debit card and related payment transactions. PCI DSS provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate response to security incidents.
Defined by the Payment Card Industry Security Standards Council, PCI DSS was created to strengthen controls around cardholder data and thereby reduce credit card fraud. Compliance is validated annually, and the required control objectives include:
- Building and Maintaining a Secure Network (including a firewall configuration)
- Protecting Cardholder Data (via encrypted transmission over open networks)
- Maintaining a Vulnerability Management Program (secure systems, anti-virus and related protections)
- Implementing Strong Access Control Measures (restricted physical and logical access with unique ID)
- Regularly Monitoring and Testing Networks (track and monitor access to network resources and data)
- Maintaining an Information Security Policy