XMission is SOC 1 certified
XMission maintains its SOC 1 audit opinion pertaining to our colocation, Cloud services, network administration, and support services. CPA firm A-lign, which specializes in these audits for IT firms, conducts this audit annually.
What is an SOC 1 Audit?
SOC 1 (Service Organization Controls 1), also known as SSAE 18, replaces the previous industry standard, SAS 70, and brings the US closer to the international standard, ISAE 3402. The audit is "a report on management's description of a service organization's system and the suitability of the design of controls." In other words, it is a report by an external auditor that verifies a company has policies and procedures in place to mitigate the risk of financial misstatement to its clients. Note that a type 2 audit verifies that controls were in place over the entire period of the audit, instead of at just one moment in time. In addition, the audit report is signed and dated at the end of an annual audit to verify that controls were in place during the time period of the audit.
Why get an SOC 1 audit?
In recent years, XMission has greatly expanded its focus on business products, including colocation, Cloud services, email hosting (with Zimbra), and business telephony. As those products matured, it was only a matter of time before we saw the need to get this audit, especially as enterprise clients started to look more closely at XMission as a vendor. While we are a privately held company, and therefore have no Sarbanes-Oxley compliance concerns ourselves, we recognized that compliance-sensitive companies, including publicly traded enterprises, financial firms, and healthcare organizations, often require SOC 1 reports.
What was required?
In order to complete the audit, XMission management developed rigorous internal control objectives to support first-class data center, hosting and networking management services. You can think of internal controls as the processes by which an organization manages its people and systems. It is how a company conducts business, day to day. These controls should be closely aligned with the entity's goals and objectives. When an outside auditor comes in, they first review the organization's control objectives to determine whether they appear to be reasonable, and then test its processes to see whether the entity reliably meets those objectives. Professing best practices isn't enough; the proof is in the pudding. XMission chose to have a type 2 audit, which requires an organization to prove the operating effectiveness of its internal controls throughout the audit period. Abiding by new requirements under SOC 1, the report also contains a written assertion from management regarding the systems and a service auditor's opinion letter.
What does this mean for XMission customers?
An SOC 1 audit report provides a framework for a service organization to have an outside entity examine its internal controls; the resulting report can then be provided to its enterprise clients. Therefore, an SOC 1 report assures potential and existing customers that XMission's policies and procedures are sound and that their critical Internet services and data are secure. Colocation and Cloud services customers can request a copy of our audit report, which should make it easier for them to pass their own SOC 1 audit. If anything is missing that could help them with their own audit, or better set them at ease regarding the products they purchase from XMission, we gladly welcome such requests. We have already started to evaluate how we will expand the scope in next year's audit.
Read XMission's security statement (0.5MB PDF).