XMission is SOC 2 Certified
Each year XMission hires a third-party auditor to provide a SOC 2 (Service Organization Controls) audit opinion pertaining to our colocation, cloud hosting, network administration, and support services with a focus on security, availability, and confidentiality.
What is a SOC 2 Audit?
A Service Organization Control (SOC) 2 Report is performed in accordance with AT 101 and based upon the Trust Services Principles, with the ability to test and report on the design and operating effectiveness of a service organization’s controls. The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to the trust principles of security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 16, which is focused on the financial reporting controls. It is a report by an external auditor that verifies a company has policies and procedures in place to mitigate various common risks. Note that a type 2 audit verifies that controls were in place over the entire period of the audit, instead of just one moment in time. In addition, this audit report is signed and dated at the end of an annual audit to verify that controls were in place during the time period of the audit.
Why get a SOC 2 audit?
In recent years, XMission has greatly expanded its focus on business products, including colocation, advanced web hosting (with our cloud product), email hosting (with Zimbra), and business telephony. As those products matured, it was only a matter of time before we saw the need to get this audit, especially as enterprise clients started to look more closely at XMission as a vendor. With the ubiquity of the internet and businesses relying so heavily on it, extending our certifications to include the more rigorous and prescriptive SOC 2 audit made logical sense and should further increase customer confidence in XMission's stewardship of their data.
What was required?
In order to complete the audit, XMission management developed rigorous internal control objectives to support first-class data center, hosting and networking management services. You can think of internal controls as the processes by which an organization manages its people and systems. It is how a company conducts business, day to day. These controls should be closely aligned with the entity's goals and objectives. When an outside auditor comes in, they first review the organization's control objectives to determine whether they appear to be reasonable, and then test the organization's processes to see whether the entity reliably meets those objectives. Professing best practices isn't enough; the proof is in the pudding. XMission chose to have a type 2 audit, which requires an organization to prove the operating effectiveness of its internal controls throughout the audit period.
What does this mean for XMission customers?
A SOC 2 audit provides a framework for a service organization to have an outside entity examine its internal controls; the resulting report can then be provided to its enterprise clients. Therefore, a SOC 2 report assures potential and existing customers that XMission's policies and procedures are sound and that their critical Internet services and data are secure. Colocation and hosting customers can request a copy of our audit report, which should make it easier for them to pass their own security audits. If anything is missing that could help customers with their own audit, or better set them at ease regarding the products they purchase from XMission, we gladly welcome such requests.