What is SSAE 16, and What Does the Certification Mean?


It’s a claim that’s right up there with a 99% service-level agreement in that it’s one made by nearly every single data center host. We’re speaking, of course, about SSAE 16 Certification. At first glance and on paper, it certainly sounds impressive, at least.

It’s an abbreviation that most first-time clients can’t even expand, so it must be something official and professional. Which makes it all the more impressive, right? 

Not exactly. 

The truth is that SSAE 16 is more or less table stakes for any data center worth its salt. Its presence shouldn’t be terribly impressive to you as a prospective client. Quite the contrary, it should actually be a little concerning: as of May 2017, SSAE 16 has been superseded by SSAE 18, so a host still advertising SSAE 16 is advertising an out-of-date standard. 

Before you start drowning in abbreviations, let’s explain a little bit about what SSAE actually means. It’s the abbreviated form of Statements on Standards for Attestation Engagements, a set of attestation standards issued by the American Institute of Certified Public Accountants (AICPA) that, among other things, governs how an independent auditor examines and reports on the controls at a service organization such as a data center. Given that we’ve probably only made things more confusing, let’s clear the air a bit.

In plain English, SSAE 18: 

  • Is a set of attestation standards that governs how an independent auditor examines and reports on a service organization’s internal controls. It is not itself a list of controls a data center must implement.
  • Underpins the three types of SOC (System and Organization Controls) reports: 
    • SOC 1 covers the controls at a service organization that are relevant to its clients’ financial reporting. 
    • SOC 2 evaluates how the organization manages its systems and data against the AICPA’s Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Those criteria grew out of the earlier SysTrust and WebTrust programs. 
    • SOC 3 is a general-use summary of a SOC 2 report. It omits the detailed description of controls and the auditor’s test results, so it can be handed out freely, but it is mostly useful as a marketing artifact.
  • Requires the service organization to perform a formal risk assessment, and an independent auditor to examine its controls, before a report is issued. An organization does not declare itself compliant; an auditor issues an opinion. 
  • Differs from SSAE 16 primarily in how it treats subservice organizations, the vendors a service organization itself relies on to serve its clients: the service organization must now identify those vendors and monitor the controls it depends on them for. 

So basically, SSAE 16 is obsolete, and its replacement, SSAE 18, is effectively a fancy way of telling clients that an organization has performed a risk assessment and had its controls examined by an independent auditor. Important details to be certain, but hardly the competitive differentiator that some hosts would have you believe. 

There’s one final, critical detail that needs to be established before we wrap up. Namely, that neither SSAE 16 nor SSAE 18 is an actual certification. What an organization receives is an attestation report (a SOC report) containing an auditor’s opinion on its controls for a specific reporting period; there is no certificate to hold and nothing to be ‘certified’ in. A data center that claims it’s ‘certified’ in either is simply using misleading terminology to inform prospective clients that it’s done the bare minimum. 

While you likely want to avoid doing business with a data center that doesn’t bother with SSAE 18 at all, you should also be leery of one that makes any claims with regards to ‘certifications’—because if they mislead you about that, what else might they be misleading you about? The practical check is simple: ask to see the actual SOC report (usually under NDA), confirm the auditor’s opinion is unqualified, confirm the reporting period is current, and check whether it is a Type 2 report, in which the auditor tested that the controls operated over a period of months, rather than a Type 1, which only assesses their design at a single point in time. 

If you’re looking for a reputable host that doesn’t dress up its SSAE audit as a ‘certification’, give us a shot!
