CenturyLink Cloud's data centers comply with SOC 2 and 3 Reports

CenturyLink and SOC 2 & 3 Reports

CenturyLink publishes a SOC 2, Type 2 report, providing an auditor’s detailed evaluation of the design suitability and effectiveness of the controls

Service Organization Controls 2 (SOC 2) is another mechanism for improving security and availability of customer data. It is a set of standards for system design to meet the criteria for the security and availability principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

In addition to individual data center audits, CenturyLink also publishes a SOC 2, Type 2 report. The SOC 2 report provides the auditor’s detailed evaluation of the design suitability and operating effectiveness of the controls. This report demonstrates CenturyLink’s commitment to protecting the security and availability of customer data and provides evidence that our controls have been independently evaluated against a leading industry standard.

Benefits

SOC 2 Reports are intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization. These controls affect the security, availability and processing integrity of the systems used to process users’ data and the confidentiality and privacy of the information processed by these systems. Similar to a SOC 1 Report, there are two types of SOC 2 reports:

Type 1

Report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is generally restricted.

Type 2

Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.

Scope of SOC 2 Reports

SOC 2 Reports are examination engagements performed by an auditor in accordance with AT Section 101, Attest Engagements, of SSAEs (Statement on Standards for Attestation Engagements) using the predefined criteria as outlined in TSP section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. A system is designed, implemented, and operated to achieve specific business objectives in accordance with management-specified requirements.

The purpose of the system description is to delineate the boundaries of the system, which includes the services outlined above and the five components described below:

  • Infrastructure — The physical and hardware components of a system.
  • Software — The programs and operating software of a system.
  • People — The personnel involved in the operation and use of a system.
  • Procedures — The automated and manual procedures involved in the operation of a system.
  • Data — The information used and supported by a system.

SOC 2 Reports specifically address one or more of the following five key system attributes:

  • Security — The system is protected against unauthorized access (both physical and logical).
  • Availability — The system is available for operation and use as committed or agreed.
  • Processing Integrity — System processing is complete, accurate, timely and authorized.
  • Confidentiality — Information designated as confidential is protected as committed or agreed.
  • Privacy — Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.

CenturyLink and SOC 3

CenturyLink's SOC 3 report provides the highest level of certification and assurance of operational excellence that a data center can receive and is available for public use. In addition to the SOC 2 report which includes auditor testing and results, the SOC 3 provides a system description and supplemental information provided by the auditor.

Download the CenturyLink Cloud SOC 3 Report

Frequently Asked Questions

What is the difference between a SOC 1, SOC 2 and SOC 3 report?

A SOC 1 report is the SSAE 16 or equivalent standard (i.e. ISAE 3402 or the former SAS 70) examination and is used by customers when performing their SOX audits. A SOC 2 is a report on Security, Availability, Processing Integrity, Confidentiality or Privacy and is based on the Trust Services principles. A SOC 3 is a Trust Services Certificate that uses the information from a SOC 2.

What are the differences between a Type-1 and Type-2 report?

A Type 1 report describes the service organization’s controls at a point in time. This report focuses on the design of the controls to achieve the related control objectives. It includes the service auditor’s opinion, management’s assertion, and the description of the system.

A Type 2 report focuses on both the design and operating effectiveness of controls over a period of time of at least six months. It includes all of the information in a Type 1 report with the addition of the service auditor’s testing performed for each control.

Which organizations need a SOC report?

Any service organization that needs an independent validation of controls relevant to how it transmits, processes, or stores client data may require a SOC report. Additionally, as a result of various legislative requirements like the Sarbanes-Oxley Act, as well as increased scrutiny over third-party controls, clients are increasingly requiring SOC reports from their service organizations.

Can a SOC 2 substitute for SOC 1?

No. The first paragraph of the SSAE 16 standard states that the purpose of SOC 1 examinations is to report on “…controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.” Paragraph 1.10 in the SOC 2 guide states that the purpose of SOC 2 is to “…report on a service organization’s controls other than those that are likely to be relevant to user entities’ internal control over financial reporting.” This purposeful “poison pill” confirms that hosting providers cannot use SOC 2 examinations as a substitute for SOC 1 examinations.

Are SOC 2 Examinations “Better” or “More Appropriate” than SOC 1 for Data Centers?

No. There is absolutely nothing in the current guidance that supports the position that SOC 2 is “better” or “more appropriate” than SOC 1 for data center examinations. Both guides contain unambiguous applicability requirements. Data centers either meet the requirements for SOC 1 and/or SOC 2, or they do not. In the absence of new AICPA guidance, all claims to the contrary are personal opinion and should be treated as such.

  • Albuquerque, NM (AB3)
  • Atlanta, GA (AT1)
  • Bangalore, India (BLR2)
  • Boston, MA (B01, B02, B03)
  • Burbank, CA (BR1)
  • Chicago, IL (IL1, CH2, CH3, CH4)
  • Columbus, OH (CL1)
  • Dallas, TX (DL 1, DL2)
  • Denver, CO (DN1, DN2, DN3)
  • Frankfurt, Germany (DE1, FR6)
  • Hong Kong (HK2)
  • Jersey City, NJ (NJ1)
  • London, United Kingdom (GB1, L01, L03, L04, L05, L06)
  • Los Angeles, CA (LA1)
  • Minneapolis, MN (MP1, MP2)
  • Montreal, Canada (MR1)
  • Newark, NJ (NJ5)
  • Orange County, CA (OC2)
  • Piscataway, NJ (NJ3, NJ4)
  • Santa Clara, CA (UC1, SC4, SC5, SC8, SC9)
  • Salt Lake City, UT (UT1)
  • Seattle, WA (WA1, SE2, SE3, SE4)
  • Secaucus, NJ (NY1)
  • Singapore (SG2, SG8)
  • St. Louis, MO (SL1)
  • Sterling, VA (VA1, DC2, DC3, DC4, DC5, DC6, DC7)
  • Sunnyvale, CA (SN1, SN2)
  • Tampa, FL (TP1)
  • Tokyo, Japan (TY6)
  • Toronto, Canada (CA2, TR1)
  • Vancouver, Canada (CA1, VC1)
  • Weehauken, NJ (NJ2)

Map of SOC 2 compliant center locations.

Related Products

Cloud Services

Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry leading global network.

Managed Services

Experts at the ready to maintain and administer your cloud deployments. Rapid provisioning, hourly billing, and highly automated.

Managed Security

A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.

Managed Hosting

Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services, including fully managed networks, servers, storage, operating systems, and security.

Managed Storage & Backups

Provides a range of storage options including data replication and backup/archiving. CenturyLink solutions are secure, affordable and can provide data resilience with up to five nines of availability.