CenturyLink Cloud's data centers comply with SOC 2 Report

CenturyLink and SOC 2 Report

The Service Organization Controls 2 (SOC 2) report is intended to support a broad range of customers and provides assurance related to the service organization’s controls supporting achievement of the American Institute of Certified Public Accountants’ (AICPA’s) Trust Services Categories – Security, Availability and Confidentiality (as applicable). CenturyLink (the “service organization”) undergoes annual Type 2 SOC 2 assessments.

SOC 2 Reports are intended to meet the needs of a broad range of users that need information and assurance of the controls at a service organization using the five categories (as applicable). SOC 2 reports are an alternative to SOC 1 examinations, which may only opine on a service organization’s controls that are likely to be relevant to user entities’ internal controls over financial reporting.

There are two types of SOC 2 reports:

Type 1

Report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports is generally restricted.

Type 2

Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls. Use of these reports is generally restricted.

SOC 2 Categories

SOC 2 Reports address one or more of the following five categories:

  • Security — The system is protected against unauthorized access (both physical and logical)
  • Availability — The system is available for operation and use as committed or agreed
  • Processing Integrity — System processing is complete, accurate, timely and authorized
  • Confidentiality — Information designated as confidential is protected as committed or agreed
  • Privacy — Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants

Frequently Asked Questions

What is the difference between a SOC 1, SOC 2 and SOC 3 report?

SOC 1 provides customers assurance of controls at the service organization relevant to customers’ internal control over financial reporting.

SOC 2 provides customers assurance of controls at the service organization relevant to the achievement of the AICPA Trust Services Categories and related criteria. The AICPA Trust Services Categories include Security, Availability, Confidentiality, Processing Integrity, and Privacy.

SOC 3 is a general-use report based on the AICPA’s Trust Services Categories and related criteria. A SOC 3 report can be made publicly available as it does not contain all of the details of the SOC 2 report.

What are the differences between a Type-1 and Type-2 report?

A Type 1 report describes the service organization’s controls as of the specified report date (point in time). This report focuses on the design of the controls to achieve the related control objectives. It includes the service auditor’s opinion, management’s assertion, and the description of the system, including the controls specified by the service organization to meet the intended control objectives (SOC 1) or Trust Services Criteria (SOC 2).

A Type 2 report focuses on both the design and operating effectiveness of controls throughout the specified review period (recommended as a minimum of six months or greater). Type 2 reports include all of the information in a Type 1 report along with the testing performed by the service auditor and corresponding test results for each control activity.

Which organizations need a SOC report?

Any service organization that needs an independent validation of controls relevant to how it transmits, processes, or stores client data may require a SOC report. Additionally, as a result of various legislative requirements, like the Sarbanes-Oxley Act, as well as increased scrutiny over third-party controls, clients are increasingly requiring SOC reports from their service organizations.

Can a SOC 2 substitute for SOC 1?

No. The first paragraph of the SSAE 16 standard states that the purpose of SOC 1 examinations is to report on “…controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.” Paragraph 1.10 in the SOC 2 guide states that the purpose of SOC 2 is to “…report on a service organization’s controls other than those that are likely to be relevant to user entities’ internal control over financial reporting.” This purposeful “poison pill” confirms that hosting providers cannot use SOC 2 examinations as a substitute for SOC 1 examinations.

Data Center Locations
  • Chicago, IL (IL1)
  • Frankfurt, Germany (DE1, DE3)
  • Ireland (AWS EU West-Ireland)
  • London, United Kingdom (AWS EU West-London)
  • Portsmouth, United Kingdom (GB1)
  • Oregon (AWS West-Oregon)
  • Santa Clara, CA (UC1)
  • Seattle, WA (WA1)
  • Secaucus, NJ (NY1)
  • Singapore (SG1, AWS AP West-Singapore)
  • Slough, United Kingdom (GB3)
  • Sydney, Australia (AU1, AWS AP West-Sydney)
  • Sterling, VA (VA1)
  • Toronto, Canada (CA2, CA3)
  • Vancouver, Canada (CA1)
  • Virginia (AWS East-NoVa)
