Compliance Certifications and Standards

Each year, an external auditing firm completes System and Organization Controls (SOC) 1 Type 2 and SOC 2 Type 2 reviews of our data center facilities. The reports provide our customers with the assurance of corporate controls, including security and environmental compliance, and validation of CoreSite's commitment to the most stringent standards of excellence in our data center operations.SOC 1 and SOC 2 are attestation standards issued by the American Institute of Certified Public Accountants (AICPA). The SOC 1 report is intended to meet the needs of user entities’ management and auditors as they evaluate the effect of a service organization’s controls on the user entity’s financial statement assertions. The SOC 2 report is intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy. CoreSite’s SOC 2 reports include the security and availability Trust Services categories.

CoreSite has achieved the International Organization for Standardization certification (ISO 27001) covering both corporate policies and procedures, as well as those of all our operating data centers. The ISO/IEC 27001:2013 certification is one of the most stringent certifications for information security controls, and confirms the information security controls and other forms of risk treatment are in place to detect and defend against potential data system vulnerabilities. This prestigious, internationally recognized certification reflects our commitment to provide CoreSite customers around the globe with secure, reliable and high-performance data center colocation hosting solutions.

Each year, an external auditing firm completes an assessment to validate CoreSite’s strict adherence to the National Institute of Standards and Technology Publication Series 800-53 (NIST 800-53) high-impact baseline controls and additional Federal Risk and Authorization Management Program (FedRAMP) requirements. The scope of CoreSite’s assessment includes a subset of control families applicable to colocation services at our data center facilities. The utilization of the high-impact baseline controls for NIST 800-53 reflects CoreSite’s commitment to successfully delivering the most rigorous compliance standards to support our customers’ Federal Information Security Management Act (FISMA) and FedRAMP compliance efforts. NIST 800-53 is a publication that recommends security controls for federal information systems and organizations. NIST 800-53 is published by the National Institute of Standards and Technology, which creates and promotes the standards used by federal agencies to implement FISMA and manage other programs designed to protect information and promote information security.

Each year, a Quality Service Assessor (QSA) completes an external assessment to validate CoreSite’s compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) as a “Level 1” service provider for our colocation services. The scope of CoreSite’s assessment includes physical security and related policies at our data center facilities.The PCI DSS is a comprehensive set of standards that require merchants and service providers that store, process or transmit customer payment card data to adhere to strict information security controls and processes. As a provider of data center colocation services, CoreSite has proactively met the relevant requirements for its business in support of the PCI compliance needs of its customers.

HIPAA requires that covered entities take strong measures to protect the privacy and security of electronic protected health information (ePHI). By attaining HIPAA validation through an external attestation, CoreSite provides assurance to healthcare providers and other related enterprises that its national platform of multi-tenant data centers conforms to a high standard of data security and provides a secure environment for customers’ sensitive and confidential data. The validation asserts that the information security program governing the colocation services implements applicable control guidance in the HIPAA Security Rule and the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification requirements.