Cloud Services

vCloud Air Network Compliance Spotlight – SSAE 16

In our vCloud Air Network Compliance Spotlight series, we break down various compliance and VSP (2)certifications to make your search for a cloud provider easier. Previously, we have covered PCI-DSS, HIPAA, and ISO 27001. This edition of the vCloud Air Network Compliance Spotlight focuses on Statement on Standards for Attestation Number 16, or SSAE 16.

SSAE 16 is an attestation standard, as the name indicates, that is validated during the audit process by a third party, certified auditor. Namely, this standard attests that a company has:

  • Sufficient controls over its IT and associated processes
  • A description of its [IT] system
  • A written statement of assertion

The determination of sufficient controls of the IT and associated processes can take place in one of two ways. SSAE Type 1 indicates that these systems were audited at a single point in time, so that the audit demonstrates what is currently in place. SSAE Type 2 indicates that these systems were audited over a given period of time, generally six months, so that the audit demonstrates the effectiveness of these systems. Normally, a Type 1 audit is performed as a way to then move on to a Type 2.

Nevertheless, the SSAE 16 does not only have a Type 1 and Type 2, it also has SOCs, or service organization control reports. There are three kinds of SOCs:

  • SOC 1 reports on controls that are relevant to internal control over financial reporting (ICFR).
  • SOC 2 reports on controls according to trust service principles, which are:
    • Security: the system is protected against unauthorized access, both physically and logically
    • Availability: the system is available for operation and use as committed or agreed
    • Processing Integrity: the system processing is complete, accurate, timely, and authorized
    • Confidentiality: the information held by an organization is securely protected
    • Privacy: Personal information is protected
  • SOC 3 is similar to SOC 2 in that it reports on specified controls. However, these controls are either specified according to Systrust or Webtrust standards rather than Trust Service. Webtrust is designed moreso for evaluating trust service principles for ecommerce. Meanwhile, Systrust is intended for IT-based systems.

Below is a table for quick reference:

Summary table


In your search to find a cloud provider that meets your business requirements, our “Find a Provider” page makes things easy to find a compliant provider. There are filters readily available for you to search for our partners in the vCloud Air Network that meet standards related to SSAE 16. On this page, you can find providers who comply with the following:

  • SSAE 16 SOC 2 Type II
  • SSAE 16 Type I
  • SSAE 16 Type II
  • SOC 3 SysTrust
  • SOC 2 Type II
  • SSAE SOC 1 Type II
  • SOC 1 Type II
  • SSAE 16 SOC 3

Ready to get started on your hybrid cloud journey? Find a compliant provider today by visiting

If you want to delve deeper into SSAE16, visit

For more updates around the vCloud Air Network and our service providers, be sure to follow us on Twitter @VMwareSP, and ‘like’ us on Facebook at


3 comments have been added so far

Leave a Reply

Your email address will not be published. Required fields are marked *