SSAE-16 (S0C-2) Accreditation

Customer Testimonial

SSAE-16 (SOC-2)

Sify Technologies becomes India's first cloud service provider to receive SSAE-16 (SOC-2) accreditation.


Sify Technologies Limited is a leading network, hosting and cloud service provider in India and has been pioneering the innovations in the ICT industry. To leverage technology innovation and IT transformation practices, Sify has built strong expertise in Cloud and IT transformation space. Service portfolio includes end to end spectrum from Consulting, assessment to plan-design-implement and operate Cloud platform across Infrastructure (IaaS), Platforms (PaaS) and Applications (SaaS).

SSAE-16 (SOC-2) certification is to further strengthen the compliance and security framework of Sify services and delivery processes. It compliments other certifications Sify has undertaken for processes and services such as ISO 9001:2008 (QMS), ISO 27001:2008 (ISMS), ISO 20000-1:2005 (ITSM). It reflects our commitment towards continual improvement and be the trusted secured business partner to our customers.


Building Trust and Confidence in Service Provider Space

Outsourcing engagement for Managed Services, IaaS, PaaS and SaaS, mandates customer organizations to outsource to a service provider certain tasks or functions related to their business, even those that are core to their operations. This implies that many of the risks of the service organization become risks of the customer user entities. In light of several prominent internal-control breakdowns (e.g., security and privacy breaches, and frauds) and increasing regulatory focus on internal control (e.g., Sarbanes-Oxley Act, Basel II, HITECH and HIPAA), customer management is increasing its due diligence for prospective service providers and as a control mechanism to check governance for oversight of current service provider.

Sify India's leading enterprise cloud provider, has undertaken SSAE-16 (SOC-2) Audit and Certification to ensure controls related to operations and compliance. Technological, regulatory and other changes have heightened the need for information and assurance that enable management to demonstrate it has addressed stakeholder concerns related to the security, availability and processing integrity of the systems, Sify uses to process customers' data, the confidentiality and privacy of the information these systems process.


What is SSAE-16?

SSAE-16 (SOC-2) is an attestation/ accreditation that describes the evaluation of controls and criteria set forth by American Institute of Certified Public Accountant's Trust services principles. These principles and controls define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations.

The examination and report is conducted by an independent CPA/ auditor on a service organization's controls, service organizations can respond to meet the needs of their user entities and obtain an objective evaluation of the effectiveness of controls that address operations and compliance, as well as financial reporting at those user entities. To provide the framework for CPAs to examine controls and to help management understand the related risks, the AICPA has established three Service Organization Control (SOC) reporting options (SOC 1, SOC 2 and SOC 3 reports).

SOC 1 engagements are performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization. SOC 1 reports focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity's financial statements. SOC 2 and SOC 3 engagements address controls at the service organization that relate to operations and compliance. SOC 1, 2 and 3 reports represent significant changes in service organization reporting approaches brought about as a result of several important changes.


SSAE-16 Scope Coverage at Sify

SSAE-16 (SOC-2) compliance reports on Controls at Sify Technologies covers Security, Availability, Processing Integrity, Confidentiality and Privacy. The controls are applicable for attributes that operate, collect, process, transmit, store, organize, maintain and dispose of information for customer entities. This applies to all Enterprise customers, who outsource IaaS, PaaS, Managed services, or entire functions built on Sify Cloud Platform across data centers covered under certification.

SOC 2 engagements use the predefined criteria in Trust Services Principles, Criteria and Illustrations, as well as the requirements and guidance in AT Section 101, Attest Engagements (AICPA, Professional Standards, Vol. 1). The controls stated in the description were suitably designed and operated effectively throughout the period of Audit to meet the criteria for Security, Availability, Processing Integrity and Confidentiality principles set forth in TSP section.

The scope of SSAE-16 (Soc 2) accreditation at Sify Technologies specifically address following five key system attributes: (A) Infrastructure: The physical and hardware components of the system (facilities, equipment and networks). (B) Software: The programs and the operating systems of the (Systems, applications and utilities). (C) Procedures: The automated and manual processes involved in the operation of the system. (D) People: The personnel involved in the operation and use of system (developers, operators, users and managers). (E) Data: The information used and supported by the system (transaction streams, files databases and tables)


Advantages of SSAE-16 (SOC-2) certification

SSAE-16 (SOC-2) certification by Sify assure its customers that Sify maintains the confidentiality of its customers' information in a secure manner and that the information will be available when it is needed. A SOC 2 report addressing security, availability and confidentiality provides customer entities with a description of the service organization's system and the controls that help achieve those objectives. A type 2 report also helps customer entities perform their evaluation of the effectiveness of controls that may be required by their governance process. Key areas and advantages of SSAE-16 coverage are:

  • Security - The system is protected against unauthorized access (both physical and logical).
  • Availability - The system is available for operation and use as committed or agreed.
  • Processing integrity - System processing is complete, accurate, timely and authorized.
  • Confidentiality - Information designated as confidential is protected as committed or agreed.
  • Privacy - Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the Sify's privacy notice, and with criteria set forth in Generally Accepted Privacy Principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants.
  • Customer Compliance - Enterprises running compliance driven environment would have advantage of running their setup on SSAE Certified environment.
  • Other Certifications and Continues improvement - Sify currently has certification for key industry compliance and processes which include QMS (ISO 9001:2008), ISMS (ISO 27001:2005), ITSM (ISO 20000-1:2005). SSAE-16 (SOC-2) accreditation is an achievement as a process of continues improvement in our practices to meet the global benchmarks.


Sify's Cloud Environment brief (covered under SSAE-16: SOC-2)

Sify's IaaS offers IT infrastructure components such as servers, storage, network, security and other fundamental computing resources, on an on-demand, self service, and pay per use basis. Customers can retain control of provisioned resources and deploy varied range of applications on top of this layer.

With dynamic scaling provision that allows organizations to scale up or down based on their application usage and needs, Sify Cloud Infrastructure as a Service (IaaS), comes in three variants—public (cloudinfinit) and private (Private Cloud) and combination of public and private – Hybrid Cloud.

Sify Cloud and Managed Services cover end to end spectrum across Advisory to Service Provider of Cloud and IT transformation practices. Service portfolio is broadly categorized in three pillar approach as below,

The Advisory and Enabler service portfolio is professional skill based services extended across Sify Data Centers as well as customer environment.

The Provider services portfolio deals with delivery of IT infrastructure as a service for varied IT deployment needs. This service is currently extended from Sify's Mumbai and Bangalore Tier-III datacenters and is planned to be expanded to other data centers in phased manner.

The Cloudinfinit portfolio includes monitoring, management, and performance capabilities to suit different client hosting needs – ranging from Sify providing a fully managed, end-to-end hosting solution to an entirely client-managed scenario where the user (Sify client) is responsible for managing its applications that are physically hosted at the Sify Data Center. Optional services can include Cloud Assessment, Application migration, Public/Private Cloud, Backup/Recovery, and Security Services.

SIfy Managed IT Services Centers (MITS) provide the primary point of customer contact and support; the Sify Global Network Operation Center (G-NOC) provides hosting / cloud network surveillance, network security (Firewall, IPS, DDoS protection, etc.) and network issue detection/resolution services.

Sify offers most comprehensive secured cloud environment to customer to meet stringent compliance needs.

Sify Awards & CertificationsSify Awards & CertificationsSify Awards & CertificationsSify Awards & CertificationsSify Awards & CertificationsSify Awards & Certifications


Marketing Automation Platform Marketing Automation Tool