PivotLink Security

PivotLink Receives SAS 70 Type II Certification

"SAS 70 Type II certification demonstrates our total commitment to constant improvement and delivering value to our customers. To date, PivotLink is the only On-Demand Business Analytics service that is SAS 70 Type II certified. With more than 7,200 users worldwide, it's absolutely essential for our customers to trust PivotLink's ability to unequivocally protect their data. Completing the audit provides further validation and assurance to our customers."

- Frank Fulton, SVP of Operations, PivotLink

What does the SAS 70 audit cover?

The SAS 70 audit is an intensive process, requiring months of preparation. A SAS 70 Type II certification can take years to acquire, but the preparation work, including documentation and process development, is highly valuable. Issued by Moss Adams LLP, an independent accounting firm, a Service Auditor's Report with an unqualified opinion differentiates the service organization from its peers by demonstrating effectively designed control objectives and control activities.

The SAS 70 audit includes a review of the processes and controls for physical security and for facilities redundancy and maintenance. Leading the charge is redundancy – of everything. A SAS 70 audit ensures that claimed backup systems for power, fire suppression, network connectivity, and security are in place and properly managed. Hardware failure can often be attributed to a lack of preventative maintenance of critical infrastructure components and other "pre-failure investments". The SAS 70 Type II audit assures that any claim of preventative maintenance is backed up with proper documentation and service records.

The audit assures that PivotLink's service has the necessary controls in place to effectively manage and protect customer data. For its Type II audit, PivotLink identified control objectives in the following areas that were then examined, tested, and certified by the auditors:

  • Control environment
  • Physical Security (e.g., ensure appropriate access to the server facility)
  • Environmental Security
  • Computer Operations (e.g., backup data and ensure 99.9% uptime)
  • Information Security
  • Data Communications

What is the difference between SAS 70 Type I and Type II certification?

There are two types of SAS 70 audits, both of which offer a report as the primary deliverable.

In a Type I audit, the service organization provides a detailed description of the internal controls to be examined by the auditor. The auditor then issues a statement assessing the fairness of that description, as well as an opinion on whether the controls are suitably designed to achieve the objectives included in the description. Many service providers offer a Type I audit, which lacks the level of due diligence offered by a Type II audit. Type I reports do not state whether the controls described by the service provider are operating effectively, because a Type I audit does not include external or iterative testing of those controls.

A SAS 70 Type II audit is much more involved, actively testing the service provider's designed controls over a six-month period to determine whether they are in fact operating effectively, consistently, and as designed. A Type II report includes the same assessment as a Type I report, augmented with a thorough description of the specific tests applied and their corresponding results. Simply stated, a Type II certification means that:

  • The processes adopted by PivotLink are appropriate to our goals of protecting customer information
  • The processes work as described
  • The processes were tested and audited by an independent third-party auditor, in this case Moss Adams
  • To maintain certified status, these processes will be audited regularly

Why is SAS 70 Type II certification important for customers?

In today's global economy, service organizations and service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. Because a SAS 70 Service Auditor's Report certifies a provider's integrity and operational excellence, PivotLink customers have greater confidence that they are entrusting their critical business data to a capable and qualified organization. Other benefits include:

  • Satisfy customers' financial audit requirements
  • Satisfy customers' Sarbanes-Oxley 404 requirements
  • Satisfy regulatory compliance requirements
  • Satisfy contract requirements
  • Documentation and testing of internal control structure

A SAS 70 audit is voluntary, so it reflects a high level of commitment by PivotLink and also assists companies in meeting regulatory compliance for HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley Act of 2002), GLBA (Gramm-Leach-Bliley Act of 1999), and ISO 17799. Businesses regulated by compliance initiatives such as HIPAA and Sarbanes-Oxley may already realize that establishing, documenting, and testing processes is an expensive proposition. In the event of a business audit, a company is able to use the established SAS 70 documents as a baseline for its regulatory compliance. This allows our customers to reduce expenses toward regulatory compliance and streamline any effort that is necessary to complete the regulatory audit.