Home Google Announces SSAE-16 Compliance

Google Announces SSAE-16 Compliance

Google has announced that its Google Apps, App Engine, Postini and Google Storage for Developers products have passed the SSAE-16 Type II and ISAE 3402 Type II certifications. Sounds great, but what does it actually mean?

Well, the SSAE-16 is actually the “American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 16 (SSAE-16).” Got all that? If you go read the sites related to SSAE-16 and ISAE 3402 linked by Google, you’ll probably come away with a head full of jargon and no better idea of what Google has achieved than before.

According to the End Point blog, it basically means that Google is saying that its products are suitable for customers that need to comply with legal requirements like Sarbanes-Oxley and that its data centers are secure. It also means that individual customers don’t need to perform their own audits of Google’s services – they can use Google’s SSAE-16 report in their own reporting.

The SSAE-16 evolved from a previous standard called SAS 70. What’s the difference? According to Curt Finch of Journyx, SSAE-16 “prohibits the use of prior evidence,” which means that companies can’t roll previous audits into the current certification.

SSAE also differs in that the company’s management is required to attest to “the fair presentation and design of controls.” Previously it was just the auditors that reported on a company’s controls. By the way, one might wonder who performed the audit for Google – but Google declined to publicly disclose who their auditor is.

In short, the SSAE-16 is a good thing to have, but it’s important to understand what it is and isn’t. Essentially, Google sets a series of controls and control objectives, and an auditor verifies that Google meets those practices. The SSAE-16 does not appear to be an objective measure that means that every organization that is SSAE-16 compliant is following the same procedures. (Note that the consensus seems to be that Google should announce “compliance” and not “certification.”)

If you’re really interested in Google’s data center security, they’ve posted a video tour of a Google data center to highlight security and data protections in place, as well as a security white paper that goes into more detail.

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.