Certifications

Certifications

Leaseweb systems are certified by third-party auditors and they comply with all the latest industry standards. Find out in detail all the relevant certifications of the assurance reports.

Pour la version française cliquez ici.

Leaseweb is compliant with the following standards:

  • ISO 27001
  • PCI DSS
  • SOC1
  • HIPAA
  • NEN 7510

Find out more about Leaseweb’s compliance with each certificate and assurance report – and the scope of what is covered by each one of them.

Security and Compliance

Certifications and assurance reports ensure logical security, physical security, service deployment, customer support, incident management, change management, and operational resilience meet industry-leading standards. ISO 27001, PCI DSS, SOC1, HIPAA, and NEN 7510 certifications/assurance reports and our external audit partners are recognized all around the world.

ISO 27001

The International Organization for Standardization (ISO) 27001:2022 is the international security standard used to benchmark the protection of sensitive data. ISO 27001 is recognized as the premier information security standard around the world. 

ISO 27001 details – click to expand

Certified Leaseweb entities

The following independent Leaseweb companies are covered by this certification:

  • Leaseweb Global B.V.
  • Leaseweb Netherlands B.V.
  • Leaseweb USA, Inc.
  • Leaseweb Deutschland GmbH
  • Leaseweb UK Ltd.
  • Leaseweb Singapore Pte. Ltd

Services covered

The following services are certified:

ISO 27001 version

Leaseweb is certified according to the latest (2022) version of the ISO/IEC 27001 standard.

Certifying agent

Certification was carried out by EY CertifyPoint. EY CertifyPoint is accredited by the Raad voor Accreditatie (RvA) which is a member of the International Accreditation Forum (IAF). Their certificates are recognized as valid in all IAF member countries.

Certificate register

The certificate is listed in the certificate register of CertifyPoint. 

Certificate download

You can download a copy of the certificate on our Compliance & Security page.

27001 certified by association

As a client or reseller, you are not certified by association. However, as Leaseweb is ISO 27001 certified, it will make your own certification process easier.

Official ISO 27001 standard

You can purchase a copy online from www.iso.org.

PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) certifies online credit card transactions and ensures that credit card data and personal, privacy-sensitive information are protected from theft. Please note that considering our service delivery, our certification covers only physical security aspects of the standard. Our services are by default not meant to process or store credit card transactions.

PCI DSS details – click to expand

Certified Leaseweb entities

The following independent Leaseweb companies are covered by this certification:

  • Leaseweb Global B.V.

Certified data centers

The following data centers in our portfolio are certified:

  • AMS-01
  • FRA-01
  • LON-01
  • SIN-01
  • WDC-02

Services covered

The PCI Data Security Standard (PCI DSS) ensures the secure handling of sensitive information and is intended to help organizations proactively protect customer account data. 

As Leaseweb does not monitor or has access to customer data, applicability of the PCI/DSS certification is restricted to physical security access to customer equipment through a combination of management systems and physical access safeguards and procedures. The covered aspects of the PCI/DSS certification are 9.1 to 9.4, 9.10, 10.6.1, 11.1.2, 12.1, 12.2, 12.4 to 12.10.

IncludedExcluded
Hosting provider: Physical space (co-location) Security services Secured housing servicesHosting provider: Shared Hosting provider Cloud services
Managed services: Physical security Managed services: IT Support
  Network provider

Certificate version

Leaseweb is certified according to the latest version (4.0) of the PCI DSS standard.

Quality Security Assessor

The assessments were carried out by our global QSA partner ComSec Consulting.

Applicability

All merchants manage their own PCI DSS certification. Your QSA can rely on our PCI compliance but you will still be required to satisfy all other PCI compliance and testing requirements including how you manage the cardholder environment that you host with the relevant Leaseweb entity.

Attestation of Compliance (AoC)

Please contact your Account Manager or our Sales department if you would like to receive a copy of the Attestation of Compliance (AoC).

SOC1

Service Organization Controls (SOC)1 reports attest that the Leaseweb control objectives are appropriately designed and that the controls are operating effectively. Normally, SOC1 is associated with financial controls, but given the type of our business, we broadened the remit of our assurance reports to reflect our close connection with IT issues. This also enhances their relevance to you as a customer and your operations.

There are two types of reports: type I and type II, where type II adds an extended assertion and auditor’s opinion on the operating effectiveness of your controls.

SOC1 details – click to expand

Leaseweb entities

All the independent Leaseweb companies have a SOC1 assurance report:

  • Leaseweb Netherlands B.V. (Type II)
  • Leaseweb Deutschland GmbH (Type II)
  • Leaseweb USA, Inc. (Type II)
  • Leaseweb Singapore Pte. Ltd. (Type II)
  • Leaseweb UK Ltd. (Type II)

Services covered

The following services are covered in these reports:

Control objectives

The following control objectives are covered in our reports:

Objective areaObjective descriptionControls provide reasonable assurance that services to clients are appropriately deployed and managed to ensure timely and standardized delivery.
Logical security Controls provide reasonable assurance that logical security is appropriately implemented, administered and logged to safeguard against unauthorized access to or modifications of the customer portal that our clients are using to administer their infrastructure and administration.Leaseweb Netherlands
Leaseweb Deutschland
Leaseweb USA
Leaseweb Singapore
Physical securityControls provide reasonable assurance that physical access to the data centers is restricted to authorized individuals to prevent unauthorized use, disclosure, modification, damage or loss of data.Leaseweb Netherlands
Leaseweb USA
Service deploymentControls provide reasonable assurance that the customer support teams timely and effectively act on clients’ infrastructure problems to minimize service disruptions.Leaseweb Netherlands
Leaseweb Deutschland
Leaseweb USA
Leaseweb Singapore
Customer supportControls provide reasonable assurance that incidents on the shared infrastructure are appropriately managed, resolved and analyzed to minimize disruption and impact on the services.Leaseweb Netherlands
Leaseweb Deutschland
Leaseweb USA
Leaseweb Singapore
Incident managementControls provide reasonable assurance that changes in the shared infrastructure are appropriately managed to minimize the disruption and impact of the services.Leaseweb Netherlands
Leaseweb Deutschland
Leaseweb USA
Leaseweb Singapore
Change managementControls provide reasonable assurance that changes on the shared infrastructure are appropriately managed to minimize the disruption and impact of the services.Leaseweb Netherlands
Leaseweb Deutschland
Leaseweb USA
Leaseweb Singapore
Operational resilienceOperations are appropriately managed to safeguard the data center facilities to avoid and minimize service disruptions. Leaseweb Netherlands
Leaseweb USA

SOC1 certificate download

You can download a copy of the different SOC1 certificates on our Compliance & Security page.

International standard (ISAE 3402)

The independent third-party audit for the various Leaseweb reports has been conducted in accordance with the International Standard on Assurance Engagements No. 3402 (ISAE 3402), Dutch law, and attestation standards established by the American Institute of Certified Public Accountants (CPA).

Independent third-party auditor

The SOC1 examinations of the independent Leaseweb companies are performed by Ernst & Young Accountants LLP.

Period covered

Our SOC1 reports are issued on an annual basis and cover the period January 1 – December 31. New reports will be issued at the end of January of each year. An assurance report is always based on the previous year. 

SOC1 report by association

As a client or reseller, you do not have a SOC1 report by association, but as Leaseweb has a SOC1 report it will make your compliance process easier.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets out standards for security controls to protect health information stored or processed online. Although there is no specific HIPAA certification for service providers like Leaseweb, EY has issued us with a third-party statement that recognizes our platform as being compliant with HIPAA’s requirements. 

HIPAA details – click to expand

Version

The provided third-party statement is based on the Health Information Security provisions of HIPAA Administrative Simplification Regulations set forth in 45 CFR Parts 160, 162, and 164 (as amended through March 2103) for Health Information Security provisions of Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as of May 29, 2015.

Compliant entities

Considering this is a US standard, only Leaseweb USA, Inc. is compliant. Leaseweb Netherlands B.V., however, is compliant with the Dutch Health care standard NEN 7510.

Compliant data centers

Leaseweb USA, Inc. – WDC-01

Processes covered

Given the type of services offered by Leaseweb USA, Inc., their HIPAA compliance is focused on physical security, operational resilience, incident management, and service deployment.

Third-party auditor

The HIPAA compliance examination is performed by Ernst & Young Accountants LLP.

Statement download

You can download a copy of the HIPAA compliance statement on our Compliance & Security page.

HIPAA compliant by association

As a client or reseller, you are not HIPAA compliant by association, but as Leaseweb USA, Inc. has a HIPAA compliance statement it will make your compliance process easier.

NEN 7510

NEN 7510 is the standard developed by the Nederlands Normalisatie Institute for information security in the health sector. We have received a third-party statement from EY for compliance with the NEN 7510’s requirements.

NEN 7510 details – click here to expand

Version

The examination is performed according to the latest version of the NEN 7510 standard.

Compliant entities

Considering this is a Dutch standard, only Leaseweb Netherlands B.V. is compliant. Leaseweb USA, Inc. is compliant with the US Health care standard HIPAA (Health Insurance Portability and Accountability Act).

Compliant data centers

Leaseweb Netherlands B.V. – AMS-01

Processes covered

Given the type of services offered by Leaseweb Netherlands B.V. our NEN 7510 compliance is focused on physical security, information security policy, risk management, operational resilience, incident management and service deployment.

Third-party auditor

The NEN 7510 compliance examination is performed by Ernst & Young Accountants LLP.

Statement download

You can download a copy of the NEN 7510 compliance statement on our Compliance & Security page.

NEN 7510 compliant by association

As a client or reseller, you are not NEN 7510 compliant by association, but as Leaseweb Netherlands B.V. has a NEN 7510 compliance statement it will make your compliance process easier.

Official NEN 7510 standard

You can download a copy online from NEN.


The PCI Data Security Standard (PCI DSS) ensures the secure handling of sensitive information and is intended to help organizations proactively protect customer account data.

As Leaseweb does not monitor or has access to customer data, applicability of the PCI/DSS certification is restricted to physical security access to customer equipment through a combination of management systems and physical access safeguards and procedures. The covered aspects of the PCI/DSS certification are: 9.1 to 9.4, 9.10, 10.6.1, 11.1.2, 12.1, 12.2, 12.4 to 12.10.


Certifications

Les systèmes Leaseweb sont certifiés par des auditeurs tiers et ils sont conformes à toutes les dernières normes du secteur. Découvrez en détail toutes les certifications pertinentes des rapports d’assurance.

Leaseweb est conforme aux normes suivantes :

  • ISO 27001
  • PCI DSS
  • SOC1
  • HIPAA
  • NEN 7510

Découvrez la conformité de Leaseweb à chaque certificat et rapport d’assurance – et l’étendue de ce qui est couvert par chacun d’eux.

Sécurité et conformité

Les certifications et les rapports d’assurance garantissent que la sécurité logique, la sécurité physique, le déploiement des services, le support client, la gestion des incidents, la gestion des changements et la résilience opérationnelle répondent aux normes de pointe du secteur. Les certifications/rapports d’assurance ISO 27001, PCI DSS, SOC1, HIPAA et NEN 7510 et nos partenaires d’audit externe sont reconnus dans le monde entier.

ISO 27001

L’Organisation internationale de normalisation (ISO) 27001:2022 est la norme de sécurité internationale utilisée pour évaluer la protection des données sensibles. L’ISO 27001 est reconnue comme la première norme de sécurité de l’information dans le monde.

ISO 27001 détails – cliquez pour agrandir

Entitée Leaseweb certifié

Les entreprises Leaseweb indépendantes suivantes sont couvertes par cette certification :

  • Leaseweb Global B.V.
  • Leaseweb Netherlands B.V.
  • Leaseweb USA, Inc.
  • Leaseweb Deutschland GmbH
  • Leaseweb UK Ltd.
  • Leaseweb Singapore Pte. Ltd

Services couverts

Les services suivants sont certifiés :

Version ISO 27001

Leaseweb est certifié conformément à la dernière version (2022) de la norme ISO/IEC 27001 standard.

Agent de certification

La certification a été effectuée par EY CertifyPoint. EY CertifyPoint est accrédité par le Raad voor Accreditatie (RvA), qui est membre de l’International Accreditation Forum (IAF). Leurs certificats sont reconnus comme valides dans tous les pays membres de l’IAF.

Registre des certificats

Le certificat est répertorié dans le registre des certificats de CertifyPoint.

Téléchargement de certificat

Vous pouvez télécharger une copie du certificat sur notre page Conformité et sécurité.

27001 certifié par association

En tant que client ou revendeur, vous n’êtes pas certifié par l’association. Cependant, comme Leaseweb est certifié ISO 27001, cela facilitera votre propre processus de certification.

ISO 27001 standard officiel

Vous pouvez acheter une copie en ligne sur https://www.iso.org.

PCI DSS

La norme de sécurité des données de l’industrie des cartes de paiement (PCI DSS) certifie les transactions par carte de crédit en ligne et garantit que les données des cartes de crédit et les informations personnelles et confidentielles sont protégées contre le vol. Veuillez noter que, compte tenu de notre prestation de services, notre certification ne couvre que les aspects de sécurité physique de la norme. Par défaut, nos services ne sont pas destinés à traiter ou à stocker des transactions par carte de crédit.

PCI DSS détails – cliquez pour agrandir

Entitée Leaseweb certifié

Les entreprises Leaseweb indépendantes suivantes sont couvertes par cette certification:

  • Leaseweb Global B.V

Centre de données certifié

Les centres de données suivants de notre portefeuille sont certifiés :

  • AMS-01
  • FRA-01
  • LON-01
  • SIN-01
  • WDC-02

Services couverts

La norme de sécurité des données PCI (PCI DSS) garantit le traitement sécurisé des informations sensibles et vise à aider les entreprises à protéger de manière proactive les données des comptes clients.

Étant donné que Leaseweb ne surveille pas les données des clients et n’y a pas accès, l’applicabilité de la certification PCI/DSS est limitée à la sécurité physique de l’accès aux équipements des clients par une combinaison de systèmes de gestion et de mesures et procédures de protection de l’accès physique. Les aspects couverts par la certification PCI/DSS sont les suivants : 9.1 à 9.4, 9.10, 10.6.1, 11.1.2, 12.1, 12.2, 12.4 à 12.10.

InclusExclus
Fournisseur d’hébergement : Place physique (co-location) Service de sécurité Services de logement sécuriséFournisseur d’hébergement: Fournisseur d’hébergement partagé Services en nuage
Services gérés : Sécurité physique Services gérés : Support TI
 Fournisseur réseau

Version de certificat

Leaseweb est certifié selon la dernière version (4.0) de la norme PCI DSS.

Assesseur à la sécurité de la qualité

Les évaluations ont été réalisées par notre partenaire QSA mondial ComSec Consulting.

Applicabilité

Tous les commerçants gèrent leur propre certification PCI DSS. Votre QSA peut s’appuyer sur notre conformité PCI, mais vous devrez néanmoins satisfaire à toutes les autres exigences de conformité et de test PCI, notamment en ce qui concerne la gestion de l’environnement des titulaires de cartes que vous hébergez au sein de l’entité Leaseweb concernée.

Attestation de conformité (AC)

Veuillez contacter votre gestionnaire de compte ou notre service commercial si vous souhaitez recevoir une copie de l’attestation de conformité (AC).

SOC1

Les rapports Service Organization Controls (SOC)1 attestent que les objectifs de contrôle de Leaseweb sont conçus de manière appropriée et que les contrôles fonctionnent efficacement. Normalement, le rapport SOC1 est associé aux contrôles financiers, mais compte tenu de la nature de notre activité, nous avons élargi le champ d’application de nos rapports d’assurance afin de refléter notre lien étroit avec les questions informatiques. Cela renforce également leur pertinence pour vous en tant que clients et pour vos opérations.

Il existe deux types de rapports : le type I et le type II, le type II ajoutant une assertion étendue et l’opinion de l’auditeur sur l’efficacité opérationnelle de vos contrôles.

SOC1 détails – cliquez pour agrandir

Entitée Leaseweb certifié

Toutes les sociétés indépendantes de Leaseweb disposent d’un rapport d’assurance SOC1 :

  • Leaseweb Netherlands B.V. (Type II)
  • Leaseweb Deutschland GmbH (Type II)
  • Leaseweb USA, Inc. (Type II)
  • Leaseweb Singapore Pte. Ltd. (Type II)
  • Leaseweb UK Ltd. (Type II)

Services couverts

Les services suivants sont couverts par ces rapports:

Objectifs de contrôle

Zone d’objectifDescription de l’objectifInclus dans le rapport
Sécurité logiqueLes contrôles fournissent une assurance raisonnable que la sécurité logique est mise en œuvre, administrée et enregistrée de manière appropriée afin de se prémunir contre tout accès non autorisé ou toute modification du portail client que nos clients utilisent pour gérer leur infrastructure et leur administration.Leaseweb Pays-Bas
Leaseweb Deutschland
Leaseweb USA
Leaseweb Singapore
Sécurité physiqueLes contrôles fournissent une assurance raisonnable que l’accès physique aux centres de données est limité aux personnes autorisées afin d’empêcher l’utilisation, la divulgation, la modification, l’endommagement ou la perte de données sans autorisation.Leaseweb Pays-Bas
Leaseweb USA
Déploiement des servicesLes contrôles fournissent une assurance raisonnable que les services aux clients sont déployés et gérés de manière appropriée afin de garantir une prestation standardisée et en temps voulu.Leaseweb Pays-Bas
Leaseweb Deutschland
Leaseweb USA
Leaseweb Singapore
Soutien à la clientèleLes contrôles fournissent une assurance raisonnable que les équipes d’assistance à la clientèle interviennent en temps utile et de manière efficace sur les problèmes d’infrastructure des clients afin de minimiser les interruptions de service.Leaseweb Pays-Bas
Leaseweb Deutschland
Leaseweb USA
Leaseweb Singapore
Gestion des incidentsLes contrôles fournissent une assurance raisonnable que les incidents survenant sur l’infrastructure partagée sont gérés, résolus et analysés de manière appropriée afin de minimiser la perturbation et l’impact des services.Leaseweb Pays-Bas
Leaseweb Deutschland
Leaseweb USA
Leaseweb Singapore
Gestion du changementLes contrôles fournissent une assurance raisonnable que les changements apportés à l’infrastructure partagée sont gérés de manière appropriée afin de minimiser les perturbations et l’impact des services.Leaseweb Pays-Bas
Leaseweb Deutschland
Leaseweb USA
Leaseweb Singapore
Résilience opérationnelleLes opérations sont gérées de manière appropriée pour protéger les installations du centre de données afin d’éviter et de minimiser les interruptions de service.Leaseweb Pays-Bas
Leaseweb USA


Certifications - Frequently Asked Questions

  • Is it because of these certifications that automatically all my data is secure?

    As a customer of Leaseweb, you share the responsibility of the IT environment and the protection of data.

    We manage the security of the shared infrastructure and make sure that our cloud infrastructure, dedicated servers, and network operates in a controlled and secure manner, the physical security of our data centers are in place, and make sure that you can safely use our Customer Portal. As a customer, you are responsible for the security in your own infrastructure. This means OS management, encryption, (security) patching, access control, application management, firewall settings and back-ups.

     

  • Do you have a SOC2 report?

    We do not have a SOC2 report.

    Although we do have SOC1 assurance reports in place for all the independent Leaseweb companies. The SOC1 is a similar standard as the SOC2, both are reports on controls at a service organization and are audited by accountants. The difference is that SOC2 has a mandatory set of controls. At the moment we consider the SOC1 as the preferred internal standard due to its flexibility, it allows us to completely tailor and update the framework to our activities, risks and client expectations.

     

     

  • Do you have a SAS70 report?

    SOC1 reports have effectively replaced SAS 70 reports as of June 15, 2011.

     

  • Do you have a SSAE16 report?

    Please refer to our SOC1 reports. Our SOC1 reports have been conducted in accordance with the International Standard on Assurance Engagements No. 3402 (ISAE 3402), which like the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) prescribes Service Organization Control reports.

    The difference is that SSAE 16 is issued by the American Institute of Certified Public Accountants (AICPA) and the ISAE 3402 is issued by the International Auditing and Assurance Standards Board (IAASB).

     

  • Can I perform my own data center or Leaseweb operations audits?

    We are unable to support this because potentially thousands of customers can then audit our services and facilities. Plus this would expose additional risks to our infrastructure and facilities.

    We do understand that you need to have confidence that we meet security and compliance objectives. To help you in this and give the reassurance you need, we employ independent third party auditors to state and certify that our systems, data centers and processes comply with all the latest industry standards. Please visit our Compliance & Security page for the complete overview.

     

  • Can I perform penetration tests on or from my own hosted infrastructure at Leaseweb?

    Permission is required for all penetration tests to or originating from Leaseweb resources.

    Please contact our security department first to request authorization for penetration testing.  Be aware that we do not permit penetration testing on all our services as this could have potential negative performance impacts on shared resources in our infrastructure. Our security department can inform you about this.

     

  • Can you customize your audits for me?

    Due to the size of our customer base and global operations, we are unable to customize our audits based on individual client needs.