Certifications

LeaseWeb systems are certified by third-party auditors and comply with the latest industry standards. Find out in detail which certifications and assurance reports apply, and what each one covers.

Description

LeaseWeb is compliant with the following standards:

  • ISO 27001
  • PCI DSS
  • SOC1
  • HIPAA
  • NEN 7510

Find out more about LeaseWeb's compliance with each certificate and assurance report, and the scope of what each one covers.

Security and compliance

Certifications and assurance reports provide assurance that logical security, physical security, service deployment, customer support, incident management, change management, and operational resilience meet industry-leading standards. The ISO 27001, PCI DSS, SOC1, HIPAA, and NEN 7510 certifications and assurance reports, and our external audit partners, are recognized all around the world.

ISO 27001

The International Organization for Standardization (ISO) 27001:2013 is the international security standard used to benchmark the protection of sensitive data. ISO 27001 is recognized as the premier information security standard around the world. 

Certified LeaseWeb entities

The following independent LeaseWeb companies are covered by this certification:

  • LeaseWeb Netherlands B.V.
  • LeaseWeb Global Services B.V.
  • LeaseWeb Deutschland GmbH
  • LeaseWeb USA, Inc.
  • LeaseWeb Asia Pacific Ltd

Services covered

The following services are certified:

ISO 27001 version

LeaseWeb is certified according to the latest (2013) version of the ISO/IEC 27001 standard.

Certifying agent

Certification was carried out by EY CertifyPoint. EY CertifyPoint is accredited by the Raad voor Accreditatie (RvA) which is a member of the International Accreditation Forum (IAF). Their certificates are recognized as valid in all IAF member countries.

Certificate register

The certificate is listed in the certificate register of CertifyPoint. 

Certificate download

You can download a copy of the certificate on our Compliance & Security page.

ISO 27001 certified by association

As a client or reseller, you are not certified by association. However, because LeaseWeb is ISO 27001 certified, your own certification process will be easier.

Official ISO 27001 standard

You can purchase a copy online from www.iso.org.


PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) governs the handling of online credit card transactions and ensures that credit card data and personal, privacy-sensitive information is protected from theft. Please note that, given the nature of our service delivery, our certification covers only the physical security aspects of the standard. Our services are by default not meant to process or store credit card transactions.

Certified LeaseWeb entities

The following independent LeaseWeb companies are covered by this certification:

  • LeaseWeb Deutschland GmbH (FRA10)
  • LeaseWeb USA, Inc. (WDC1)

Certified data centers

The following data centers in our portfolio are certified:

  • AMS-01
  • AMS-10
  • FRA-10
  • WDC-01
  • SIN-11
  • HKG-10

Services covered

The PCI Data Security Standard (PCI DSS) ensures the secure handling of sensitive information and is intended to help organizations proactively protect customer account data. 

As LeaseWeb does not monitor or have access to customer data, the applicability of the PCI DSS certification is restricted to physical access security for customer equipment, achieved through a combination of management systems and physical access safeguards and procedures. The covered requirements of the PCI DSS certification are: 9.1 to 9.4, 9.10, 10.6.1, 11.1.2, 12.1, 12.2, 12.4 to 12.10.

Included:

Hosting provider:

  • Physical space (co-location)
  • Security services
  • Secured housing services

Managed services:

  • Physical security

Excluded:

Hosting provider:

  • Shared hosting provider
  • Cloud services

Managed services:

  • IT support

Network provider

Certificate version

LeaseWeb is certified according to the latest version (3.0) of the PCI DSS standard.

Qualified Security Assessor

The assessments were carried out by our global QSA partner ComSec Consulting.

Applicability

All merchants manage their own PCI DSS certification. Your QSA can rely on our PCI compliance, but you will still be required to satisfy all other PCI compliance and testing requirements, including how you manage the cardholder environment that you host with the relevant LeaseWeb entity.

Attestation of Compliance (AoC)

Please contact your Account Manager or our Sales department if you would like to receive a copy of the Attestation of Compliance (AoC).

SOC1

A Service Organization Control (SOC) 1 report attests that the LeaseWeb control objectives are appropriately designed and that the controls are operating effectively. Normally, SOC1 is associated with financial controls, but given the type of our business, we broadened the remit of our assurance reports to reflect our close connection with IT issues. This also enhances their relevance to you as a customer and to your operations.

There are two types of report: type I and type II, where type II adds an extended assertion and auditor's opinion on the operating effectiveness of the controls.

LeaseWeb entities

All the independent LeaseWeb companies have a SOC1 assurance report:

  • LeaseWeb Netherlands B.V. (Type II)
  • LeaseWeb Deutschland GmbH (Type II)
  • LeaseWeb USA, Inc. (Type II)
  • LeaseWeb Asia Pacific Ltd (Type II)

Services covered

The following services are covered in these reports:

Control objectives

The following control objectives are covered in our reports:

Each objective area is listed with its description and the entities whose report includes it:

Logical security
Controls provide reasonable assurance that logical security is appropriately implemented, administered and logged to safeguard against unauthorized access to or modification of the customer portal that our clients use to administer their infrastructure and administration.
Included in report: LeaseWeb Netherlands, LeaseWeb Deutschland, LeaseWeb USA, LeaseWeb Asia Pacific

Physical security
Controls provide reasonable assurance that physical access to the data centers is restricted to authorized individuals to prevent unauthorized use, disclosure, modification, damage or loss of data.
Included in report: LeaseWeb Netherlands, LeaseWeb USA

Service deployment
Controls provide reasonable assurance that services to clients are appropriately deployed and managed to ensure timely and standardized delivery.
Included in report: LeaseWeb Netherlands, LeaseWeb Deutschland, LeaseWeb USA, LeaseWeb Asia Pacific

Customer support
Controls provide reasonable assurance that the customer support teams act on clients' infrastructure problems in a timely and effective manner to minimize service disruptions.
Included in report: LeaseWeb Netherlands, LeaseWeb Deutschland, LeaseWeb USA, LeaseWeb Asia Pacific

Incident management
Controls provide reasonable assurance that incidents on the shared infrastructure are appropriately managed, resolved and analyzed to minimize disruption to and impact on the services.
Included in report: LeaseWeb Netherlands, LeaseWeb Deutschland, LeaseWeb USA, LeaseWeb Asia Pacific

Change management
Controls provide reasonable assurance that changes on the shared infrastructure are appropriately managed to minimize disruption to and impact on the services.
Included in report: LeaseWeb Netherlands, LeaseWeb Deutschland, LeaseWeb USA, LeaseWeb Asia Pacific

Operational resilience
Operations are appropriately managed to safeguard the data center facilities and to avoid and minimize service disruptions.
Included in report: LeaseWeb Netherlands, LeaseWeb USA


SOC1 certificate download

You can download a copy of the different SOC1 certificates on our Compliance & Security page.

International standard (ISAE 3402)

The independent third-party audit for the various LeaseWeb reports has been conducted in accordance with the International Standard on Assurance Engagements No. 3402 (ISAE 3402), Dutch law, and the attestation standards established by the American Institute of Certified Public Accountants (AICPA).

Independent third-party auditor

The SOC1 examinations of the independent LeaseWeb companies are performed by Ernst & Young Accountants LLP.

Period covered

Our SOC1 reports are issued on an annual basis and cover the period January 1 to December 31. New reports are issued at the end of January each year; an assurance report always covers the previous year.

SOC1 report by association

As a client or reseller you do not have a SOC1 report by association, but because LeaseWeb has a SOC1 report, your own compliance process will be easier.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets out standards for security controls to protect health information stored or processed online. Although there is no specific HIPAA certification for service providers like LeaseWeb, EY has issued us with a third party statement that recognizes our platform as being compliant with HIPAA’s requirements. 

Version

The third party statement is based on the Health Information Security provisions of the HIPAA Administrative Simplification Regulations set forth in 45 CFR Parts 160, 162, and 164 (as amended through March 2013) for the Health Information Security provisions of Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as of May 29, 2015.

Compliant entities

As this is a US standard, only LeaseWeb USA, Inc. is compliant. LeaseWeb Netherlands B.V., however, is compliant with the Dutch health care standard NEN 7510.

Compliant data centers

LeaseWeb USA, Inc. - WDC-01

Processes covered

Given the type of services offered by LeaseWeb USA, Inc., their HIPAA compliance is focused on physical security, operational resilience, incident management, and service deployment.

Third party auditor

The HIPAA compliance examination is performed by Ernst & Young Accountants LLP.

Statement download

You can download a copy of the HIPAA compliance statement on our Compliance & Security page.

HIPAA compliant by association

As a client or reseller you are not HIPAA compliant by association, but because LeaseWeb USA, Inc. has a HIPAA compliance statement, your own compliance process will be easier.

NEN 7510

NEN 7510 is the standard developed by the Nederlands Normalisatie-instituut (NEN) for information security in the health sector. We have received a third party statement from EY confirming compliance with the requirements of NEN 7510.

Version

The examination is performed according to the latest version of the NEN 7510 standard.

Compliant entities

As this is a Dutch standard, only LeaseWeb Netherlands B.V. is compliant. LeaseWeb USA, Inc. is, however, compliant with the US health care standard HIPAA (Health Insurance Portability and Accountability Act).

Compliant data centers

LeaseWeb Netherlands B.V. - AMS-01

Processes covered

Given the type of services offered by LeaseWeb Netherlands B.V. our NEN 7510 compliance is focused on physical security, information security policy, risk management, operational resilience, incident management and service deployment.

Third party auditor

The NEN 7510 compliance examination is performed by Ernst & Young Accountants LLP.

Statement download

You can download a copy of the NEN 7510 compliance statement on our Compliance & Security page.

NEN 7510 compliant by association

As a client or reseller you are not NEN 7510 compliant by association, but because LeaseWeb Netherlands B.V. has a NEN 7510 compliance statement, your own compliance process will be easier.

Official NEN 7510 standard

You can download a copy online from NEN.


FAQ about security and certifications

Does it follow from these certifications that all my data is automatically secure?

As a customer of LeaseWeb, you share responsibility for the IT environment and the protection of data.

We manage the security of the shared infrastructure: we make sure that our cloud infrastructure, dedicated servers, and network operate in a controlled and secure manner, that the physical security of our data centers is in place, and that you can safely use our Customer Portal. As a customer, you are responsible for the security of your own infrastructure. This means OS management, encryption, (security) patching, access control, application management, firewall settings and backups.

Do you have a SOC2 report?

We do not have a SOC2 report.

We do, however, have SOC1 assurance reports in place for all the independent LeaseWeb companies. SOC1 is a standard similar to SOC2: both are reports on controls at a service organization and both are audited by accountants. The difference is that SOC2 has a mandatory set of controls. At the moment we consider SOC1 the preferred internal standard because of its flexibility: it allows us to completely tailor and update the framework to our activities, risks and client expectations.

Do you have a SAS70 report?

SOC1 reports have effectively replaced SAS 70 reports as of June 15, 2011. 

Do you have a SSAE16 report?

Please refer to our SOC1 reports. Our SOC1 reports have been conducted in accordance with the International Standard on Assurance Engagements No. 3402 (ISAE 3402), which like the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) prescribes Service Organization Control reports.

The difference is that SSAE 16 is issued by the American Institute of Certified Public Accountants (AICPA) and the ISAE 3402 is issued by the International Auditing and Assurance Standards Board (IAASB).

Can I perform my own data center or LeaseWeb operations audits?

We are unable to support this, because potentially thousands of customers could then audit our services and facilities, and doing so would expose our infrastructure and facilities to additional risk.

We do understand that you need to have confidence that we meet security and compliance objectives. To help you with this and give you the reassurance you need, we employ independent third party auditors to state and certify that our systems, data centers and processes comply with the latest industry standards. Please visit our Compliance & Security page for the complete overview.

Can I perform penetration tests on or from my own hosted infrastructure at LeaseWeb?

Permission is required for all penetration tests to or originating from LeaseWeb resources.

Please contact our security department first to request authorization for penetration testing. Be aware that we do not permit penetration testing on all of our services, as it could have a negative performance impact on shared resources in our infrastructure. Our security department can inform you about this.

Can you customize your audits for me?

Due to the size of our customer base and global operations, we are unable to customize our audits based on individual client needs.
