Certifications

Leaseweb systems are certified by third-party auditors and comply with all the latest industry standards. Find out in detail about all the relevant certifications and assurance reports.

Description

Leaseweb is compliant with the following standards:

  • ISO 27001
  • PCI DSS
  • SOC1
  • HIPAA
  • NEN 7510

Find out more about Leaseweb’s compliance with each certificate and assurance report, and the scope of what is covered by each one of them.

Security and compliance

Certifications and assurance reports ensure logical security, physical security, service deployment, customer support, incident management, change management, and operational resilience meet industry-leading standards. ISO 27001, PCI DSS, SOC1, HIPAA, and NEN 7510 certifications/assurance reports and our external audit partners are recognized all around the world.

ISO 27001

The International Organization for Standardization (ISO) 27001:2013 is the international security standard used to benchmark the protection of sensitive data. ISO 27001 is recognized as the premier information security standard around the world. 

Certified Leaseweb entities

The following independent Leaseweb companies are covered by this certification:

  • Leaseweb Netherlands B.V.
  • Leaseweb Global Services B.V.
  • Leaseweb Deutschland GmbH
  • Leaseweb USA, Inc.
  • Leaseweb Singapore Pte. Ltd.

Services covered

The following services are certified:

ISO 27001 version

Leaseweb is certified according to the latest (2013) version of the ISO/IEC 27001 standard.

Certifying agent

Certification was carried out by EY CertifyPoint. EY CertifyPoint is accredited by the Raad voor Accreditatie (RvA) which is a member of the International Accreditation Forum (IAF). Their certificates are recognized as valid in all IAF member countries.

Certificate register

The certificate is listed in the certificate register of CertifyPoint. 

Certificate download

You can download a copy of the certificate on our Compliance & Security page.

27001 certified by association

As a client or reseller, you are not certified by association. However, as Leaseweb is ISO 27001 certified, it will make your own certification process easier.

Official ISO 27001 standard

You can purchase a copy online from www.iso.org.


PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) certifies online credit card transactions and ensures that credit card data and personal, privacy-sensitive information is protected from theft. Please note that considering our service delivery, our certification covers only physical security aspects of the standard. Our services are by default not meant to process or store credit card transactions.

Certified Leaseweb entities

The following independent Leaseweb companies are covered by this certification:

  • Leaseweb Deutschland GmbH (FRA10)
  • Leaseweb USA, Inc. (WDC1)

Certified data centers

The following data centers in our portfolio are certified:

  • AMS-01
  • AMS-10
  • FRA-10
  • WDC-01
  • SIN-11
  • HKG-10
  • MTL-01
  • MTL-02
  • MTL-03

Services covered

The PCI Data Security Standard (PCI DSS) ensures the secure handling of sensitive information and is intended to help organizations proactively protect customer account data. 

As Leaseweb does not monitor or have access to customer data, the applicability of the PCI DSS certification is restricted to physical security access to customer equipment through a combination of management systems and physical access safeguards and procedures. The covered aspects of the PCI DSS certification are: 9.1 to 9.4, 9.10, 10.6.1, 11.1.2, 12.1, 12.2, 12.4 to 12.10.

Included, hosting provider:

  • Physical space (co-location)
  • Security services
  • Secured housing services

Excluded, hosting provider:

  • Shared Hosting provider
  • Cloud services

Included, managed services:

  • Physical security

Excluded, managed services:

  • IT Support

Network provider

Certificate version

Leaseweb is certified according to the latest version (3.0) of the PCI DSS standard.

Quality Security Assessor

The assessments were carried out by our global QSA partner ComSec Consulting.

Applicability

All merchants manage their own PCI DSS certification. Your QSA can rely on our PCI compliance, but you will still be required to satisfy all other PCI compliance and testing requirements, including how you manage the cardholder environment that you host with the relevant Leaseweb entity.

Attestation of Compliance (AoC)

Please contact your Account Manager or our Sales department if you would like to receive a copy of the Attestation of Compliance (AoC).

SOC1

Service Organization Controls (SOC) 1 reports attest that the Leaseweb control objectives are appropriately designed and that the controls are operating effectively. Normally, SOC1 is associated with financial controls, but given the type of our business, we broadened the remit of our assurance reports to reflect our close connection with IT issues. This also enhances their relevance to you as a customer and to your operations.

There are two types of reports: type I and type II, where type II adds an extended assertion and auditor’s opinion on the operating effectiveness of your controls.

Leaseweb entities

All the independent Leaseweb companies have a SOC1 assurance report:

  • Leaseweb Netherlands B.V. (Type II)
  • Leaseweb Deutschland GmbH (Type II)
  • Leaseweb USA, Inc. (Type II)
  • Leaseweb Singapore Pte. Ltd. (Type II)

Services covered

The following services are covered in these reports:

  • Cloud
  • Dedicated servers
  • Colocation
  • Web hosting
  • Domains

Control objectives

The following control objectives are covered in our reports:

Objective area: Logical security
Objective description: Controls provide reasonable assurance that logical security is appropriately implemented, administered and logged to safeguard against unauthorized access to or modifications of the customer portal that our clients are using to administer their infrastructure and administration.
Included in report:
  • Leaseweb Netherlands
  • Leaseweb Deutschland
  • Leaseweb USA
  • Leaseweb Asia Pacific

Objective area: Physical security
Objective description: Controls provide reasonable assurance that physical access to the data centers is restricted to authorized individuals to prevent unauthorized use, disclosure, modification, damage or loss of data.
Included in report:
  • Leaseweb Netherlands
  • Leaseweb USA

Objective area: Service deployment
Objective description: Controls provide reasonable assurance that services to clients are appropriately deployed and managed to ensure a timely and standardized delivery.
Included in report:
  • Leaseweb Netherlands
  • Leaseweb Deutschland
  • Leaseweb USA
  • Leaseweb Asia Pacific

Objective area: Customer support
Objective description: Controls provide reasonable assurance that the customer support teams timely and effectively act on client’s infrastructure problems to minimize service disruptions.
Included in report:
  • Leaseweb Netherlands
  • Leaseweb Deutschland
  • Leaseweb USA
  • Leaseweb Asia Pacific

Objective area: Incident management
Objective description: Controls provide reasonable assurance that incidents on the shared infrastructure are appropriately managed, resolved and analyzed to minimize disruption and impact of the services.
Included in report:
  • Leaseweb Netherlands
  • Leaseweb Deutschland
  • Leaseweb USA
  • Leaseweb Asia Pacific

Objective area: Change management
Objective description: Controls provide reasonable assurance that changes on the shared infrastructure are appropriately managed to minimize the disruption and impact of the services.
Included in report:
  • Leaseweb Netherlands
  • Leaseweb Deutschland
  • Leaseweb USA
  • Leaseweb Asia Pacific

Objective area: Operational resilience
Objective description: Operations are appropriately managed to safeguard the data center facilities to avoid and minimize service disruptions.
Included in report:
  • Leaseweb Netherlands
  • Leaseweb USA


SOC1 certificate download

You can download a copy of the different SOC1 certificates on our Compliance & Security page.

International standard (ISAE 3402)

The independent third-party audit for the various Leaseweb reports has been conducted in accordance with the International Standard on Assurance Engagements No. 3402 (ISAE 3402), Dutch law, and attestation standards established by the American Institute of Certified Public Accountants (AICPA).

Independent third-party auditor

The SOC1 examinations of the independent Leaseweb companies are performed by Ernst & Young Accountants LLP.

Period covered

Our SOC1 reports are issued on an annual basis and cover the period January 1 – December 31. New reports will be issued at the end of January of each year. An assurance report is always based on the previous year. 

SOC1 report by association

As a client or reseller you do not have a SOC1 report by association, but as Leaseweb has a SOC1 report it will make your compliance process easier.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets out standards for security controls to protect health information stored or processed online. Although there is no specific HIPAA certification for service providers like Leaseweb, EY has issued us with a third party statement that recognizes our platform as being compliant with HIPAA’s requirements. 

Version

The provided third party statement is based on the Health Information Security provisions of HIPAA Administrative Simplification Regulations set forth in 45 CFR Parts 160, 162, and 164 (as amended through March 2013) for Health Information Security provisions of Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as of May 29, 2015.

Compliant entities

Considering this is a US standard, only Leaseweb USA, Inc. is compliant. Leaseweb Netherlands B.V., however, is compliant with the Dutch Health care standard NEN 7510.

Compliant data centers

Leaseweb USA, Inc. - WDC-01

Processes covered

Given the type of services offered by Leaseweb USA, Inc., their HIPAA compliance is focused on physical security, operational resilience, incident management, and service deployment.

Third party auditor

The HIPAA compliance examination is performed by Ernst & Young Accountants LLP.

Statement download

You can download a copy of the HIPAA compliance statement on our Compliance & Security page.

HIPAA compliant by association

As a client or reseller you are not HIPAA compliant by association, but as Leaseweb USA, Inc. has a HIPAA compliance statement it will make your compliance process easier.

NEN 7510

NEN 7510 is the standard developed by the Nederlands Normalisatie Institute for information security in the health sector. We have received a third party statement by EY for compliance with the NEN 7510’s requirements.

Version

The examination is performed according to the latest version of the NEN 7510 standard.

Compliant entities

Considering this is a Dutch standard, only Leaseweb Netherlands B.V. is compliant. Leaseweb USA, Inc., however, is compliant with the US health care standard HIPAA (Health Insurance Portability and Accountability Act).

Compliant data centers

Leaseweb Netherlands B.V. - AMS-01

Processes covered

Given the type of services offered by Leaseweb Netherlands B.V., our NEN 7510 compliance is focused on physical security, information security policy, risk management, operational resilience, incident management and service deployment.

Third party auditor

The NEN 7510 compliance examination is performed by Ernst & Young Accountants LLP.

Statement download

You can download a copy of the NEN 7510 compliance statement on our Compliance & Security page.

NEN 7510 compliant by association

As a client or reseller you are not NEN 7510 compliant by association, but as Leaseweb Netherlands B.V. has a NEN 7510 compliance statement it will make your compliance process easier.

Official NEN 7510 standard

You can download a copy online from NEN.


FAQ about security and certifications

Do these certifications automatically mean that all my data is secure?

As a customer of Leaseweb, you share the responsibility of the IT environment and the protection of data.

We manage the security of the shared infrastructure: we make sure that our cloud infrastructure, dedicated servers, and network operate in a controlled and secure manner, that the physical security of our data centers is in place, and that you can safely use our Customer Portal. As a customer, you are responsible for the security of your own infrastructure. This means OS management, encryption, (security) patching, access control, application management, firewall settings and back-ups.

Do you have a SOC2 report?

We do not have a SOC2 report.

However, we do have SOC1 assurance reports in place for all the independent Leaseweb companies. SOC1 is a similar standard to SOC2: both are reports on controls at a service organization and are audited by accountants. The difference is that SOC2 has a mandatory set of controls. At the moment we consider SOC1 the preferred internal standard due to its flexibility; it allows us to completely tailor and update the framework to our activities, risks and client expectations.

Do you have a SAS70 report?

SOC1 reports have effectively replaced SAS 70 reports as of June 15, 2011. 

Do you have a SSAE16 report?

Please refer to our SOC1 reports. Our SOC1 reports have been conducted in accordance with the International Standard on Assurance Engagements No. 3402 (ISAE 3402), which, like the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), prescribes Service Organization Control reports.

The difference is that SSAE 16 is issued by the American Institute of Certified Public Accountants (AICPA) and the ISAE 3402 is issued by the International Auditing and Assurance Standards Board (IAASB).

Can I perform my own data center or Leaseweb operations audits?

We are unable to support this because potentially thousands of customers could then audit our services and facilities. This would also expose our infrastructure and facilities to additional risks.

We do understand that you need to have confidence that we meet security and compliance objectives. To help you in this and give the reassurance you need, we employ independent third party auditors to state and certify that our systems, data centers and processes comply with all the latest industry standards. Please visit our Compliance & Security page for the complete overview.

Can I perform penetration tests on or from my own hosted infrastructure at Leaseweb?

Permission is required for all penetration tests to or originating from Leaseweb resources.

Please contact our security department first to request authorization for penetration testing. Be aware that we do not permit penetration testing on all our services, as this could have potential negative performance impacts on shared resources in our infrastructure. Our security department can inform you about this.

Can you customize your audits for me?

Due to the size of our customer base and global operations, we are unable to customize our audits based on individual client needs.











