eDiscovery Daily Blog

eDiscovery Trends: The Best SaaS Providers are Certifiable


The increasing popularity of cloud-based Software-as-a-Service (SaaS) solutions is becoming well documented, with this very blog noting Forrester and Gartner predictions of tremendous growth in cloud computing over the next several years. We’ve also noted the importance of knowing where your data is stored, as many online poker players learned the hard way when the recent US government crackdown on several gambling sites left them without a way to recover their funds.

If only there were some sort of certification, administered by an impartial third party, to ensure that your SaaS provider has implemented policies and processes that keep your information secure, stable and safe.  There is such a certification.

SAS 70 (the Statement on Auditing Standards No. 70) defines the standards an auditor must employ in order to assess the contracted internal controls of a service provider. Service providers such as insurance claims processors, credit processing companies and, especially pertinent to eDiscovery, hosted data centers are evaluated by these standards. SAS 70 was developed by the American Institute of Certified Public Accountants (AICPA) as a simplification of a set of criteria for auditing standards originally defined in 1988. Standards such as SAS 70 became critical in the wake of the Sarbanes-Oxley Act, which created significant legal penalties for publicly traded companies that lacked sufficient control standards for their financial information.

Under SAS 70, auditor reports are classified as either Type I or Type II. In a Type I report, the auditor evaluates the controls the service provider has put in place to prevent accounting inconsistencies, errors and misrepresentation, and also assesses the likelihood that those controls will produce the desired results in the future. A Type II report goes a step further: it includes the same information as a Type I report, but the auditor also attempts to determine how effective the agreed-on controls have been since their implementation. Type II reports therefore incorporate data compiled over a specific time period, usually a minimum of six months.

SAS 70 reports are requested by either the service provider or a user organization (i.e., a client). A service provider’s ability to deliver consistent service auditor’s reports builds a client’s trust and confidence in the provider and addresses potential concerns before they arise. A SaaS (two a’s, as opposed to one for SAS) provider that has received SAS 70 Type II certification has demonstrated to an impartial third party a proven track record of policies and processes to protect its clients’ data. When it comes to your data, you want a provider that has proven to be certifiable.

So, what do you think?  Is your SaaS provider SAS 70 Type II certified?  Please share any comments you might have or if you’d like to know more about a particular topic.

Full disclosure: I work for Trial Solutions, which provides SaaS-based eDiscovery review applications FirstPass® (for first pass review) and OnDemand® (for linear review and production).  Our clients’ data is hosted in a secured, SAS 70 Type II certified Tier 4 Data Center in Houston, Texas.