NetSuite has passed a SAS 70 Type II audit, is certified for PCI-DSS, and is EU-US Safe Harbor certified.
What is SAS 70?
The American Institute of Certified Public Accountants developed the Statement on Auditing Standards (SAS) No. 70. Organizations that successfully complete a SAS 70 audit have been through an in-depth audit of their control activities, including controls over IT and related processes. SAS 70 allows a company to provide a third-party certification of its internal controls to customers.

SAS 70 data centers have to maintain prescribed levels of data security and redundancy, as well as personnel controls. These requirements include reporting on the following:

  • Firewall configuration and access
  • Database access
  • Data transmissions
  • Data backup and recovery
  • Application security
  • Product development

In addition, data center staff cannot access servers or data without a specific procedure. All access and activity is logged. And all physical access is highly controlled.

What is EU-US Safe Harbor?

The European Commission’s Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) "adequacy" standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The EU, however, relies on comprehensive legislation that requires, among other things, the creation of independent government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these different privacy approaches, the Directive could have significantly hampered the ability of U.S. organizations to engage in a range of trans-Atlantic transactions.

In order to bridge these differences in approach and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework. The U.S.-EU Safe Harbor Framework, which was approved by the EU in 2000, is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws. Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides "adequate" privacy protection, as defined by the Directive.