SECURITY AND COMPLIANCE
See what networking services are in your area
View our high-level approaches to solving business and technology challenges
Learn how peers in your area are working with CenturyLink
Hybrid IT and Cloud
Voice and Unified Communications
Managed and IT Services
Get support, access resources, and explore products and services at centurylink.com.
CenturyLink has sold its data centers and associated colocation business to a consortium led by BC Partners and Medina Capital Advisors. This move led to the creation of a bold, new company, Cyxtera Technologies, comprised of world-class talent and technology.
CenturyLink provides an annual Statement on Standards for Attestation Engagements (SSAE) No. 16 and International Standard on Assurance Engagements (ISAE) 3402 combined examination. The certification validates CenturyLink’s commitment to operational excellence and client satisfaction. The SSAE 16 (SOC 1) Type II report covers October 1 to September 30 annually for the network, colocation and managed services in CenturyLink’s data centers A Type II examination means that an independent service auditor formally evaluated and issued an opinion on the description of selected CenturyLink systems and the suitability of the design and operating applicable controls’ effectiveness. This audit report includes controls related to managed security services, change management, service delivery, support services, environmental services, physical security and facilities management, managed hosting services, and managed storage and backup services in CenturyLink’s data centers in Asia, EMEA, and North America. A mid-year SOC 1 report geared toward colocation customers is also available, the report covers July 1 to June 30 and includes physical security, facility and environmental protection services.
CenturyLink also provides an annual SOC 2 report which meets the requirements of a broad range of users that must understand internal controls at a service organization as it relates to the Trust Service principles framework. The SOC 2 Type II report covers October 1 to September 30 for the network, colocation and managed services. The report is relevant to the non-financial reporting controls related to the security and availability principles modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. This audit report includes: managed security services, change management, service delivery, support services, environmental services, logical and physical security, managed hosting services, and managed storage and backup services controls in data centers in Asia, EMEA, and North America.
CenturyLink has achieved PCI compliance as service provider for the following services:
The auditors provide a Reports On Compliance “ROC Letter” and Attestation of Compliance (AOC) that confirms CenturyLink’s compliance with specific PCI controls and the applicable locations and services. ROC Letters and AOCs are available upon request, subject to CenturyLink’s Non-Disclosure Agreement.
CenturyLink has implemented an information security program for the services subject to essential elements of the Health Insurance Portability and Accountability Act Security Rule of 2003 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), enacted as part of the American Recovery and Reinvestment Act of 2009. CenturyLink engaged an independent third party auditor to conduct the Type 1 examination in accordance with AT-101 attestation standards established by the American Institute of Certified Public Accountants (AICPA). The report covers CenturyLink’s processes and services used to support our Colocation Services, Managed Hosting Services, Managed Security Services and Managed Backup and Storage Services customer environments. This includes Administrative (risk management, security policies, training, Business Associates Agreements, etc.), Physical (data center security, media handling, etc.), Technical (access administration) and Breach Notification Controls (security incident management). The report provides an assessment of CTL processes and services and how they meet those HIPAA Security Rules and Breach Notification requirements.
CenturyLink will evaluate Business Associate Agreement requests on a case-by-case basis within the context of the customer’s specific services and solutions.
CenturyLink currently maintains ISO 27001 certification for managed hosting operations and data centers in Singapore, United Kingdom, Germany, and Japan. The certificate also addresses colocation services (including physical security and facilities management) for data centers in Asia, EMEA, and North America. ISO 27001 is an International Standard providing a model for establishing, operating, monitoring, andimproving an Information Security Management System (ISMS). The ISO 27001 certificatizon demonstrates CenturyLink complies with and enforces information security processes. ISO 27001 conducts interim audits annually to support a three year renewal cycle.
For information on our privacy practices,