Is DigitalOcean HIPAA or PCI compliant?

I had asked the same question, and here is what I got back…

Hello,

Thank you for your question. All of our datacenters have been certified by national and/or international security standards.

• Our NYC1 facility is SSAE16 SOC-1 Type II certified.
• Our NYC2 facility is SSAE16 SOC-2 Type II certified.
• Our NYC3 facility is SSAE16 SOC-2 and SOC-3 compliant.
• Our AMS1 and AMS2 facilities are ISO27001:2005 and ISO9001 certified.
• Our AMS3 facility is ISO9001, ISO27001, and SSAE16 Type II certified
• Our SFO1 facility is SSAE16 SOC-1 Type II certified.
• Our SGP1 facility is ISO27001:2005 certified.
• Our LON1 facility is ISO9001:2008, ISO27001, and SSAE16 / ISAE 3402 certified.

Please let us know if we can provide any additional information.

Thank you. DigitalOcean Support

Hi @devin774507,

Digital Ocean may adhere to some of HIPAA’s technical guidelines, but probably not hit all of them. I could be wrong though. Ultimately, signing a BAA with them is what’s important, and if they won’t sign, you’re out of luck.

If you are an application developer, you will have many other concerns to worry about that DO does not address at all. At a high level, they are:

• dedicated logging
• dedicated monitoring
• intrusion detection
• vulnerability scanning
• encryption in transit and at rest
• and a whole slew of company policies

As a disclaimer, I’m a designer at Catalyze, which is a platform as a service (think Heroku) that is built entirely from the ground up to be HIPAA compliant. What we provide might be what you are looking for if HIPAA compliance is a concern of yours. I’d be happy to chat if you have any questions; you can reach me at kris@catalyze.io

One major value of someone like Catalyze is you only have to sign one BAA and you can trust that everything is covered for compliance. Going from managing a dozen BAAs to just one is quite nice :).

Something we recently built was this handy self assessment checklist. If you have a few minutes, you might want to walk through it and either answer for yourself or for the vendor you’re currently using. You will likely get a better understanding of the high level things it takes for compliance:

https://catalyze.io/hipaa-self-assessment-checklist/

Lastly, for anyone reading this, we recently open sourced our internal company policies. If you’re a digital health company and are handling PHI, you need your own set. Feel free to use ours to get started.

https://catalyzeio.github.io/policies

@bruins.nicholas,

Quick note - just signing a BAA with a vendor does not necessarily make someone fully HIPAA compliant. There are so many requirements for compliance, that generally you’ll need many BAA’s with vendors who do different things. Even if DO did sign a BAA, they wouldn’t necessarily cover everything you’d need in it for full compliance.

As I understand it, DO doesn’t sign agreements. They won’t sign a BAA towards HIPAA and they won’t sign anything towards PCI either. I believe that DO has the security in place, they just won’t sign the agreements. Joyent is in the same situation.

AWS is fine and they sign BAA’s, which is great. Azure, Rackspace and Google do too. Our app is still hosted on AWS.
We were looking to switch to DO because the price to performance ratio is significantly better on DO than on AWS (for our application).

Does anyone have a definitive answer for this?

I believe, no matter what, you still have to do some things yourself. DO can make sure the infrastructure has proper IDS setup. It cannot ensure you are not using default passwords, for example.