Is DigitalOcean HIPAA or PCI compliant?

Posted on September 17, 2014

Just trying to figure out where to host an app. I have a healthcare app but it is subject to HIPAA compliance standards. Not sure if DigitalOcean can handle this yet. Thanks.




I believe, no matter what, you still have to do some things yourself. DO can make sure the infrastructure has proper IDS setup. It cannot ensure you are not using default passwords, for example.

As I understand it, DO doesn’t sign agreements. They won’t sign a BAA towards HIPAA and they won’t sign anything towards PCI either. I believe that DO has the security in place, they just won’t sign the agreements. Joyent is in the same situation.

AWS is fine and they sign BAAs, which is great. Azure, Rackspace and Google do too. Our app is still hosted on AWS.
We were looking to switch to DO because the price to performance ratio is significantly better on DO than on AWS (for our application).

I had asked the same question, and here is what I got back…

Hello,

Thank you for your question. All of our datacenters have been certified by national and/or international security standards.

  • Our NYC1 facility is SSAE16 SOC-1 Type II certified.
  • Our NYC2 facility is SSAE16 SOC-2 Type II certified.
  • Our NYC3 facility is SSAE16 SOC-2 and SOC-3 compliant.
  • Our AMS1 and AMS2 facilities are ISO27001:2005 and ISO9001 certified.
  • Our AMS3 facility is ISO9001, ISO27001, and SSAE16 Type II certified.
  • Our SFO1 facility is SSAE16 SOC-1 Type II certified.
  • Our SGP1 facility is ISO27001:2005 certified.
  • Our LON1 facility is ISO9001:2008, ISO27001, and SSAE16 / ISAE 3402 certified.

Please let us know if we can provide any additional information.

Thank you. DigitalOcean Support
