Committed to Security, Accessibility & Operational Excellence

Webair is dedicated to upholding the highest industry standards for compliance, security and continuous improvement, evidenced by our achievement and attainment of numerous data center and service certifications outlined below. In keeping with our commitment to ensuring the safety and security of customer data, the agility of our solutions, and the continued excellence of our customer service, we are always evaluating and considering new certifications and standards based on the needs of our customers. Webair also employs a Compliance Specialist who is instrumental in working side-by-side with customers and our engineers to help plan and architect technical solutions that comply with various certification and security requirements, such as HIPAA.


What is it?

Why is Webair certified?

SSAE 18 Certification

SSAE18 SOC 2 Type 2 certification was established by the American Institute of Certified Public Accountants (AICPA) in May 2017, superseding the globally-recognized control and services reporting standard, SSAE16. To achieve certification, data centers must undergo an independent examination of control objectives and activities supporting their solutions performed by an independent, third-party service auditor. Recent changes to the standard require companies to take additional control and ownership of internal controls surrounding the identification and classification of risk and appropriate management of third-party vendor relationships.

SSAE18 SOC 2 Type 2 is a critical designation for serving Webair’s healthcare, financial services, eCommerce and government customers. The certification demonstrates Webair’s ability to effectively support these global customers’ business environments and offer critical protection for sensitive company information. SOC 2 Type 2 audits offer an unbiased assessment of Webair’s data center infrastructure, systems, processes and services, evidencing the company’s ability to provide the highest levels of security and reliability across all of its certified data centers.

HIPAA Certification

The HIPAA Act of 1996 is a federal mandate that requires specific security and privacy protections for Protected Health Information (PHI). HIPAA was expanded in 2009 to include the Health Information Technology for Economic and Clinical Health (HITECH) Act to promote the adoption and meaningful use of health information technology in the U.S. In 2013, the final HIPAA Omnibus Rule set further statutory requirements, which greatly enhanced a patient’s privacy rights and protections, including holding all custodians of PHI, including HIPAA Business Associates (BA), subject to the same security and privacy rules as covered entities under HIPAA.

While there are no specific industry certifications for HIPAA compliance, SSAE16 SOC 1 TYPE II audits include a HIPAA Matrix attesting that companies’ administrative actions, policies and procedures properly conform to HIPAA regulations. Yearly audits are performed and evaluated by an independent, third-party auditor who issues an evaluation report that details the controls Webair has in place to meet HIPAA requirements with regard to data privacy and security.

Healthcare and enterprise customers require proper storage and security of their electronic Protected Health Information (ePHI) in order to remain compliant with HIPAA / HITECH mandates.

Webair’s hosting services feature a number of safeguards to ensure maximum data protection, fast accessibility and safe transmission of ePHI, including customer segmentation, dedicated VLANs, restricted physical access to production servers, default firewalls for all managed services, audit logs and reporting, 99.9 uptime SLA, and more.

Webair also signs HIPAA Business Associate Agreements (BAAs) with customers.

The Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) requires federal agencies to implement and support standardized IT security controls. These controls, defined by the National Institute of Standards and Technology (NIST), allow agencies to safely and confidently outsource critical applications to FISMA-compliant clouds, managed hosting environments and SaaS providers.

Webair implements and deploys the appropriate FISMA, NIST and Federal Information Processing Standard (FIPS) for managed security controls, auditing, and documentation. This allows federal agencies that must adhere to these regulations to outsource ownership and accountability of critical infrastructure to Webair in a compliant manner.

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS), administered by the Payment Card Industry Security Standards Council, is a mandatory designation for any provider or organization that stores, processes or transmits cardholder data and / or sensitive authentication data. Setting forth proper controls and best practices, PCI DSS helps to alleviate merchant-based security vulnerabilities and protect cardholder data.

Webair’s team manages, monitors and scales PCI-compliant infrastructure for a variety of eCommerce customers and platforms. Webair provides physical, environmental, network and infrastructure security to ensure sensitive cardholder data remains safe and secure.

CJIS Certification

The CJIS Security Policy is a set of standards developed by the FBI’s Criminal Justice Information Services Division (CJIS) in 2011 to better protect the data it delivers to federal, state and local law enforcement agencies or organizations that access criminal justice information.

While there are no specific industry certifications for CJIS compliance, SSAE16 SOC 1 TYPE II audits include a matrix attesting that companies’ administrative actions, policies and procedures properly conform to CJIS regulations. Yearly audits are performed and evaluated by an independent, third-party auditor who issues an evaluation report that details the controls Webair has in place to meet CJIS requirements with regard to data privacy and security.

Webair provides a secure environment and redundant technical infrastructure to safely handle the storage, exchange and recovery of critical information belonging to state, local and federal law enforcement, justice and public safety agencies.

Webair operates a private, secure and DDoS-monitored network. Its data centers are also monitored by CCTV 24x7.

Webair’s NY1 facility features an on-site Security Operations Center (SOC). Card access, a mantrap and 24x7 on-site personnel ensure customer identity is verified before access is granted to the data center.

In addition to completing extensive pre-employment background checks on employees, Webair also signs CJIS security agreements with customers.

Internal Revenue Service Publication 1075

Internal Revenue Service Publication 1075 (IRS 1075) provides guidance for US government agencies and their agents to protect Federal Tax Information (FTI). IRS 1075 specifically references NIST 800-53 security controls.

While there is no official certification for 1075, Webair supports organizations to protect FTI by taking ownership of encryption at rest and in transit. Additionally, Webair can provide direct and secure connectivity between customer networks and hosted infrastructure, completely segmenting the FTI information from the public internet.

The EU–US Privacy Shield

The EU–US Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.

Webair completed its compliance assessment and filed the Privacy Shield application with the U.S. Department of Commerce in 2018. Webair has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) establishes a legal framework that sets policies for the collection, storage and processing of the personal data of individuals in the European Union (EU). The GDPR takes effect on May 25, 2018, and affects all companies that interact with the digital information of data subjects in the EU.

Most services that Webair provides are content-neutral: Webair does not know, and has no way of knowing, whether customer content contains the personal data of EU residents. As such, it is the customer, not Webair, who has primary responsibility for GDPR compliance.

Webair assists customers in achieving GDPR compliance as required by Article 28 of the GDPR, including cooperating with security audits and providing contractual assurances where necessary.


GDPR requirements apply to the personal data of EU residents, wherever in the world that data is collected or stored, and cannot be avoided by moving data to a different jurisdiction or registering a website in a different country.


Webair ensures security of physical data, data at rest, and data in transit via industry-accepted best practices. Webair's security controls are audited by a third party through the aforementioned SSAE18 SOC2 audits.


Webair will provide copies of third-party audits and certifications upon request.