SOC 3 WebTrust and SysTrust for Service Organizations


The Trust Services Principles and Criteria are a set of professional attestation and advisory services that form the basis for both the WebTrust™ and SysTrust℠ Services. The Trust Services are a broad-based set of principles and criteria put forth jointly by the American Institute of Certified Public Accountants (AICPA) and the Chartered Professional Accountants of Canada (CPA Canada). In today’s global economy, companies are relying more and more on complex and powerful information technology systems. In order to gain the trust of key stakeholders, many companies choose to undergo a WebTrust™ or SysTrust℠ audit when a SOC 1 SSAE 16 or SOC 2 AT 101 audit is not appropriate.

A Trust Services audit is performed by a licensed CPA firm and can be a key differentiator in today’s competitive global market. With today’s dependence on information systems, Trust Services provides comfort around key business processes by ensuring information systems provide timely and reliable information, while maintaining privacy and confidentiality of information.

WebTrust Reports

The WebTrust service is primarily designed for e-commerce systems and is comprised of a family of assurance services including:

  • WebTrust Online Privacy. The scope of the assurance engagement includes the relevant online Privacy principle and criteria
  • WebTrust Consumer Protection. The scope of the assurance engagement includes both the Processing Integrity and relevant online Privacy Principles and Criteria
  • WebTrust. The scope of the assurance engagement includes one or more combinations of the Principles and Criteria not anticipated above
  • WebTrust for Certification Authorities. The scope of the assurance engagement includes the Principles and related Criteria unique to certification authorities

SysTrust Reports

As with the WebTrust service, the SOC 3 SysTrust for Service Organizations is comprised of a family of assurance services designed for a wide variety of information technology based systems that are defined by the entity. The scope of these reports can include one or more of the following Principles and Criteria:

  • Security: The system is protected against unauthorized access (both physical and logical)
  • Availability: The system is available for operation and use as committed or agreed
  • Processing Integrity: System processing is complete, accurate, timely, and authorized
  • Confidentiality: Information designated as confidential is protected as committed or agreed
  • Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA

Unlike a SOC 2 report (which is a restricted use report), WebTrust™ and SysTrust℠ reports are general use reports, which means that upon attainment of an unqualified report, they can be freely distributed or posted on a website as a seal for one full calendar year from the date of issue. This is important, as the report can provide comfort to your company’s many key stakeholders including customers, business partners, creditors, bankers, regulators, and other stakeholders who may rely on e-commerce and information technology systems.

Readiness Assessment

Many companies undergoing a SOC 3 audit for the first time choose to perform a Readiness Assessment prior to undergoing the SOC 3 audit. For more information regarding the benefits of our Readiness Assessment services, please click here.


SSAE 16 Professionals has assembled top-tier leadership to help our clients through the SOC 3 process. For further information regarding SSAE 16 reports, or to request a fee proposal from SSAE 16 Professionals, please visit our Contact Us page to submit an informational form or call 1-866-480-9485 today. We look forward to hearing from you!