KPMG LLP Suite 1400 55 Second Street San Francisco, CA 94105 Independent Service Auditors Report The Board of Directors of GoDaddy.com, LLC: We have examined management's assertion that during the period July 1, 2012 to June 30, 2013, GoDaddy.com, LLC ( Go Daddy ) maintained effective controls over the Hosting Services system to provide reasonable assurance that the system was protected against unauthorized access (both physical and logical) based on the AICPA and CICA Trust Services security criteria. Go Daddy's management is responsible for this assertion. Our responsibility is to express an opinion based on our examination. Management's description of the aspects of the Hosting Services system covered by its assertion is attached. We did not examine this description, and accordingly, we do not express an opinion on it. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of Go Daddy's relevant controls over the security of the Hosting Services system; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Because of the nature and inherent limitations of controls, Go Daddy's ability to meet the aforementioned criteria may be affected. For example, controls may not prevent or detect and correct error or fraud, unauthorized access to systems and information, or failure to comply with internal and external policies or requirements. Also, the projection of any conclusions based on our findings to future periods is subject to the risk that changes may alter the validity of such conclusions. In our opinion, management's assertion referred to above is fairly stated, in all material respects, based on the AICPA and CICA trust services security criteria. The SOC 3 seal on Go Daddy s Web site constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance. August 8, 2013 San Francisco, California KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ( KPMG International ), a Swiss entity.
Management of GoDaddy.com, LLC s Assertion August 8, 2013 The management of GoDaddy.com, LLC, ( Go Daddy ) makes the following assertion pertaining to the Hosting Services System: Go Daddy maintained effective controls over the Hosting Services System, during the period July 1, 2012 through June 30, 2013, in Phoenix, AZ; Scottsdale, AZ; Mesa, AZ; Amsterdam, Netherlands; and Singapore based on the AICPA and CICA Trust Services security criteria to provide reasonable assurance that The system was protected against unauthorized access (both physical and logical) The attached description of the Hosting Services System identifies those aspects of the system covered by our assertion. GoDaddy.com, LLC. Blake Irving Chief Executive Officer
DESCRIPTION OF GO DADDY.COM, LLC S HOSTING SERVICES Background GoDaddy.com, LLC (Go Daddy), based in Scottsdale, Arizona, provides a broad range of internet business (e-business) related software and services. Go Daddy s hosting services refer to housing, maintaining, and providing internet service (bandwidth) to servers. Go Daddy offers the following hosting services: Web Hosting Servers - Dedicated and Virtual Dedicated Hosted Microsoft Exchange email services Go Daddy s hosting services are housed in data centers located at Phoenix, Arizona; Mesa, Arizona; Scottsdale, Arizona; Amsterdam, Netherlands; and Singapore as referenced in the table below. Data Center Buckeye Data Center in Phoenix, AZ K2 Data Center in Phoenix, AZ Mesa Data Center in Mesa, AZ Perimeter Data Center in Scottsdale, AZ Amsterdam Data Center in Amsterdam, Netherlands Singapore Data Center in Singapore Web Hosting Virtual Dedicated Servers Dedicated Servers Hosted Exchange Infrastructure Web Hosting houses multiple customers in a single server cluster (legacy customers may be housed on a single server). Through the Hosting Control Center (HCC), customers may access and manage their own content, including content stored on MySQL and MS SQL databases. Customers are also responsible for website setup and backups. Go Daddy manages system and hardware-level security and patching. Dedicated servers house a single customer per dedicated physical server. Initial configuration is performed through the Hosting Control Center (HCC). The customer controls system level access and is responsible for server setup, security, patching and backups. Go Daddy manages hardware-level security.
Virtual dedicated servers house several customer accounts on a single server. Each customer controls system level access to their virtual server environment. Customers are responsible for server setup, virtual server security and backups. Go Daddy manages hardware-level security and patching. Web Hosting, Dedicated Servers, and Virtual Dedicated Servers may be configured using Windows or Linux operating systems. Hosted Exchange provides customers with Microsoft Exchange mailboxes, contacts and calendars. Customers manage mailboxes using Hosted Exchange Control Center (HXCC). Go Daddy manages setup, system and hardware-security and patching. Firewalls protect the servers housed within the data center by service offering, and are configured in a high-availability mode. Intrusion detection systems (IDSs) are implemented throughout the network and are monitored by the Security Operations Center (SOC). The Go Daddy data centers are equipped with UPS, fire detection and suppression systems, backup generators, and HVAC Systems to protect systems from environmental threats. The Go Daddy collocation data centers are equipped with these environmental systems and a review by Go Daddy is performed to confirm the existence and operational status of these systems. Software HCC and HXCC are internally developed applications that are supported by Go Daddy s programming staff. HCC enables setup and management of Web Hosting, Dedicated Servers, and Virtual Dedicated Servers. HXCC enables setup and management of Hosted Exchange. Go Daddy hosting servers run on Microsoft Windows or Linux based operating system. Databases supporting the hosting servers run either MS SQL Server or MySQL. Microsoft Exchange servers run on the Microsoft Windows operations system, and databases supporting the Exchange servers run MS SQL Server. Parallels Virtuozzo and Bare Metal (PSBM) are used to create the virtualized server environments for Web Hosting and Virtual Dedicated Servers. People Go Daddy teams providing direct support to hosting customers consist of the following: Specialized inbound hosting support provides customer service and technical assistance Advanced hosting provides level two technical assistance for issues that cannot be resolved by inbound hosting support Hosting operations manages the hosted systems infrastructure and may provide level three technical assistance for issues related to hardware Hosting product development creates and supports hosting products and services and may provide level three technical assistance for issues related to software Additional functions within Go Daddy that indirectly support hosting include: Physical security is responsible for the safety of the buildings in which Go Daddy operates Critical Facilities is responsible for climate controls, fire suppression and power-related systems
Data center operations performs day-to-day operation of servers and related peripherals Security Operations Center (SOC) is responsible for security administration, intrusion detection, and security monitoring IT Operations Center (ITOC) maintains the communication environment and monitors the network Procedures The hosting services procedures covered by this system description include: Web and email customer account setup Information security and incident management Physical security Computer operations Change management Program development Go Daddy s procedures and controls are described in more detail in the sections that follow. Data Data, as defined for hosting services, constitutes account setup information. Account setup is processed online and provisioned through HCC or HXCC. These systems collect the data that Go Daddy is responsible for maintaining. For Web Hosting, Dedicated Servers, and Virtual Dedicated Servers, other data which is excluded from this report includes user content provided by Go Daddy s customers as well as applications installed by Go Daddy s customers. For Hosted Exchange, other data which is excluded from this report includes emails which are stored within the Microsoft Exchange servers.