Compliance certifications

ISO 27001

Aspera on Cloud (AOC) managed services are certified, when provisioned on IBM Cloud™, under the International Organization for Standardization (ISO) 27001 and 27002 standards, which define the best practices for information security management processes. The ISO 27001:2013 standard specifies the requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS) controls. The IBM program has structured the ISMS according to these guidelines, using controls from the NIST SP 800-53 controls set.

AOC managed services are audited by a third-party security firm and meets all of the requirements for ISO 27001:2013 certification. See: IBM Cloud ISO 27001:2013 Certificate of Registration.

ISO 27017

ISO 27017 gives guidelines for information-security controls applicable to the provisioning and use of cloud services, as well as implementation guidance for both cloud service providers and cloud service customers.

View our certificate

ISO 27018

ISO 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO 29100 for the public cloud computing environment.

View our certificate

Global regulations

EU Model Clauses

EU Model Clauses are available to controllers and processors of EU citizens' Personally Identifiable Information (PII). These clauses obligate non-EU companies to follow the laws and practices mandated by the EU in all global locations. The clauses provide enforcement rights and comfort to companies that hold EU PII that providers located outside of the EU will process data only in accordance with their instructions and in conformance with EU laws.


The GDPR seeks to create a harmonized data protection law framework across the EU and aims to give citizens back the control of their personal data, while imposing strict rules on those that are hosting and processing this data, anywhere in the world.

IBM is committed to providing our clients and IBM Business Partners with innovative data privacy, security, and governance solutions to assist them in their journey to GDPR readiness.

For more information about GDPR readiness at IBM, see:


IBM Aspera on Cloud meets the required IBM controls that are commensurate with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rule requirements. These requirements include the appropriate administrative, physical, and technical safeguards required of Business Associates in 45 CFR Part 160 and Subparts A and C of Part 164.

Contact your sales representative to sign the IBM Business Associate Addendum (BAA) agreement.

FDA 21 CFR - Part 11

Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).

View our white paper

Alignments and frameworks


The Cloud Security Alliance CSA is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the CSA uses in pursuit of its mission is the Security, Trust and Assurance Registry (STAR) — a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.

View our questionnaire

EU-US Privacy Shield

The EU-US and Swiss-US Privacy Shield Frameworks were designed by the US Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data-protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

View our policy


The Motion Picture Association of America (MPAA) has created a security model guideline for third- party vendors engaged by its members for the purpose of understanding general content expectations and current industry best practices. The guideline identifies controls in the areas of physical and digital security and system management and are mapped to ISO and NIST controls.

To request more information, contact an IBM Sales representative.