Compliance certifications


The International Organization for Standardization (ISO) is an independent, non-governmental organization with a membership of 164 national standards bodies. ISO develops international standards that are voluntary, consensus-based and market relevant. The goal: to ensure that products and services are safe, reliable and of good quality.

See ISO 27001 / 27017 / 27018 / 27701 Certified Product Listing (PDF, 594 KB) →

See ISO 27001 – Certificate (PDF, 988 KB) →

Contact an IBM representative to request the ISO 27001 Statement of Applicability (SOA) for IBM Aspera on Cloud


The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protects information stored in the cloud. SOC reports help users assess and address the risks associated with an outsourced cloud service.

SOC 1 is an audit of the internal controls at a service organization over financial reporting implemented to protect client-owned data. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18).

SOC 2 is an audit of the effectiveness of internal controls implemented by a service organization to protect customer-owned data. SOC 2 audits and reports are based on the AICPA Trust Service Principles relevant to security, availability, processing integrity, and confidentiality or privacy.

Contact an IBM representative to request the IBM Aspera on Cloud SOC 1 and SOC 2 reports

Global regulations

EU Model Clauses

EU Model Clauses are available to controllers and processors of EU citizens' PII. These clauses obligate non-EU companies to follow the laws and practices mandated by the EU in all global locations. The clauses provide enforcement rights and comfort to companies that hold EU PII that providers located outside of the EU will process data only in accordance with their instructions and in conformance with EU laws.


The GDPR seeks to create a harmonized data protection law framework across the EU and aims to give citizens back the control of their personal data, while imposing strict rules on those that are hosting and processing this data, anywhere in the world.
IBM is committed to providing each client and IBM Business Partner® with innovative data privacy, security, and governance solutions to assist them in their journey to GDPR readiness.


IBM Aspera on Cloud meets the required IBM controls that are commensurate with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rule requirements. These requirements include the appropriate administrative, physical, and technical safeguards required of Business Associates in 45 CFR Part 160 and Subparts A and C of Part 164.

Contact your sales representative to sign the IBM Business Associate Addendum (BAA) agreement.

FDA 21 CFR -Part 11

Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).

Alignments and frameworks


The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the CSA uses in pursuit of its mission is the Security, Trust and Assurance Registry (STAR) —a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.

EU-US Privacy Shield

The EU-US and Swiss-US Privacy Shield Frameworks were designed by the US Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data-protection 


The Motion Picture Association of America (MPAA) has created a security model guideline for third-party vendors engaged by its members for the purpose of understanding general content expectations and current industry best practices. The guideline identifies controls in the areas of physical and digital security and system management and are mapped to ISO and NIST controls.