Home Middleware Aspera Compliance
Start Aspera on Cloud trial for free IBM Aspera Help Center
Isometric illustration for Aspera on Cloud - Compliance
Compliance certifications

Learn how IBM® Aspera® complies with industry guidelines and governmental regulations.


The International Organization for Standardization (ISO) is an independent, non-governmental organization with a membership of 164 national standards bodies. ISO develops international standards that are voluntary, consensus-based and market relevant. The goal is to oversee that products and services are safe, reliable and of good quality.

See ISO 27001 / 27017 / 27018 / 27701 Certified Product Listing →

See ISO 27001 – Certificate →

Contact an IBM representative to request the ISO 27001 Statement of Applicability (SOA) for IBM Aspera on Cloud.


The System and Organization Controls (SOC) framework, developed by the American Institute of Certified Public Accountants (AICPA), is a standard for controls that protects information stored in the cloud. SOC reports help users assess and address the risks associated with an outsourced cloud service.

SOC 1 is an audit of the internal controls at a service organization over financial reporting implemented to protect client-owned data. SOC 1 audits and reports are based on the Statement on Standards for Attestation Engagements (SSAE 18).

SOC 2 is an audit of the effectiveness of internal controls implemented by a service organization to protect customer-owned data. SOC 2 audits and reports are based on the AICPA Trust Service Principles relevant to security, availability, processing integrity and confidentiality or privacy.

Contact an IBM representative to request the IBM Aspera on Cloud SOC 1 and SOC 2 reports.

Global regulations
EU Model Clauses

EU Model Clauses are available to controllers and processors of EU citizens' PII. These clauses obligate non-EU companies to follow the laws and practices mandated by the EU in all global locations. The clauses provide enforcement rights and comfort to companies that hold EU PII that providers located outside of the EU will process data only in accordance with their instructions and in conformance with EU laws.


The GDPR seeks to create a harmonized data protection law framework across the EU and aims to give citizens back the control of their personal data, while imposing strict rules on those that are hosting and processing this data, anywhere in the world.
IBM is committed to providing each client and IBM Business Partner® with innovative data privacy, security and governance solutions to assist them in their journey to GDPR readiness.

Learn more


IBM Aspera on Cloud meets the required IBM controls that are commensurate with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rule requirements. These requirements include the appropriate administrative, physical and technical safeguards required of Business Associates in 45 CFR Part 160 and Subparts A and C of Part 164.

Contact your sales representative to sign the IBM Business Associate Addendum (BAA) agreement.

Sign the agreements

FDA 21 CFR -Part 11

Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).

Read the white paper
Alignments and frameworks

The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the CSA uses in pursuit of its mission is the Security, Trust and Assurance Registry (STAR)—a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.

View the questionnaire

EU-US Privacy Shield

The EU-US and Swiss-US Privacy Shield Frameworks were designed by the US Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data-protection.

View our policy


The Motion Picture Association of America (MPAA) has created a security model guideline for third-party vendors engaged by its members for the purpose of understanding general content expectations and current industry best practices. The guideline identifies controls in the areas of physical and digital security and system management and are mapped to ISO and NIST controls.

Take the next step

Let’s discuss about your data compliance questions.