Compliance certifications

ISO 27001

IBM Aspera® on Cloud managed services are certified, when provisioned on IBM Cloud®, under the International Organization for Standardization (ISO) 27001 and 27002 standards, which define the best practices for information security management processes. The ISO 27001:2013 standard specifies the requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS) controls. The IBM program has structured the ISMS according to these guidelines, using controls from the NIST SP 800-53 controls set. Services managed by Aspera on Cloud are audited by a third-party security firm and meet all of the requirements for ISO 27001:2013 certification.

ISO 27017

ISO 27017 gives guidelines for information-security controls applicable to the provisioning and use of cloud services, as well as implementation guidance for both cloud service providers and cloud service customers.

ISO 27018

ISO 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in accordance with the privacy principles in ISO 29100 for the public cloud computing environment.

Global regulations

EU Model Clauses

EU Model Clauses are available to controllers and processors of EU citizens' PII. These clauses obligate non-EU companies to follow the laws and practices mandated by the EU in all global locations. The clauses provide enforcement rights and comfort to companies that hold EU PII that providers located outside of the EU will process data only in accordance with their instructions and in conformance with EU laws.


The GDPR seeks to create a harmonized data protection law framework across the EU and aims to give citizens back the control of their personal data, while imposing strict rules on those that are hosting and processing this data, anywhere in the world.
IBM is committed to providing each client and IBM Business Partner® with innovative data privacy, security, and governance solutions to assist them in their journey to GDPR readiness.


IBM Aspera on Cloud meets the required IBM controls that are commensurate with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rule requirements. These requirements include the appropriate administrative, physical, and technical safeguards required of Business Associates in 45 CFR Part 160 and Subparts A and C of Part 164.

Contact your sales representative to sign the IBM Business Associate Addendum (BAA) agreement.

FDA 21 CFR Part 11

Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES).

Alignments and frameworks


The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the CSA uses in pursuit of its mission is the Security, Trust and Assurance Registry (STAR), a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.

EU-US Privacy Shield

The EU-US and Swiss-US Privacy Shield Frameworks were designed by the US Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data-protection 


The Motion Picture Association of America (MPAA) has created a security model guideline for third-party vendors engaged by its members for the purpose of understanding general content expectations and current industry best practices. The guideline identifies controls in the areas of physical and digital security and system management, and these controls are mapped to ISO and NIST controls.