Security and Compliance

AuditFile is the most secure way to perform audits. Nothing else comes close.

Encryption

AuditFile uses enterprise-grade security and administrative controls. All data is encrypted at rest and in transit. Transport encryption protects data in three key ways:
  1. Authentication ensures that you are communicating with us and prevents another computer from impersonating AuditFile.
  2. Encryption scrambles transferred data so that it cannot be read by unauthorized parties.
  3. Data integrity verifies that the information you send to AuditFile is not altered during the transfer. The system detects whether data was added or removed after you sent the message; if any tampering has occurred, the connection is dropped.
AuditFile’s security practices are in the process of being verified by a SOC 2 Type I audit by the public accounting firm Moss Adams LLP.

Data Storage and Disaster Recovery Systems

Full backups run nightly. All data is replicated to at least three physically separate data centers operated by Amazon Web Services (AWS). AWS has successfully completed multiple SAS70 Type II audits and now publishes a Service Organization Controls 1 (SOC 1) Type 2 report, issued under both the SSAE 16 and the ISAE 3402 professional standards, as well as a Service Organization Controls 2 (SOC 2) report. In addition, AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). AWS has obtained a favorable, unbiased opinion from its independent auditors. A SAS70 report certifies that a service organization has undergone an in-depth audit of its controls (including control objectives and control activities), which in the case of AWS relates to operational performance and the security controls that safeguard customer data. Further details on AWS security and compliance are available from AWS.



Enterprise, Government, and Defense

AuditFile supports Single Sign-On (SSO), SAML, Active Directory (AD), and LDAP. We have partnerships with OneLogin and Okta. AuditFile also offers SIPRNet/NIPRNet deployments and CAC/PIV authentication for government entities and defense contractors.



Compliance Programs


AICPA SOC

AuditFile’s security practices are in the process of being verified by a SOC 2 Type I report for the Trust Service Principles of Security and Availability, performed by the public accounting firm Moss Adams LLP. AuditFile's hosting partner, Amazon Web Services (AWS), has successfully completed multiple SAS70 Type II audits and now publishes a Service Organization Controls 1 (SOC 1) Type 2 report, issued under both the SSAE 16 and the ISAE 3402 professional standards, as well as a Service Organization Controls 2 (SOC 2) report.




GDPR

AuditFile is in compliance with the EU General Data Protection Regulation (GDPR). You can view our GDPR / European Economic Area Notice at https://auditfile.com/gdpr.




PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that applies to the collection, use, and disclosure of personal information in the course of commercial activities in all Canadian provinces, as supplemented by substantially similar provincial privacy laws in Alberta, British Columbia and Québec. PIPEDA also applies to international and interprovincial transfers of personal information. AuditFile customers have the option to host their data in the Amazon Web Services (AWS) Canada Central Region. (PIPEDA compliance, like HIPAA compliance, requires a separate Terms of Service agreement. The standard AuditFile Terms of Service do not allow users to upload personally identifiable information.)




AICPA Peer Review Program - QCM Review

AuditFile received a grade of "PASS" from the AICPA Peer Review Program - QCM Review, conducted by the public accounting firm Buchbinder Tunick & Company LLP. You can view the "REPORT ON THE PROVIDER’S SYSTEM OF QUALITY CONTROL AND RESULTANT MATERIALS" at: https://www.aicpa.org/content/dam/aicpa/interestareas/peerreview/community/nationalprc/downloadabledocuments/wileyadvantageauditreport33118.pdf.




EU-US and Swiss-US Privacy Shield Frameworks

AuditFile complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. AuditFile has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. AuditFile is also subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). AuditFile has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship. You can verify AuditFile's registration with the US Department of Commerce at: https://www.privacyshield.gov/participant?id=a2zt00000008RaZAAU&status=Active.




HIPAA

AuditFile enables users to comply with HIPAA. In order to meet the HIPAA requirements applicable to our operating model, AuditFile aligns our HIPAA risk management program with NIST SP 800-53, a more stringent set of security controls that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66, "An Introductory Resource Guide for Implementing the HIPAA Security Rule", which documents how the NIST SP 800-53 controls align to the HIPAA Security Rule. (HIPAA compliance requires a separate Terms of Service agreement. The standard AuditFile Terms of Service do not allow users to upload personally identifiable information.)




ITAR

The International Traffic in Arms Regulations (ITAR) control the export from the US of defense-related articles, and the regulations state that no non-US person may have physical or logical access to the articles stored in the ITAR environment. Articles covered by the ITAR United States Munitions List (USML) include equipment, components, materials, software, and technical information that may only be shared with US Persons unless under special authorization or exemption. US Persons are individuals who are US Green Card (Permanent Resident Card) holders or US citizens. AuditFile's "Enterprise/Gov" plan enables users to achieve ITAR compliance with hosting options on AWS GovCloud. All AuditFile employees are US citizens. AWS GovCloud (US) is continuously audited by an accredited Federal Risk and Authorization Management Program (FedRAMP) independent third-party assessment organization (3PAO) and has been issued a FedRAMP Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) at the High Baseline. The Chief Information Officers (CIOs) of the US Department of Defense, the Department of Homeland Security, and the General Services Administration make up the JAB. (ITAR compliance requires use of the AuditFile "Gov" plan, which is hosted on AWS GovCloud.)




A+ Rating on the Qualys SSL Server Test

AuditFile has received an A+ rating from the Qualys SSL Labs SSL Server Test. The Qualys SSL Labs SSL Server Test checks certificates, protocol support, key exchange, cipher strength, and known vulnerabilities.




PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS applies to all entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. Compliance with the PCI DSS is mandated by the card brands. AuditFile completed the PCI DSS v3.2.1 SAQ A-EP on 8/24/2018.




Microsoft AppSource

AuditFile's Word and Excel Add-ins have been accepted into Microsoft's AppSource program. Microsoft has validated that the add-ins meet its stringent policies for functionality, stability, compatibility, and documentation, and that they are free from malware.

View the AuditFile Report Builder for Excel here: https://appsource.microsoft.com/en-us/product/office/WA104380977?tab=Overview

View the AuditFile Report Write Toolbox for Word here: https://appsource.microsoft.com/en-us/product/office/WA104381373?tab=Overview



Norton Secured

AuditFile is Norton Secured. Norton Secured organization registration is verified through the appropriate government entity in charge of registration. For example, a California corporation may be verified through the California Secretary of State. Norton Secured also ensures that the verification and validation of AuditFile, Inc. and auditfile.com have been done in accordance with the validation guidelines laid out by the CA/Browser Forum. The CA/Browser Forum is a voluntary group of certification authorities (CAs), vendors of Internet browser software, and suppliers of other applications that use X.509 v3 digital certificates for SSL/TLS and code signing. Norton Secured also includes daily malware scanning and vulnerability testing.