Security and Compliance
AuditFile is the most secure way to perform audits. Nothing else comes close.
Encryption
AuditFile uses enterprise-grade security and administrative controls. All data is encrypted at rest and in transit. This protects data in three key ways:
- Authentication ensures that you are communicating with us and prevents another computer from impersonating AuditFile.
- Encryption scrambles transferred data so that it cannot be read by unauthorized parties.
- Data integrity verifies that the information you send to AuditFile is not altered during the transfer. The system detects if data was added or deleted after you sent the message. If any tampering has occurred, the connection is dropped.
Data Storage and Disaster Recovery Systems
Full backups run nightly. All data is replicated to at least three physically separate data centers operated by Amazon Web Services (AWS). AWS has successfully completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls 1 (SOC 1), Type 2 report, published under both the SSAE 16 and the ISAE 3402 professional standards as well as a Service Organization Controls 2 (SOC 2) report. In addition, AWS has achieved ISO 27001 certification, and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). AWS has obtained a favorable unbiased opinion from its independent auditors. SAS70 certifies that a service organization has had an in-depth audit of its controls (including control objectives and control activities), which in the case of AWS relates to operational performance and security to safeguard customer data. Learn more about our AWS security and compliance here.
Enterprise, Government, and Defense
AuditFile supports Single Sign-on (SSO), SAML, Active Directory (AD), and LDAP. We have partnerships with OneLogin and Okta. AuditFile also offers SIPRNet/NIPRNet deployments and CAC/PIV authentication for government entities and defense contractors.
AuditFile’s security practices are in the process of being verified by a Service Organization Controls 2 (SOC 2) Type I report for the Trust Service Principles of Security and Availability by the public accounting firm Moss Adams LLP. AuditFile's hosting partner, Amazon Web Services (AWS), has successfully completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls 1 (SOC 1), Type 2 report, published under both the SSAE 16 and the ISAE 3402 professional standards as well as a Service Organization Controls 2 (SOC 2) report.
AuditFile is in compliance with the EU General Data Protection Regulation (GDPR). You can view our GDPR / European Economic Area Notice at https://auditfile.com/gdpr.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that applies to the collection, use, and disclosure of personal information in the course of commercial activities in all Canadian provinces as supplemented by substantially similar provincial privacy laws in Alberta, British Columbia and Québec. PIPEDA also applies to international and interprovincial transfers of personal information. AuditFile customers have the option to host their data on Amazon Web Services (AWS) Canada Central Region. (HIPAA compliance requires a separate Terms of Service agreement. The standard AuditFile Terms of Service do not allow users to upload personally identifiable information.) PIPEDA compliance requires a separate Terms of Service agreement.
AICPA Peer Review Program - QCM Review
AuditFile received a grade of "PASS" from the AICPA Peer Review Program - QCM Review, conducted by the public accounting firm Buchbinder Tunick & Company LLP. You can view the "REPORT ON THE PROVIDER’S SYSTEM OF QUALITY CONTROL AND RESULTANT MATERIALS" at: https://www.aicpa.org/content/dam/aicpa/interestareas/peerreview/community/nationalprc/downloadabledocuments/wileyadvantageauditreport33118.pdf.
EU-US and Swiss-US Privacy Shield Frameworks
AuditFile enables users to comply with HIPAA. In order to meet the HIPAA requirements applicable to our operating model, AuditFile aligns our HIPAA risk management program with NIST 800-53, which are higher security standards that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66 An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how NIST 800-53 aligns to the HIPAA Security Rule. (HIPAA compliance requires a separate Terms of Service agreement. The standard AuditFile Terms of Service do not allow users to upload personally identifiable information.)
International Traffic in Arms Regulations (ITAR) controls the export from the US of defense-related articles, and the regulations state that no non-US person can have physical or logical access to the articles stored in the ITAR environment. Articles that are covered by the ITAR United States Munitions List (USML) include equipment, components, materials, software, and technical information that can only be shared with US Persons unless under special authorization or exemption. US Persons are individuals who are US Green Card (Permanent Resident Card) holders or US citizens. AuditFile's "Enterprise/Gov" plan enables users to achieve ITAR compliance with hosting options on the AWS GovCloud. All AuditFile employees are US citizens. AWS GovCloud (US) is continuously audited by an accredited Federal Risk and Authorization Management Program (FedRAMP) independent third-party assessment organization (3PAO) and has been issued a FedRAMP Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) at the High Baseline. The Chief Information Officers (CIO) from the US Department of Defense, Department of Homeland Security, and General Services Administration represent the JAB. (ITAR compliance requires use of the AuditFile "Gov" plan, which is hosted on AWS GovCloud.)
A+ Rating Qualys SSL Server Test
AuditFile has received an A+ Rating from Qualys Labs' SSL Server Test. The Qualys Labs SSL Server Test checks certificates, protocol support, key exchanges, cipher strengths, and vulnerabilities.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS applies to all entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. AuditFile completed PCI DSS v3.2.1 SAQ A-EP on 8/24/2018.
AuditFile's Word and Excel Add-ins have been accepted into Microsoft's AppSource program. Microsoft has validated that the add-ins meet its stringent policies for functionality, stability, compatibility, and documentation, and that they are free from malware.
View the AuditFile Report Builder for Excel here: https://appsource.microsoft.com/en-us/product/office/WA104380977?tab=Overview
View the AuditFile Report Write Toolbox for Word here: https://appsource.microsoft.com/en-us/product/office/WA104381373?tab=Overview
AuditFile is Norton Secured. Norton Secured organization registration is verified through the appropriate government entity in charge of registration. For example, a California Corporation may be verified through the California Secretary of State. Norton Secured also ensures that the verification and validation of AuditFile, Inc. and auditfile.com have been done in accordance with the validation guidelines laid out by the CA/Browser Forum. The CA/Browser Forum is a voluntary group of certification authorities (CAs), vendors of Internet browser software, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS and code signing. Norton Secured also includes daily malware scanning and vulnerability testing.