Security and Compliance

AuditFile is the most secure way to perform audits. Nothing else comes close.

Encryption

AuditFile uses enterprise-grade security and administrative controls. All data is encrypted at rest and in transit. Encryption in transit protects data in three key ways:
  1. Authentication ensures that you are communicating with us and prevents another computer from impersonating AuditFile.
  2. Encryption scrambles transferred data so that it cannot be read by unauthorized parties.
  3. Data integrity verifies that the information you send to AuditFile is not altered during the transfer. The system detects if data was added or deleted after you sent the message. If any tampering has occurred, the connection is dropped.

Data Storage and Disaster Recovery Systems

Full backups run nightly. All data is replicated to at least three physically separate data centers operated by Amazon Web Services (AWS). AWS has successfully completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls 1 (SOC 1), Type 2 report, published under both the SSAE 16 and the ISAE 3402 professional standards as well as a Service Organization Controls 2 (SOC 2) report. In addition, AWS has achieved ISO 27001 certification, and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). AWS has obtained a favorable unbiased opinion from its independent auditors. SAS70 certifies that a service organization has had an in-depth audit of its controls (including control objectives and control activities), which in the case of AWS relates to operational performance and security to safeguard customer data. Learn more about our AWS security and compliance here.



Multifactor (MFA) and Biometric Authentication

AuditFile supports multifactor authentication, including Microsoft Authenticator, Google Authenticator, and Authy. AuditFile supports biometric (fingerprint) authentication with Yubico YubiKey Bio Series devices.



Enterprise, Government, and Defense

AuditFile supports Single Sign-on (SSO), SAML, Active Directory (AD), and LDAP. We have partnerships with OneLogin and Okta. AuditFile also offers SIPRNet/NIPRNet deployments and CAC/PIV authentication for government entities and defense contractors.



Compliance Programs


AICPA SOC

AuditFile's hosting partner, Amazon Web Services (AWS), has successfully completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls 1 (SOC 1), Type 2 report, published under both the SSAE 16 and the ISAE 3402 professional standards as well as a Service Organization Controls 2 (SOC 2) report.




GDPR

AuditFile is in compliance with the EU General Data Protection Regulation (GDPR). You can view our GDPR / European Economic Area Notice at https://auditfile.com/gdpr.




PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that applies to the collection, use, and disclosure of personal information in the course of commercial activities in all Canadian provinces as supplemented by substantially similar provincial privacy laws in Alberta, British Columbia and Québec. PIPEDA also applies to international and interprovincial transfers of personal information. AuditFile customers have the option to host their data on Amazon Web Services (AWS) Canada Central Region. Please contact sales to learn more about this feature.




AICPA Peer Review Program - QCM Review

AuditFile received a grade of "PASS" from the AICPA Peer Review Program - QCM Review, conducted by the public accounting firm Buchbinder Tunick & Company LLP. You can view the "REPORT ON THE PROVIDER’S SYSTEM OF QUALITY CONTROL AND RESULTANT MATERIALS" here.




K-ISMS

Korea Information Security Management System (K-ISMS) is a certification by the Korea Internet and Security Agency (KISA) and the Korean Ministry of Science and ICT (MSIT). The K-ISMS program began in 2002, and serves as a standard for evaluating whether enterprises and organizations operate and manage their systems securely. AuditFile's servers for our Korean product are located in the Amazon Web Services (AWS) Asia Pacific (Seoul) Region, using AWS resources within scope for the K-ISMS certification.




HIPAA

AuditFile enables users to comply with HIPAA. In order to meet the HIPAA requirements applicable to our operating model, AuditFile aligns our HIPAA risk management program with NIST 800-53, a more stringent set of security controls that maps to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66, "An Introductory Resource Guide for Implementing the HIPAA Security Rule," which documents how NIST 800-53 aligns to the HIPAA Security Rule.




ITAR

International Traffic in Arms Regulations (ITAR) controls the export from the US of defense-related articles, and the regulations state that no non-US person can have physical or logical access to the articles stored in the ITAR environment. Articles that are covered by the ITAR United States Munitions List (USML) include equipment, components, materials, software, and technical information that can only be shared with US Persons unless under special authorization or exemption. US Persons are individuals who are US Green Card (Permanent Resident Card) holders or US citizens. AuditFile's "Enterprise/Gov" plan enables users to achieve ITAR compliance with hosting options on AWS GovCloud. All AuditFile employees are US citizens. AWS GovCloud (US) is continuously audited by an accredited Federal Risk and Authorization Management Program (FedRAMP) independent third-party assessment organization (3PAO) and has been issued a FedRAMP Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) at the High Baseline. The Chief Information Officers (CIO) from the US Department of Defense, Department of Homeland Security, and General Services Administration represent the JAB. (ITAR compliance requires use of the AuditFile "Gov" plan, which is hosted on AWS GovCloud.)




NIST 800-53 Revision 5

NIST 800-53 Revision 5 is a comprehensive framework of security and privacy controls for federal information systems and organizations. It provides a catalog of controls to protect systems against a wide array of threats, emphasizing flexibility, scalability, and integration into risk management processes. This revision focuses on outcome-based security, integrates privacy controls with security controls, and aligns with international standards to enhance global interoperability. AuditFile is in compliance with NIST 800-53 Revision 5.




A+ Rating Qualys SSL Server Test

AuditFile has received an A+ Rating from the Qualys SSL Labs SSL Server Test. The Qualys SSL Labs SSL Server Test checks certificates, protocol support, key exchange, cipher strength, and known vulnerabilities.




PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard mandated by the card brands and administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS applies to all entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, processors, acquirers, issuers, and service providers. AuditFile completed PCI DSS v3.2.1 SAQ A on December 6, 2023.




Microsoft AppSource

AuditFile's Word and Excel Add-ins have been accepted to Microsoft's AppSource program. Microsoft has validated that the add-ins meet its stringent policies for functionality, stability, compatibility, and documentation, and that they are free from malware.

View the AuditFile Report Builder for Excel here: https://appsource.microsoft.com/en-us/product/office/WA104380977?tab=Overview

View the AuditFile Report Writer Toolbox for Word here: https://appsource.microsoft.com/en-us/product/office/WA104381373?tab=Overview