Aspose HITRUST Statement

1. Introduction

This HITRUST Statement outlines Aspose Pty Ltd’s position regarding the HITRUST Common Security Framework (CSF) and clarifies our approach to security and compliance within our operations.

2. Structure, Operations, and Data Handling

Aspose Pty Ltd (Aspose) is a market-leading software development company that offers APIs for creating, editing, converting, and rendering various file formats such as Office, OpenOffice, PDF, Images, and CAD. Our APIs support multiple platforms, including .NET, Java, C++, Python, PHP, and Android.

Aspose’s products are self-hosted, meaning customers deploy and manage Aspose’s APIs within their own infrastructure. Aspose does not process or store customer data, including sensitive information like protected health information (PHI).

3. HITRUST Applicability and Risk

HITRUST certification is primarily designed for organizations that handle sensitive customer data, such as healthcare data governed by HIPAA. Since Aspose’s APIs are self-hosted and do not process or store customer data, HITRUST certification is not required for our operations.

However, Aspose recognizes the importance of aligning with industry best practices for security and compliance. Our approach includes strong security controls and risk management practices consistent with HITRUST principles.

4. Security Measures and Monitoring

Aspose has implemented the following measures to maintain strong security and compliance standards:

  • Secure Code Practices – Aspose follows secure coding guidelines and conducts regular code reviews and vulnerability scans using tools like SonarQube.
  • Access Control – Aspose enforces least-privilege access and multi-factor authentication (MFA) for all critical systems.
  • Incident Management – A dedicated Incident Response Team (IRT) is in place to detect, respond to, and contain security incidents promptly.
  • Third-Party Risk Management – Aspose evaluates and monitors the security posture of its third-party vendors, ensuring compliance with contractual security obligations.

5. Review and Monitoring

We assess the effectiveness of our security and compliance approach through:

  • Security Monitoring – Conducting internal audits and penetration tests to identify and mitigate potential vulnerabilities.
  • Compliance Monitoring – Ongoing assessments to ensure that security practices align with industry best practices.
  • Employee Awareness and Training – Providing regular training and guidance to employees on secure development, access control, and incident response.

6. Policy Review, Updates, and Approval

This policy is actively maintained and forms part of Aspose’s operational and governance framework. Material updates are supported by communication, guidance, or training where appropriate. It is reviewed at least annually, and more frequently where required to address changes in business practices, regulatory expectations, risk posture, or emerging threats. Where applicable, it is approved through Aspose’s internal governance processes, including review by the Board of Directors or designated leadership. Its publication confirms that it has been reviewed within the past 12 months and remains current and in effect.