Aspose HITRUST Statement

Last updated: 11 March 2025

1. Introduction

This HITRUST Statement outlines Aspose Pty Ltd’s position regarding the HITRUST Common Security Framework (CSF) and clarifies our approach to security and compliance within our operations.

2. Structure, Operations, and Data Handling

Aspose Pty Ltd (Aspose) is a market-leading software development company that offers APIs for creating, editing, converting, and rendering various file formats such as Office, OpenOffice, PDF, Images, and CAD. Our APIs support multiple platforms, including .NET, Java, C++, Python, PHP, and Android.

Aspose’s products are self-hosted, meaning customers deploy and manage Aspose’s APIs within their own infrastructure. Aspose does not process or store customer data, including sensitive information like protected health information (PHI).

3. HITRUST Applicability and Risk

HITRUST certification is primarily designed for organizations that handle sensitive customer data, such as healthcare data governed by HIPAA. Since Aspose’s APIs are self-hosted and do not process or store customer data, HITRUST certification is not required for our operations.

However, Aspose recognizes the importance of aligning with industry best practices for security and compliance. Our approach includes strong security controls and risk management practices consistent with HITRUST principles.

4. Security Measures and Monitoring

Aspose has implemented the following measures to maintain strong security and compliance standards:

  • Secure Code Practices – Aspose follows secure coding guidelines and conducts regular code reviews and vulnerability scans using tools like SonarQube.
  • Access Control – Aspose enforces least-privilege access and multi-factor authentication (MFA) for all critical systems.
  • Incident Management – A dedicated Incident Response Team (IRT) is in place to detect, respond to, and contain security incidents promptly.
  • Third-Party Risk Management – Aspose evaluates and monitors the security posture of its third-party vendors, ensuring compliance with contractual security obligations.

5. Review and Monitoring

We assess the effectiveness of our security and compliance approach through:

  • Security Monitoring – Conducting internal audits and penetration tests to identify and mitigate potential vulnerabilities.
  • Compliance Monitoring – Ongoing assessments to ensure that security practices align with industry best practices.
  • Employee Awareness and Training – Providing regular training and guidance to employees on secure development, access control, and incident response.

6. Policy Management

Aspose is a privately held company. Our policies are reviewed and maintained by the leadership team to keep them aligned with our business goals and industry standards.

This policy is live and effective as of the Last Updated date at the top of this document. Updates reflect changes in our business practices, customer feedback, and compliance requirements.