Splashtop Compliance

Learn how Splashtop remote access and remote support solutions comply with or support our customers’ compliance with industry and government standards and regulations. Learn more about Splashtop and SOC 2, ISO/IEC 27001, GDPR, CCPA, PCI, HIPAA, and FERPA.

Splashtop is now ISO/IEC 27001:2022 certified, the latest version of the world’s leading standard for information security management systems (ISMS). This certification replaces our previous ISO/IEC 27001:2013 certification, demonstrating our continued commitment to protecting customer data with the most up-to-date security best practices.

The 2022 update to ISO 27001 strengthens requirements in areas such as:

• Cloud services security

• Threat intelligence

• Data privacy by design

• Operational resilience

• Supplier and third-party risk management

Our ISO 27001:2022 certification means that Splashtop:

• Maintains a comprehensive ISMS covering people, processes, and technology.

• Undergoes annual independent audits to ensure ongoing compliance.

• Continuously improves our controls to address emerging cyber threats and evolving business risks.

Certification scope: The development, maintenance and operation of SaaS services (Remote Desktop Service System)

Splashtop has achieved SOC 2 Type 2 compliance, validated by independent auditors under the AICPA Trust Services Criteria for Security, Availability, and Confidentiality.
Foxpass customers benefit from the same rigorously controlled environment for data protection and service reliability.

A public SOC 3 report is available for reference.
Additional SOC 2 documentation available upon NDA and by request.

How Foxpass supports your SOC 2 compliance:
Foxpass helps customers meet key SOC 2 Trust Services Criteria — especially those addressing Access Controls (CC6.x) and System Operations (CC7.x).
Through centralized authentication, detailed access logging, and certificate-based verification, Foxpass enables customers to demonstrate effective access management and monitoring in their own SOC 2 audits.

Foxpass and Splashtop comply with the principles and obligations of the EU GDPR as both Data Controller and Data Processor.

We implement data-protection-by-design practices, limit personal data collection to what’s necessary to service our customers, and secure all data in transit and at rest using strong encryption.

We maintain Data Processing Agreements (DPAs) with sub-processors and support customer requests related to access, correction, and deletion of personal data.

We have formally reviewed our GDPR readiness with a third party professional firm, put in place additional processes, and set up proper communication channels to handle all GDPR related inquiries and tasks both internally and externally.

See the Splashtop Privacy Policy and Corporate Data Processing Agreement for details.

In compliance with the CCPA, California residents may request access to, deletion of, or opt-out from the sale or sharing of their personal information.

Splashtop — and by extension Foxpass — maintains transparent privacy practices and provides mechanisms to exercise these rights as outlined in our Privacy Policy.

The Payment Card Industry Data Security Standard (PCI DSS) establishes strict requirements for protecting cardholder data and securing networks that process or transmit payment information.

While Foxpass does not store or process cardholder data, it supports PCI DSS compliance by providing the identity and access controls, audit logging, and network segmentation capabilities required to protect cardholder-data environments (CDEs).

Organizations use Foxpass to:

• Enforce least-privilege, identity-based access to systems handling payment data

• Restrict and monitor administrator access using SSH key and privileged-access management

• Log and audit authentication events for PCI DSS control validation

• Segment networks using RADIUS-based VLAN policies to isolate CDEs from general user traffic

Splashtop partners exclusively with PCI DSS-compliant payment providers for secure transaction processing, ensuring all card data is handled in accordance with PCI requirements.

Every business that is part of the U.S. healthcare industry must comply with Federal standards regulating sensitive and private patient information. In addition to protecting worker health insurance coverage, HIPAA sets forth standards for protecting the integrity, confidentiality, and availability of electronic health information. Splashtop does not process, store, or have any access to any of the users’ computer data such as patient data or medical records. Therefore, Splashtop should not be considered as your business associate. While no single product or solution can make an organization HIPAA-compliant, the Splashtop Remote Access, Splashtop Remote Support, SRS Premium, Splashtop Enterprise, and Splashtop On-Prem products, when used properly, may help organizations fulfill HIPAA guidelines for the privacy and security of remote access to healthcare information and may be used within a larger system to support HIPAA compliance (see whitepaper below). Some key points to note are:

• Splashtop transmits but does not store the encoded screen capture stream, which is encrypted end-to-end with TLS with AES-256 bit encryption.

• The username / password transmission is encrypted with HTTPS / TLS.

• The user passwords are encrypted and stored in our database, which is protected by encrypted disk and VPN.

• All connections are logged with timestamp and user / device / session info.

• Device authentication is enabled by default with an option to turn on 2-factor authentication.

• Our Cloud security modules monitor and flag suspicious activities real-time and block the aggressor from further access to our Cloud services.

All of these measures should help ensure that Splashtop may be securely deployed in your organization without affecting HIPAA compliance.

White Paper: Splashtop HIPAA Compliance and Security

Splashtop also offers an on-premise implementation of its remote access and remote support solutions. With this implementation, all of the server modules / services are hosted in the customers’ private cloud. Please find more information at https://www.splashtop.com/products/on-prem and https://www.splashtop.com/solutions/iot (for remote support of computers, mobile / embedded / IoT devices) .

Please contact sales@splashtop.com to start a trial or get additional information.

FERPA protects personally identifiable information (PII) in students’ education records from unauthorized disclosure.

Foxpass helps educational institutions support FERPA compliance by securing network and system access through identity- and certificate-based authentication. By ensuring that only verified users and managed devices can access campus Wi-Fi, servers, and systems, Foxpass strengthens protection of sensitive student and institutional data.

Foxpass does not access or store student records and follows industry best practices for encryption and privacy.

Learn more about Splashtop and FERPA: Splashtop FERPA Info Sheet

Foxpass is backed by Splashtop’s secure cloud infrastructure, incorporating:

• End-to-end encryption and TLS 1.2+ enforcement

• Continuous monitoring and independent vulnerability assessments

• 99.9 % uptime SLA with global redundancy

• Comprehensive audit logging for compliance evidence

For details, visit the Splashtop Security Overview and Technical and Organizational Measures (TOMs).

For compliance documentation, questionnaires, or security inquiries, contact us at sales@splashtop.com or speak with us at Sales - +1.408.886.7177 .