Australian Privacy Principles
Very similar to the need to adhere to the EU GDPR requirements, Australian law requires that personal
data be managed and protected in accordance with the Australian Privacy Principles (APPs) noted within
the Privacy Act 1988. 11:11 maintains strict adherence to data sovereignty and privacy requirements for
all Australian operations.
Regions applicable: 
Autoriteit Persoonsgegevens
With EU presence and operations within Amsterdam personal data protection is also overseen by the
Autoriteit Persoonsgegevens based in the Netherlands. Responsible for personal data requirements general
to the EU and specific to the Netherlands, Autoriteit Persoonsgegevens strictly enforces conformity not
to just general data protection regulations but also country specific controls and personal rights.
11:11 is committed to ensuring conformity to Dutch privacy and data sovereignty laws and maintains
strict adherence.
Regions applicable: 
CCPA
Under the California Consumer Privacy Act (CCPA), including the recent update, California Privacy Rights Act (CPRA) California residents may be entitled to certain notices and disclosures regarding the collection and use of their Personal Information. This statement is intended to provide the Notice at Collection required under the CCPA.
We may collect Personal Information from you and use it for specified purposes. For a list of Categories of Personal Information that we collect and the Purposes for which we use such Personal Information, see 11:11 privacy policy.
While we do not sell Personal Information for monetary value, we may disclose Personal Information to third parties, such as our dealers, in such a way that may be considered a sale of Personal Information under CCPA. To stop such sales, please contact 11:11 at [email protected].
For our general privacy policy see privacy policy.
Regions applicable: 
CJIS
A joint program of the FBI, State Identification Bureaus, and CJIS Systems Agency, the Criminal Justice
Information Services (CJIS) Security Policy outlines the security precautions that must be taken to
protect sensitive law enforcement information. The CJIS Security Policy contains specific requirements
for wireless networking, remote access, encryption, certification of cryptographic modules, and minimum
key lengths.
In conjunction with the NIST 800-53 and FIPS 140-2 architecture 11:11 ensures strict adherence to data
controls and data access requirements.
Regions applicable:
CSA STAR
The Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) Program encompasses key
principles of transparency, rigorous auditing, and harmonization of standards such as ISO 27001 and SSAE
18 SOC 2. The STAR registry documents the security and privacy controls provided by popular cloud
computing offerings. The CSA STAR is a publicly accessible registry that allows cloud customers to
assess an organization’s security practices to make the best procurement decisions. 11:11 participates
in the voluntary CSA STAR self-assessment to document 11:11’s compliance with CSA-published best
practices. Additionally, 11:11 aligns to CSA STAR’s attestation and certification based on 11:11’s ISO
27001 and SSAE 18 SOC 2 third-party audit programs.
Regions applicable: 
Cyber Essentials
Cyber Essentials is a UK government framework set of security controls to protect information from
internet-facing threats and breaches and includes reviews of organizational firewalls, data services,
virus and threat management system, and patching practices.
11:11 participates in the voluntary Cyber Essentials self-assessment annually to document 11:11’s
compliance with the National Cyber Security Centre’s best practices. Additionally, 11:11 aligns to Cyber
Essentials attestation and certification based on 11:11’s ISO 27001 and ISO 27701 third-party audit
programs.
Regions applicable: 
GDPR
The EU General Data Protection Regulation (GDPR) and the UK GDPR are data protection laws that seek to protect the privacy of European residents’ personal data and information. These laws ensure the Data Controllers and Data Processors implement technical and organizational controls to ensure the security and privacy of the personal information they may collect and process. These laws also require that any transfers of personal information to third parties within Europe and outside of Europe commit to the same level of data protection provided by these laws. 11:11 complies with these European Data Protection laws by maintaining a Data Protection Committee that is responsible for oversight and to ensure compliance with all legal regulatory requirements. Additionally, 11:11 maintains an ISO 27701 certification to test 11:11’s Privacy Information Management System (PIMS) as a Processor of personal data. Customers may request a copy of 11:11’s ISO 27701 certificate to review 11:11’s commitment to GDPR compliance and data processor activities.
Legal
As a Processor, 11:11 has Data Processing Agreements (DPA) with Standard Contractual Clauses (SCCs) available for execution with Controllers upon request via 11:11’s legal team. Please review 11:11's
Privacy Notice and
Data Privacy Framework Notice for the most up-to-date information regarding 11:11 Systems’ Data Privacy commitments.
Regions applicable: 
HITRUST Compliance
The Health Information Trust Alliance (HITRUST) maintains the Common Security Framework (CSF) that
harmonizes several compliance frameworks including HIPAA, GDPR, PCI, ISO, and NIST. In collaboration
with privacy, information security, and risk management leaders from the public and private sectors,
HITRUST develops and maintains its widely-adopted common risk and compliance management frameworks,
related assessment and assurance methodologies. 11:11 aligns to HITRUST’s attestation and certification based on 11:11’s ISO 27001 and SSAE 18 SOC 2 third-party audit programs.
Regions applicable:
UK ICO
The information Commissioners Office or ICO maintains the privacy rights and protections for entities
operating within the United Kingdom (UK). ICO requires that organizations operating within the UK
conform to privacy and data protection regulations and that personal data is correctly handled.
Full registration is maintained by 11:11 and publicly facing privacy statements and documentation
pertaining to UK specific data controls are available for all customers of 11:11.
Regions applicable:
ISO 9001
The ISO 9000 family of quality management systems (QMS) standards are designed to help organizations ensure
that they meet the needs of customers and other stakeholders while meeting statutory and regulatory
requirements related to a product or service. Quality and quality management are intrinsic to 11:11’s
operations and business practices, we are proud to be ISO 9001 certified for all of 11:11’s products and
services. The 11:11 Systems ISO 9001 certificate is available for review on the Trust Center or in the 11:11 Systems Cloud Console.
Regions applicable:
ISO 27001
The international standard for information security and risk management, the ISO 27001 certification
ensures that the organization you are working with adheres to best practices for data protection as well
as extensive risk management evaluations. 11:11 maintains ISO 27001 certifications for its data centers
as well as full corporate review and certification of its operations. The 11:11 Systems ISO 27001/27701 certificate and related Statement of Applicability (SOA) is available for review on the Trust Center or in the 11:11 Systems Cloud Console.
Regions applicable:
ISO 27701
The international standard for security techniques and privacy information management systems (PIMS), ISO
27701 is an extension of ISO 27001. ISO 27701 ensures that an organization you are working with adheres
with the General Data Protection Regulation (GDPR) as a Controller and/or a Processor of personal data.
11:11 maintains an ISO 27701 certification for 11:11’s activities as a Processor of personal data for
our customers. The 11:11 Systems ISO 27001/27701 certificate is available for review on the Trust Center or in the 11:11 Systems Cloud Console.
Regions applicable:
ISO 22301
ISO 22301 is the international standard for the development and maintenance of a Business Continuity Management System (BCMS). It specifies the requirements to implement, maintain, and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise. 11:11 Systems maintains a robust Business Continuity Program and annually assesses this program against the international standard. The ISO 22301 certificate is available for review on the Trust Center or in the 11:11 Systems Cloud Console.
Regions applicable:
ITIL
ITIL, formally an acronym for Information Technology Infrastructure Library, is a set of detailed
practices for IT service management (ITSM) that focuses on aligning IT services with the needs of
business. ITIL requires extensive documentation, certified staff, and alignments within organizations to
achieve successful outcomes. 11:11 maintains ITIL certified staff to ensure proper IT Service alignment,
optimizations and operates under the most recent version, ITIL v2011.
Regions applicable:
Model Contract Clause Offering
Ensuring EU data protection and remaining compliant with data sovereignty requirements. 11:11 provides
for its customers Model Contract Clauses for the contractual movement of data for both Controllers and
Processor entities, ensuring that the movement of data conforms to EU regulations and requirements.
Regions applicable:
NIST 800-53
NIST Special Publication 800-53 provides a catalog of security controls for all U.S. federal information
systems except those related to national security. NIST develops and issues standards, guidelines, and
other publications to assist federal agencies in implementing the Federal Information Security
Management Act (FISMA). NIST 800-53 is the foundation of nearly all security requirements within the IT
space.
Alignment to NIST 800-53 is performed within 11:11 at all levels, from the requirements to use FIPS
standards through the physical access requirements for data center access. Customers are encouraged to
review our policies and processes to evaluate our alignments and help ensure alignment to their
requirements.
Regions applicable:
NIST 800-171
NIST Special Publication 800-171 provides recommended security requirements organizations should put in
place to protect the confidentiality of Controlled Unclassified Information (CUI) that is processed, stored,
or transmitted in non-federal systems in the United States. NIST develops and issues standards, guidelines,
and other publications to help federal agencies and organizations that process, store, or transmit CUI
better protect their data. 11:11's systems have been built with compliance and security in mind. As such,
11:11 can support customers that need to adhere to the recommended security guidelines detailed in NIST
800-171. Customers are encouraged to review our policies and processes to evaluate our alignment to
the publication and ensure that we can support their unique compliance requirements.
Regions applicable:
PCI DSS
The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card providers. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. Validation of compliance is performed annually for 11:11 Systems' data centers. 11:11 Systems also receives annually an Attestation of Compliance (AOC) from a Qualified Systems Assessor (QSA), which is available for customers on the Trust Center or in the 11:11 Systems Cloud Console.
Regions applicable:
PIPEDA
For customers operating in Canada, 11:11 maintains and adheres to the privacy requirements defined within
the Personal Information Protection and Electronic Documents Act (PIPEDA) for 11:11’s Canadian
customers. PIPEDA governs how organizations collect, use, and disclose personal information in the
course of conducting business. 11:11 has a robust Privacy Information Management System (PIMS) that
helps our teams properly secure customer data stored within 11:11’s cloud environment. Please reach out
to our compliance team to learn more about 11:11’s privacy program and how we protect customer data.
Regions applicable: 
Singapore Personal Data Protection Act
For customers operating within Singapore, 11:11 maintains and adheres to all privacy requirements
outlined under the Personal Data Protection Act (PDPA) of 2012 for citizens and legal operations within
the Singapore region. Protection of individuals rights is paramount to proper data sovereignty.
Regions applicable: 
SOC 2 and SOC 3
The Statements on Standards for Attestation Engagements, also known as SSAE 18, develops the Trust Service Principles that organizations can test and report on the design and operating effectiveness of a service organization’s controls. System and Organization Controls (SOC) test an organization’s security, availability, processing integrity, confidentiality, and privacy controls. 11:11 maintains an SSAE 18 SOC 2 Type 2 report and a SOC 3 report for our internal operations. 11:11 obtains and reviews the SOC 2 Type II reports for our U.S. data center locations. The 11:11 Systems SOC 2 and SOC 3 reports and most recent Bridge Letter are available for review on the Trust Center or in the 11:11 Systems Cloud Console.
Regions applicable:
