Following up on its publication of Oxebridge Q017, the world’s first international standard on secure “Remote Auditing Methods”, Oxebridge has now begun implementing ITAR-compliant, secure remote auditing for its own clients, using the RegDOX secure sharing portal.

RegDOX allows users to share ITAR controlled information in a secure environment that ensures information is not leaked, misused or jeopardized. During ISO 9001 or other such audits, sensitive or controlled information is often shared with auditors, including ITAR controlled data, requiring careful handling of such information.

Not only do audits performed within RegDOX comply with the International Traffic in Arms Regulation (ITAR) and Export Administration Regulations (EAR), they also comply with NIST 800-171 and related Defense Federal Acquisition Regulation Supplement (DFARS) regulations. RegDOX received an official advisory notice from the US Dept. of State Directorate of Defense Trade Controls (DDTC) that its application complies fully with ITAR regulations.

The current COVID-19 pandemic has forced certification bodies and consultants who provide contract internal auditing, such as Oxebridge, to move to “remote” audits. Typically these use non-secure platforms such as Zoom, GoToMeeting, Google Meet, Cisco WebEx, or SharePoint. In almost all cases, the platforms do not provide ITAR and related compliance, risking felony violations for anyone sharing ITAR controlled information while utilizing them.

Oxebridge has pressed key organizations such as ISO, UKAS and the International Accreditation Forum (IAF) to adopt the Oxebridge Q017 approaches, which include using secure platforms such as RegDOX for document sharing and Signal for secure voice and messaging. The bodies have nevertheless continued to promote performing audits via Zoom, which has been plagued with security lapses and intentional sharing of data with the government of China.

“We are implementing RegDOX to accomplish two milestones,” said Christopher Paris, Oxebridge’s founder. “First, to show that secure remote audits can be accomplished without exposing clients to felonies. And second, to put our money where our mouth is, and perform audits for our clients in the way we’d want others to audit them.”

Oxebridge has likewise implemented a blockchain-enabled solution for its upcoming database of Q001 certifications, after having pressed ISO to do the same for worldwide certifications under its standards. ISO and the IAF have instead opted for a less-secure, non-blockchain traditional database that is open to hacking and has no verifiable data audit trail.

While the RegDOX platform will be mandatory for clients undergoing AS9100 internal audits by Oxebridge, it will also be made available to all clients, regardless of the standard used. Oxebridge is absorbing the costs of using RegDOX, and clients will not be required to buy any licenses or pay additional service fees. Clients will receive temporary, one-time login credentials to the Oxebridge RegDOX portal to be used during such audits. Once inside the portal, clients will be able to share ITAR or other controlled information as audit evidence, without fear of loss or theft. Every view, manipulation and transaction of the data is fully recorded, auditable and performed in a secure environment.

Oxebridge is exploring the use of RegDOX as a requirement for any accredited body offering Oxebridge Q001 Certification audits. It is not yet decided if the certification bodies will be required to use their own RegDOX instance, or if Oxebridge will provide a universal one for use by the bodies and their clients.

To request a price quote for secure remote internal audits performed by Oxebridge, click here.

To learn more about RegDOX, visit

[Oxebridge does not receive any compensation for its use or recommendation of RegDOX.]

