Compliance

---

At Files.com, we are committed to excellence in all aspects of our company and our platform. We have invested heavily in our internal controls and internal processes around security and compliance, and we are proud to share the details of our programs here.

It is our hope that you can use the information in these documentation to complete any security or compliance questionnaires that may be applicable to your use of Files.com.

We are able to complete Vendor Audit questionnaires for customers on our Premier or Enterprise plan levels. Please reach out to us if we can help you out in this way.

Files.com is a Software as a Service (SaaS) platform providing one app and API through which you can manage, store, and transfer all files in your business. Notable features include granular permissions, integrations with numerous other services, no-code/low-code file automations, and a host of security and compliance tools.

Files.com is operated by Action Verb LLC dba Files.com. We do not have any other DBAs. Our company was founded in 2008, giving us well over a decade of experience in the managed file transfer business. Our leadership team collectively have over 100 years of experience in the technology industry.

Action Verb LLC dba Files.com is a Nevada Limited Liability Company. We are majority owned by affiliates of Riverwood Capital. View the full list of Riverwood portfolio companies here.

The company is well capitalized, profitable, and growing.

Files.com is well capitalized, profitable, and growing, with a working capital buffer sufficient to support operations in the event of a variety of contingencies identified in the risk management process. We have reviewed banking system risks as part of the risk management process.

Our financial statements are audited annually by Grant Thornton LLP. Upon request, we will provide a letter attesting to the completion of our annual audit.

Risk Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Our physical address is: Files.com, 222 S Mill Ave, Suite 800, Tempe, AZ 85281. Our physical location does not accept visitors without an appointment. Please contact us to arrange any sort of visit.

Due to the changes in work preferences caused by COVID-19, Files.com has a substantial number of employees who work from home, the vast majority of which are based in the United States.

Our telephone number is: (800) 286-8372.

As a matter of policy, Files.com does not provide its employee count.

Files.com competes with companies such as Microsoft, Google, Amazon Web Services, IBM, Oracle, and others.

Files.com is trusted by over 4,000 businesses of all sizes, including dozens of the World's Largest Companies.

Files.com does not share customer retention rates.

To protect the privacy of our customers, Files.com does not typically facilitate customer reference calls with other current customers. We recommend reading the dozens of real customer reviews posted on sites like G2, Capterra, and Gartner Peer Insights. These are real reviews that we don't have any editorial control over.

We are able to make exceptions for large prospective deals ($250k+). Please contact your Account Executive to learn more.

Customers may contact the Files.com Customer Support team by phone at (800) 286-8372, by email at support@files.com, or by submitting an authenticated support request through the web application.

If you require a named support contact such as a Technical Account Manager, or a Support response time SLA, please speak to your Account Executive about upgrading to an Enterprise level of service. The Technical Account Manager contact details will be provided as part of your Enterprise agreement.

While we do not offer a formal training program, Files.com offers unlimited access to our Customer Support team, as well as onboarding assistance from our Customer Success team. Universally, our customers find Files.com easy to learn and our extensive documentation for both end users and administrators is very comprehensive. Additionally, our team is happy to help with proof of concept, testing, and validation during the pre sales phase.

Our Service Level Agreement page provides the details of our SLA.

As a matter of policy, Files.com does not comment on pending or recent legal matters, even if there are none.

Files.com has industry standard insurance policies in place.

As a matter of policy, we do not provide insurance certificates for customers.

Files.com's internal budgetary data is confidential and proprietary, and therefore we do not provide it to customers.

The W9 form is a USA tax form used to communicate the corporate structure and Tax ID number of a business. It is requested by customers and is not submitted to the IRS.

Click here to download the Form W9 for Action Verb LLC dba Files.com.

Files.com uses Zoom for its phone and video conferencing system. Phone and video calls may be recorded for training and review purposes. If a phone or video call is being recorded, you will be notified of the recording and given the opportunity to disconnect. Recordings are retained for a maximum of six months.

Files.com's Information Security Program ("InfoSec Program") is based on SSAE-18 SOC 2 and COBIT 5 Framework and covers the Files.com platform and our company as a whole.

The InfoSec program is designed to support the business objectives, security requirements (IAM, encryption, monitoring, etc) and regulatory/compliance obligations, and is audited internally on a continual basis. The roles and responsibilities are clearly defined and communicated throughout the entire organization, and available on the internal company intranet site.

Files.com has participated in multiple SOC 2 engagements with Kirkpatrick Price which were successfully completed. The Files.com InfoSec Program is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com provides world class tools that enable customers to manage their Information Security Program according to their unique business objectives, security requirements and regulatory/compliance obligations.

Customers are responsible for their own InfoSec Program. Please refer to the Files.com Shared Responsibility Model for more information.

Files.com maintains a Security team dedicated to Information Security.

The Chief Information Security Officer is Sean E. Smith, HCISPP, CISM, CISSP who is a member of ICS2, ISACA, CSA and InfraGuard, and regularly participates in continuing education and awareness updates to keep abreast of the changing information security landscape.

The Security team, which benefits from multiple people throughout the organization participation, is represented in all architecture/project management efforts.

Employees and internal contractors receive training on the Information Security Program (includes the Acceptable Use Policy, Work From Home Policy, etc.) and Privacy as part of the Onboarding process and receive refresher training at least annually. Additional role-specific trainings are provided as necessary.

Security Training is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com InfoSec Program documentation includes proprietary information and is not provided to customers.

These documents include but are not limited to: Admin Access Reset Policy, Antivirus Policy, Asset Management Policy, Automated Network Drawings Procedures, Backup Policy, Backup/Restoration Test Procedures, Business Continuity Plan, Business Impact Analysis, Change Management Policy/Procedures, Data Breach Policy/Handling Procedures, Data Classification Policy/Listing, Data Retention Policy/Procedures, Document/Record Control Procedures, Employee Onboarding/Offboarding Policy/Procedures, Encryption Key Management Policy/Procedures, Incident Handling Policy/Management Plan/Identification Guideline/Alert Procedures, Information Security Policy (includes the Acceptable Use Policy), Laptop/Media Destruction Policy/Procedures, Network Monitoring Policy/Procedures, Penetration Testing Policy/Procedures, Phish Program Policy/Procedures, Risk Assessment/Risk Treatment Policy/Procedures, Risk Matrix, System Configuration Security Policy/Procedures, Vendor Management Policy/Procedures, Vulnerability Management Policy/Procedures.

This documentation is updated immediately as changes dictate, and receives an annual review, with all changes communicated and available immediately on the internal company intranet site, and is reviewed as part of the SOC 2 Audit process. Please reference our latest SOC 2 report for more details.

Files.com has not been breached. No Files.com vendor has suffered a data loss or security breach that has impacted Files.com.

Files.com has not experienced a DDoS event.

In the unlikely event of a breach, Files.com will notify impacted customers using an official contact method on file, subject to any applicable laws and regulations.

Incident Management and Notification are reviewed as part of the SOC 2 Audit process. Please reference our latest SOC 2 report for more details.

Files.com has an Incident Management Program that includes an Incident Handling Policy, Incident Identification Guideline, Incident Alert Procedure, Incident Management Plan and an Incident Management Team. Incident Response is one phase of the Incident Management Plan. Employees and internal contractors receive training on the Incident Management Program as part of the Onboarding process and receive refresher training at least annually. The Incident Management Team receives more in-depth training specific to their roles and responsibilities and receive refresher training at least annually.

Files.com has never suffered a breach, though Incident Management is regularly invoked for smaller incidents, such as customer-impacting availability issues. Files.com conducts regular tests and applies the lessons learned to improve the Incident Management Program. All incidents are tracked and documented, including the root cause and any additional required remediation.

Files.com is often able to provide Incident Report on specific incidents when requested by customers.

Incident Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com handles evidence identification and collection as part of the Incident Management Program.

The Files.com service is designed for High Availability.

Our service is designed to withstand the loss of any single datacenter location with no impact whatsoever to the service. We operate redundant server instances in multiple datacenter locations ("Availability Zones") for every service in every region.

Every customer who purchases a dedicated IP from Files.com actually receives two separate IPs that are hosted on separate infrastructure in separate datacenter locations ("Availability Zones").

We use Amazon Aurora for primary storage of customer metadata. Within Amazon Aurora, we operate multiple hot-backup servers across multiple Availability Zones.

Availability Zones are distinct locations that are engineered to be insulated from failures in other Availability Zones. By launching instances in separate Availability Zones, applications are prevented from failure of a single location.

Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com uses sophisticated strategies for DDoS Mitigation, including the use of proxy servers that sit in front of application servers.

Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com is designed for continuity of function in a variety of disaster scenarios.

The Files.com service is designed for High Availability.

Files.com conducts regular tests of its Business Continuity and Disaster Recovery procedures (including ransomware testing) at least annually. Results of testing are reviewed by senior management as part of the Risk Management Program.

As part of its Business Continuity Planning, Files.com maintains a list of alternate vendors who could replace key vendors if a key vendor were to become unusable for any reason. Based upon a Risk Assessment, Files.com does not currently believe there to be a material risk of this in any of its key vendors.

Files.com does not share the results of Business Continuity / Disaster Recovery testing, however, Business Continuity (including testing) is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com is designed for continuity of function in a variety of disaster scenarios.

Files.com demonstrated during COVID-19 an ability to operate successfully with a fully remote workforce for an extended period of time.

All Files.com employees located at the physical office in Scottsdale, AZ would work from home should an incident/disaster occur.

Files.com also has a management continuity plan.

Business Continuity (including testing) is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com maintains different internal Maximum Tolerable Downtime (MTD), Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for different components of the Files.com service offering. These timeframes are derived from the Business Impact Analysis (BIA) process which is reviewed at least semi-annually.

The BIA process, MTD, RTO and RPO are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com has extensive infrastructure and application monitoring capabilities. Technologies used for monitoring include PagerDuty, Sensu, Sentry, and more.

Our monitoring systems will page and alert our Incident Management Team under a number of different scenarios requiring an alert. Our Incident Management Team will respond immediately to these alerts.

Infrastructure and Application Monitoring are reviewed as part of the SOC 2 audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Due to its High Availability design, Files.com has never in the past had to take down production systems to perform system maintenance. All system maintenance and activities are logged.

If any downtime is required for maintenance in the future, it will be scheduled for a Saturday or Sunday and announced 2 weeks in advance.

Files.com has a formal Risk Management Program based upon COBIT 5 Framework, and conducts risk assessments at least semi-annually. A centralized Risk Register is maintained that documents the likelihood and impact of compromise of the CIA Triad on all assets. The status of the Information Security Program is reviewed as part of this process. Senior Management is included in the risk assessment process, including providing key oversight of the Risk Register. The results from the risk assessment process (risk treatment options) drive improvements in controls, countermeasures, processes and business decisions resulting in lower overall risk to the organization.

Risk Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com has a Vendor Risk Management program in place, which is part of the larger Risk Management Program. Vendors deemed Critical to the organization have their security documentation reviewed at least annually. Vendor Risk Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com is not in a position to know what data you are storing in the platform. This understanding and proper data governance is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Files.com (the company) has procedures to identify and label data that is Confidential, Protected, Sensitive and Public.

Data Governance oversight functions are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com (the company) is managed by a 6 person board of directors which exercises regular oversight over the operations of the company. The board consists of representatives from affiliates of Riverwood Capital as well as other entities that have ownership in the company.

Governance oversight functions are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com has an Asset Management program in place which includes semi-annual review/update of the Software and Hardware Assets listings. The asset listings are a basis of the Risk Management Program.

Asset Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation, such as a list of any hardware and software used, includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com has a detailed Change Management processes in place which includes things like pre-production testing and independent approval of changes. All changes to the system are logged and applied through strict processes which include role-based logical access restrictions on deployment to production. All Files.com (the company) assets are covered by Change Management processes, including audit review on at least a quarterly basis to ensure compliance with existing processes and identification of any process changes.

Change Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

All new systems/software requested for use must follow an established approval process. Once approved, software follows all standard processes and is deployed through Change Management.

Change Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com classifies all information assets into Confidential, Protected, Sensitive and Public categories, and uses those classification levels to ensure appropriate administrative, physical and logical controls are in place and an asset owner is identified. At no time will Confidential, Protected or Sensitive information be sent through the corporate email system. These classification levels are reviewed at least annually to ensure compliance with all Legal, Regulatory and Contractual obligations.

The Data Retention period of information assets are identified to ensure compliance with all Legal, Regulatory and Contractual obligations. Data deletion occurs through automated or manual methods, and is audited at least quarterly to ensure compliance the corresponding policies and procedures.

Data Classification and Data Retention are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com uses the Center for Internet Security (CIS) industry standard hardening guidelines (removing services not needed, managing all service accounts, changing default passwords, etc.) for configuring company systems and inclusion in all company baselines. All configuration changes are applied through existing Change Management processes, with appropriate logging and automated updates to the baselines.

Configuration Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

We automatically install critical security updates as soon as possible using an automatic patch installation system. All configuration changes are applied through existing Change Management processes, with appropriate logging and automated updates to the baselines.

Many pieces of our infrastructure (such as databases and S3 storage) are managed directly by Amazon Web Services. Those updates are performed by Amazon, who is committed to install critical security updates as quickly as possible.

Due to these continuous updates, it's not practical for us to provide specific lists of the internal software versions in use.

Patch Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com offers a Mobile App for iOS and Android that provides a subset of functionality as the web application.

Files.com has sophisticated processes and controls around Application Development and the Software Development Life Cycle (SDLC).

These include separated development, staging, test, and production environments, code review processes, and integration and acceptance testing programs. All data used in development, staging and test is testing data, not production data. Testing is performed by automated processes, with additional manual testing as required.

Files.com implements sophisticated Role Based Access Control (RBAC) for access to internal systems, based on the principles of Need to Know/Least Privilege. This means that most employees do not have access to Production environments.

Application Development and the Files.com SDLC are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

All positions are Files.com have written job descriptions, including providing protections for confidential and sensitive information. Job descriptions are adjusted as needed to address any skills gap. Existing employees are provided training to close any identified skills gap.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com employees are pre-screened using a process that includes checking professional references, background, education, certification(s) prior to employment. All employees sign confidentiality agreements and undergo standardized security awareness training as part of the onboarding process.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com does not currently utilize internal contractors, but our policies dictate they would be subjected to the same reviews as employees prior to onboarding.

Files.com has a formal employee onboarding process that includes issuing unique identifiers to all employees appropriate to their job roles. All employees sign confidentiality agreements and undergo standardized security awareness training as part of the onboarding process.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Employee performance is regularly reviewed, including a formal performance review at least annually.

Files.com has an employee termination and offboarding process, which includes immediate removal of access to all systems. Nearly all internal systems require access to our VPN, access to which is removed immediately upon employee termination. As a matter of policy, Files.com does not discuss employee terminations.

All company owned hardware devices are managed using Mobile Device Management (MDM), including managed software updates and remote wipe capability. Upon termination the device is rendered useless to the terminated employee and the laptop is returned.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Discipline against employees and contractors is handled on a case-by-case basis depending on the facts and circumstances of any given incident. These outcomes can include termination.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com has a team of full time employees and does not outsource any key components of its business. Should contractors/vendors be used, all personnel will be subjected to the same onboarding and access control processes as employees.

Files.com has one key/critical vendor: Amazon Web Services. All of our server instances, file storage, and database hosting are provided by Amazon Web Services (AWS), a subsidiary of Amazon.com.

Files.com reviews the SOC-2 report of Amazon Web Services at least semi-annually and finds it to be satisfactory with no deficiencies noted as of the most recent review. Due to Non-Disclosure Agreements, we are unable to provide a copy of Amazon Web Services's SOC-2 report.

Our agreement with Amazon ensures that they will act within the scope of our Privacy Policy. Learn more on the AWS Compliance programs website.

As part of its Business Continuity Planning, Files.com maintains a list of alternate vendors who could replace key vendors if a key vendor were to become unusable for any reason. Based upon a Risk Assessment, Files.com does not currently believe there to be a material risk of this in any of its key vendors.

Our Desktop app for Windows and Mac is developed in partnership with a 3rd party vendor, however that vendor has no privileged access to the Files.com platform.

Files.com operates a fairly sophisticated cloud environment that leverages many different Amazon Web Services regions. We operate hundreds of server instances in total using industry standard systems and tools. All systems are time synchronized.

The Files.com SaaS is made up on smaller components that are developed in a variety of programming languages and environments, including Java, Ruby, Javascript, Go, .Net, and others.

For most process isolation, Files.com uses virtual-machine level isolation rather than containers. We do, however, use containers for additional isolation & security during certain high-risk processing activities related to customer data, such as when generating image and document previews, scanning for malware (note: this feature is not generally available yet), converting document types, and compression and extraction.

Files.com is a Software as a Service (SaaS) platform and as such all of the system is covered by Software Development Life Cycle (SDLC). Application development SDLC, Network Diagrams and Data Flow diagrams are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com is a multi-tenant Software as a Service (SaaS) platform and utilizes a Continuous Improvement/Continuous Deployment (CI/CD) development model which includes multiple production deployments during the day. These frequent changes preclude customer notification.

Every deployment updates the platform baseline that is used when adding new systems onto the platform.

All updates are designed to avoid any downtime or disruption in service wherever possible. Due to its High Availability design, Files.com has never in the past had to take down production systems to perform system maintenance.

As such all of the system is covered by Software Development Life Cycle (SDLC). Application development SDLC is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com regularly leverages Open Source Software (OSS) in its development process. Use of OSS is subject to various controls to mitigate the security and compliance risks associated with OSS, including notification of security vulnerabilities from multiple sources. All vulnerabilities in OSS are handled through the existing Patch Management process.

Files.com leverages automated scanning technology to ensure that any OSS used in the Files.com application is available under an appropriate license.

Software Licensing, Vulnerability and Patch Management are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com does not publicly share details of its roadmap or planned updates. However, Files.com does maintain a Customer Advisory Board.

These customers have signed appropriate NDAs, and therefore Files.com is able to share details about the roadmap and planned updates with customers who are members of the Customer Advisory Board.

If you would like to be considered for the Customer Advisory Board, please reach out to us.

Application Development is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com is a SaaS (Software-as-a-Service) and is priced using custom quotations based on your requirements. Quotations provide multi-year, annual or monthly pricing for a specific level of features, user/connection count, maximum number API calls, and Transfer and Storage usage. Should you go over your allocated User/Connection Count, or Usage, we will automatically invoice you based on the additional usage.

All of the details are provided in the quotation, proposal, and/or order form, as appropriate.

To make changes to your User/connection count or Usage commitment, please contact your Account Executive. Changes are very easy to process and we are happy to help you upgrade at any time during your contract term.

Files.com is a Software as a Service (SaaS) platform and most of the software provided is hosted and maintained by Files.com and delivered as a service.

Files.com is accessed via the open Internet and does not require a VPN or private network connection. Files.com may not be run as a fully on-premise or internally hosted application.

However, Files.com does provide an agent application and SDKs that can be optionally run inside your on-premise environment to act as a bridge or gateway to your internal/hybrid/private storage and resources.

Additionally, Files.com includes a Desktop App for Windows and Mac, Mobile App for iOS and Android, Command Line App for Windows/Mac/Linux, and open source SDKs available for download. These applications are all covered by our SDLC.

This means that Files.com can optionally operate as a Hybrid cloud model.

All of our server instances, file storage, and database hosting are provided by Amazon Web Services (AWS), a subsidiary of Amazon.com.

Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits, which are reviewed by Files.com at least semi-annually as part of Vendor and Risk Management. Due to Non-Disclosure Agreements, we are unable to provide a copy of Amazon Web Services's SOC-2 report.

Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the Amazon platform and infrastructure. Amazon datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two- factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by Amazon employees is logged and audited routinely.

Amazon does not provide specific details about the hardware used for our server instances. Amazon is responsible for all system maintenance tasks.

Our agreement with Amazon ensures that they will act within the scope of our Privacy Policy. Learn more on the AWS Compliance programs website.

Vendor and Risk Management are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

All of our server instances, file storage, and database hosting are provided by Amazon Web Services, a subsidiary of Amazon.com.

Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits, which are reviewed by Files.com at least semi-annually as part of Vendor and Risk Management. Due to Non-Disclosure Agreements, we are unable to provide a copy of Amazon Web Services's SOC-2 report.

Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the Amazon platform and infrastructure. Amazon datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two- factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by Amazon employees is logged and audited routinely.

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Files.com does operate a physical office location, however no servers nor privileged information is stored at the office. Computers at our office are treated as if they are remote workstations and required to connect through a secure on-device VPN. Physical access to the office is controlled by an Access Control system and only accessible to non-employees with an escort. A monitored alarm system protects the office during non-working hours. All physical access is logged and audited routinely.

Vendor and Risk Management are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com Customer Support and Engineering staff can access information related to configuration, logs, and file metadata (but not file contents) for the purpose of troubleshooting and ensuring system stability.

Most Files.com staff do not have access to passwords, file contents, passwords to remote servers, or other secure data. This data is stored safely in our production systems. Only senior Files.com Engineering and Infrastructure staff have "root" access to production systems that could allow them to access this information more directly. These staff are all full-time USA-based employees, passed background/references/certification checks, and have all signed agreements to honor the Files.com Privacy Policy, and are subject to termination and other penalties in the event of any inappropriate actions. Additionally, unless otherwise approved by the CTO, staff will be employed by Files.com for at least one year before being given "root" access to production systems. Any direct access to servers is logged.

Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per folder basis.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com is a multi-tenant Software as a Service (SaaS) and logically separates all customer data.

Files.com is not in a position to know what data you are storing in the platform. This understanding and proper data classification/data handling is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

We store all the actual contents of customer files in the Amazon S3 Simple Storage Service. Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage.

Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region. Once stored, Amazon S3 maintains the durability of your objects by quickly detecting and repairing any lost redundancy.

Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.

We save backups of files that are deleted and retain such backups for a period of time that is customizable by you. Our support staff is able to restore deleted files directly back to your account.

Files.com allows customers to choose where their data is stored. Files.com has customers worldwide, and multiple geographic locations are available to support each customer. You can even use several data storage locations within the same account on certain plans. Files.com does not support utilizing physical media for bulk uploads.

For speed acceleration purposes, data will typically pass through the region closest to a user before being ultimately stored in the region that was selected for storage. For example if a user from Australia is uploading a file to a folder with a storage location of Germany, that data may be sent to our server location in Sydney (in transit) and then sent to our server location in Germany. You can disable this acceleration and ensure that the data is only ever sent to Germany (or whatever storage region you choose) by disabling our Global Acceleration feature. For HIPAA accounts, disabling global acceleration is required and automatic because our HIPAA agreement with Amazon only covers USA-based server locations.

Please refer to the Files.com Shared Responsibility Model for more information.

We use Amazon Aurora for primary storage of customer metadata. Within Amazon Aurora, we operate multiple hot-backup servers across multiple availability zones.

We have Point-in-time Restore capabilities such that we are able to restore our database to its state at any given time in the past 7 days (such as immediately before a service disruption).

Additionally, we take full database snapshots and store them in Amazon S3 every 24 hours. These snapshots are retained for at least 7 days. Backups are audited as part of the Backup and Restoration Test Procedure

We do not make backups of customer files other than the internal redundancy provided by Amazon S3. Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region. Once stored, Amazon S3 maintains the durability of your objects by quickly detecting and repairing any lost redundancy.

Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.

Learn more on the AWS Compliance programs website.

Backup Policy and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com does not retain customer data once a customer cancels their account. Customer data is deleted within 7 days of receipt of customer cancellation notice or termination due to nonpayment.

Files.com provides world class tools that allow customers to manage their accounts according to their own policy.

Backup retention periods for deleted customer data be configured to any setting the customer chooses to align with their internal security policies. Please refer to the Files.com Shared Responsibility Model for more information.

We use device identifiers (like cookies, beacons, Ad IDs, and IP addresses) to understand how people use the Files.com website and applications. We collect this information for any website visitor. We don't "sell" this information for money, but we do provide it to other companies such as Google and Facebook to help us market our services.

These device identifiers aren't what you might traditionally think of as personal information, like your name or phone number, and they don't directly identify you. Under the California Consumer Privacy Act ("CCPA"), this type of sharing may be considered "selling" of personal information.

Notwithstanding the foregoing, Files.com does not sell customer data or access or use customer data for any purpose other than providing the Files.com service to the customer. Files.com does not market directly to customers of our customers.

Files.com maintains a Privacy Policy. The Files.com Privacy Officer is our Chief Legal Counsel, Joseph Buszka. For any privacy-related inquiries, complaints, or questions, you can contact privacy@files.com.

Files.com provides world class tools that allow the customer to manage their logical access according to their own policy.

Customers can choose to use local application user/group accounts supporting Role Based Access Control (RBAC) including multiple 2FA options, or provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.

Files.com platform access is managed by customers. Please refer to the Files.com Shared Responsibility Model for more information.

Files.com is not in a position to know what data you are storing in the platform and does not read the contents of customer data for the purpose of detecting private information, copywritten information, PII, PHI, etc.

Files.com eventually plans to allow customers to integrate their own DLP services into the Files.com system for content classification. If this capability would be of interest to you, please let us know.

Please refer to the Files.com Shared Responsibility Model for more information.

Files.com provides world class tools that allow the customer to manage their logical access according to their own policy. Files.com platform access is managed by customers.

Customers can choose to use local application user/group accounts supporting Role Based Access Control (RBAC) including multiple 2FA options, or provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.

Passwords are stored in a salted encrypted format based on PKCS5 and PBKDF2 with SHA-512 (part of the SHA-2 family) used internally as the underlying hash algorithm. Customers may neither see nor export user passwords, in either hashed or unhashed format.

Passwords may be imported into Files.com as a hash in raw MD5, SHA-1, or SHA-2 formats, and if they are imported, they will be converted to Files.com's internal format upon first use.

Customers can set length requirements, complexity requirements, and change timeframe on user account passwords according to their own password policy. Files.com has provided a password strength meter aligned with the NIST SP800-63B standard for reference as passwords are created.

Customers can require users to change their password on their next login.

Customers can restrict access to certain IPs or IP ranges, or certain countries, either on a per-user or site-wide basis.

Customers can require that inactive user accounts be disabled after any length of time or lock after a certain number of failed password attempts.

API access requires the use of keys.

Please reference the Files.com documentation for more detailed information.

End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Files.com supports, but does not require, SAML, LDAP, and OAuth technologies for customers to implement Single Sign On and automatic user provisioning.

If you choose to implement Single Sign On, it can optionally be used for automatic user provisioning. Users can additionally be provisioned via our web interface, either individually or as a bulk upload, or through our API or Command Line Interface (CLI) app.

Please reference the Files.com documentation for more detailed information.

User login may occur via our web interface, desktop app, mobile apps, or Command Line Interface (CLI) app, each of which have their own login screen.

End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Files.com web sessions normally time out after 6 hours of inactivity, but customers can customize this timeout period via the Session expiration security setting. Please reference the Files.com documentation for more detailed information.

End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Customers may create and maintain an IP whitelist covering their inbound connections to Files.com.

Files.com publishes a list of IP addresses that it uses when making outbound connections (such as webhooks, LDAP, etc.), which you can add to your internal whitelist. Please reference the Files.com documentation for more detailed information.

Files.com offers a variety of 2FA/MFA options including SMS, Yubikey, U2F, and Google Authenticator on all plan levels. Customers on our Power, Premier, and Enterprise plans may optionally require that their users all use 2FA/MFA. Alternatively, customers may provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers. Please reference the Files.com documentation for more detailed information.

End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Internally, Files.com (the company) uses hardware 2FA devices for all employee access to the Files.com network and all internal applications used by employees.

Access Controls are reviewed as part of the SOC 2 Audit process Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com provides a REST API as well as SDKs in multiple languages. Our API Documentation website lists the available endpoints, API authentication information, as well as links to download our SDKs.

Files.com supports all modern browsers (Chrome, Firefox, Edge, etc.) that were released within the last 4 years. As with nearly all websites today, support for Javascript and Cookies are required.

We no longer support the use of Internet Explorer as it is no longer supported by Microsoft.

No browser plugins, such as Java or Silverlight are required. Certain browser extensions, such as Zscaler, interfere with Files.com and may need to be disabled.

Files.com provides for data encrypted in motion and at rest.

We support 2048-bit SSL encryption for all inbound and outbound FTP and HTTP connections as well as modern SSH encryption for inbound and outbound SFTP connections.

Files.com uses SSL for encrypted data in transit which also includes support for TLS. TLS is an improved version of SSL, it works in much the same way as the SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry.

For HTTP (web workspace) connections, SSL encryption (https://) is required for all connections. If a user attempts to connect to the web workspace via unsecured HTTP (http://), we will automatically redirect them to the secure HTTP address (https://).

For FTP (file transfer protocol) connections via port 990, 2048-bit SSL encryption is supported and required on all connections.

For FTP (file transfer protocol) connections via port 21, 2048-bit SSL encryption is supported and required by default. You may configure your account to allow insecure FTP connections by setting an option.

Customers initiate upload and download processes, utilizing the method and protocol which matches their needs. Please refer to the Files.com Shared Responsibility Model for more information.

File contents (including backups) are encrypted at rest using AES-256 with all keys stored in a key-management escrow service operated by AWS.

All access and authentication credentials are stored in an encrypted state, using AES-256 and a random initialization vector. These items include:

• Storage Access Keys and Secrets (AWS S3, Azure Blob, Google Cloud Storage, etc.)
• SMTP passwords
• Active Directory / LDAP passwords
• SSL Certificate Private Keys
• PGP / GPG Private Keys

Custom SSL certificates are provided for free to customers who use their own Custom Domain, or they are free to provide their own from their vendor of choice.

Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per folder basis.

Encryption baselines are managed as part of the overall Risk Management Program, and are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com utilizes the Hashicorp Vault system for encryption key and secrets management.

Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per folder basis.

Encryption Key Management is managed as part of the overall Risk Management Program, and is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Customers initiate upload and download processes, utilizing the method and protocol which matches their needs. Please refer to the Files.com Shared Responsibility Model for more information.

Files.com by default makes no remote connection to customers system(s). Customers may choose to utilize features such as LDAP/SSO, remote sync/mounts, webhooks, etc. which make a remote connection to customers system(s). Feature(s) configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Internal access and operational logs are maintained on all underlying systems. These logs are retained in hot searchable format for a period of time and are then retained for a much longer period of time in cold storage. Additionally, Files.com application logs are maintained for all file operations as well as settings changes and made available to customers in near real time.

The Files.com interface and API offer customers powerful search and export functionality for application logs. These logs are retained for a minimum of 7 years. If you would like to have these logs retained for a shorter period of time, please contact us.

End user logging is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Internal access and operational logs as well as Files.com application logs are "write once/read many", meaning that they are protected from tampering.

Logs are not regularly manually reviewed, however we leverage automated tools, including Wazuh, as well as custom tools built by Files.com to search for and alert on anomalous activities found in logs.

Application Development, Data Retention and Logging is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com maintains a comprehensive audit log of who, what, when, where and how your files are modified. This makes it easy to see exactly who is reading, changing, or deleting your files.

The following information is included in each history log entry:

Please reference the History Feature documentation for more detailed information.

The Files.com interface and API offer customers powerful search and export functionality for application logs. These logs are retained for a minimum of 7 years. If you would like to have these logs retained for a shorter period of time, please contact us.

The Files.com API and Command Line (CLI) app allow customers to export site settings information such as a user/group/folder permissions matrix.

End user logging is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Files.com believes that data portability is an important goal. We only want to retain your business if we continue to earn it each and every day, and will never hold your data hostage. You can use our APIs and Command Line Interface app (CLI) to export all of your settings and data at any time. Additionally, you can use our File transfer and sync tools to transfer out your files at any time.

Files.com does not support the bulk import/export of data from/to portable media from any data center.

Please note that Files.com does not support the ability to export or retrieve user/counterparty credentials such as Passwords and Private Keys. Passwords are stored in a proprietary salted encrypted format based on PKCS5 and PBKDF2 with SHA-512 (part of the SHA-2 family) used internally as the underlying hash algorithm.

Internal services are backed up in real time to a replica service wherever possible. Where that isn't possible, Files.com conducts daily backups of critical internal data, such as employee authentication data, etc. These backups are moved to multiple regions for redundancy.

Backups are verified and fire drill restorations are performed regularly on this sort of data.

Backup and Restoration management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Our servers are kept behind a firewall (configured in a default deny mode) and only the ports necessary for operation are exposed to the public Internet. We use sophisticated internal firewall technology to segment our internal network into highly specific zones. Specific technologies used include AWS Security Groups, AWS VPC, and Terraform.

We use appropriate Intrusion Detection, Intrusion Protection and Web Application Firewall (WAF) systems as part of our Infrastructure and Network Controls. Specific technologies used include AWS GuardDuty and ModSecurity.

Most internal systems are blocked from outbound internet access, however, there are a few exceptions. For example, the mount and sync systems are required to connect to other remote storage systems across the internet, the file transfer systems requite outbound internet access, etc. A managed file transfer platform must be able to push files outbound to other systems. Whenever possible, these connections are made using proxy servers.

Infrastructure and Network Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com prides itself on putting security first when developing software. Practices in place at Files.com include: training to software engineers on secure coding practices, use of static code security analysis tools, and a Change Management process which includes things like pre-production testing and independent approval of changes. Files.com is using Dependabot on our public GitHub repositories, and Sonatype's Lift scanner on all our public SDK's and the Command Line (CLI) application.

Files.com maintains an internal development platform that includes secure code repositories and continuous integration automation.

Application SDLC, Change Management and Secure Coding Practices are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com does not use third-party code escrow services. The company is well capitalized, profitable, and growing.

Brute Force Protection is covered as part of Intrusion Detection and Intrusion Protection.

Files.com employs appropriate Intrusion Detection and Intrusion Protection systems as part of our Application, Infrastructure, and Network Controls. Specific technologies used include AWS GuardDuty and ModSecurity.

Infrastructure and Network Controls are reviewed as part of the SOC 2 Audit process. Additionally, these topics are heavily covered during our Penetration Testing and Bug Bounty programs. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files stored in Files.com are not scanned for malware or viruses.

End user controls are the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Company laptops at Files.com have appropriate virus scanning and malware protection software (XProtect) installed and configured. Servers are protected through the use of AWS GuardDuty Malware protection services, which has automated alerting. Wazuh agents on all internal servers perform automated FIM scanning and report any changes to installed software and configuration to a central alerting dashboard, which is monitored.

Antivirus and Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Neither customer data nor Emails sent from the Files.com platform are scanned for malware, viruses, or sensitive information. The internal employee email system does scan for malware and viruses, and has spam filters in place.

End user controls are the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Internal servers and workstations at Files.com have appropriate virus scanning and malware protection software installed and configured.

Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com has implemented the following regulatory policies, which are reviewed regularly:

• Anti-Bribery and Anti-Corruption Policy
• Anti-Fraud Policy
• Anti-Slavery Policy
• Anti-Money Laundering Policy
• Environmental, Social, and Governance (ESG) Policy
• Third Party and Governmental Requests Policy
• Whistle-Blowing Policy
• Employee Code of Conduct
• Export Controls Policy

Employee Controls are reviewed as part of the SOC 2 Audit process. Files.com internal policies are considered proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com's General Counsel and Chief Information Security Officer (CISO) regularly attend continuing education courses to keep up with the latest legal and regulatory changes.

Files.com uses the latest changes in legal, regulatory and any contractual obligations to drive updates across all facets of the organization, including the InfoSec Program.

Legal and Regulatory Compliance is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com is not in a position to know what data you are storing in the platform and does not read the contents of customer data for the purpose of detecting private information, copywritten information, PII, PHI, etc.

If a request for disclosure by Law Enforcement Authorities or a subpoena is received, Files.com will notify impacted customers using an official contact method on file, subject to any applicable laws and regulations.

Read the full response to the Log4j vulnerability here.

Files.com will complete compliance and security questionnaires for Enterprise prospects and customers on our Premier plan and up. These questionnaires are completed by Files.com staff members and reviewed by a member of the Files.com in-house Legal team and/or Information Security Team for approval prior to sending to the customer/prospect.