Support For Your Audit Programs

We understand that many businesses are requiring more information from their SaaS and cloud vendors than ever before. We support these efforts, and we do the same of our vendors.  

We have assisted customers with different attestation standards such as SOC 1, SOC 2, SOC 3, PCI-DSS, HIPAA, and CSA Star. We are familiar with the attestation process and can provide the information customers require from their neutral third-party assessors.  

Files.com has completed a SOC 2 audit. Please contact us for a copy of the completion letter from the auditing firm. If you would like to receive a copy of the full SOC 2 Type 1 report, we require that you first sign an NDA via e-signature.  

We have developed a specialized team within our Customer Success team to handle these customer audit requests.  

Customers on our Premier and Enterprise plans receive full access to this team at no additional charge, up to a reasonable limit per year.  

For our customers on our Starter or Power plans, we encourage you to read the rest of the Security and Compliance pages on this website. We've tried to ensure that they contain the answers to any questions your company may have.  

We take our obligation to our customers further by actively reviewing neutral third-party security attestations of our key vendors, such as Amazon Web Services (AWS). We believe in the 'trust but verify' principle when it comes to our security and compliance programs. 

Penetration Testing and Other Invasive Testing 

While this is much less common, Files.com is also willing to work with customers that require penetration tests or invasive network scanning to audit for security threats. In the past, we've passed these tests with flying colors and are happy to coordinate with your testers.  

These tests can cause network problems or congestion for our other customers, so we ask that any customer running any penetration testing coordinate that testing with our Security team via a request to our Customer Success team.  

Files.com does engage a neutral third-party penetration testing vendor to conduct an annual penetration testing against all facets of our SaaS offering. That test includes infrastructure as well as web application penetration testing. While this testing is not cheap, we view it as an investment in our security posture and a critical component of protecting our customers' information.  

But penetration testing is not enough. We also offer a Security Bug Bounty program where we pay individuals who find issues with our systems or software and report it to our attention. Again, this is an investment in our security posture and a critical component of protecting our customers' information.  

Files.com also participates in the HackerOne program that pays individuals to find bugs in our systems. HackerOne is a more formalized bug bounty program and is by invitation only. Continue reading for information on HackerOne. 

Continuous Security Auditing by HackerOne 

Files.com engages the services of HackerOne, a San Francisco firm that has relationships with thousands of independent security researchers. Through HackerOne, these independent security researchers each separately audit and test our platform's security through independently conducted penetration testing of our websites, servers, platform, and APIs. 

HackerOne takes an alternative approach to penetration testing. They offer:  

• HackerOne Response: With HackerOne Response, organizations receive vulnerability reports discovered by third-party hackers, free of charge. Our customers use HackerOne Response to ensure security reports end up in front of infosec professionals while minimizing the chances that vulnerabilities are disclosed through unsuitable channels like social media.  
• HackerOne Challenge: HackerOne Challenge is a private, fully-managed alternative to traditional penetration testing. Challenges are perfect for organizations looking to supplement or replace traditional penetration tests with ethical hackers looking for severe vulnerabilities. Every Challenge will include a detailed report to help meet compliance requirements.  
• HackerOne Bounty: HackerOne Bounty is the market-leading bug bounty program, where trusted hackers are incentivized to continuously test for critical vulnerabilities. Bounty programs can be private and invite-only or fully public, and all incentives will reflect the organization's priorities. HackerOne has more experience running more programs, of any size, than any other vendor. 

The HackerOne approach is to find and incentivize the industry's best trusted, ethical hackers to attempt to penetrate the systems and applications of the HackerOne customers. We pay HackerOne a great deal of money every year to use this alternative approach to penetration testing against our systems.  

This redundant form of testing has been embraced by the top firms in the software as a service industry, including Google, Microsoft, and others, due to its unique ability to provide rapid coverage and testing of a wide variety of potential issues. 

Files.com's internal Security response team is immediately notified if a HackerOne researcher ever discovers a potential issue, and we treat the triage and resolution of issues as a high priority. Should a breach ever be discovered through our relationship with HackerOne, we will report the breach in accordance with our Privacy Policy.  

If you are an independent security researcher and would like to conduct security testing against Files.com, please join Files.com's page on HackerOne.