Internal Device & Network Access Controls

Files.com enforces internal controls around device usage, VPN access, and remote connectivity to protect our infrastructure and meet regulatory requirements. Our annual SOC 2 Type II audit reviews these controls.

Company-Owned Devices Only

Files.com employees access internal systems only from company-owned hardware. Personally owned (BYOD) devices cannot connect to internal systems, both by policy and through technical enforcement.

All company-owned devices are Apple hardware enrolled in a centralized Mobile Device Management (MDM) system. The MDM enforces full disk encryption, host-based firewalls, remote wipe capability, and software update compliance. Administrative access is restricted, removable media is disabled, and all devices use CrowdStrike Falcon for anti-malware protection. Applications are deployed and managed through MDM under our internal Change Management process.

VPN Architecture & Access Controls

All access to internal systems requires a multi-layer VPN architecture, regardless of physical location. Each company-managed device routes all outbound traffic through a base-layer VPN, even on unsecured or public networks. Additional VPN layers are required to reach internal applications.

Authentication uses a combination of multi-factor authentication (MFA) and certificate-based trust. VPN access is technically restricted to company-owned devices only.

Remote Access Protocols

Files.com does not use Remote Desktop, VNC, or Citrix services.

A limited number of engineers access production and staging environments over SSH. These connections require an additional layer of VPN access, authentication through SSH bastion hosts, public/private key credentials, and policy-based session timeouts and logging.

Access to production systems is restricted to senior employees located in the United States who are bound by confidentiality agreements. Contractors do not have access to customer data or core infrastructure.

Password & Secrets Management

Files.com centralizes credential and secrets management to reduce risk and keep practice consistent across the organization.

All employees use a company-enforced password manager to store and manage their credentials. This enforces internal complexity standards and prevents passwords from being reused or stored outside approved systems.

For infrastructure-level secrets, Files.com uses HashiCorp Vault. Vault provides policy-based access control across systems and centralized, auditable secret management.

Mobile Device Policy & Personal Devices

Files.com maintains a formal Mobile Device Policy as part of its broader Information Security Program.

Personal devices cannot access the Files.com internal network, systems, or VPN. Employees may use personal devices for third-party communication platforms such as Slack, Gmail, PagerDuty, and Zoom. These tools support business operations and communication, and they do not interface directly with core infrastructure.

Wireless Network Security

Each physical Files.com office location operates a company-managed wireless network restricted to company-owned devices, along with a separate guest network that uses WPA encryption, captive portal access, and bandwidth restrictions.

All office networks are treated as untrusted. Devices use the same VPN stack as remote workstations, and MDM enforces wireless configurations. Employees cannot alter these configurations.

Media Management

Files.com does not manage or destroy physical storage media, as all production infrastructure is cloud-based and hosted in AWS.

Local devices cannot read from or write to external storage media such as flash drives or external hard drives. MDM enforces this restriction, and our Acceptable Use Policy governs it.

Permitted Activities

Files.com does not block outgoing email, email attachments, access to personal email accounts, social media, instant messaging, or remote printing. These channels are permitted as part of standard business operations and employee collaboration.