Why We Do Not Share Internal Audit Artifacts

Files.com earns customer trust through independently verified assessments, public reporting, and responsible disclosure. Requests for internal security audit artifacts — documents beyond our formal attestations or published summaries — have grown more frequent, and this page explains what we share, what we don't, and why.

What We Do Provide

Files.com is a SOC 2 Type II audited platform with an unbroken record of successful annual audits. We maintain a wide range of controls that are independently assessed and verified. Our SOC 2 report is detailed and is provided to customers under NDA.

In addition to the SOC 2 report:

  • We undergo regular third-party penetration testing.
  • We operate a public bug bounty program on HackerOne, active since 2016.
  • We publish summary-level audit and test results.
  • We are regularly tested as part of our PCI compliance and our Google Partner Program membership.
  • We invite customers to perform their own penetration testing, and major enterprise customers have done so successfully.

Why We Do Not Share Internal Audit Documents

Internal audit artifacts — control matrices, vulnerability scans, raw assessment outputs — are proprietary and sensitive. They contain detailed information about our infrastructure, internal processes, security tooling and configurations, and organizational risk assessments.

Releasing that information exposes internal implementation details that are both business-critical and potentially exploitable. We do not share it broadly.

For the majority of customers, the assurances provided by our SOC 2 reports, HackerOne history, and third-party test results are sufficient to establish confidence in our security posture.

Access for True Enterprise Customers

For customers spending $100,000 or more annually with Files.com, the platform often represents a critical part of the customer's infrastructure, and internal review processes call for greater transparency.

For those customers, we offer enhanced visibility and engagement, which can include:

If you are in that category, the limitations described in this article do not apply to you. Reach out to your Account Manager to discuss further.

Our Track Record and Public Transparency

  • As of April 12, 2025, there are zero known vulnerabilities in the Files.com platform: no criticals, highs, mediums, or lows.
  • We act on every report received through HackerOne or any penetration test.
  • Our public HackerOne profile shows every vulnerability report ever submitted, how we handled it, and the current state of the program.

Files.com is one of the longest-running public programs on HackerOne and one of only two leading vendors in the Managed File Transfer space that has never had a publicized security incident, never been sued, never been found at fault for customer damages, and never filed or paid any insurance claim related to information security.