Compliance
At Files.com, we are committed to excellence in all aspects of our company and our platform. We have invested heavily in our internal controls and internal processes around security and compliance, and we are proud to share the details of our programs here.
It is our hope that you can use the information in these documentation to complete any security or compliance questionnaires that may be applicable to your use of Files.com.
We are able to complete Vendor Audit questionnaires for customers on our Premier or Enterprise plan levels. Please reach out to us if we can help you out in this way.
Company / Platform Description
Files.com is a Software as a Service (SaaS) platform providing one app and API through which you can manage, store, and transfer all files in your business. Notable features include granular permissions, integrations with numerous other services, no-code/low-code file automations, and a host of security and compliance tools.
Company Structure, Names, History, and Expertise
Files.com is operated by Action Verb LLC dba Files.com. We do not have any other DBAs. Our company was founded in 2008, giving us well over a decade of experience in the managed file transfer business. Our leadership team collectively have over 100 years of experience in the technology industry.
Company Ownership
Action Verb LLC dba Files.com is a Nevada Limited Liability Company. We are majority owned by affiliates of Riverwood Capital. View the full list of Riverwood portfolio companies here.
The company is well capitalized, profitable, and growing.
Company Financial Security
Files.com is well capitalized, profitable, and growing, with a working capital buffer sufficient to support operations in the event of a variety of contingencies identified in the risk management process. We have reviewed banking system risks as part of the risk management process.
Our financial statements are audited annually by Grant Thornton LLP. Upon request, we will provide a letter attesting to the completion of our annual audit.
Risk Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Company / Employee Location
Our physical address is: Files.com, 222 S Mill Ave, Suite 800, Tempe, AZ 85281. Our physical location does not accept visitors without an appointment. Please contact us to arrange any sort of visit.
Due to the changes in work preferences caused by COVID-19, Files.com has a substantial number of employees who work from home, the vast majority of which are based in the United States.
Our telephone number is: (800) 286-8372.
Employee Count
As a matter of policy, Files.com does not provide its employee count.
Competition
Files.com competes with companies such as Microsoft, Google, Amazon Web Services, IBM, Oracle, and others.
Customer Count
Files.com is trusted by over 4,000 businesses of all sizes, including dozens of the World's Largest Companies.
Customer Retention Rates
Files.com does not share customer retention rates.
Customer References
To protect the privacy of our customers, Files.com does not typically facilitate customer reference calls with other current customers. We recommend reading the dozens of real customer reviews posted on sites like G2, Capterra, and Gartner Peer Insights. These are real reviews that we don't have any editorial control over.
We are able to make exceptions for large prospective deals ($250k+). Please contact your Account Executive to learn more.
Support Contact
Customers may contact the Files.com Customer Support team by phone at (800) 286-8372, by email at support@files.com, or by submitting an authenticated support request through the web application.
If you require a named support contact such as a Technical Account Manager, or a Support response time SLA, please speak to your Account Executive about upgrading to an Enterprise level of service. The Technical Account Manager contact details will be provided as part of your Enterprise agreement.
Customer Training
While we do not offer a formal training program, Files.com offers unlimited access to our Customer Support team, as well as onboarding assistance from our Customer Success team. Universally, our customers find Files.com easy to learn and our extensive documentation for both end users and administrators is very comprehensive. Additionally, our team is happy to help with proof of concept, testing, and validation during the pre sales phase.
Service Level Agreement (SLA)
Our Service Level Agreement page provides the details of our SLA.
Pending or Recent Legal Matters
As a matter of policy, Files.com does not comment on pending or recent legal matters, even if there are none.
Insurance
Files.com has industry standard insurance policies in place.
As a matter of policy, we do not provide insurance certificates for customers.
Security Budget
Files.com's internal budgetary data is confidential and proprietary, and therefore we do not provide it to customers.
W9 Form
The W9 form is a USA tax form used to communicate the corporate structure and Tax ID number of a business. It is requested by customers and is not submitted to the IRS.
Click here to download the Form W9 for Action Verb LLC dba Files.com.
Phone and Zoom Call Recordings
Files.com uses Zoom for its phone and video conferencing system. Phone and video calls may be recorded for training and review purposes. If a phone or video call is being recorded, you will be notified of the recording and given the opportunity to disconnect. Recordings are retained for a maximum of six months.
Information Security Program
Files.com's Information Security Program ("InfoSec Program") is based on SSAE-18 SOC 2 and COBIT 5 Framework and covers the Files.com platform and our company as a whole.
The InfoSec program is designed to support the business objectives, security requirements (IAM, encryption, monitoring, etc) and regulatory/compliance obligations, and is audited internally on a continual basis. The roles and responsibilities are clearly defined and communicated throughout the entire organization, and available on the internal company intranet site.
Files.com has participated in multiple SOC 2 engagements with Kirkpatrick Price which were successfully completed. The Files.com InfoSec Program is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Customer Information Security Program
Files.com provides world class tools that enable customers to manage their Information Security Program according to their unique business objectives, security requirements and regulatory/compliance obligations.
Customers are responsible for their own InfoSec Program. Please refer to the Files.com Shared Responsibility Model for more information.
Information Security Team
Files.com maintains a Security team dedicated to Information Security.
The Chief Information Security Officer is Sean E. Smith, HCISPP, CISM, CISSP who is a member of ICS2, ISACA, CSA and InfraGuard, and regularly participates in continuing education and awareness updates to keep abreast of the changing information security landscape.
The Security team, which benefits from multiple people throughout the organization participation, is represented in all architecture/project management efforts.
Information Security and Privacy Training
Employees and internal contractors receive training on the Information Security Program (includes the Acceptable Use Policy, Work From Home Policy, etc.) and Privacy as part of the Onboarding process and receive refresher training at least annually. Additional role-specific trainings are provided as necessary.
Security Training is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Internal Information Security documentation, such as policies, procedures, standards, guidelines and baselines
Files.com InfoSec Program documentation includes proprietary information and is not provided to customers.
These documents include but are not limited to: Admin Access Reset Policy, Antivirus Policy, Asset Management Policy, Automated Network Drawings Procedures, Backup Policy, Backup/Restoration Test Procedures, Business Continuity Plan, Business Impact Analysis, Change Management Policy/Procedures, Data Breach Policy/Handling Procedures, Data Classification Policy/Listing, Data Retention Policy/Procedures, Document/Record Control Procedures, Employee Onboarding/Offboarding Policy/Procedures, Encryption Key Management Policy/Procedures, Incident Handling Policy/Management Plan/Identification Guideline/Alert Procedures, Information Security Policy (includes the Acceptable Use Policy), Laptop/Media Destruction Policy/Procedures, Network Monitoring Policy/Procedures, Penetration Testing Policy/Procedures, Phish Program Policy/Procedures, Risk Assessment/Risk Treatment Policy/Procedures, Risk Matrix, System Configuration Security Policy/Procedures, Vendor Management Policy/Procedures, Vulnerability Management Policy/Procedures.
This documentation is updated immediately as changes dictate, and receives an annual review, with all changes communicated and available immediately on the internal company intranet site, and is reviewed as part of the SOC 2 Audit process. Please reference our latest SOC 2 report for more details.
Past Breaches
Files.com has not been breached. No Files.com vendor has suffered a data loss or security breach that has impacted Files.com.
Breach Notification
In the unlikely event of a breach, Files.com will notify impacted customers using an official contact method on file, subject to any applicable laws and regulations.
Incident Management and Notification are reviewed as part of the SOC 2 Audit process. Please reference our latest SOC 2 report for more details.
Incident Management Program
Files.com has an Incident Management Program that includes an Incident Handling Policy, Incident Identification Guideline, Incident Alert Procedure, Incident Management Plan and an Incident Management Team. Incident Response is one phase of the Incident Management Plan. Employees and internal contractors receive training on the Incident Management Program as part of the Onboarding process and receive refresher training at least annually. The Incident Management Team receives more in-depth training specific to their roles and responsibilities and receive refresher training at least annually.
Files.com has never suffered a breach, though Incident Management is regularly invoked for smaller incidents, such as customer-impacting availability issues. Files.com conducts regular tests and applies the lessons learned to improve the Incident Management Program. All incidents are tracked and documented, including the root cause and any additional required remediation.
Files.com is often able to provide Incident Report on specific incidents when requested by customers.
Incident Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Evidence Collection
Files.com handles evidence identification and collection as part of the Incident Management Program.
High Availability
The Files.com service is designed for High Availability.
Our service is designed to withstand the loss of any single datacenter location with no impact whatsoever to the service. We operate redundant server instances in multiple datacenter locations ("Availability Zones") for every service in every region.
Every customer who purchases a dedicated IP from Files.com actually receives two separate IPs that are hosted on separate infrastructure in separate datacenter locations ("Availability Zones").
We use Amazon Aurora for primary storage of customer metadata. Within Amazon Aurora, we operate multiple hot-backup servers across multiple Availability Zones.
Availability Zones are distinct locations that are engineered to be insulated from failures in other Availability Zones. By launching instances in separate Availability Zones, applications are prevented from failure of a single location.
Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
DDoS Mitigation
Files.com uses sophisticated strategies for DDoS Mitigation, including the use of proxy servers that sit in front of application servers.
Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Business Continuity / Disaster Recovery - Service Operations
Files.com is designed for continuity of function in a variety of disaster scenarios.
The Files.com service is designed for High Availability.
Files.com conducts regular tests of its Business Continuity and Disaster Recovery procedures (including ransomware testing) at least annually. Results of testing are reviewed by senior management as part of the Risk Management Program.
As part of its Business Continuity Planning, Files.com maintains a list of alternate vendors who could replace key vendors if a key vendor were to become unusable for any reason. Based upon a Risk Assessment, Files.com does not currently believe there to be a material risk of this in any of its key vendors.
Files.com does not share the results of Business Continuity / Disaster Recovery testing, however, Business Continuity (including testing) is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Business Continuity - People / Company Operations
Files.com is designed for continuity of function in a variety of disaster scenarios.
Files.com demonstrated during COVID-19 an ability to operate successfully with a fully remote workforce for an extended period of time.
All Files.com employees located at our two physical offices in Scottsdale, AZ and Austin, TX would work from home should an incident/disaster occur.
Files.com also has a management continuity plan.
Business Continuity (including testing) is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Maximum Tolerable Downtime, Recovery Time Objective and Recovery Point Objectives
Files.com maintains different internal Maximum Tolerable Downtime (MTD), Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for different components of the Files.com service offering. These timeframes are derived from the Business Impact Analysis (BIA) process which is reviewed at least semi-annually.
The BIA process, MTD, RTO and RPO are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Infrastructure Monitoring and Application Monitoring
Files.com has extensive infrastructure and application monitoring capabilities. Technologies used for monitoring include PagerDuty, Sensu, Sentry, and more.
Our monitoring systems will page and alert our Incident Management Team under a number of different scenarios requiring an alert. Our Incident Management Team will respond immediately to these alerts.
Infrastructure and Application Monitoring are reviewed as part of the SOC 2 audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Scheduled Maintenance
Due to its High Availability design, Files.com has never in the past had to take down production systems to perform system maintenance. All system maintenance and activities are logged.
If any downtime is required for maintenance in the future, it will be scheduled for a Saturday or Sunday and announced 2 weeks in advance.
Risk Management Program / Risk Assessment / Risk Analysis
Files.com has a formal Risk Management Program based upon COBIT 5 Framework, and conducts risk assessments at least annually. A centralized Risk Register is maintained that documents the likelihood and impact of compromise of the CIA Triad on all assets. The status of the Information Security Program is reviewed as part of this process. Senior Management is included in the risk assessment process, including providing key oversight of the Risk Register. The results from the risk assessment process (risk treatment options) drive improvements in controls, countermeasures, processes and business decisions resulting in lower overall risk to the organization.
Risk Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Vendor Risk Management Program
Files.com has a Vendor Risk Management program in place, which is part of the larger Risk Management Program. Vendors deemed Critical to the organization have their security documentation reviewed at least annually. Vendor Risk Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Data Governance
Files.com is not in a position to know what data you are storing in the platform. This understanding and proper data governance is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Files.com (the company) has procedures to identify and label data that is Confidential, Protected, Sensitive and Public.
Data Governance oversight functions are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Governance Oversight
Files.com (the company) is managed by a 6 person board of directors which exercises regular oversight over the operations of the company. The board consists of representatives from affiliates of Riverwood Capital as well as other entities that have ownership in the company.
Governance oversight functions are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Asset Management
Files.com has an Asset Management program in place which includes semi-annual review/update of the Software and Hardware Assets listings. The asset listings are a basis of the Risk Management Program.
Asset Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation, such as a list of any hardware and software used, includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Change Management
Files.com has a detailed Change Management processes in place which includes things like pre-production testing and independent approval of changes. All changes to the system are logged and applied through strict processes which include role-based logical access restrictions on deployment to production. All Files.com (the company) assets are covered by Change Management processes, including audit review on at least a quarterly basis to ensure compliance with existing processes and identification of any process changes.
Change Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Systems / Software Acquisition
All new systems/software requested for use must follow an established approval process. Once approved, software follows all standard processes and is deployed through Change Management.
Change Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Data Classification / Data Retention
Files.com classifies all information assets into Confidential, Protected, Sensitive and Public categories, and uses those classification levels to ensure appropriate administrative, physical and logical controls are in place and an asset owner is identified. At no time will Confidential, Protected or Sensitive information be sent through the corporate email system. These classification levels are reviewed at least annually to ensure compliance with all Legal, Regulatory and Contractual obligations.
The Data Retention period of information assets are identified to ensure compliance with all Legal, Regulatory and Contractual obligations. Data deletion occurs through automated or manual methods, and is audited at least quarterly to ensure compliance the corresponding policies and procedures.
Data Classification and Data Retention are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Configuration Management
Files.com uses the Center for Internet Security (CIS) industry standard hardening guidelines (removing services not needed, managing all service accounts, changing default passwords, etc.) for configuring company systems and inclusion in all company baselines. All configuration changes are applied through existing Change Management processes, with appropriate logging and automated updates to the baselines.
Configuration Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Patch Management
We automatically install critical security updates as soon as possible using an automatic patch installation system. All configuration changes are applied through existing Change Management processes, with appropriate logging and automated updates to the baselines.
Many pieces of our infrastructure (such as databases and S3 storage) are managed directly by Amazon Web Services. Those updates are performed by Amazon, who is committed to install critical security updates as quickly as possible.
Due to these continuous updates, it's not practical for us to provide specific lists of the internal software versions in use.
Patch Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Mobile App
Files.com offers a Mobile App for iOS and Android that provides a subset of functionality as the web application.
Software Development Life Cycle (SDLC)
Files.com has sophisticated processes and controls around Application Development and the Software Development Life Cycle (SDLC).
These include separated development, staging, test, and production environments, code review processes, and integration and acceptance testing programs. All data used in development, staging and test is testing data, not production data. Testing is performed by automated processes, with additional manual testing as required.
Files.com implements sophisticated Role Based Access Control (RBAC) for access to internal systems, based on the principles of Need to Know/Least Privilege. This means that most employees do not have access to Production environments.
Application Development and the Files.com SDLC are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Employee Job Descriptions
All positions are Files.com have written job descriptions, including providing protections for confidential and sensitive information. Job descriptions are adjusted as needed to address any skills gap. Existing employees are provided training to close any identified skills gap.
Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Background and Credential Checks
Files.com employees are pre-screened using a process that includes checking professional references, background, education, certification(s) prior to employment. All employees sign confidentiality agreements and undergo standardized security awareness training as part of the onboarding process.
Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Files.com does not currently utilize internal contractors, but our policies dictate they would be subjected to the same reviews as employees prior to onboarding.
Employee Onboarding
Files.com has a formal employee onboarding process that includes issuing unique identifiers to all employees appropriate to their job roles. All employees sign confidentiality agreements and undergo standardized security awareness training as part of the onboarding process.
Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Employee Performance
Employee performance is regularly reviewed, including a formal performance review at least annually.
Employee Termination Process
Files.com has an employee termination and offboarding process, which includes immediate removal of access to all systems. Nearly all internal systems require access to our VPN, access to which is removed immediately upon employee termination. As a matter of policy, Files.com does not discuss employee terminations.
All company owned hardware devices are managed using Mobile Device Management (MDM), including managed software updates and remote wipe capability. Upon termination the device is rendered useless to the terminated employee and the laptop is returned.
Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Employee and Contractor Disciplinary Policies
Discipline against employees and contractors is handled on a case-by-case basis depending on the facts and circumstances of any given incident. These outcomes can include termination.
Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Use of Vendors for Key Activities
Files.com has a team of full time employees and does not outsource any key components of its business. Should contractors/vendors be used, all personnel will be subjected to the same onboarding and access control processes as employees.
Files.com has one key/critical vendor: Amazon Web Services. All of our server instances, file storage, and database hosting are provided by Amazon Web Services (AWS), a subsidiary of Amazon.com.
Files.com reviews the SOC-2 report of Amazon Web Services at least annually and finds it to be satisfactory with no deficiencies noted as of the most recent review. Due to Non-Disclosure Agreements, we are unable to provide a copy of Amazon Web Services's SOC-2 report.
Our agreement with Amazon ensures that they will act within the scope of our Privacy Policy. Learn more on the AWS Compliance programs website.
As part of its Business Continuity Planning, Files.com maintains a list of alternate vendors who could replace key vendors if a key vendor were to become unusable for any reason. Based upon a Risk Assessment, Files.com does not currently believe there to be a material risk of this in any of its key vendors.
Our Desktop app for Windows and Mac is developed in partnership with a 3rd party vendor, however that vendor has no privileged access to the Files.com platform.
Technology Stack / Network Diagram / Data Flow Diagrams
Files.com operates a fairly sophisticated cloud environment that leverages many different Amazon Web Services regions. We operate hundreds of server instances in total using industry standard systems and tools. All systems are time synchronized.
The Files.com SaaS is made up on smaller components that are developed in a variety of programming languages and environments, including Java, Ruby, Javascript, Go, .Net, and others.
For most process isolation, Files.com uses virtual-machine level isolation rather than containers. We do, however, use containers for additional isolation & security during certain high-risk processing activities related to customer data, such as when generating image and document previews, scanning for malware (note: this feature is not generally available yet), converting document types, and compression and extraction.
Files.com is a Software as a Service (SaaS) platform and as such all of the system is covered by Software Development Life Cycle (SDLC). Application development SDLC, Network Diagrams and Data Flow diagrams are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
System and Application Updates
Files.com is a multi-tenant Software as a Service (SaaS) platform and utilizes a Continuous Improvement/Continuous Deployment (CI/CD) development model which includes multiple production deployments during the day. These frequent changes preclude customer notification.
Every deployment updates the platform baseline that is used when adding new systems onto the platform.
All updates are designed to avoid any downtime or disruption in service wherever possible. Due to its High Availability design, Files.com has never in the past had to take down production systems to perform system maintenance.
As such all of the system is covered by Software Development Life Cycle (SDLC). Application development SDLC is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Use of Open Source Software
Files.com regularly leverages Open Source Software (OSS) in its development process. Use of OSS is subject to various controls to mitigate the security and compliance risks associated with OSS, including notification of security vulnerabilities from multiple sources. All vulnerabilities in OSS are handled through the existing Patch Management process.
Files.com leverages automated scanning technology to ensure that any OSS used in the Files.com application is available under an appropriate license.
Software Licensing, Vulnerability and Patch Management are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Release Planning / Roadmap / Planned Updates
Files.com does not publicly share details of its roadmap or planned updates. However, Files.com does maintain a Customer Advisory Board.
These customers have signed appropriate NDAs, and therefore Files.com is able to share details about the roadmap and planned updates with customers who are members of the Customer Advisory Board.
If you would like to be considered for the Customer Advisory Board, please reach out to us.
Application Development is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Licensing Model / Requesting Capacity Changes / Upgrades
Files.com is a SaaS (Software-as-a-Service) and is priced using custom quotations based on your requirements. Quotations provide multi-year, annual or monthly pricing for a specific level of features, user/connection count, maximum number API calls, and Transfer and Storage usage. Should you go over your allocated User/Connection Count, or Usage, we will automatically invoice you based on the additional usage.
All of the details are provided in the quotation, proposal, and/or order form, as appropriate.
To make changes to your User/connection count or Usage commitment, please contact your Account Executive. Changes are very easy to process and we are happy to help you upgrade at any time during your contract term.
On-Premise / Internal vs External / Hybrid vs Public vs Private Cloud / Software Applications Included
Files.com is a Software as a Service (SaaS) platform and most of the software provided is hosted and maintained by Files.com and delivered as a service.
Files.com is accessed via the open Internet and does not require a VPN or private network connection. Files.com may not be run as a fully on-premise or internally hosted application.
However, Files.com does provide an agent application and SDKs that can be optionally run inside your on-premise environment to act as a bridge or gateway to your internal/hybrid/private storage and resources.
Additionally, Files.com includes a Desktop App for Windows and Mac, Mobile App for iOS and Android, Command Line App for Windows/Mac/Linux, and open source SDKs available for download. These applications are all covered by our SDLC.
This means that Files.com can optionally operate as a Hybrid cloud model.
Data Centers / Co-Location / Hardware Specifications
All of our server instances, file storage, and database hosting are provided by Amazon Web Services (AWS), a subsidiary of Amazon.com.
Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits, which are reviewed by Files.com at least annually as part of Vendor and Risk Management. Due to Non-Disclosure Agreements, we are unable to provide a copy of Amazon Web Services's SOC-2 report.
Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the Amazon platform and infrastructure. Amazon datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two- factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by Amazon employees is logged and audited routinely.
Amazon does not provide specific details about the hardware used for our server instances. Amazon is responsible for all system maintenance tasks.
Our agreement with Amazon ensures that they will act within the scope of our Privacy Policy. Learn more on the AWS Compliance programs website.
Vendor and Risk Management are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Physical Controls / Environmental Safeguards
All of our server instances, file storage, and database hosting are provided by Amazon Web Services, a subsidiary of Amazon.com.
Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits, which are reviewed by Files.com at least annually as part of Vendor and Risk Management. Due to Non-Disclosure Agreements, we are unable to provide a copy of Amazon Web Services's SOC-2 report.
Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the Amazon platform and infrastructure. Amazon datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two- factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by Amazon employees is logged and audited routinely.
Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
Files.com does operate two physical office locations, however no servers nor privileged information is stored at either office. Computers at our offices are treated as if they are remote workstations and required to connect through a secure on-device VPN. Physical access to the offices is controlled by an Access Control system and only accessible to non-employees with an escort. A monitored alarm system protects the offices during non-working hours. All physical access is logged and audited routinely.
Vendor and Risk Management are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Employee / Contractor Access To Customer Data
Files.com Customer Support and Engineering staff can access information related to configuration, logs, and file metadata (but not file contents) for the purpose of troubleshooting and ensuring system stability.
Most Files.com staff do not have access to passwords, file contents, passwords to remote servers, or other secure data. This data is stored safely in our production systems. Only senior Files.com Engineering and Infrastructure staff have "root" access to production systems that could allow them to access this information more directly. These staff are all full-time USA-based employees, passed background/references/certification checks, and have all signed agreements to honor the Files.com Privacy Policy, and are subject to termination and other penalties in the event of any inappropriate actions. Additionally, unless otherwise approved by the CTO, staff will be employed by Files.com for at least one year before being given "root" access to production systems. Any direct access to servers is logged.
Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per folder basis.
Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Customer Data Separation
Files.com is a multi-tenant Software as a Service (SaaS) and logically separates all customer data.
Customer Data Classification / Data Handling
Files.com is not in a position to know what data you are storing in the platform. This understanding and proper data classification/data handling is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Customer Data Storage
We store all the actual contents of customer files in the Amazon S3 Simple Storage Service. Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage.
Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region. Once stored, Amazon S3 maintains the durability of your objects by quickly detecting and repairing any lost redundancy.
Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.
We save backups of files that are deleted and retain such backups for a period of time that is customizable by you. Our support staff is able to restore deleted files directly back to your account.
Files.com allows customers to choose where their data is stored. Files.com has customers worldwide, and multiple geographic locations are available to support each customer. You can even use several data storage locations within the same account on certain plans. Files.com does not support utilizing physical media for bulk uploads.
For speed acceleration purposes, data will typically pass through the region closest to a user before being ultimately stored in the region that was selected for storage. For example if a user from Australia is uploading a file to a folder with a storage location of Germany, that data may be sent to our server location in Sydney (in transit) and then sent to our server location in Germany. You can disable this acceleration and ensure that the data is only ever sent to Germany (or whatever storage region you choose) by disabling our Global Acceleration feature.
Please refer to the Files.com Shared Responsibility Model for more information.
Customer Data Backups
We use Amazon Aurora for primary storage of customer metadata. Within Amazon Aurora, we operate multiple hot-backup servers across multiple availability zones.
We have Point-in-time Restore capabilities such that we are able to restore our database to its state at any given time in the past 7 days (such as immediately before a service disruption).
Additionally, we take full database snapshots and store them in Amazon S3 every 24 hours. These snapshots are retained for at least 7 days. Backups are audited as part of the Backup and Restoration Test Procedure
We do not make backups of customer files other than the internal redundancy provided by Amazon S3. Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region. Once stored, Amazon S3 maintains the durability of your objects by quickly detecting and repairing any lost redundancy.
Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.
Learn more on the AWS Compliance programs website.
Backup Policy and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Customer Data Retention After Cancellation
Files.com does not retain customer data once a customer cancels their account. Customer data is deleted within 7 days of receipt of customer cancellation notice or termination due to nonpayment.
Customer Data Retention After Deletion By Customer
Files.com provides world class tools that allow customers to manage their accounts according to their own policy.
Backup retention periods for deleted customer data be configured to any setting the customer chooses to align with their internal security policies. Please refer to the Files.com Shared Responsibility Model for more information.
Customer Data Privacy
We use device identifiers (like cookies, beacons, Ad IDs, and IP addresses) to understand how people use the Files.com website and applications. We collect this information for any website visitor. We don't "sell" this information for money, but we do provide it to other companies such as Google and Facebook to help us market our services.
These device identifiers aren't what you might traditionally think of as personal information, like your name or phone number, and they don't directly identify you. Under the California Consumer Privacy Act ("CCPA"), this type of sharing may be considered "selling" of personal information.
Notwithstanding the foregoing, Files.com does not sell customer data or access or use customer data for any purpose other than providing the Files.com service to the customer. Files.com does not market directly to customers of our customers.
Files.com maintains a Privacy Policy. The Files.com Privacy Officer is our Chief Legal Counsel, Joseph Buszka. For any privacy-related inquiries, complaints, or questions, you can contact privacy@files.com.
Customer Data Logical Access Controls
Files.com provides world class tools that allow the customer to manage their logical access according to their own policy.
Customers can choose to use local application user/group accounts supporting Role Based Access Control (RBAC) including multiple 2FA options, or provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.
Files.com platform access is managed by customers. Please refer to the Files.com Shared Responsibility Model for more information.
Content Scanning or DLP of Customer Data
Files.com is not in a position to know what data you are storing in the platform and does not read the contents of customer data for the purpose of detecting private information, copywritten information, PII, PHI, etc.
Files.com eventually plans to allow customers to integrate their own DLP services into the Files.com system for content classification. If this capability would be of interest to you, please let us know.
Please refer to the Files.com Shared Responsibility Model for more information.
Customer User Passwords and Security Capabilities
Files.com provides world class tools that allow the customer to manage their logical access according to their own policy. Files.com platform access is managed by customers.
Customers can choose to use local application user/group accounts supporting Role Based Access Control (RBAC) including multiple 2FA options, or provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.
Passwords are stored in a salted encrypted format based on PKCS5 and PBKDF2 with SHA-512 (part of the SHA-2 family) used internally as the underlying hash algorithm. Customers may neither see nor export user passwords, in either hashed or unhashed format.
Passwords may be imported into Files.com as a hash in raw MD5, SHA-1, or SHA-2 formats, and if they are imported, they will be converted to Files.com's internal format upon first use.
Customers can set length requirements, complexity requirements, and change timeframe on user account passwords according to their own password policy. Files.com has provided a password strength meter aligned with the NIST SP800-63B standard for reference as passwords are created.
Customers can require users to change their password on their next login.
Customers can restrict access to certain IPs or IP ranges, or certain countries, either on a per-user or site-wide basis.
Customers can require that inactive user accounts be disabled after any length of time or lock after a certain number of failed password attempts.
API access requires the use of keys.
Please reference the Files.com documentation for more detailed information.
End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Customer User Login / Provisioning / Customer use of Single Sign On
Files.com supports, but does not require, SAML, LDAP, and OAuth technologies for customers to implement Single Sign On and automatic user provisioning.
If you choose to implement Single Sign On, it can optionally be used for automatic user provisioning. Users can additionally be provisioned via our web interface, either individually or as a bulk upload, or through our API or Command Line Interface (CLI) app.
Please reference the Files.com documentation for more detailed information.
User login may occur via our web interface, desktop app, mobile apps, or Command Line Interface (CLI) app, each of which have their own login screen.
End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Idle Timeouts
Files.com web sessions normally time out after 6 hours of inactivity, but customers can customize this timeout period via the Session expiration security setting. Please reference the Files.com documentation for more detailed information.
End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Controlling Access By Location
Customers may create and maintain an IP whitelist covering their inbound connections to Files.com.
Files.com publishes a list of IP addresses that it uses when making outbound connections (such as webhooks, LDAP, etc.), which you can add to your internal whitelist. Please reference the Files.com documentation for more detailed information.
Two Factor Authentication (2FA) / Multi Factor Authentication (MFA)
Files.com offers a variety of 2FA/MFA options including SMS, Yubikey, U2F, and Google Authenticator on all plan levels. Customers on our Power, Premier, and Enterprise plans may optionally require that their users all use 2FA/MFA. Alternatively, customers may provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers. Please reference the Files.com documentation for more detailed information.
End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Internally, Files.com (the company) uses hardware 2FA devices for all employee access to the Files.com network and all internal applications used by employees.
Access Controls are reviewed as part of the SOC 2 Audit process Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
API and SDKs
Files.com provides a REST API as well as SDKs in multiple languages. Our API Documentation website lists the available endpoints, API authentication information, as well as links to download our SDKs.
Browser Requirements
Files.com supports all modern browsers (Chrome, Firefox, Edge, etc.) that were released within the last 4 years. As with nearly all websites today, support for Javascript and Cookies are required.
We no longer support the use of Internet Explorer as it is no longer supported by Microsoft.
No browser plugins, such as Java or Silverlight are required. Certain browser extensions, such as Zscaler, interfere with Files.com and may need to be disabled.
Customer Data Encryption
Files.com provides for data encrypted in motion and at rest.
We support 2048-bit SSL encryption for all inbound and outbound FTP and HTTP connections as well as modern SSH encryption for inbound and outbound SFTP connections.
Files.com uses SSL for encrypted data in transit which also includes support for TLS. TLS is an improved version of SSL, it works in much the same way as the SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry.
For HTTP (web workspace) connections, SSL encryption (https://) is required for all connections. If a user attempts to connect to the web workspace via unsecured HTTP (http://), we will automatically redirect them to the secure HTTP address (https://).
For FTP (file transfer protocol) connections via port 990, 2048-bit SSL encryption is supported and required on all connections.
For FTP (file transfer protocol) connections via port 21, 2048-bit SSL encryption is supported and required by default. You may configure your account to allow insecure FTP connections by setting an option.
Customers initiate upload and download processes, utilizing the method and protocol which matches their needs. Please refer to the Files.com Shared Responsibility Model for more information.
File contents (including backups) are encrypted at rest using AES-256 with all keys stored in a key-management escrow service operated by AWS.
All access and authentication credentials are stored in an encrypted state, using AES-256 and a random initialization vector. These items include:
- Storage Access Keys and Secrets (AWS S3, Azure Blob, Google Cloud Storage, etc.)
- SMTP passwords
- Active Directory / LDAP passwords
- SSL Certificate Private Keys
- PGP / GPG Private Keys
Custom SSL certificates are provided for free to customers who use their own Custom Domain, or they are free to provide their own from their vendor of choice.
Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per folder basis.
Encryption baselines are managed as part of the overall Risk Management Program, and are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Internal Encryption Key / Secrets Management
Files.com utilizes the Hashicorp Vault system for encryption key and secrets management.
Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per folder basis.
Encryption Key Management is managed as part of the overall Risk Management Program, and is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Inbound / Outbound Customer Connectivity
Customers initiate upload and download processes, utilizing the method and protocol which matches their needs. Please refer to the Files.com Shared Responsibility Model for more information.
Files.com by default makes no remote connection to customers system(s). Customers may choose to utilize features such as LDAP/SSO, remote sync/mounts, webhooks, etc. which make a remote connection to customers system(s). Feature(s) configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Internal Logging / Log Recording and Retention
Internal access and operational logs are maintained on all underlying systems. These logs are retained in hot searchable format for a period of time and are then retained for a much longer period of time in cold storage. Additionally, Files.com application logs are maintained for all file operations as well as settings changes and made available to customers in near real time.
The Files.com interface and API offer customers powerful search and export functionality for application logs. These logs are retained for a minimum of 7 years. If you would like to have these logs retained for a shorter period of time, please contact us.
End user logging is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Internal access and operational logs as well as Files.com application logs are "write once/read many", meaning that they are protected from tampering.
Logs are not regularly manually reviewed, however we leverage automated tools, including Wazuh, as well as custom tools built by Files.com to search for and alert on anomalous activities found in logs.
Application Development, Data Retention and Logging is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Customer History / Logging
Files.com maintains a comprehensive audit log of who, what, when, where and how your files are modified. This makes it easy to see exactly who is reading, changing, or deleting your files.
The following information is included in each history log entry:
| Column | Contents |
|---|---|
| Time | The date and time the action occurred, displayed in the time zone of the current user. |
| User | The user who performed the action. |
| Description | The action that was taken, and the file or folder the action was taken on. |
| IP | The IP address that the user connected from when performing this action. |
| Interface | The interface through which the user performed the action (Web, API, Desktop, FTP, SFTP, WebDAV, Robot). |
Please reference the History Feature documentation for more detailed information.
The Files.com interface and API offer customers powerful search and export functionality for application logs. These logs are retained for a minimum of 7 years. If you would like to have these logs retained for a shorter period of time, please contact us.
The Files.com API and Command Line (CLI) app allow customers to export site settings information such as a user/group/folder permissions matrix.
End user logging is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Customer Data Portability
Files.com believes that data portability is an important goal. We only want to retain your business if we continue to earn it each and every day, and will never hold your data hostage. You can use our APIs and Command Line Interface app (CLI) to export all of your settings and data at any time. Additionally, you can use our File transfer and sync tools to transfer out your files at any time.
Files.com does not support the bulk import/export of data from/to portable media from any data center.
Please note that Files.com does not support the ability to export or retrieve user/counterparty credentials such as Passwords and Private Keys. Passwords are stored in a proprietary salted encrypted format based on PKCS5 and PBKDF2 with SHA-512 (part of the SHA-2 family) used internally as the underlying hash algorithm.
Internal Data Backups
Internal services are backed up in real time to a replica service wherever possible. Where that isn't possible, Files.com conducts daily backups of critical internal data, such as employee authentication data, etc. These backups are moved to multiple regions for redundancy.
Backups are verified and fire drill restorations are performed regularly on this sort of data.
Backup and Restoration management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Network Security / Firewalls / Intrusion Detection / Intrusion Protection / Web Application Firewall
Our servers are kept behind a firewall (configured in a default deny mode) and only the ports necessary for operation are exposed to the public Internet. We use sophisticated internal firewall technology to segment our internal network into highly specific zones. Specific technologies used include AWS Security Groups, AWS VPC, and Terraform.
We use appropriate Intrusion Detection, Intrusion Protection and Web Application Firewall (WAF) systems as part of our Infrastructure and Network Controls. Specific technologies used include AWS GuardDuty and ModSecurity.
Most internal systems are blocked from outbound internet access, however, there are a few exceptions. For example, the mount and sync systems are required to connect to other remote storage systems across the internet, the file transfer systems require outbound internet access, etc. A managed file transfer platform must be able to push files outbound to other systems. Whenever possible, these connections are made using proxy servers.
Infrastructure and Network Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Secure Coding Practices
Files.com prides itself on putting security first when developing software. Practices in place at Files.com include: training to software engineers on secure coding practices, use of static code security analysis tools, and a Change Management process which includes things like pre-production testing and independent approval of changes. Files.com is using Dependabot on our public GitHub repositories, and Sonatype's Lift scanner on all our public SDK's and the Command Line (CLI) application.
Files.com maintains an internal development platform that includes secure code repositories and continuous integration automation.
Application SDLC, Change Management and Secure Coding Practices are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Code Escrow
Files.com does not use third-party code escrow services. The company is well capitalized, profitable, and growing.
Brute Force Protection
Brute Force Protection is covered as part of Intrusion Detection and Intrusion Protection.
Files.com employs appropriate Intrusion Detection and Intrusion Protection systems as part of our Application, Infrastructure, and Network Controls. Specific technologies used include AWS GuardDuty and ModSecurity.
Infrastructure and Network Controls are reviewed as part of the SOC 2 Audit process. Additionally, these topics are heavily covered during our Penetration Testing and Bug Bounty programs. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Virus Scanning / Malware Protection / File Integrity Monitoring (FIM)
Files stored in Files.com are not scanned for malware or viruses.
End user controls are the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Company laptops at Files.com have appropriate virus scanning and malware protection software (CrowdStrike Falcon) installed and configured. Servers are protected through the use of AWS GuardDuty Malware protection services, which has automated alerting. Wazuh agents on all internal servers perform automated FIM scanning and report any changes to installed software and configuration to a central alerting dashboard, which is monitored.
Antivirus and Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Email and Web Content Scanning
Neither customer data nor Emails sent from the Files.com platform are scanned for malware, viruses, or sensitive information. The internal employee email system scans for malware and viruses, and has spam filters in place with TLS encryption enabled.
End user controls are the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Internal servers and workstations at Files.com have appropriate virus scanning and malware protection software installed and configured.
Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Internal Policies at Files.com
Files.com has implemented the following regulatory policies, which are reviewed regularly:
- Anti-Bribery and Anti-Corruption Policy
- Anti-Fraud Policy
- Anti-Slavery Policy
- Anti-Money Laundering Policy
- Conflict of Interest Policy
- Environmental, Social, and Governance (ESG) Policy
- Ethical Sourcing Policy
- Third Party and Governmental Requests Policy
- Whistle-Blowing Policy
- Employee Code of Conduct
- Export Controls Policy
Employee Controls are reviewed as part of the SOC 2 Audit process. Files.com internal policies are considered proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Legal and Regulatory Continuing Education
Files.com's General Counsel and Chief Information Security Officer (CISO) regularly attend continuing education courses to keep up with the latest legal and regulatory changes.
Files.com uses the latest changes in legal, regulatory and any contractual obligations to drive updates across all facets of the organization, including the InfoSec Program.
Legal and Regulatory Compliance is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Law Enforcement / Subpoena Disclosure Request
Files.com is not in a position to know what data you are storing in the platform and does not read the contents of customer data for the purpose of detecting private information, copywritten information, PII, PHI, etc.
If a request for disclosure by Law Enforcement Authorities or a subpoena is received, Files.com will notify impacted customers using an official contact method on file, subject to any applicable laws and regulations.
Log4j Vulnerability
Read the full response to the Log4j vulnerability here.
Questionnaires
Files.com will complete compliance and security questionnaires for Enterprise prospects and customers on our Premier plan and up. These questionnaires are completed by Files.com staff members and reviewed by a member of the Files.com in-house Legal team and/or Information Security Team for approval prior to sending to the customer/prospect.