Compliance Frameworks


Files.com actively reviews the landscape of compliance frameworks and audit regimes. This page provides relevant information about how various compliance frameworks apply to your use of Files.com. Please note that individual facts and circumstances are important to understanding how any given framework may apply to you.

SOC 2 Type II

Our most recent SOC 2 Type II audit engagement covered the period from October 1, 2022 through March 31, 2023, with the final report delivered on May 31, 2023. We conduct a SOC 2 audit annually, with an audit period start date of April 1, and our SOC 2 auditor is Kirkpatrick Price.

In addition to this engagement, Files.com has successfully completed several prior SOC 2 engagements with Kirkpatrick Price.

We are happy to provide our customers or prospects with our SOC 2 report. Contact your Account Executive or Account Manager to obtain the latest SOC 2 report.

Will Files.com Be Storing Data Subject To PCI/HIPAA/GDPR?

Files.com is not in a position to know what data you are storing in the platform. This understanding and proper data classification is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Federal Privacy Regulations

Files.com provides tools and controls that help customers meet their legal, regulatory and contractual obligations; which obligations apply, and how the platform must be configured to satisfy them, remain the customer's determination. Please reference the provided Shared Responsibility Model for more details.

Family Educational Rights and Privacy Act (FERPA)

FERPA is a US federal law governing access to and disclosure of student education records. The Act gives parents, and eligible students (those who have turned 18 or who attend a postsecondary institution), the right to inspect the student's education records, a mechanism to request that the records be amended, and some control over disclosure of student records and information. FERPA covers institutions and agencies receiving funding from the US Department of Education, such as public schools and school districts.

While there is no formal certification process for FERPA, Files.com provides tools and controls to help institutions and agencies comply with the Act's rules. Proper controls, configuration, and validation of the configuration are the responsibility of the customer; please refer to the Files.com Shared Responsibility Model for more information.

Children's Online Privacy Protection Act (COPPA)

Files.com is not intended for use by children, and in particular not by children under 13, the age group COPPA protects. We do not knowingly collect personally identifiable information from anyone under 18 years of age.

Health Insurance Portability and Accountability Act (HIPAA) / Business Associate Agreement (BAA)

Files.com has many customers who are subject to the Health Insurance Portability and Accountability Act (HIPAA). As such, we are aware of the relevant requirements and have designed our service to be compatible with many customer scenarios requiring HIPAA compliance.

Files.com offers a pre-written and pre-approved Business Associate Agreement ("BAA") that it will execute for any customer on a Premier or Enterprise plan. BAAs and HIPAA compliance are not available on the Power plan.

Our HIPAA BAA requires that you comply with the instructions in our Configuring Files.com For Maximum Security document; the BAA does not cover deployments configured in a way that contradicts that document.

General Data Protection Regulation (GDPR) / Data Protection Agreement (DPA)

Files.com complies with the obligations that the General Data Protection Regulation (GDPR) places on it as a service provider. Whether your own use of the platform is GDPR-compliant depends on the data you store and how you configure the service; please refer to the Files.com Shared Responsibility Model.

Files.com offers a pre-written and pre-approved Data Protection Agreement (DPA) that it will execute for any customer requiring a DPA under GDPR.

Privacy Shield Framework

Files.com is self-certified under the Privacy Shield framework.

The Files.com Privacy Shield Self-Certification can be viewed here.

Note that in July 2020 the Court of Justice of the European Union (in the Schrems II decision) invalidated Privacy Shield as a lawful basis for transferring personal data from the EU to the US. The self-certification still binds Files.com to the framework's privacy commitments, but customers should not rely on it alone as a transfer mechanism and should instead look to the DPA described above.

International Traffic in Arms Regulations (ITAR)

ITAR is the International Traffic in Arms Regulations, which is a set of United States government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML) and related technical data. ITAR requires, in relevant part, that covered material (items listed on the USML) only be shared with U.S. persons absent special authorization or exemption.

Unlike SOC 2, there is no formal ITAR certification process. Because Files.com heavily relies on AWS and does not make use of the GovCloud capabilities of AWS, Files.com is unable to assert ITAR compliance.

Payment Card Industry (PCI)

PCI is the Payment Card Industry standard for cardholder data security (the PCI Data Security Standard, or PCI DSS).

All credit card information provided to us by our customers is stored in a PCI-compliant system operated by our payment vendors, Braintree Payment Solutions and PayPal. Our billing and signup processes are also PCI-compliant.

This should not be misunderstood to mean that our customers may store payment card data in Files.com. The Files.com Terms of Service disallow the Files.com service from being used for that use case.

ISO 27001

ISO 27001 is a framework governing information security. Files.com is not currently ISO 27001 certified, however, we plan to complete an ISO 27001 certification in the future.

Files.com's Information Security Program ("InfoSec Program") is based on SSAE 18 SOC 2 and the COBIT 5 framework and covers the Files.com platform and our company as a whole.

Files.com has participated in multiple SOC 2 engagements with Kirkpatrick Price which were successfully completed. Please reference our latest SOC 2 report for more details.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian federal data privacy law that governs the collection, use, and disclosure of personal information in the course of commercial business within Canada, including international and interprovincial transfers of personal information.

The law applies to private-sector organizations across Canada, except that in provinces with privacy laws deemed substantially similar (currently Quebec, British Columbia and Alberta), the provincial law applies instead to activities that occur entirely within that province. PIPEDA continues to apply to federally regulated organizations and to interprovincial and international transfers of personal information.

Customers are responsible for determining the application of PIPEDA and complying with it, however, Files.com has numerous settings and features to assist with that compliance.

National Defense Authorization Act Section 889 (NDAA Section 889)

Files.com is compliant with NDAA Section 889.

Section 889 of the fiscal year 2019 National Defense Authorization Act (NDAA) prohibits US federal government agencies, contractors, and grant and loan recipients from using or procuring certain covered telecommunications, video, or surveillance equipment or services. Such covered equipment or services are those from specific named companies, including their subsidiaries and affiliates.

FIPS 140-3

FIPS 140-3, which succeeds FIPS 140-2 as the NIST standard for validating cryptographic modules, is required or referenced under multiple compliance regimes, such as the Federal Risk and Authorization Management Program (FedRAMP), the Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Note that FIPS 140 validation applies to a cryptographic module, not to a service as a whole; a "FIPS-compliant endpoint" is one whose TLS and storage encryption is performed by a validated module operating in its approved mode.

Files.com is planning to launch endpoints that use FIPS 140-3 validated cryptographic modules in 2024.

Federal Risk and Authorization Management Program (FedRAMP)

The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide parameters for the adoption and use of cloud services by the federal government.

Files.com is not FedRAMP authorized.

We have, however, successfully completed multiple SOC 2 audits; please reference our latest SOC 2 report for more details.

Americans with Disabilities Act (ADA) and Voluntary Product Accessibility Template (VPAT)

Files.com is proud to be compliant with the Americans with Disabilities Act (ADA).

We understand the importance of accessibility and are committed to ensuring that our platform is accessible to all users, including those with disabilities.

As part of this commitment, we have prepared an audited Voluntary Product Accessibility Template (VPAT) report based on the Web Content Accessibility Guidelines (WCAG).

Contact your Account Executive or Customer Support to obtain the latest VPAT report.

GxP and Food and Drug Administration (FDA) 21 CFR Part 11

GxP and related acronyms refer to regulations and quality guidelines in the life sciences industry maintained by the Food and Drug Administration (FDA) in the United States and similar organizations in other countries. These acronyms stand for "Good [x] Practices", such as Good Manufacturing Practices (GMP), Good Laboratory Practices (GLP), etc.

21 CFR Part 11 refers to Part 11 of Title 21 of the Code of Federal Regulations, which sets out the FDA's criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures. Its requirements include validation of systems, secure time-stamped audit trails, and controls over system access and authority.

Files.com provides tools and controls that allow Files.com to be used within organizations that are complying with FDA 21 CFR Part 11, however proper controls, configuration, and validation of the configuration are the responsibility of the customer.

Please refer to the Files.com Shared Responsibility Model for more information.

Information Commissioner's Office (ICO) Registration

The ICO is the UK's independent body with a mission of upholding information rights for UK citizens. Subject to some limited exemptions, organizations that process personal information and operate from within the UK must register with the ICO and pay a data protection fee.

Files.com does not have a place of business in the UK and does not regularly carry out business from within the UK, and is therefore not required to register with the ICO.

Files.com offers a pre-written and pre-approved Data Protection Agreement (DPA) that it will execute for any customer requiring a DPA under the UK GDPR/Data Protection Act 2018.

Other Compliance Frameworks

Files.com actively reviews the landscape of compliance frameworks and audit regimes. If your organization has a specific certification or compliance need, please reach out to us, and we are happy to explore the opportunity.


©2024 Files.com. All rights reserved.
