End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Customer Access Controls are reviewed as part of the SOC 2 Audit process Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Customer User Passwords and Security Capabilities

Files.com provides world class tools that allow the customer to manage their logical access according to their own policy. Files.com platform access is managed by customers.

Customers can choose to use local application user/group accounts supporting Role Based Access Control (RBAC) including multiple 2FA options, or provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.

Passwords are stored in a salted encrypted format based on PKCS5 and PBKDF2 with SHA-512 (part of the SHA-2 family) used internally as the underlying hash algorithm. Customers may neither see nor export user passwords, in either hashed or unhashed format.

Passwords may be imported into Files.com as a hash in raw MD5, SHA-1, or SHA-2 formats, and if they are imported, they will be converted to Files.com's internal format upon first use.

Customers can set length requirements, complexity requirements, and change timeframe on user account passwords according to their own password policy. Files.com has provided a password strength meter aligned with the NIST SP800-63B standard for reference as passwords are created.

Customers can require users to change their password on their next login.

Customers can restrict access to certain IPs or IP ranges, or certain countries, either on a per-user or site-wide basis.

Customers can require that inactive user accounts be disabled after any length of time or lock after a certain number of failed password attempts.

API access requires the use of keys.

Please reference the Files.com documentation for more detailed information.

Customer User Login / Provisioning / Customer use of Single Sign On

Files.com supports, but does not require, SAML, LDAP, and OAuth technologies for customers to implement Single Sign On and automatic user provisioning.

If you choose to implement Single Sign On, it can optionally be used for automatic user provisioning. Users can additionally be provisioned via our web interface, either individually or as a bulk upload, or through our API or Command Line Interface (CLI) app.

Please reference the Files.com documentation for more detailed information.

User login may occur via our web interface, desktop app, mobile apps, or Command Line Interface (CLI) app, each of which have their own login screen.

Idle Timeouts

Files.com web sessions normally time out after 6 hours of inactivity, but customers can customize this timeout period via the Session expiration security setting. Please reference the Files.com documentation for more detailed information.

Controlling Access By Location

Customers may create and maintain an IP whitelist covering their inbound connections to Files.com.

Files.com publishes a list of IP addresses that it uses when making outbound connections (such as webhooks, LDAP, etc.), which you can add to your internal whitelist. Please reference the Files.com documentation for more detailed information.

Two Factor Authentication (2FA) / Multi Factor Authentication (MFA)

Files.com offers a variety of 2FA/MFA options including SMS, Yubikey, U2F, and Google Authenticator on all plan levels. Customers on our Power, Premier, and Enterprise plans may optionally require that their users all use 2FA/MFA. Alternatively, customers may provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers. Please reference the Files.com documentation for more detailed information.

Internally, Files.com (the company) uses hardware 2FA devices for all employee access to the Files.com network and all internal applications used by employees.