Internal Network and Company IT

This page provides relevant information about Files.com's internal network and information technology policies to communicate our security and compliance posture. It is our hope that you will appreciate the company-wide investment we make in security.

Files.com uses a sophisticated internal Identity and Access Management system that provides Single-Sign-On authentication to most internal systems. This system was developed in-house and does not use a third party SaaS such as Okta. The system is hosted entirely within the Files.com network. This system requires unique identifiers, password complexity mandated by the Information Security policy, and integrated mandatory 2FA using physical hardware devices for all employees.

Files.com implements sophisticated Role Based Access Control (RBAC) for access to internal systems, based on the principles of Need to Know/Least Privilege.

All employee and contractor identities and assigned roles are audited at least quarterly.

Nearly all internal systems require access to our VPN, access to which is terminated immediately upon employee termination.

Identity and Access Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

By policy and through the use of technical controls, Files.com employees must only use company owned hardware devices to access our network.

All company owned hardware devices are Apple devices managed using Mobile Device Management (MDM), including managed software updates and remote wipe capability.

Employees do not have local administrative rights to their device, and password requirements are enforced locally.

Local hard disk encryption is automatically enforced by MDM. Airdrop and removable media access is disabled by MDM.

No Windows-based systems are used anywhere within the internal network.

All access to Files.com's network for employees requires access via a set of layered VPNs. Technical controls are in place to ensure that the VPNs may only be accessed by company owned hardware devices.

Employees are forced to use a password manager to store all passwords/secrets. System secrets are kept in the Hashicorp Vault product.

Files.com company owned devices route all traffic through a base layer VPN, providing protection against remote or compromised internet connections. Additional VPNs are required to access our internal applications, and those VPNs require Two-Factor Authentication, as well as an additional password. Our VPNs are scaled such to that they are easily able to accommodate all of our employees working remotely for an extended period of time.

The company does not use Remote Desktop, VNC, or Citrix remote services, but a small number of employees may access our production and staging environments via SSH (Secure Shell). SSH access requires yet another layer of VPN, and is then further mediated by an SSH bastion server authenticated via an additional layer of public/private key authentication. Session termination is dictated by policy and enforced through technical controls.

Access to any customer data is always limited to senior Files.com employees (not contractors) located in the United States who have signed agreements binding them to the terms of our Privacy Policy and other company policies. If they fail to preserve this confidence, they are subject to disciplinary action, including losing their job, and potential criminal prosecution. All access to our application servers by our employees is logged.

Infrastructure, Network and Access Controls are reviewed as part of the SOC 2 Audit process Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com only allows company-owned laptops to access internal systems. These laptops are protected by multiple defensive layers including a Mobile Device Policy which is part of the larger Information Security Policy, the use of a Mobile Device Management (MDM) system, drive encryption, host-based firewall enabled, anti-virus/anti-malware protection (XProtect), location tracking and remote wipe capabilities, regular patching, no external media through USB allowed, and connectivity only through multi-factor, certificate-based VPNs. No user has local administrative access, and all applications are managed through the existing Change Management process, and deployed through the MDM system.

Infrastructure, Network and Access Controls are reviewed as part of the SOC 2 Audit process Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com maintains a Mobile Device Policy which is part of the larger Information Security Policy. The use of personal devices (Bring Your Own Device - BYOD) is allowed only for access to a subset of 3rd party SaaS communications and alerting systems such as Slack, Gmail, PagerDuty, Zoom, and the like.

All access to Files.com's network for employees requires access via a set of layered VPNs. Technical controls are in place to ensure that the VPNs may only be accessed by company owned hardware devices, which do not include BYODs.

Infrastructure, Network and Access Controls are reviewed as part of the SOC 2 Audit process Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

As a cloud-based company that leverages AWS heavily, Files.com doesn't typically engage in activities that require control or destruction of media. We leverage AWS for managing all physical storage.

Company laptops are prevented from using external storage media (flash drives, external hard drives, etc) through the Acceptable Use Policy and policy enforcement via Mobile Device Management (MDM) software.

Media Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com does operate a physical office location which includes a wireless network. The wireless network exists to provide connectivity for our company owned devices and provide guest network connectivity through a separate Virtual Local Area Network (VLAN).

This office network is completely independent of the Files.com platform network, and does not provide any direct connectivity to it whatsoever.

Authentication to the wireless network at our office is managed using MDM and no on-site employee has any form of administrative access to the main wireless network, or even the ability to connect to it using a non-company owned device.

Computers at our office are treated as if they are remote workstations and required to use all of the same VPN technology as our remote employees.

The guest network at our office is protected using WPA and a captive portal, and is bandwidth restricted.