Security Architecture and Technical Operations are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Technology Stack / Network Diagram / Data Flow Diagrams

Files.com operates a fairly sophisticated cloud environment that leverages many different Amazon Web Services regions. We operate hundreds of server instances in total using industry standard systems and tools. All systems are time synchronized.

The Files.com SaaS is made up on smaller components that are developed in a variety of programming languages and environments, including Java, Ruby, Javascript, Go, .Net, and others.

For most process isolation, Files.com uses virtual-machine level isolation rather than containers. We do, however, use containers for additional isolation & security during certain high-risk processing activities related to customer data, such as when generating image and document previews, scanning for malware (note: this feature is not generally available yet), converting document types, and compression and extraction.

Files.com is a Software as a Service (SaaS) platform and as such all of the system is covered by Software Development Life Cycle (SDLC). Application development SDLC, Network Diagrams and Data Flow diagrams are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Systems / Software Acquisition

All new systems/software requested for use must follow an established approval process. Once approved, software follows all standard processes and is deployed through Change Management.

Software Development Life Cycle (SDLC)

Files.com has sophisticated processes and controls around Application Development and the Software Development Life Cycle (SDLC).

These include separated development, staging, test, and production environments, code review processes, and integration and acceptance testing programs. All data used in development, staging and test is testing data, not production data. Testing is performed by automated processes, with additional manual testing as required.

Files.com implements sophisticated Role Based Access Control (RBAC) for access to internal systems, based on the principles of Need to Know/Least Privilege. This means that most employees do not have access to Production environments.

System and Application Updates

Files.com is a multi-tenant Software as a Service (SaaS) platform and utilizes a Continuous Improvement/Continuous Deployment (CI/CD) development model which includes multiple production deployments during the day. These frequent changes preclude customer notification.

Every deployment updates the platform baseline that is used when adding new systems onto the platform.

All updates are designed to avoid any downtime or disruption in service wherever possible. Due to its High Availability design, Files.com has never in the past had to take down production systems to perform system maintenance.

As such all of the system is covered by Software Development Life Cycle (SDLC). Application development SDLC is reviewed as part of the SOC 2 Audit process.

On-Premise / Internal vs External / Hybrid vs Public vs Private Cloud / Software Applications Included

Files.com is a Software as a Service (SaaS) platform and most of the software provided is hosted and maintained by Files.com and delivered as a service.

Files.com is accessed via the open Internet and does not require a VPN or private network connection. Files.com may not be run as a fully on-premise or internally hosted application.

However, Files.com does provide an agent application and SDKs that can be optionally run inside your on-premise environment to act as a bridge or gateway to your internal/hybrid/private storage and resources.

Additionally, Files.com includes a Desktop App for Windows and Mac, Mobile App for iOS and Android, Command Line App for Windows/Mac/Linux, and open source SDKs available for download. These applications are all covered by our SDLC.

This means that Files.com can optionally operate as a Hybrid cloud model.

Data Centers / Co-Location / Hardware Specifications

All of our server instances, file storage, and database hosting are provided by Amazon Web Services (AWS), a subsidiary of Amazon.com.

Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits, which are reviewed by Files.com at least annually as part of Vendor and Risk Management. Due to Non-Disclosure Agreements, we are unable to provide a copy of Amazon Web Services's SOC-2 report.

Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the Amazon platform and infrastructure. Amazon datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two- factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by Amazon employees is logged and audited routinely.

Amazon does not provide specific details about the hardware used for our server instances. Amazon is responsible for all system maintenance tasks.

Our agreement with Amazon ensures that they will act within the scope of our Privacy Policy. Learn more on the AWS Compliance programs website.

Physical Controls / Environmental Safeguards

All of our server instances, file storage, and database hosting are provided by Amazon Web Services, a subsidiary of Amazon.com.

Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits, which are reviewed by Files.com at least annually as part of Vendor and Risk Management. Due to Non-Disclosure Agreements, we are unable to provide a copy of Amazon Web Services's SOC-2 report.

Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the Amazon platform and infrastructure. Amazon datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two- factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by Amazon employees is logged and audited routinely.

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Files.com does operate two physical office locations, however no servers nor privileged information is stored at either office. Computers at our offices are treated as if they are remote workstations and required to connect through a secure on-device VPN. Physical access to the offices is controlled by an Access Control system and only accessible to non-employees with an escort. A monitored alarm system protects the offices during non-working hours. All physical access is logged and audited routinely.

Configuration Management

Files.com uses the Center for Internet Security (CIS) industry standard hardening guidelines (removing services not needed, managing all service accounts, changing default passwords, etc.) for configuring company systems and inclusion in all company baselines. All configuration changes are applied through existing Change Management processes, with appropriate logging and automated updates to the baselines.

Patch Management

We automatically install critical security updates as soon as possible using an automatic patch installation system. All configuration changes are applied through existing Change Management processes, with appropriate logging and automated updates to the baselines.

Many pieces of our infrastructure (such as databases and S3 storage) are managed directly by Amazon Web Services. Those updates are performed by Amazon, who is committed to install critical security updates as quickly as possible.

Due to these continuous updates, it's not practical for us to provide specific lists of the internal software versions in use.

Change Management

Files.com has a detailed Change Management processes in place which includes things like pre-production testing and independent approval of changes. All changes to the system are logged and applied through strict processes which include role-based logical access restrictions on deployment to production. All Files.com (the company) assets are covered by Change Management processes, including audit review on at least a quarterly basis to ensure compliance with existing processes and identification of any process changes.

Use of Open Source Software

Files.com regularly leverages Open Source Software (OSS) in its development process. Use of OSS is subject to various controls to mitigate the security and compliance risks associated with OSS, including notification of security vulnerabilities from multiple sources. All vulnerabilities in OSS are handled through the existing Patch Management process.

Files.com leverages automated scanning technology to ensure that any OSS used in the Files.com application is available under an appropriate license.

Release Planning / Roadmap / Planned Updates

Files.com does not publicly share details of its roadmap or planned updates. However, Files.com does maintain a Customer Advisory Board.

These customers have signed appropriate NDAs, and therefore Files.com is able to share details about the roadmap and planned updates with customers who are members of the Customer Advisory Board.

If you would like to be considered for the Customer Advisory Board, please reach out to us.

Licensing Model / Requesting Capacity Changes / Upgrades

Files.com is a SaaS (Software-as-a-Service) and is priced using custom quotations based on your requirements. Quotations provide multi-year, annual or monthly pricing for a specific level of features, user/connection count, maximum number API calls, and Transfer and Storage usage. Should you go over your allocated User/Connection Count, or Usage, we will automatically invoice you based on the additional usage.

All of the details are provided in the quotation, proposal, and/or order form, as appropriate.

To make changes to your User/connection count or Usage commitment, please contact your Account Executive. Changes are very easy to process and we are happy to help you upgrade at any time during your contract term.

Internal Logging / Log Recording and Retention

Internal access and operational logs are maintained on all underlying systems. These logs are retained in hot searchable format for a period of time and are then retained for a much longer period of time in cold storage. Additionally, Files.com application logs are maintained for all file operations as well as settings changes and made available to customers in near real time.

The Files.com interface and API offer customers powerful search and export functionality for application logs. These logs are retained for a minimum of 7 years. If you would like to have these logs retained for a shorter period of time, please contact us.

End user logging is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Internal access and operational logs as well as Files.com application logs are "write once/read many", meaning that they are protected from tampering.

Logs are not regularly manually reviewed, however we leverage automated tools, including Wazuh, as well as custom tools built by Files.com to search for and alert on anomalous activities found in logs.

Secure Coding Practices

Files.com prides itself on putting security first when developing software. Practices in place at Files.com include: training to software engineers on secure coding practices, use of static code security analysis tools, and a Change Management process which includes things like pre-production testing and independent approval of changes. Files.com is using Dependabot on our public GitHub repositories, and Sonatype's Lift scanner on all our public SDK's and the Command Line (CLI) application.

Files.com maintains an internal development platform that includes secure code repositories and continuous integration automation.

Code Escrow

Files.com does not use third-party code escrow services. The company is well capitalized, profitable, and growing.

Log4j Vulnerability

Read the full response to the Log4j vulnerability here.

Mobile App

Files.com offers a Mobile App for iOS and Android that provides a subset of functionality as the web application.

API and SDKs

Files.com provides a REST API as well as SDKs in multiple languages. Our API Documentation website lists the available endpoints, API authentication information, as well as links to download our SDKs.

Browser Requirements

Files.com supports all modern browsers (Chrome, Firefox, Edge, etc.) that were released within the last 4 years. As with nearly all websites today, support for Javascript and Cookies are required.

We no longer support the use of Internet Explorer as it is no longer supported by Microsoft.

No browser plugins, such as Java or Silverlight are required. Certain browser extensions, such as Zscaler, interfere with Files.com and may need to be disabled.