Shared Responsibility Model
When an organization manages its own on-premises infrastructure, security is entirely its responsibility. It must maintain the CIA Triad—Confidentiality, Integrity, and Availability—across all systems and data.
In contrast, when an organization uses a cloud-based or hybrid environment, such as Files.com, this responsibility is shared. The Shared Responsibility Model defines which security obligations fall to the cloud service provider (CSP) and which remain with the customer.
In simple terms:
- Files.com is responsible for securing and operating the infrastructure, platform, and core services.
- Customers are responsible for how they configure and use those services, and for securing their data within the platform.
The CIA Triad and Customization
Effective protection of the Confidentiality, Integrity, and Availability of data is only possible when security controls are properly configured to match each organization’s unique needs.
Files.com provides extensive built-in security controls—but it's up to each customer to leverage and configure those controls appropriately.
Files.com Responsibilities
Files.com is responsible for securing and operating the underlying infrastructure on which the platform is built, including:
- Physical security of hardware and data center facilities
- Software, networking, and compute layers
- Availability and performance of Files.com services
- Maintenance of internal security controls and monitoring
- Delivery of customer-facing tools for secure data access, storage, and sharing
Files.com also ensures the reliability and functionality of the security features we provide to customers—enabling organizations to tailor their configuration to match their own internal policies.
Customer Responsibilities
Customers are responsible for configuring their Files.com environment in a way that meets their organization’s specific security, compliance, and governance requirements.
Customer responsibilities include—but are not limited to—the following areas:
- Data content stored on the platform
- File transfers and encryption options
- User provisioning and deprovisioning
- SSO / LDAP integration and settings
- Permission models
- File storage location settings
- File expiration, deletion, and retention
- SSL configuration
- IP whitelisting and geographic restrictions
- Session timeout and session control settings
- Automations and remote server configurations
- Public sharing settings (Share Links, Public Hosting, Inboxes)
- Virus scanning, content scanning, and data classification
- User security awareness and training
- Governance, DLP, and compliance tooling
These responsibilities mirror the level of control customers have over their Files.com environment.
Security Controls Provided by Files.com
Files.com offers a rich set of configurable controls and features to help customers meet their own security requirements. These include:
- File and folder-level controls
  - File expiration
  - Deleted file retention
  - File hash value (via API)
  - Folder-level storage region assignment
  - Public sharing controls
- Authentication and access
  - Multiple Two-Factor Authentication (2FA) options
  - 2FA enforcement policies
  - Password policy enforcement (length, complexity, expiration, history)
  - Session IP pinning and session expiration
  - SSO/LDAP integrations (multiple supported per site)
  - Globally unique usernames
  - Brute force protection
- Network controls
  - IP whitelisting
  - Allowed/disallowed countries
  - Custom SSL certificates
- Storage and encryption
  - Region selection (per account and per folder)
  - PGP/GPG encryption (on supported plans)
- User and group management
  - Role-based permissions (user, group, folder)
  - Folder admins
  - Automated provisioning/deprovisioning (SSO, LDAP, inactivity rules)
- Audit and visibility
  - Customer history search and export
  - API access to logs, hashes, and configuration data
These features enable customers to build secure workflows tailored to their operational and regulatory needs.
Need More Info?
Files.com policies and controls are assessed as part of our annual SOC 2 Type II audit. Proprietary documentation about our internal InfoSec program is not distributed externally, but customers may request access to our SOC 2 report under NDA.
Please refer to the Files.com Documentation for more detailed information.