
Why We Do Not Share Internal Audit Artifacts

At Files.com, we’re proud of the strength and maturity of our information security program. We are committed to earning and maintaining the trust of our customers through a mix of independently verified assessments, transparent public reporting, and responsible disclosure practices.

We’ve recently seen an increase in requests for internal security audit artifacts, particularly from customers seeking documents beyond our formal audit attestations or published summaries.

We want to take a moment to explain why we don’t provide internal audit artifacts, and how we instead deliver meaningful, enterprise-grade assurance.

What We Do Provide

Files.com is a SOC 2 Type II audited platform, with a long track record of successful annual audits. We maintain a wide range of controls that are independently assessed and verified.

Our SOC 2 report is detailed and is provided to customers under NDA.

In addition to our SOC 2 report:

  • We undergo regular third-party penetration testing
  • We operate a public bug bounty program on HackerOne, active since 2016
  • We publish summary-level audit and test results
  • We are regularly tested as part of:
    • Our PCI compliance
    • Our Google Partner Program membership
  • We invite customers to perform their own penetration testing, and major enterprise customers have done so successfully

Why We Do Not Share Internal Audit Documents

Simply put, internal audit artifacts—including control matrices, vulnerability scans, and raw assessment outputs—are proprietary and sensitive. They contain detailed information about:

  • Our infrastructure
  • Our internal processes
  • Security tooling and configurations
  • Organizational risk assessments

Releasing this information would expose internal implementation details that are both business-critical and potentially exploitable, and we do not believe it is necessary or appropriate to share this level of detail broadly.

For the vast majority of customers, the assurances provided by our SOC 2 reports, HackerOne history, and third-party test results are more than sufficient to establish confidence in our security posture.

Access for True Enterprise Customers

For customers spending $100,000 or more annually with Files.com, we recognize that your Files.com usage likely represents a more critical part of your infrastructure, and that your internal review processes may require greater transparency.

For those customers, we’re happy to offer enhanced visibility and engagement. This may include:

If you're in that category, the limitations described in this article do not apply to you. Please reach out to your Account Manager to discuss further.

Our Track Record and Public Transparency

We believe trust is earned through performance and transparency.

  • As of April 12, 2025, there are zero known vulnerabilities in the Files.com platform—no criticals, highs, mediums, or lows.
  • We act swiftly and thoroughly on every report received through HackerOne or any penetration test.
  • Our public HackerOne profile shows every vulnerability report ever submitted, how we handled it, and the current state of the program.

We are also proud to be:

  • One of the longest-running public programs on HackerOne
  • One of only two leading vendors in the Managed File Transfer space never to have had any sort of publicized security incident. We have also never been sued, been found at fault for customer damages, or filed or paid any sort of insurance claim related to information security
  • A recognized leader in security, information security management, and responsible disclosure
