Compliance and Security


At Files.com, we are committed to excellence in all aspects of our company and our platform. We have invested heavily in our internal controls and internal processes around security and compliance, and we are proud to share the details of our programs here.

It is our hope that you can use the information on this page to complete any security or compliance questionnaires that may be applicable to your use of Files.com.

We are able to complete Vendor Audit questionnaires for customers on our Premier or Enterprise plan levels. Please reach out to us if we can help you out in this way.

Company / Platform Description

Files.com is a Software as a Service (SaaS) platform providing one app and API through which you can manage, store, and transfer all files in your business. Notable features include granular permissions, integrations with numerous other services, no-code/low-code file automations, and a host of security and compliance tools.

Company Structure, Names, History, and Expertise

Files.com is operated by Action Verb LLC dba Files.com. We do not have any other DBAs. Our company was founded in 2008, giving us well over a decade of experience in the managed file transfer business. Our leadership team collectively have over 100 years of experience in the technology industry.

Company Ownership

Action Verb LLC dba Files.com is a Nevada Limited Liability Company. We are majority owned by affiliates of Riverwood Capital. View the full list of Riverwood portfolio companies here.

The company is well capitalized, profitable, and growing.

Company Financial Security

Files.com is well capitalized, profitable, and growing, with a working capital buffer sufficient to support operations in the event of a variety of contingencies identified in the risk management process. We have reviewed banking system risks as part of the risk management process.

Our financial statements are audited annually by Grant Thornton LLP. Upon request, we will provide a letter attesting to the completion of our annual audit.

Risk Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Company / Employee Location

Our physical address is: Files.com, 222 S Mill Ave, Suite 800, Tempe, AZ 85281. Our physical location does not accept visitors without an appointment. Please contact us to arrange any sort of visit.

Due to the changes in work preferences caused by COVID-19, Files.com has a substantial number of employees who work from home, the vast majority of whom are based in the United States.

Our telephone number is: (800) 286-8372.

Employee Count

As a matter of policy, Files.com does not provide its employee count.

Competition

Files.com competes with companies such as Microsoft, Google, Amazon Web Services, IBM, Oracle, and others.

Customer Count

Files.com is trusted by over 6,000 businesses of all sizes, including dozens of the World's Largest Companies.

Customer Retention Rates

Files.com does not share customer retention rates.

Customer References

To protect the privacy of our customers, Files.com does not typically facilitate customer reference calls with other current customers. We recommend reading the dozens of real customer reviews posted on sites like G2, Capterra, and Gartner Peer Insights. These are real reviews that we don't have any editorial control over.

We are able to make exceptions for large prospective deals ($250k+). Please contact your Account Executive to learn more.

Support Contact

Customers may contact the Files.com Customer Support team by phone at (800) 286-8372, by email at support@files.com, or by submitting an authenticated support request through the web application.

If you require a named support contact such as a Technical Account Manager, or a Support response time SLA, please speak to your Account Executive about upgrading to an Enterprise level of service. The Technical Account Manager contact details will be provided as part of your Enterprise agreement.

Customer Training

Although Files.com offers unlimited access to our Customer Support team, we do not include a formal training program with the service. Universally, our customers find Files.com easy to learn, and our extensive documentation for both end users and administrators is very comprehensive. Additionally, our Sales Engineers are happy to help with proof of concept, testing, and validation during the pre-sales phase.

Service Level Agreement (SLA)

Our Service Level Agreement page provides the details of our SLA.

Certifications and Audits

Files.com has participated in multiple SOC 2 engagements with Kirkpatrick Price which were successfully completed. Please reference our latest SOC 2 report for more details. Contact your Account Executive or Customer Support to obtain the latest SOC 2 report.

Files.com engaged with Kirkpatrick Price to enter into a SOC 2 Type II engagement beginning October 1, 2022 and ending March 31, 2023, with the final report provided on May 31st, 2023.

As a matter of policy, Files.com does not comment on pending or recent legal matters, even if there are none.

Insurance

Files.com has industry standard insurance policies in place.

As a matter of policy, we do not provide insurance certificates for customers.

Security Budget

Files.com's internal budgetary data is confidential and proprietary, and therefore we do not provide it to customers.

W9 Form

The W9 form is a US tax form used to communicate the corporate structure and Tax ID number of a business. It is requested by customers and is not submitted to the IRS.

Click here to download the Form W9 for Action Verb LLC dba Files.com.

Phone and Zoom Call Recordings

Files.com uses Zoom for its phone and video conferencing system. Phone and video calls may be recorded for training and review purposes. If a phone or video call is being recorded, you will be notified of the recording and given the opportunity to disconnect. Recordings are retained for a maximum of six months.

Information Security Program

Files.com's Information Security Program ("InfoSec Program") is based on SSAE-18 SOC 2 and COBIT 5 Framework and covers the Files.com platform and our company as a whole.

The InfoSec program is designed to support the business objectives, security requirements (IAM, encryption, monitoring, etc.) and regulatory/compliance obligations, and is audited internally on a continual basis. The roles and responsibilities are clearly defined and communicated throughout the entire organization, and are available on the internal company avOS intranet site.

Files.com has participated in multiple SOC 2 engagements with Kirkpatrick Price which were successfully completed. The Files.com InfoSec Program is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Customer Information Security Program

Files.com provides world class tools that enable customers to manage their Information Security Program according to their unique business objectives, security requirements and regulatory/compliance obligations.

Customers are responsible for their own InfoSec Program. Please refer to the Files.com Shared Responsibility Model for more information.

Information Security Team

Files.com maintains a Security team dedicated to Information Security.

The Chief Information Security Officer is Sean E. Smith, HCISPP, CISM, CISSP, who is a member of ISC2, ISACA, CSA and InfraGard, and regularly participates in continuing education and awareness updates to keep abreast of the changing information security landscape.

The Security team, which benefits from the participation of multiple people throughout the organization, is represented in all architecture and project management efforts.

Information Security and Privacy Training

Employees and internal contractors receive training on the Information Security Program (which includes the Acceptable Use Policy) and Privacy as part of the Onboarding process, and receive refresher training at least annually.

Security Training is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Internal Information Security documentation, such as policies, procedures, standards, guidelines and baselines

Files.com InfoSec Program documentation includes proprietary information and is not provided to customers.

These documents include but are not limited to: Admin Access Reset Policy, Antivirus Policy, Asset Management Policy, Automated Network Drawings Procedures, Backup Policy, Backup/Restoration Test Procedures, Business Continuity Plan, Business Impact Analysis, Change Management Policy/Procedures, Data Breach Policy/Handling Procedures, Data Classification Policy/Listing, Data Retention Policy/Procedures, Document/Record Control Procedures, Employee Onboarding/Offboarding Policy/Procedures, Encryption Key Management Policy/Procedures, Incident Handling Policy/Management Plan/Identification Guideline/Alert Procedures, Information Security Policy (includes the Acceptable Use Policy), Laptop/Media Destruction Policy/Procedures, Network Monitoring Policy/Procedures, Penetration Testing Policy/Procedures, Phish Program Policy/Procedures, Risk Assessment/Risk Treatment Policy/Procedures, Risk Matrix, System Configuration Security Policy/Procedures, Vendor Management Policy/Procedures, Vulnerability Management Policy/Procedures.

This documentation is updated immediately as changes dictate, and receives an annual review, with all changes communicated and available immediately on the internal company avOS intranet site, and is reviewed as part of the SOC 2 Audit process. Please reference our latest SOC 2 report for more details.

Past Breaches

Files.com has not been breached. No Files.com vendor has suffered a data loss or security breach that has impacted Files.com.

Files.com has not experienced a DDoS event.

Breach Notification

In the unlikely event of a breach, Files.com will notify impacted customers using an official contact method on file, subject to any applicable laws and regulations.

Incident Management and Notification are reviewed as part of the SOC 2 Audit process. Please reference our latest SOC 2 report for more details.

Incident Management Program

Files.com has an Incident Management Program that includes an Incident Handling Policy, Incident Identification Guideline, Incident Alert Procedure, Incident Management Plan and an Incident Management Team. Incident Response is one phase of the Incident Management Plan. Employees and internal contractors receive training on the Incident Management Program as part of the Onboarding process and receive refresher training at least annually. The Incident Management Team receives more in-depth training specific to their roles and responsibilities and receives refresher training at least annually.

Files.com has never suffered a breach, though Incident Management is regularly invoked for smaller incidents, such as customer-impacting availability issues. Files.com conducts regular tests and applies the lessons learned to improve the Incident Management Program. All incidents are tracked and documented, including the root cause and any additional required remediation.

Files.com is often able to provide an Incident Report on specific incidents when requested by customers.

Incident Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Evidence Collection

Files.com handles evidence identification and collection as part of the Incident Management Program.

High Availability

The Files.com service is designed for High Availability.

Our service is designed to withstand the loss of any single datacenter location with no impact whatsoever to the service. We operate redundant server instances in multiple datacenter locations ("Availability Zones") for every service in every region.

Every customer who purchases a dedicated IP from Files.com actually receives two separate IPs that are hosted on separate infrastructure in separate datacenter locations ("Availability Zones").

We use Amazon Aurora for primary storage of customer metadata. Within Amazon Aurora, we operate multiple hot-backup servers across multiple Availability Zones.

Availability Zones are distinct locations that are engineered to be insulated from failures in other Availability Zones. By launching instances in separate Availability Zones, applications are protected from the failure of a single location.

Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

DDoS Mitigation

Files.com uses sophisticated strategies for DDoS Mitigation, including the use of proxy servers that sit in front of application servers.

Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Business Continuity / Disaster Recovery - Service Operations

Files.com is designed for continuity of function in a variety of disaster scenarios.

The Files.com service is designed for High Availability.

Files.com conducts regular tests of its Business Continuity and Disaster Recovery procedures (including ransomware testing) at least annually. Results of testing are reviewed by senior management as part of the Risk Management Program.

As part of its Business Continuity Planning, Files.com maintains a list of alternate vendors who could replace key vendors if a key vendor were to become unusable for any reason. Based upon a Risk Assessment, Files.com does not currently believe there to be a material risk of this in any of its key vendors.

Files.com does not share the results of Business Continuity / Disaster Recovery testing, however, Business Continuity (including testing) is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Business Continuity - People / Company Operations

Files.com is designed for continuity of function in a variety of disaster scenarios.

Files.com demonstrated during COVID-19 an ability to operate successfully with a fully remote workforce for an extended period of time.

All Files.com employees located at the physical office in Scottsdale, AZ would work from home should an incident/disaster occur.

Files.com also has a management continuity plan.

Business Continuity (including testing) is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Recovery Time Objective and Recovery Point Objectives

Files.com maintains different internal Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for different components of the Files.com service offering. These timeframes are derived from the Business Impact Analysis (BIA) process, which is reviewed at least semi-annually.

The BIA process, RTO and RPO are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Infrastructure Monitoring and Application Monitoring

Files.com has extensive infrastructure and application monitoring capabilities. Technologies used for monitoring include PagerDuty, Sensu, Sentry, and more.

Our monitoring systems will page and alert our Incident Management Team under a number of different scenarios requiring an alert. Our Incident Management Team will respond immediately to these alerts.

Infrastructure and Application Monitoring are reviewed as part of the SOC 2 audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Scheduled Maintenance

Due to its High Availability design, Files.com has never in the past had to take down production systems to perform system maintenance. All system maintenance and activities are logged.

If any downtime is required for maintenance in the future, it will be scheduled for a Saturday or Sunday and announced 2 weeks in advance.

Risk Management Program / Risk Assessment / Risk Analysis

Files.com has a formal Risk Management Program based upon COBIT 5 Framework, and conducts risk assessments at least semi-annually. A centralized Risk Register is maintained that documents the likelihood and impact of compromise of the CIA Triad on all assets. The status of the Information Security Program is reviewed as part of this process. Senior Management is included in the risk assessment process, including providing key oversight of the Risk Register. The results from the risk assessment process (risk treatment options) drive improvements in controls, countermeasures, processes and business decisions resulting in lower overall risk to the organization.

Risk Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Vendor Risk Management Program

Files.com has a Vendor Risk Management program in place, which is part of the larger Risk Management Program. Vendors deemed Critical to the organization have their security documentation reviewed at least annually. Vendor Risk Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Data Governance

Files.com is not in a position to know what data you are storing in the platform. This understanding and proper data governance is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Files.com (the company) has procedures to identify and label data that is Confidential, Protected, Sensitive and Public.

Data Governance oversight functions are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Governance Oversight

Files.com (the company) is managed by a 6 person board of directors which exercises regular oversight over the operations of the company. The board consists of representatives from affiliates of Riverwood Capital as well as other entities that have ownership in the company.

Governance oversight functions are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Asset Management

Files.com has an Asset Management program in place which includes semi-annual review/update of the Software and Hardware Assets listings. The asset listings are a basis of the Risk Management Program.

Asset Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation, such as a list of any hardware and software used, includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Change Management

Files.com has detailed Change Management processes in place which include pre-production testing and independent approval of changes. All changes to the system are logged and applied through strict processes which include role-based logical access restrictions on deployment to production. All Files.com (the company) assets are covered by Change Management processes, including audit review on at least a quarterly basis to ensure compliance with existing processes and identification of any process changes.

Change Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Systems / Software Acquisition

All new systems/software requested for use must follow an established approval process. Once approved, software follows all standard processes and is deployed through Change Management.

Change Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Data Classification / Data Retention

Files.com classifies all information assets into Confidential, Protected, Sensitive and Public categories, and uses those classification levels to ensure appropriate administrative, physical and logical controls are in place and an asset owner is identified. At no time will Confidential, Protected or Sensitive information be sent through the corporate email system. These classification levels are reviewed at least annually to ensure compliance with all Legal, Regulatory and Contractual obligations.

The Data Retention period of each information asset is identified to ensure compliance with all Legal, Regulatory and Contractual obligations. Data deletion occurs through automated or manual methods, and is audited at least quarterly to ensure compliance with the corresponding policies and procedures.

Data Classification and Data Retention are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Configuration Management

Files.com uses the Center for Internet Security (CIS) industry standard hardening guidelines for configuring company systems and inclusion in all company baselines. All configuration changes are applied through existing Change Management processes, with appropriate logging and automated updates to the baselines.

Configuration Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Media Management

As a cloud-based company that leverages AWS heavily, Files.com doesn't typically engage in activities that require control or destruction of media. We leverage AWS for managing all physical storage.

Company laptops are prevented from using external storage media (flash drives, external hard drives, etc.) through the Acceptable Use Policy and policy enforcement via Mobile Device Management (MDM) software.

Media Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Patch Management

We automatically install critical security updates as soon as possible using an automatic patch installation system. All configuration changes are applied through existing Change Management processes, with appropriate logging and automated updates to the baselines.

Many pieces of our infrastructure (such as databases and S3 storage) are managed directly by Amazon Web Services. Those updates are performed by Amazon, which is committed to installing critical security updates as quickly as possible.

Due to these continuous updates, it's not practical for us to provide specific lists of the internal software versions in use.

Patch Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Mobile App

Files.com offers a Mobile App for iOS and Android that provides a subset of the functionality of the web application.

Software Development Life Cycle (SDLC)

Files.com has sophisticated processes and controls around Application Development and the Software Development Life Cycle (SDLC).

These include separated development, staging, test, and production environments, code review processes, and integration and acceptance testing programs. All data used in development, staging and test is testing data, not production data. Testing is performed by automated processes, with additional manual testing as required.

Files.com implements sophisticated Role Based Access Control (RBAC) for access to internal systems, based on the principles of Need to Know/Least Privilege. This means that most employees do not have access to Production environments.

Application Development and the Files.com SDLC are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Employee Job Descriptions

All positions at Files.com have written job descriptions, including provisions for the protection of confidential and sensitive information. Job descriptions are adjusted as needed to address any skills gap. Existing employees are provided training to close any identified skills gap.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Background and Credential Checks

Files.com employees are pre-screened using a process that includes checking professional references, background, education, certification(s) prior to employment. All employees sign confidentiality agreements and undergo standardized security awareness training as part of the onboarding process.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com does not currently utilize internal contractors, but our policies dictate they would be subjected to the same reviews as employees prior to onboarding.

Employee Onboarding

Files.com has a formal employee onboarding process that includes issuing unique identifiers to all employees appropriate to their job roles. All employees sign confidentiality agreements and undergo standardized security awareness training as part of the onboarding process.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Employee Performance

Employee performance is regularly reviewed, including a formal performance review at least annually.

Employee Termination Process

Files.com has an employee termination and offboarding process, which includes immediate removal of access to all systems. Nearly all internal systems require access to our VPN, access to which is terminated immediately upon employee termination.

All company owned hardware devices are managed using Mobile Device Management (MDM), including managed software updates and remote wipe capability. Upon termination the device is rendered useless to the terminated employee and the laptop is returned.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Employee and Contractor Disciplinary Policies

Discipline against employees and contractors is handled on a case-by-case basis depending on the facts and circumstances of any given incident. These outcomes can include termination.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Employee Identity and Access Management

Files.com uses a sophisticated internal Identity and Access Management system that provides Single Sign On authentication (unique identifiers, password complexity mandated by the Information Security policy then enforced systemically, integrated with mandatory 2FA) to most internal systems.

Files.com implements sophisticated Role Based Access Control (RBAC) for access to internal systems, based on the principles of Need to Know/Least Privilege. All employee identities and assigned roles are audited at least quarterly. Nearly all internal systems require access to our VPN, access to which is terminated immediately upon employee termination.

Identity and Access Management is reviewed as part of the SOC 2 Audit process. Please reference our latest SOC 2 report for more details.

Internal Server and Machine Access Management

Files.com uses a sophisticated internal Identity and Access Management system that provides Single Sign On authentication (unique identifiers, password complexity mandated by policy then enforced systemically, integrated with mandatory 2FA) for machine and service authentication within our network. This system uses Role Based Access Control (RBAC), based on the principles of Need to Know/Least Privilege.

Identity and Access Management is reviewed as part of the SOC 2 Audit process. Please reference our latest SOC 2 report for more details.

Use of Vendors for Key Activities

Files.com has a team of full time employees and does not outsource any key components of its business. Should contractors/vendors be used, all personnel will be subjected to the same onboarding and access control processes as employees.

Files.com has one key/critical vendor: Amazon Web Services. All of our server instances, file storage, and database hosting are provided by Amazon Web Services (AWS), a subsidiary of Amazon.com.

Files.com reviews the SOC 2 report of Amazon Web Services at least semi-annually and finds it to be satisfactory, with no deficiencies noted as of the most recent review. Due to Non-Disclosure Agreements, we are unable to provide a copy of Amazon Web Services' SOC 2 report.

Our agreement with Amazon ensures that they will act within the scope of our Privacy Policy. Learn more on the AWS Compliance programs website.

As part of its Business Continuity Planning, Files.com maintains a list of alternate vendors who could replace key vendors if a key vendor were to become unusable for any reason. Based upon a Risk Assessment, Files.com does not currently believe there to be a material risk of this in any of its key vendors.

Our Desktop app for Windows and Mac is developed in partnership with a third-party vendor; however, that vendor has no privileged access to the Files.com platform.

Technology Stack / Network Diagram / Data Flow Diagrams

Files.com operates a fairly sophisticated cloud environment that leverages many different Amazon Web Services regions. We operate hundreds of server instances in total using industry standard systems and tools. All systems are time synchronized.

The Files.com SaaS is made up of smaller components that are developed in a variety of programming languages and environments, including Java, Ruby, JavaScript, Go, .NET, and others.

For most process isolation, Files.com uses virtual-machine level isolation rather than containers. We do, however, use containers for additional isolation and security during certain high-risk processing activities related to customer data, such as when generating image and document previews, scanning for malware (note: this feature is not generally available yet), converting document types, and compression and extraction.

Files.com is a Software as a Service (SaaS) platform and as such all of the system is covered by Software Development Life Cycle (SDLC). Application development SDLC, Network Diagrams and Data Flow diagrams are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

System and Application Updates

Files.com is a multi-tenant Software as a Service (SaaS) platform and utilizes a Continuous Improvement/Continuous Deployment (CI/CD) development model which includes multiple production deployments during the day. These frequent changes preclude customer notification.

Every deployment updates the platform baseline that is used when adding new systems onto the platform.

All updates are designed to avoid any downtime or disruption in service wherever possible. Due to its High Availability design, Files.com has never in the past had to take down production systems to perform system maintenance.

As a SaaS platform, all of the system is covered by a Software Development Life Cycle (SDLC). Application development SDLC is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Use of Open Source Software

Files.com regularly leverages Open Source Software (OSS) in its development process. Use of OSS is subject to various controls to mitigate the security and compliance risks associated with OSS, including notification of security vulnerabilities from multiple sources. All vulnerabilities in OSS are handled through the existing Patch Management process.

Files.com leverages automated scanning technology to ensure that any OSS used in the Files.com application is available under an appropriate license.

Software Licensing, Vulnerability and Patch Management are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Release Planning / Roadmap / Planned Updates

Files.com does not publicly share details of its roadmap or planned updates. However, Files.com does maintain a Customer Advisory Board.

These customers have signed appropriate NDAs, and therefore Files.com is able to share details about the roadmap and planned updates with customers who are members of the Customer Advisory Board.

If you would like to be considered for the Customer Advisory Board, please reach out to us.

Application Development is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Licensing Model / Requesting Capacity Changes / Upgrades

Files.com is a SaaS (Software-as-a-Service) and is priced using custom quotations based on your requirements. Quotations provide multi-year, annual or monthly pricing for a specific level of features, user/connection count, maximum number of API calls, and Transfer and Storage usage. Should you go over your allocated User/Connection Count, or Usage, we will automatically invoice you based on the additional usage.

All of the details are provided in the quotation, proposal, and/or order form, as appropriate.

To make changes to your User/connection count or Usage commitment, please contact your Account Executive. Changes are very easy to process and we are happy to help you upgrade at any time during your contract term.

On-Premise / Internal vs External / Hybrid vs Public vs Private Cloud / Software Applications Included

Files.com is a Software as a Service (SaaS) platform and most of the software provided is hosted and maintained by Files.com and delivered as a service.

Files.com is accessed via the open Internet and does not require a VPN or private network connection. Files.com may not be run as a fully on-premise or internally hosted application.

However, Files.com does provide an agent application and SDKs that can be optionally run inside your on-premise environment to act as a bridge or gateway to your internal/hybrid/private storage and resources.

Additionally, Files.com includes a Desktop App for Windows and Mac, Mobile App for iOS and Android, Command Line App for Windows/Mac/Linux, and open source SDKs available for download. These applications are all covered by our SDLC.

This means that Files.com can optionally operate as a Hybrid cloud model.

Data Centers / Co-Location / Hardware Specifications

All of our server instances, file storage, and database hosting are provided by Amazon Web Services (AWS), a subsidiary of Amazon.com.

Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits, which are reviewed by Files.com at least semi-annually as part of Vendor and Risk Management. Due to Non-Disclosure Agreements, we are unable to provide a copy of Amazon Web Services' SOC 2 report.

Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the Amazon platform and infrastructure. Amazon datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by Amazon employees is logged and audited routinely.

Amazon does not provide specific details about the hardware used for our server instances. Amazon is responsible for all system maintenance tasks.

Our agreement with Amazon ensures that they will act within the scope of our Privacy Policy. Learn more on the AWS Compliance programs website.

Vendor and Risk Management are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Physical Controls / Environmental Safeguards

All of our server instances, file storage, and database hosting are provided by Amazon Web Services, a subsidiary of Amazon.com.

Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits, which are reviewed by Files.com at least semi-annually as part of Vendor and Risk Management. Due to Non-Disclosure Agreements, we are unable to provide a copy of Amazon Web Services' SOC 2 report.

Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the Amazon platform and infrastructure. Amazon datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by Amazon employees is logged and audited routinely.

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Files.com does operate a physical office location; however, no servers or privileged information are stored at the office. Computers at our office are treated as if they are remote workstations and are required to connect through a secure on-device VPN. Physical access to the office is controlled by an Access Control system, and non-employees are admitted only with an escort. A monitored alarm system protects the office during non-working hours. All physical access is logged and audited routinely.

Vendor and Risk Management are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Employee / Contractor Access To Customer Data

Files.com Customer Support and Engineering staff can access information related to configuration, logs, and file metadata (but not file contents) for the purpose of troubleshooting and ensuring system stability.

Most Files.com staff do not have access to passwords, file contents, passwords to remote servers, or other secure data. This data is stored safely in our production systems. Only senior Files.com Engineering and Infrastructure staff have "root" access to production systems that could allow them to access this information more directly. These staff are all full-time USA-based employees, and have all signed agreements to honor the Files.com Privacy Policy, and are subject to termination and other penalties in the event of any inappropriate actions. Additionally, unless otherwise approved by the CTO, staff will be employed by Files.com for at least one year before being given "root" access to production systems. Any direct access to servers is logged.

Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per folder basis.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Customer Data Separation

Files.com is a multi-tenant Software as a Service (SaaS) and logically separates all customer data.

Customer Data Classification / Data Handling

Files.com is not in a position to know what data you are storing in the platform. This understanding and proper data classification/data handling is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Customer Data Storage

We store all the actual contents of customer files in the Amazon S3 Simple Storage Service. Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage.

Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region. Once stored, Amazon S3 maintains the durability of your objects by quickly detecting and repairing any lost redundancy.

Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.

We save backups of files that are deleted and retain such backups for a period of time that is customizable by you. Our support staff is able to restore deleted files directly back to your account.

Files.com allows customers to choose where their data is stored. Files.com has customers worldwide, and multiple geographic locations are available to support each customer. You can even use several data storage locations within the same account on certain plans. Files.com does not support utilizing physical media for bulk uploads.

For speed acceleration purposes, data will typically pass through the region closest to a user before being ultimately stored in the region that was selected for storage. For example, if a user from Australia is uploading a file to a folder with a storage location of Germany, that data may be sent to our server location in Sydney (in transit) and then sent to our server location in Germany. You can disable this acceleration and ensure that the data is only ever sent to Germany (or whatever storage region you choose) by disabling our Global Acceleration feature. For HIPAA accounts, disabling global acceleration is required and automatic because our HIPAA agreement with Amazon only covers USA-based server locations.

Please refer to the Files.com Shared Responsibility Model for more information.

Customer Data Backups

We use Amazon Aurora for primary storage of customer metadata. Within Amazon Aurora, we operate multiple hot-backup servers across multiple availability zones.

We have Point-in-time Restore capabilities such that we are able to restore our database to its state at any given time in the past 7 days (such as immediately before a service disruption).

Additionally, we take full database snapshots and store them in Amazon S3 every 24 hours. These snapshots are retained for at least 7 days. Backups are audited as part of the Backup and Restoration Test Procedure.

We do not make backups of customer files other than the internal redundancy provided by Amazon S3. Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region. Once stored, Amazon S3 maintains the durability of your objects by quickly detecting and repairing any lost redundancy.

Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.

Learn more on the AWS Compliance programs website.

Backup Policy and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Customer Data Retention After Cancellation

Files.com does not retain customer data once a customer cancels their account. Customer data is deleted within 7 days of receipt of customer cancellation notice or termination due to nonpayment.

Customer Data Retention After Deletion By Customer

Files.com provides world class tools that allow customers to manage their accounts according to their own policy.

Backup retention periods for deleted customer data can be configured to any setting the customer chooses, to align with their internal security policies. Please refer to the Files.com Shared Responsibility Model for more information.

Customer Data Privacy

We use device identifiers (like cookies, beacons, Ad IDs, and IP addresses) to understand how people use the Files.com website and applications. We collect this information for any website visitor. We don't "sell" this information for money, but we do provide it to other companies such as Google and Facebook to help us market our services.

These device identifiers aren't what you might traditionally think of as personal information, like your name or phone number, and they don't directly identify you. Under the California Consumer Privacy Act ("CCPA"), this type of sharing may be considered "selling" of personal information.

Notwithstanding the foregoing, Files.com does not sell customer data or access or use customer data for any purpose other than providing the Files.com service to the customer. Files.com does not market directly to customers of our customers.

Files.com maintains a Privacy Policy. The Files.com Privacy Officer is our Chief Legal Counsel, Joseph Buszka. For any privacy-related inquiries, complaints, or questions, you can contact privacy@files.com.

Customer Data Logical Access Controls

Files.com provides world class tools that allow the customer to manage their logical access according to their own policy.

Customers can choose to use local application user/group accounts supporting Role Based Access Control (RBAC) including multiple 2FA options, or provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.

Files.com platform access is managed by customers. Please refer to the Files.com Shared Responsibility Model for more information.

Content Scanning or DLP of Customer Data

Files.com is not in a position to know what data you are storing in the platform and does not read the contents of customer data for the purpose of detecting private information, copyrighted information, PII, PHI, etc.

Files.com eventually plans to allow customers to integrate their own DLP services into the Files.com system for content classification. If this capability would be of interest to you, please let us know.

Please refer to the Files.com Shared Responsibility Model for more information.

Customer User Passwords and Security Capabilities

Files.com provides world class tools that allow the customer to manage their logical access according to their own policy. Files.com platform access is managed by customers.

Customers can choose to use local application user/group accounts supporting Role Based Access Control (RBAC) including multiple 2FA options, or provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.

Passwords are stored in a salted, hashed format based on PKCS5 and PBKDF2 with SHA-512 (part of the SHA-2 family) used internally as the underlying hash algorithm. Customers may neither see nor export user passwords, in either hashed or unhashed format.

Passwords may be imported into Files.com as a hash in raw MD5, SHA-1, or SHA-2 formats, and if they are imported, they will be converted to Files.com's internal format upon first use.
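As an added illustration of the storage scheme just described, here is a self-contained Python example (written for this page, not Files.com's own code) of salted PBKDF2-HMAC-SHA512 password storage, plus the import of a raw MD5/SHA-1/SHA-256 hash that is verified against its original algorithm and rewritten into the PBKDF2 format on the user's first successful login. The iteration count (210,000), the 16-byte salt, and the record layout are this example's own assumptions; the page does not state Files.com's parameters.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple

# Assumed parameters (this example's choices; Files.com does not publish its
# iteration count or salt size): 210,000 PBKDF2 rounds and a 16-byte salt.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16

# Unsalted legacy digest formats that an older system might export.
LEGACY_ALGORITHMS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,  # SHA-2 family member used for this example
}


@dataclass
class StoredPassword:
    """What the credential store keeps: never the plaintext password."""
    scheme: str        # "pbkdf2-sha512" or a key of LEGACY_ALGORITHMS
    salt: bytes        # empty for imported legacy hashes
    digest: bytes
    iterations: int = 0


def hash_password(password: str) -> StoredPassword:
    """Derive a salted PBKDF2-HMAC-SHA512 verifier for a new or changed password."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return StoredPassword("pbkdf2-sha512", salt, digest, PBKDF2_ITERATIONS)


def legacy_hex(algorithm: str, password: str) -> str:
    """Hex digest an old system would export; used here only to build sample input."""
    return LEGACY_ALGORITHMS[algorithm](password.encode("utf-8")).hexdigest()


def import_legacy_hash(algorithm: str, hex_digest: str) -> StoredPassword:
    """Accept a raw MD5/SHA-1/SHA-2 digest during migration, with no plaintext needed."""
    if algorithm not in LEGACY_ALGORITHMS:
        raise ValueError(f"unsupported legacy hash algorithm: {algorithm}")
    return StoredPassword(algorithm, b"", bytes.fromhex(hex_digest))


def verify_and_upgrade(record: StoredPassword, password: str) -> Tuple[bool, StoredPassword]:
    """Check a login attempt and return (accepted, record_to_store).

    On a successful login against a legacy record the returned record is a
    freshly salted PBKDF2 record that the caller should persist in its place.
    """
    encoded = password.encode("utf-8")
    if record.scheme == "pbkdf2-sha512":
        candidate = hashlib.pbkdf2_hmac("sha512", encoded, record.salt, record.iterations)
        # Constant-time comparison so response timing does not leak digest prefixes.
        return hmac.compare_digest(candidate, record.digest), record

    # Legacy record: recompute the unsalted digest the old system used.
    candidate = LEGACY_ALGORITHMS[record.scheme](encoded).digest()
    if not hmac.compare_digest(candidate, record.digest):
        return False, record
    # First successful use: the plaintext is in hand, so re-hash it properly.
    return True, hash_password(password)
```

The legacy digest is only ever used once, to authenticate the migrating user; after that the unsalted value should be discarded, since the new record no longer depends on it.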

Customers can set length requirements, complexity requirements, and change timeframe on user account passwords according to their own password policy. Files.com has provided a password strength meter aligned with the NIST SP800-63B standard for reference as passwords are created.

Customers can require users to change their password on their next login.

Customers can restrict access to certain IPs or IP ranges, or certain countries, either on a per-user or site-wide basis.

Customers can require that inactive user accounts be disabled after any chosen period of inactivity, or locked after a certain number of failed password attempts.

API access requires the use of keys.

Please reference the Files.com documentation for more detailed information.

End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Customer User Login / Provisioning / Customer use of Single Sign On

Files.com supports, but does not require, SAML, LDAP, and OAuth technologies for customers to implement Single Sign On and automatic user provisioning.

If you choose to implement Single Sign On, it can optionally be used for automatic user provisioning. Users can additionally be provisioned via our web interface, either individually or as a bulk upload, or through our API or Command Line Interface (CLI) app.

Please reference the Files.com documentation for more detailed information.

User login may occur via our web interface, desktop app, mobile apps, or Command Line Interface (CLI) app, each of which has its own login screen.

End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Idle Timeouts

Files.com web sessions normally time out after 6 hours of inactivity, but customers can customize this timeout period via the Session expiration security setting. Please reference the Files.com documentation for more detailed information.

End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Controlling Access By Location

Customers may create and maintain an IP whitelist covering their inbound connections to Files.com.

Files.com publishes a list of IP addresses that it uses when making outbound connections (such as webhooks, LDAP, etc.), which you can add to your internal whitelist. Please reference the Files.com documentation for more detailed information.

Two Factor Authentication (2FA) / Multi Factor Authentication (MFA)

Files.com offers a variety of 2FA/MFA options including SMS, YubiKey, U2F, and Google Authenticator on all plan levels. Customers on our Power, Premier, and Enterprise plans may optionally require that their users all use 2FA/MFA. Alternatively, customers may provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers. Please reference the Files.com documentation for more detailed information.

End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Internally, Files.com (the company) uses hardware 2FA devices for all employee access to the Files.com network and all internal applications used by employees.

Access Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

API and SDKs

Files.com provides a REST API as well as SDKs in multiple languages. Our API Documentation website lists the available endpoints, API authentication information, as well as links to download our SDKs.

Browser Requirements

Files.com supports all modern browsers (Chrome, Firefox, Edge, etc.) that were released within the last 4 years. As with nearly all websites today, JavaScript and cookies must be enabled.

We no longer support the use of Internet Explorer as it is no longer supported by Microsoft.

No browser plugins, such as Java or Silverlight, are required. Certain browser extensions, such as Zscaler, interfere with Files.com and may need to be disabled.

Customer Data Encryption

Files.com provides for data encrypted in motion and at rest.

We support 2048-bit SSL encryption for all inbound and outbound FTP and HTTP connections as well as modern SSH encryption for inbound and outbound SFTP connections.

Files.com uses SSL for encrypted data in transit, which also includes support for TLS. TLS is the successor to SSL and works in much the same way, using encryption to protect data and information in transit. The two terms are often used interchangeably in the industry.

For HTTP (web workspace) connections, SSL encryption (https://) is required for all connections. If a user attempts to connect to the web workspace via unsecured HTTP (http://), we will automatically redirect them to the secure HTTP address (https://).

For FTP (file transfer protocol) connections via port 990, 2048-bit SSL encryption is supported and required on all connections.

For FTP (file transfer protocol) connections via port 21, 2048-bit SSL encryption is supported and required by default. You may configure your account to allow insecure FTP connections by setting an option in the Security tab of the Settings page.

Customers initiate upload and download processes, utilizing the method and protocol which matches their needs. Please refer to the Files.com Shared Responsibility Model for more information.

File contents (including backups) are encrypted at rest using AES-256 with all keys stored in a key-management escrow service operated by AWS.

All access and authentication credentials are stored in an encrypted state, using AES-256 and a random initialization vector. These items include:

  • Storage Access Keys and Secrets (AWS S3, Azure Blob, Google Cloud Storage, etc.)
  • SMTP passwords
  • Active Directory / LDAP passwords
  • SSL Certificate Private Keys
  • PGP / GPG Private Keys

Custom SSL certificates are provided for free to customers who use their own Custom Domain, or they are free to provide their own from their vendor of choice.

Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per folder basis.

Encryption baselines are managed as part of the overall Risk Management Program, and are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Internal Encryption Key Management

Files.com utilizes the Hashicorp Vault system for encryption key management.

Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per folder basis.

Encryption Key Management is managed as part of the overall Risk Management Program, and is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Inbound / Outbound Customer Connectivity

Customers initiate upload and download processes, utilizing the method and protocol which matches their needs. Please refer to the Files.com Shared Responsibility Model for more information.

Files.com by default makes no remote connection to customer systems. Customers may choose to utilize features such as LDAP/SSO, remote sync/mounts, webhooks, etc. which make a remote connection to customer systems. Feature configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Internal Logging / Log Recording and Retention

Internal access and operational logs are maintained on all underlying systems. These logs are retained in hot searchable format for a period of time and are then retained for a much longer period of time in cold storage. Additionally, Files.com application logs are maintained for all file operations as well as settings changes and made available to customers in near real time.

The Files.com interface and API offer customers powerful search and export functionality for application logs. These logs are retained for a minimum of 7 years. If you would like to have these logs retained for a shorter period of time, please contact us.

End user logging is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Internal access and operational logs as well as Files.com application logs are "write once/read many", meaning that they are protected from tampering.

Logs are not regularly manually reviewed, however we leverage automated tools, including Wazuh, as well as custom tools built by Files.com to search for and alert on anomalous activities found in logs.

Application Development, Data Retention and Logging is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Customer History / Logging

Files.com maintains a comprehensive audit log of who, what, when, where and how your files are modified. This makes it easy to see exactly who is reading, changing, or deleting your files.

The following information is included in each history log entry:

Time

The date and time the action occurred, displayed in the time zone of the current user.

User

The user who performed the action.

Description

The action that was taken, and the file or folder the action was taken on.

IP

The IP address that the user connected from when performing this action.

Interface

The interface through which the user performed the action (Web, API, Desktop, FTP, SFTP, WebDAV, Robot).

Please reference the History Feature documentation for more detailed information.
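The five history fields above, together with the per-user and site-wide IP allowlists described under "Controlling Access By Location", are enough to run a simple defender-side review of exported history: flag actions whose source IP falls outside the allowlist that applied to that user, count deletions per user, and write the entries back out as CSV. The following Python block is an added example written for this page, not Files.com's own code or API; the entries, CIDR ranges and user names are constructed sample data, and the precedence rule (a per-user allowlist, when set, replaces the site-wide list for that user) is this example's assumption about how the two lists combine.

```python
import csv
import io
import ipaddress
from typing import Dict, Iterable, List, Tuple

# The five fields of a history log entry, as listed on this page.
FIELDS = ["Time", "User", "Description", "IP", "Interface"]

# Constructed sample entries (documentation-range addresses, not real traffic).
SAMPLE_HISTORY = [
    {"Time": "2024-05-01T09:12:03Z", "User": "alice", "Description": "Uploaded /reports/q1.pdf",
     "IP": "203.0.113.10", "Interface": "Web"},
    {"Time": "2024-05-01T09:40:51Z", "User": "alice", "Description": "Deleted /reports/q1.pdf",
     "IP": "198.51.100.7", "Interface": "API"},
    {"Time": "2024-05-01T09:41:05Z", "User": "alice", "Description": "Deleted /reports/q1-draft.pdf",
     "IP": "203.0.113.10", "Interface": "Web"},
    {"Time": "2024-05-01T10:02:17Z", "User": "svc-sync", "Description": "Downloaded /exports/batch.csv",
     "IP": "203.0.113.55", "Interface": "SFTP"},
    {"Time": "2024-05-01T10:15:00Z", "User": "bob", "Description": "Changed permissions on /finance",
     "IP": "192.0.2.200", "Interface": "Web"},
]

# Constructed allowlists. Assumed precedence: a per-user list, when present,
# replaces the site-wide list for that user; everyone else gets the site list.
SITE_ALLOWLIST = ["203.0.113.0/24"]
USER_ALLOWLIST = {"svc-sync": ["203.0.113.55/32"], "bob": ["192.0.2.0/24"]}


def effective_allowlist(user: str, site_allow: List[str],
                        user_allow: Dict[str, List[str]]) -> List[ipaddress.IPv4Network]:
    """Resolve which CIDR ranges applied to this user (per-user overrides site-wide)."""
    cidrs = user_allow.get(user, site_allow)
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def ip_allowed(entry: dict, site_allow: List[str], user_allow: Dict[str, List[str]]) -> bool:
    """True if the entry's source address is inside the allowlist that applied to its user."""
    addr = ipaddress.ip_address(entry["IP"])
    return any(addr in net for net in effective_allowlist(entry["User"], site_allow, user_allow))


def review_history(entries: Iterable[dict], site_allow: List[str],
                   user_allow: Dict[str, List[str]]) -> List[Tuple[dict, str]]:
    """Return (entry, reason) pairs an analyst should look at.

    A hit here usually means the allowlist was changed after the fact, a user
    has a per-user list that is wider than intended, or a session came from an
    unexpected network; in every case it is worth a second look.
    """
    findings = []
    for entry in entries:
        if not ip_allowed(entry, site_allow, user_allow):
            findings.append((entry, "source IP outside the allowlist that applied to this user"))
    return findings


def deletes_by_user(entries: Iterable[dict]) -> Dict[str, int]:
    """Count deletions per user; a sudden spike is the classic bulk-deletion signal."""
    counts: Dict[str, int] = {}
    for entry in entries:
        if entry["Description"].startswith("Deleted "):
            counts[entry["User"]] = counts.get(entry["User"], 0) + 1
    return counts


def export_csv(entries: Iterable[dict]) -> str:
    """Serialise entries with the five history fields as a CSV header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(entries)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in review_history(SAMPLE_HISTORY, SITE_ALLOWLIST, USER_ALLOWLIST):
        print(f"{entry['Time']} {entry['User']} {entry['IP']}: {reason}")
    print(deletes_by_user(SAMPLE_HISTORY))
```

On the sample data the only finding is alice's deletion from 198.51.100.7, which is outside the site-wide range she is bound by; bob's activity from 192.0.2.200 is accepted because his per-user list covers it.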

The Files.com interface and API offer customers powerful search and export functionality for application logs. These logs are retained for a minimum of 7 years. If you would like to have these logs retained for a shorter period of time, please contact us.

The Files.com API and Command Line (CLI) app allow customers to export site settings information such as a user/group/folder permissions matrix.

End user logging is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Customer Data Portability

Files.com believes that data portability is an important goal. We only want to retain your business if we continue to earn it each and every day, and will never hold your data hostage. You can use our APIs and Command Line Interface app (CLI) to export all of your settings and data at any time. Additionally, you can use our File transfer and sync tools to transfer out your files at any time.

Files.com does not support the bulk import/export of data from/to portable media from any data center.

Please note that Files.com does not support the ability to export or retrieve user/counterparty credentials such as passwords and private keys. Passwords are stored in a proprietary salted, hashed format based on PKCS5 and PBKDF2 with SHA-512 (part of the SHA-2 family) used internally as the underlying hash algorithm.

Internal Data Backups

Internal services are backed up in real time to a replica service wherever possible. Where that isn't possible, Files.com conducts daily backups of critical internal data, such as employee authentication data, etc. These backups are moved to multiple regions for redundancy.

Backups are verified and fire drill restorations are performed regularly on this sort of data.

Backup and Restoration management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Network Security / Firewalls / Intrusion Detection / Intrusion Prevention

Our servers are kept behind a firewall (configured in a default deny mode) and only the ports necessary for operation are exposed to the public Internet. We use sophisticated internal firewall technology to segment our internal network into highly specific zones. Specific technologies used include AWS Security Groups, AWS VPC, and Terraform.

We use appropriate Intrusion Detection and Intrusion Prevention systems (IDS/IPS) as part of our Infrastructure and Network Controls. Specific technologies used include AWS GuardDuty and ModSecurity.

Most internal systems are blocked from outbound internet access. There are a few necessary exceptions: for example, the mount and sync systems must connect to remote storage systems across the internet, and the file transfer systems require outbound internet access, because a managed file transfer platform must be able to push files outbound to other systems. Whenever possible, these connections are made through proxy servers rather than directly.
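The two paragraphs above describe a default-deny perimeter, zone segmentation with Security Groups, and outbound access funnelled through proxies. The Terraform fragment below is an added illustration of that pattern, not Files.com's actual configuration: the group names, the VPC reference `aws_vpc.main`, the internal ports 8080 and 3128, and the choice of 443 (HTTPS) and 22 (SFTP) as "the ports necessary for operation" are all assumptions.

```hcl
# Illustrative only. Three zones: an Internet-facing edge, an application
# tier reachable only from the edge, and an egress proxy that is the
# application tier's sole route out. Rules are declared as standalone
# aws_security_group_rule resources (not inline blocks) so that groups can
# reference each other without a dependency cycle.

resource "aws_security_group" "edge" {
  name        = "edge"
  description = "Internet-facing: HTTPS and SFTP only"
  vpc_id      = aws_vpc.main.id
}

resource "aws_security_group" "app" {
  name        = "app"
  description = "Internal: accepts connections from the edge tier only"
  vpc_id      = aws_vpc.main.id
}

resource "aws_security_group" "proxy" {
  name        = "egress-proxy"
  description = "Only path from the app tier to the Internet"
  vpc_id      = aws_vpc.main.id
}

# --- Edge: default deny, with exactly the exposed ports listed ------------
resource "aws_security_group_rule" "edge_https_in" {
  type              = "ingress"
  security_group_id = aws_security_group.edge.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "edge_sftp_in" {
  type              = "ingress"
  security_group_id = aws_security_group.edge.id
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Edge may talk only to the app tier; no other outbound path exists.
resource "aws_security_group_rule" "edge_to_app" {
  type                     = "egress"
  security_group_id        = aws_security_group.edge.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
}

# --- App tier: never addressable from the Internet -------------------------
resource "aws_security_group_rule" "app_from_edge" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.edge.id
}

# The only egress granted is to the proxy. Note the AWS provider removes the
# allow-all egress rule that AWS attaches to new groups, so anything not
# listed here is denied outbound.
resource "aws_security_group_rule" "app_to_proxy" {
  type                     = "egress"
  security_group_id        = aws_security_group.app.id
  from_port                = 3128
  to_port                  = 3128
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.proxy.id
}

# --- Proxy: the one zone allowed to reach the Internet outbound ------------
resource "aws_security_group_rule" "proxy_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.proxy.id
  from_port                = 3128
  to_port                  = 3128
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
}

resource "aws_security_group_rule" "proxy_https_out" {
  type              = "egress"
  security_group_id = aws_security_group.proxy.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}
```

The practical check against such a layout is that `terraform plan` on a group with no egress rules shows outbound fully closed, and that the app tier has no rule with a `cidr_blocks` destination at all; any outbound Internet reachability must therefore appear, and be logged, at the proxy.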

Infrastructure and Network Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Internal VPN / Mobile Device Management (MDM) / Remote Access / Work From Home

By policy and through the use of technical controls, Files.com employees must only use company owned hardware devices to access our network.

All company owned hardware devices are managed using Mobile Device Management (MDM), including managed software updates and remote wipe capability. Employees do not have local administrative rights to their device, and password requirements are enforced locally. Local hard disk encryption is automatically enforced by MDM. AirDrop and removable media access are disabled by MDM.

All access to Files.com's network for employees requires access via a set of layered VPNs. Technical controls are in place to ensure that the VPNs may only be accessed by company owned hardware devices.

Employees are required to use a password manager to store all passwords/secrets. System secrets are kept in HashiCorp Vault.

Files.com company owned devices route all traffic through a base layer VPN, providing protection against remote or compromised internet connections. Additional VPNs are required to access our internal applications, and those VPNs require Two-Factor Authentication as well as an additional password. Our VPNs are scaled such that they can easily accommodate all of our employees working remotely for an extended period of time.

The company does not use Remote Desktop, VNC, or Citrix remote services, but a small number of employees may access our production and staging environments via SSH (Secure Shell). SSH access requires yet another layer of VPN, and is then further mediated by an SSH bastion server authenticated via an additional layer of public/private key authentication. Session termination is dictated by policy and enforced through technical controls.

Access to any customer data is always limited to senior Files.com employees (not contractors) located in the United States who have signed agreements binding them to the terms of our Privacy Policy and other company policies. If they fail to preserve this confidence, they are subject to disciplinary action, including losing their job, and potential criminal prosecution. All access to our application servers by our employees is logged.

Infrastructure, Network and Access Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Company Laptops

Files.com only allows company-owned laptops to access internal systems. These laptops are protected by multiple defensive layers including a Mobile Device Policy which is part of the larger Information Security Policy, the use of a Mobile Device Management (MDM) system, drive encryption, a host-based firewall, anti-virus/anti-malware protection (XProtect), location tracking and remote wipe capabilities, regular patching, a prohibition on external media via USB, and connectivity only through multi-factor, certificate-based VPNs. No user has local administrative access, and all applications are managed through the existing Change Management process and deployed through the MDM system.

Infrastructure, Network and Access Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Mobile Device Policy / Personal Devices

Files.com maintains a Mobile Device Policy which is part of the larger Information Security Policy. The use of personal devices (Bring Your Own Device - BYOD) is limited to a small subset of peripheral systems such as Slack, company email, and PagerDuty. These peripheral systems enforce device encryption and the use of a PIN.

All access to Files.com's network for employees requires access via a set of layered VPNs. Technical controls are in place to ensure that the VPNs may only be accessed by company owned hardware devices.

Infrastructure, Network and Access Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Secure Coding Practices

Files.com prides itself on putting security first when developing software. Practices in place at Files.com include secure coding training for software engineers, use of static code security analysis tools, and a Change Management process which includes pre-production testing and independent approval of changes. Files.com uses Dependabot on our public GitHub repositories, and Sonatype's Lift scanner on all our public SDKs and the Command Line (CLI) application.

Files.com maintains an internal development platform that includes secure code repositories and continuous integration automation.

Application SDLC, Change Management and Secure Coding Practices are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Code Escrow

Files.com does not use third-party code escrow services. The company is well capitalized, profitable, and growing.

Penetration Testing

Files.com undergoes third-party penetration testing on at least an annual basis. The scope of penetration testing includes the Files.com application, APIs, SDKs, marketing website, desktop and mobile clients, and starting in 2022 the Files.com internal network. By policy, Files.com must use a different penetration testing vendor for each penetration test.

In addition to other standards, we specifically require our testers to include testing for the OWASP Top 10 risk categories when conducting testing. The OWASP Top 10 covers risks such as injection, broken access control, cryptographic failures, security misconfiguration, vulnerable and outdated components, and authentication failures.

Download the latest PenTest Completion Letter.

Files.com also offers the security research community a Security Bug Bounty to help identify weaknesses to be addressed. Customers are welcome to participate in the Bug Bounty Program.

Penetration Testing and Vulnerability Management are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Automated Vulnerability Scan Testing

Files.com undergoes regular automated vulnerability scans. These scans include our external public facing systems and the entire internal network. Any identified vulnerabilities are closed as soon as possible after detection utilizing the existing Patch Management and Change Management processes.

Files.com undergoes automated web application scanning, including for the OWASP Top 10 risk categories (injection, broken access control, cryptographic failures, security misconfiguration, vulnerable and outdated components, authentication failures, and others). Any identified vulnerabilities are closed as soon as possible after detection utilizing the existing development lifecycle processes.

Vulnerability Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Log4j Vulnerability

Read the full response to the Log4j vulnerability here.

Customer-Performed Penetration Testing

In our experience, customer-performed penetration testing often uses low-cost vendors and tends to result in false positive alerts (e.g., flagging the open passive FTP port range 40000-50000, which is required for FTP to function) and no actual discoveries. Many of these vendors use automated scanners that can place high loads on our systems.

For these and other reasons, we limit customer-performed penetration testing.

We do allow it for customers on Premier and Enterprise plans, however you must coordinate with us before performing any testing. You must also agree to share with us the results of your testing.

In most cases, we will quickly detect and ban your IP addresses if you attempt a penetration test against us without coordinating with us in advance.

Brute Force Protection

Brute Force Protection is covered as part of Intrusion Detection and Intrusion Prevention.

Files.com employs appropriate Intrusion Detection and Intrusion Prevention systems (IDS/IPS) as part of our Application, Infrastructure, and Network Controls. Specific technologies used include AWS GuardDuty and ModSecurity.

Infrastructure and Network Controls are reviewed as part of the SOC 2 Audit process. Additionally, these topics are heavily covered during our Penetration Testing and Bug Bounty programs. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Virus Scanning / Malware Protection / File Integrity Monitoring (FIM)

Files stored in Files.com are not scanned for malware or viruses.

End user controls are the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Company laptops at Files.com have appropriate virus scanning and malware protection software (XProtect) installed and configured. Servers are protected through AWS GuardDuty Malware Protection, which provides automated alerting. Wazuh agents on all internal servers perform automated FIM scanning and report any changes to installed software and configuration to a central alerting dashboard, which is monitored.

Antivirus and Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Email and Web Content Scanning

Neither customer data nor Emails sent from the Files.com platform are scanned for malware, viruses, or sensitive information. The internal employee email system does scan for malware and viruses, and has spam filters in place.

End user controls are the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Internal servers and workstations at Files.com have appropriate virus scanning and malware protection software installed and configured.

Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Wireless Networks

Files.com does operate a physical office location which includes a wireless network. The wireless network exists to provide connectivity for our company owned devices and to provide guest connectivity through a separate Virtual Local Area Network (VLAN). The network is not required for, nor does it offer, any direct connectivity to any Files.com platform systems.

Computers at our office are treated as if they are remote workstations and required to connect through a secure on-device VPN.

Will Files.com Be Storing Data Subject To PCI/HIPAA/GDPR/etc

Files.com is not in a position to know what data you are storing in the platform. This understanding and proper data classification is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Federal Privacy Regulations

HIPAA: Files.com provides world class tools that allow customers to assist in meeting their legal, regulatory and contractual obligations. Please reference the provided Shared Responsibility Model for more details.

Law Enforcement / Subpoena Disclosure Request

Files.com is not in a position to know what data you are storing in the platform and does not read the contents of customer data for the purpose of detecting private information, copyrighted information, PII, PHI, etc.

If a request for disclosure by Law Enforcement Authorities or a subpoena is received, Files.com will notify impacted customers using an official contact method on file, subject to any applicable laws and regulations.

HIPAA / BAA

Customers on Premier and Enterprise plans can execute Files.com's BAA if needed.

Files.com has many customers who are subject to the Health Insurance Portability and Accountability Act (HIPAA). As such, we are aware of the relevant requirements and have designed our service to be compatible with many customer scenarios requiring HIPAA compliance.

Files.com offers a pre-written and pre-approved Business Associate Agreement ("BAA") that it will execute for any customer on a Premier or Enterprise plan. BAAs and HIPAA compliance are not available on the Starter or Power plan levels.

Our HIPAA BAA requires that you will comply with the instructions in our Configuring Files.com For Maximum Security document.

GDPR / DPA

Files.com offers a pre-written and pre-approved Data Protection Agreement ("DPA") that it will execute for any customer requiring a DPA under GDPR.

Privacy Shield Self-Certification

The Files.com Privacy Shield Self-Certification can be viewed here.

ITAR

ITAR is the International Traffic in Arms Regulations, which is a set of United States government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML) and related technical data. ITAR requires, in relevant part, that covered material (items listed on the USML) only be shared with U.S. persons absent special authorization or exemption.

Unlike SOC 2, there is no formal ITAR certification process. Because Files.com heavily relies on AWS and does not make use of the GovCloud capabilities of AWS, Files.com is unable to assert ITAR compliance.

PCI

All credit card information provided to us by our customers is stored in a highly secure, PCI-compliant system by our payment vendors Braintree Payment Solutions and PayPal.

PCI DSS is the Payment Card Industry Data Security Standard for cardholder data security. Our billing and signup processes are also PCI-compliant.

This should not be misunderstood to mean that our customers may store payment card data in Files.com. The Files.com Terms of Service disallows the Files.com service to be used for that use case.

ISO 27001

ISO 27001 is a framework governing information security. Files.com is not currently ISO 27001 certified, however, we plan to complete an ISO 27001 certification in the future.

Files.com's Information Security Program ("InfoSec Program") is based on SSAE-18 SOC 2 and COBIT 5 Framework and covers the Files.com platform and our company as a whole.

Files.com has participated in multiple SOC 2 engagements with Kirkpatrick Price which were successfully completed. Please reference our latest SOC 2 report for more details.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian federal data privacy law that governs the collection, use, and disclosure of personal information in the course of commercial business within Canada, including international and interprovincial transfers of personal information. The law applies in all provinces, except for those that have "substantially similar" privacy laws. Customers are responsible for determining the application of PIPEDA and complying with it, however, Files.com has numerous settings and features to assist with that compliance.

National Defense Authorization Act Section 889 (NDAA Section 889)

Files.com is compliant with NDAA Section 889.

Section 889 of the 2019 National Defense Authorization Act (NDAA) prohibits US federal government agencies, contractors, and grant and loan recipients from using or procuring certain covered telecommunications, video, or surveillance equipment or services. Such "covered" equipment or services are those from specific companies, including their subsidiaries and affiliates.

FIPS 140-2 Compliance

FIPS 140-2 is required under multiple compliance regimes, such as Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Files.com is planning to launch FIPS 140-2 compliant endpoints in 2023.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide parameters for the adoption and use of cloud services by the federal government.  

Files.com is not FedRAMP authorized.  

We have successfully completed multiple SOC 2 audits; please reference our latest SOC 2 report for more details.  

ADA Compliance - VPAT

Files.com is compliant with the Americans with Disabilities Act (ADA). We understand the importance of accessibility and are committed to ensuring that our platform is accessible to all users, including those with disabilities. As part of this commitment, we have prepared an audited Voluntary Product Accessibility Template (VPAT) report based on the Web Content Accessibility Guidelines (WCAG).

Contact your Account Executive or Customer Support to obtain the latest VPAT report.

NIST 800-53

NIST SP 800-53 is a catalog of security and privacy controls published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.

Files.com's Information Security Program ("InfoSec Program") is based on SSAE-18 SOC 2 and COBIT 5 Framework and covers the Files.com platform and our company as a whole.

Files.com has participated in multiple SOC 2 engagements with Kirkpatrick Price which were successfully completed. The Files.com InfoSec Program is reviewed as part of the SOC 2 Audit process. Please reference our latest SOC 2 report for more details.

GxP and FDA 21 CFR Part 11

GxP and related acronyms refer to regulations and quality guidelines in the life sciences industry maintained by the Food and Drug Administration (FDA) in the United States and similar organizations in other countries. These acronyms stand for "Good [x] Practices", such as Good Manufacturing Practices (GMP), Good Laboratory Practices (GLP), etc.

21 CFR Part 11 refers to part 11 of Title 21 of the Code of Federal Regulations, which is a regulatory document about Electronic Records and Electronic Signatures.

Files.com provides tools and controls that allow Files.com to be used within organizations that are complying with FDA 21 CFR Part 11, however proper controls, configuration, and validation of the configuration are the responsibility of the customer.

Please refer to the Files.com Shared Responsibility Model for more information.

Other Compliance Frameworks

Files.com actively reviews the landscape of compliance frameworks and audit regimes. If your organization has a specific certification or compliance need, please reach out to us, and we are happy to explore the opportunity.

Internal Policies at Files.com

Files.com has implemented the following regulatory policies, which are reviewed regularly:

  • Anti-Bribery and Anti-Corruption Policy
  • Anti-Fraud Policy
  • Anti-Slavery Policy
  • Anti-Money Laundering Policy
  • Third Party and Governmental Requests Policy
  • Whistle-Blowing Policy
  • Employee Code of Conduct
  • Export Controls Policy

Employee Controls are reviewed as part of the SOC 2 Audit process. Files.com internal policies are considered proprietary information and are not provided to customers. Please reference our latest SOC 2 report for more details.

Files.com's General Counsel and Chief Information Security Officer (CISO) regularly attend continuing education courses to keep up with the latest legal and regulatory changes.

Files.com uses the latest changes in legal, regulatory and any contractual obligations to drive updates across all facets of the organization, including the InfoSec Program.

Legal and Regulatory Compliance is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Questionnaires

Files.com will complete compliance and security questionnaires for Enterprise prospects and customers on our Premier plan and up. These questionnaires are completed by Files.com staff members and reviewed by a member of the Files.com in-house Legal team and/or Information Security Team for approval prior to sending to the customer/prospect.

©2023 Files.com. All rights reserved