Compliance and Security

At Files.com, we are committed to excellence in all aspects of our company and our product. We have invested heavily in our internal controls and internal processes around security and compliance and we are proud to share the details of our programs here.

It is our hope that you can use the information on this page to complete any security or compliance questionnaires that may be applicable to your use of Files.com.

We are able to complete Vendor Audit questionnaires for customers on our Premier or Enterprise plan levels. Please reach out to us if we can help you out in this way.

Company / Product Description

Files.com is a Software as a Service (SaaS) product providing one app and API through which you can manage, store, and transfer all files in your business. Notable features include granular permissions, integrations with numerous other services, no-code/low-code file automations, and a host of security and compliance tools.

Company Ownership

Action Verb LLC dba Files.com is a Nevada Limited Liability Company. We are majority owned by affiliates of Riverwood Capital. View the full list of Riverwood portfolio companies here.

The company is well capitalized, profitable, and growing.

Company / Employee Location

For security purposes, we do not disclose our office address. Files.com employees are all based in the USA and perform all work from the USA.

Our physical office location is audited as part of our SOC 2 audit.

Our mailing address is: PO Box 29502 #20898, Las Vegas, NV 89126.

Our telephone number is: (800) 286-8372.

Competition

Files.com competes with companies such as Microsoft, Google, Amazon Web Services, IBM, Oracle, and others.

Customer Count / Retention

Files.com is trusted by over 1,700 businesses of all sizes, including dozens of the World's Largest Companies.

Files.com does not share customer retention rates.

Support Contact

Customers may contact the Files.com Customer Success team by phone at (800) 286-8372, by email at support@files.com, or by submitting an authenticated support request through the web application.

Service Level Agreement (SLA)

Our Service Level Agreement page provides the details of our SLA.

Certifications and Audits

Files.com participated in a SOC 2 Type 1 engagement with Kirkpatrick Price which was successfully completed. Please reference our SOC 2 Type 1 report for more details.

Insurance

Files.com has industry standard insurance policies in place.

As a matter of policy, we do not provide insurance certificates for customers.

Financial Statements

Our financial statements are audited annually by Aprio LLP. Upon request we will provide an attestation letter attesting to the completion of our annual audit.

Information Security Program

Files.com's Information Security Program ("InfoSec Program") is based on SSAE-18 SOC 2 and COBIT5 and covers the Files.com product and our company as a whole.

Files.com participated in a SOC 2 Type 1 engagement with Kirkpatrick Price which was successfully completed. The Files.com InfoSec Program is reviewed as part of the SOC 2 Audit process. Please reference our SOC 2 Type 1 report for more details.

Information Security Team

Files.com maintains a Security team dedicated to Information Security.

The Chief Information Security Officer is Sean E. Smith, CISM, CISSP.

The Security team is represented in all architecture/project management efforts.

Information Security Training

Employees and internal contractors receive training on the Information Security Program as part of the Onboarding process and receive refresher training at least annually.

Security Training is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Internal Information Security documentation, such as policies, procedures, standards, guidelines and baselines

Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. All of this documentation is reviewed as part of the SOC 2 Audit process. Please reference our SOC 2 Type 1 report for more details.

Past Breaches

Files.com has not been breached.

Breach Notification

In the unlikely event of a breach, Files.com will notify impacted customers using an official contact method on file, subject to any applicable laws and regulations.

Incident response and notification are reviewed as part of the SOC 2 Audit process. Please reference our SOC 2 Type 1 report for more details.

Incident Response Plan

Files.com has an Incident Response Plan and an Incident Response Team.

Files.com has never suffered a breach, though the Incident Response Plan is regularly invoked for smaller incidents, such as customer-impacting availability issues. Files.com conducts regular tabletop exercises to test and improve the Incident Response Plan.

Files.com is often able to provide Incident Report on specific incidents when requested by customers.

Incident Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

High Availability

The Files.com service is designed for High Availability.

Our service is designed to withstand the loss of any single datacenter location with no impact whatsoever to the service. We operate redundant server instances in multiple datacenter locations ("Availability Zones") for every service in every region.

Every customer who purchases a dedicated IP from Files.com actually receives two separate IPs that are hosted on separate infrastructure in separate datacenter locations ("Availability Zones").

We use Amazon Aurora for primary storage of customer metadata. Within Amazon Aurora, we operate multiple hot-backup servers across multiple Availability Zones.

Availability Zones are distinct locations that are engineered to be insulated from failures in other Availability Zones. By launching instances in separate Availability Zones, applications are protected from the failure of any single location.

Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Business Continuity

Files.com (both the service and the company) is designed for continuity of function in a variety of disaster scenarios.

The Files.com service is designed for High Availability; the redundant datacenter locations ("Availability Zones"), dedicated IP pairs, and Amazon Aurora hot-backup details are described in the High Availability section above.

Files.com also has a management continuity plan.

Business Continuity is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Infrastructure Monitoring and Application Monitoring

Files.com has extensive infrastructure and application monitoring capabilities. Technologies used for monitoring include PagerDuty, Sensu, Sentry, and more.

Our monitoring systems page and alert our Incident Response Team in a number of different scenarios. Our Incident Response Team responds immediately to these alerts.

Infrastructure Monitoring is reviewed as part of the SOC 2 audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Scheduled Maintenance

Due to its High Availability design, Files.com has never in the past had to take down production systems to perform system maintenance.

If any downtime is required for maintenance in the future, it will be scheduled for a Saturday or Sunday and announced 2 weeks in advance.

Risk Management Program / Risk Assessment / Risk Analysis

Files.com has a Risk Management Program. Risk Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Vendor Risk Management Program

Files.com has a Vendor Risk Management program in place. Vendor Risk Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Data Governance

Files.com has procedures to identify and label data that is Confidential, Private, and Sensitive.

Data Governance oversight functions are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Governance Oversight

Files.com (the company) is managed by a 6-person board of directors which exercises regular oversight over the operations of the company. The board consists of representatives from affiliates of Riverwood Capital as well as other entities that have ownership in the company.

Governance oversight functions are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Asset Management

Files.com has an Asset Management program in place. Asset Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation, such as a list of any hardware and software used, includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Change Management

Files.com has a detailed Change Management process in place which includes things like pre-production testing and independent approval of changes.

Change Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference the provided Files.com SOC 2 Type 1 report for more details.

Configuration Management

Files.com uses industry standard hardening guidelines for configuring company systems.

Configuration Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference the provided Files.com SOC 2 Type 1 report for more details.

Media Management

As a cloud-based company that leverages AWS heavily, Files.com doesn't typically engage in activities that require control or destruction of media. We leverage AWS for managing all physical storage.

Regardless, Media Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Patch Management

We automatically install critical security updates as soon as possible using an automatic patch installation system.

Many pieces of our infrastructure (such as databases and S3 storage) are managed directly by Amazon Web Services. Those updates are performed by Amazon, which is committed to installing critical security updates as quickly as possible.

Patch Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Software Development Life Cycle (SDLC)

Files.com is a Software as a Service (SaaS) product and as such all of the system is covered by SDLC. Application Development is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Background and Credential Checks

Files.com employees are pre-screened prior to employment using a process that includes checking professional references, background, education, and certification(s). All employees sign confidentiality agreements and undergo standardized security awareness training as part of the onboarding process.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Files.com does not currently utilize internal contractors, but our policies dictate that they would be subjected to the same reviews as employees prior to onboarding.

Employee Onboarding

Files.com has a formal employee onboarding process that includes issuing unique identifiers to all employees.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Employee Termination Process

Files.com has an employee termination and offboarding process, which includes immediate removal of access to all systems. Nearly all internal systems require access to our VPN, access to which is terminated immediately upon employee termination.

Human Resource policies and procedures are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Employee Identity and Access Management

Files.com uses a sophisticated internal Identity and Access Management system that provides Single Sign On authentication to most internal systems.

Files.com implements sophisticated Role Based Access Control for access to internal systems, based on the principles of Need to Know/Least Privilege.

Identity and Access Management is reviewed as part of the SOC 2 Audit process. Please reference our SOC 2 Type 1 report for more details.

Use of Outsourced Vendors for Key Activities

Files.com has a team of USA-based full time employees and does not outsource any key components of its business.

Our Desktop app for Windows and Mac is developed in partnership with a third-party vendor; however, that vendor has no privileged access to the Files.com platform.

Technology Stack / Network Diagram

Files.com operates a fairly sophisticated cloud environment that leverages many different Amazon Web Services regions. We operate hundreds of server instances in total using industry standard systems and tools.

The Files.com SaaS is made up of smaller components that are developed in a variety of programming languages and environments, including Java, Ruby, JavaScript, Go, .NET, and others.

Files.com is a Software as a Service (SaaS) product and as such all of the system is covered by Software Development Life Cycle (SDLC). Application development SDLC is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

System and Application Updates

Files.com is a multi-tenant Software as a Service (SaaS) product and utilizes a Continuous Integration/Continuous Deployment (CI/CD) development model which includes multiple production deployments during the day. These frequent changes preclude customer notification.

All updates are designed to avoid any downtime or disruption in service wherever possible.

Files.com is a Software as a Service (SaaS) product and as such all of the system is covered by Software Development Life Cycle (SDLC). Application development SDLC is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Use of Open Source Software

Files.com regularly leverages Open Source Software (OSS) in its development process. Use of OSS is subject to various controls to mitigate the security and compliance risks associated with OSS.

Files.com leverages automated scanning technology to ensure that any OSS used in the Files.com application is available under an appropriate license.

Software Licensing is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Release Planning / Roadmap / Planned Updates

Files.com does not publicly share details of its roadmap or planned updates. However, Files.com does maintain a Customer Advisory Board.

These customers have signed appropriate NDAs, and therefore Files.com is able to share details about the roadmap and planned updates with customers who are members of the Customer Advisory Board.

If you would like to be considered for the Customer Advisory Board, please reach out to us.

Data Centers / Co-Location / Hardware Specifications

All of our server instances, file storage, and database hosting are provided by Amazon Web Services (AWS), a subsidiary of Amazon.com.

Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits.

Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the Amazon platform and infrastructure. Amazon datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by Amazon employees is logged and audited routinely.

Amazon does not provide specific details about the hardware used for our server instances.

Our agreement with Amazon ensures that they will act within the scope of our Privacy Policy. Learn more on the AWS Compliance programs website.

Please reference our SOC 2 Type 1 report for more details.

Physical Controls / Environmental Safeguards

All of our server instances, file storage, and database hosting are provided by Amazon Web Services, a subsidiary of Amazon.com.

Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits. The AWS datacenter physical access controls, access revocation practices, and access logging are described in the Data Centers / Co-Location / Hardware Specifications section above.

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Files.com does operate a physical office location; however, no servers or privileged information are stored at the office. There is no network infrastructure at our office. Computers at our office are treated as if they are remote workstations and are required to connect through a secure on-device VPN. The office is in a secure location which is locked outside of business hours and is only accessible to non-employees with an escort.

Please reference our SOC 2 Type 1 report for more details.

Employee/Contractor Access To Customer Data

Files.com Customer Success staff may access your metadata (not file data) and log information for support purposes only with explicit permission initiated by your site admins following a validation process built into the administration system.

Files.com Infrastructure staff has access to the underlying technology that can access metadata and log information and the storage locations of the actual data. The encryption keys required to decrypt the actual data are stored in a key-management escrow service operated by AWS.

Only Files.com employees with a legitimate business need have the ability to log in to our servers or databases directly.

Customer Data Separation

Files.com is a multi-tenant Software as a Service (SaaS) and logically separates all customer data.

Customer Data Storage

We store all the actual contents of customer files in the Amazon S3 Simple Storage Service. Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage.

Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region. Once stored, Amazon S3 maintains the durability of your objects by quickly detecting and repairing any lost redundancy.

Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.

We save backups of files that are deleted and retain such backups for a period of time that is customizable by you. Our support staff is able to restore deleted files directly back to your account.

Files.com allows customers to choose where their data is stored. Files.com has customers worldwide, and multiple geographic locations are available to support each customer. You can even use several data storage locations within the same account on certain plans.

For speed acceleration purposes, data will typically pass through the region closest to a user before being ultimately stored in the region that was selected for storage. For example, if a user from Australia is uploading a file to a folder with a storage location of Germany, that data may be sent to our server location in Sydney (in transit) and then sent to our server location in Germany. You can disable this acceleration and ensure that the data is only ever sent to Germany (or whatever storage region you choose) by disabling our Global Acceleration feature. For HIPAA accounts, disabling global acceleration is required and automatic because our HIPAA agreement with Amazon only covers USA-based server locations.

Please refer to the Files.com Shared Responsibility Model document for more information.

Customer Data Backups

We use Amazon Aurora for primary storage of customer metadata. Within Amazon Aurora, we operate multiple hot-backup servers across multiple availability zones.

We have Point-in-time Restore capabilities such that we are able to restore our database to its state at any given time in the past 7 days (such as immediately before a service disruption).

Additionally, we take full database snapshots and store them in Amazon S3 every 24 hours. These snapshots are retained for at least 7 days.

We do not make backups of customer files other than the internal redundancy provided by Amazon S3. Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region. Once stored, Amazon S3 maintains the durability of your objects by quickly detecting and repairing any lost redundancy.

Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.

Learn more on the AWS Compliance programs website. Please reference our SOC 2 Type 1 report for more details.

Customer Data Retention After Cancellation

Files.com does not retain customer data once a customer cancels their account. Customer data is deleted within 7 days of receipt of customer cancellation notice or termination due to nonpayment.

Customer Data Retention After Deletion By Customer

Files.com provides world class tools that allow customers to manage their accounts according to their own policy.

Backup retention periods for deleted customer data can be configured to any setting the customer chooses to align with their internal security policies. Please refer to the Files.com Shared Responsibility Model document for more information.

Customer Data Privacy

We use device identifiers (like cookies, beacons, Ad IDs, and IP addresses) to understand how people use the Files.com website and applications. We collect this information for any website visitor. We don't "sell" this information for money, but we do provide it to other companies such as Google and Facebook to help us market our services.

These device identifiers aren't what you might traditionally think of as personal information, like your name or phone number, and they don't directly identify you. Under the California Consumer Privacy Act ("CCPA"), this type of sharing may be considered "selling" of personal information.

Notwithstanding the foregoing, Files.com does not sell customer data or access or use customer data for any purpose other than providing the Files.com service to the customer.

Customer Data Access Controls

Files.com provides world class tools that allow the customer to manage their logical access according to their own policy.

Customers can choose to use local application accounts (including multiple 2FA options) or provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.

Files.com platform access is managed by customers. Please refer to the Files.com Shared Responsibility Model document for more information.

Content Scanning of Customer Data

Files.com does not read the contents of customer data for the purpose of detecting private information, copyrighted information, PII, PHI, etc.

Please refer to the Files.com Shared Responsibility Model document for more information.

User Passwords and Security Capabilities

Files.com provides world class tools that allow the customer to manage their logical access according to their own policy. Files.com platform access is managed by customers.

Customers can choose to use local application accounts (including multiple 2FA options) or provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.

Passwords are stored in a salted encrypted format, and customers cannot see user passwords.

Customers can set length requirements, complexity requirements, and change timeframe on user account passwords according to their own password policy.

Customers can require users to change their password on their next login.

Customers can restrict access to certain IPs or IP ranges, or certain countries, either on a per-user or site-wide basis.

Customers can require that inactive user accounts be disabled after any length of time or lock after a certain number of failed password attempts.

End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model document for more information.

Idle Timeouts

Files.com web sessions normally time out after 6 hours of inactivity, but customers can customize this timeout period via the Session expiration security setting.

Controlling Access By Location

Customers may create and maintain an IP whitelist covering their inbound connections to Files.com.

Files.com publishes a list of IP addresses that it uses when making outbound connections (such as webhooks, LDAP, etc.), which you can add to your internal whitelist.
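The two allowlist controls described above (an inbound IP allowlist applied site-wide or per user, and checking that an incoming webhook really comes from the published outbound address list) are easy to get subtly wrong: bare addresses and CIDR ranges must be parsed consistently, IPv4 and IPv6 must not be mixed up, and the peer address, not a client-supplied header, must be the thing that is checked. The following Python is an added example written for this page, not Files.com code; every address and range in it is a constructed placeholder, and the rule that a per-user allowlist narrows (rather than overrides) the site-wide one is an assumption for illustration.

```python
"""Inbound IP allowlist evaluation and webhook source verification.

Added example for this page (not Files.com code). All addresses and
ranges are constructed placeholders from the documentation ranges
(RFC 5737 / RFC 3849); replace them with your own values.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Parse a list of IPs or CIDR ranges into network objects.

    A bare address becomes a host network (/32 or /128). Invalid entries are
    collected and reported together so a bad line in a long list is not
    silently dropped (which would loosen or break the control unnoticed).
    """
    nets: List[Network] = []
    bad: List[str] = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue  # allow blank lines and comments in an allowlist file
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append(entry)
    if bad:
        raise ValueError("invalid allowlist entries: " + ", ".join(bad))
    return nets


def ip_allowed(client_ip: str, allowlist: List[Network]) -> bool:
    """An empty allowlist means 'no restriction'; otherwise the address must
    fall inside at least one range. A v4 address never matches a v6 range
    (and vice versa), which the ipaddress module guarantees for `in`."""
    if not allowlist:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowlist)


def connection_permitted(client_ip: str,
                         site_allowlist: List[Network],
                         user_allowlist: Optional[List[Network]] = None) -> bool:
    """Combine the site-wide and per-user allowlists.

    Assumption for this example: the site-wide list is evaluated first and a
    per-user list, when present, is an additional restriction, so both must
    pass. A per-user list never widens access beyond the site-wide list.
    """
    if not ip_allowed(client_ip, site_allowlist):
        return False
    if user_allowlist is not None and not ip_allowed(client_ip, user_allowlist):
        return False
    return True


# Placeholder for the vendor's published outbound (webhook/LDAP) addresses.
# Constructed values; load the real published list from the vendor instead.
PUBLISHED_SENDER_RANGES = parse_allowlist([
    "203.0.113.0/24",       # placeholder IPv4 range
    "198.51.100.17",        # placeholder single IPv4 host
    "2001:db8:1::/48",      # placeholder IPv6 range
])


def webhook_source_trusted(peer_addr: str) -> bool:
    """Decide whether to trust an inbound webhook based on the TCP peer address.

    Deliberately takes only the socket peer address: X-Forwarded-For and
    similar headers are attacker-controllable unless your own reverse proxy
    strips and re-sets them, so they must not be used here without that
    guarantee. Pair this with whatever payload authentication the webhook
    provides; source IP alone is a coarse first filter.
    """
    return ip_allowed(peer_addr, PUBLISHED_SENDER_RANGES)


if __name__ == "__main__":
    site = parse_allowlist(["10.0.0.0/8", "192.0.2.0/24"])   # constructed
    admin_only = parse_allowlist(["192.0.2.10"])             # constructed
    print(connection_permitted("192.0.2.10", site, admin_only))   # True
    print(connection_permitted("192.0.2.11", site, admin_only))   # False
    print(webhook_source_trusted("203.0.113.9"))                  # True
    print(webhook_source_trusted("192.0.2.9"))                    # False
```

Load the site and per-user lists from your configuration store, and treat a `ValueError` from `parse_allowlist` as a deployment failure rather than falling back to an empty list, since an empty list means "allow everything".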

Two Factor Authentication (2FA) / Multi Factor Authentication (MFA)

Files.com offers a variety of 2FA/MFA options including SMS, YubiKey, U2F, and Google Authenticator on all plan levels. Customers on our Power, Premier, and Enterprise plans may optionally require that all of their users use 2FA/MFA. Alternatively, customers may provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.

End user security configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model document for more information.

Internally, Files.com uses hardware 2FA devices for all employee access to the Files.com network and all internal applications used by employees.

API and SDKs

Files.com provides a REST API as well as SDKs in multiple languages. Our API Documentation website lists the available endpoints, API authentication information, as well as links to download our SDKs.

Encryption

Files.com provides for data encrypted in motion and at rest.

We support 2048-bit SSL encryption for all inbound and outbound FTP and HTTP connections as well as modern SSH encryption for inbound and outbound SFTP connections.

For HTTP (web workspace) connections, SSL encryption (https://) is required for all connections. If a user attempts to connect to the web workspace via unsecured HTTP (http://), we will automatically redirect them to the secure HTTP address (https://).

For FTP (file transfer protocol) connections via port 990, 2048-bit SSL encryption is supported and required on all connections.

For FTP (file transfer protocol) connections via port 21, 2048-bit SSL encryption is supported and required by default. You may configure your account to allow insecure FTP connections by setting an option in the Security tab of the Settings page.

File contents (including backups) are encrypted at rest using AES-256 with all keys stored in a key-management escrow service operated by AWS.

Custom SSL certificates are provided for free to customers who use their own Custom Domain, or customers may provide their own certificate from the vendor of their choice.

Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per folder basis.

Encryption baselines are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Encryption Key Management

Encryption Key Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Logging / Log Recording and Retention

Internal access and operational logs are maintained on all underlying systems. These logs are retained in hot searchable format for a period of time and are then retained for a much longer period of time in cold storage.

Data Retention is reviewed as part of the SOC 2 Audit process. Please reference our SOC 2 Type 1 report for more details.

Additionally, Files.com application logs are maintained for all file operations and made available to customers in near real time.

The Files.com interface and API offer customers powerful search and export functionality for application logs.

End user logging is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model document for more information.

Internal access and operational logs as well as Files.com application logs are "write once/read many", meaning that they are protected from tampering.

Logs are not regularly reviewed manually; however, we use automated tools, including Wazuh, as well as custom tools built by Files.com to search for and alert on anomalous activity found in logs.

Application Development and Logging is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Internal Data Backups

Internal services are backed up in real time to a replica service wherever possible. Where that isn't possible, Files.com conducts daily backups of critical internal data, such as employee authentication data.

Backups are verified and fire drill restorations are performed regularly on this sort of data.

Backup and Restoration management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Network Security / Firewalls / Intrusion Detection / Intrusion Protection

Our servers are kept behind a firewall (configured in a default deny mode) and only the ports necessary for operation are exposed to the public Internet. We use sophisticated internal firewall technology to segment our internal network into highly specific zones. Specific technologies used include AWS Security Groups, AWS VPC, and Terraform.

We use appropriate Intrusion Detection and Intrusion Protection systems as part of our Infrastructure and Network Controls. Specific technologies used include AWS GuardDuty and ModSecurity.

Infrastructure and Network Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Penetration Testing

Files.com undergoes third-party penetration testing on at least an annual basis.

The PenTest Completion Letter can be provided if requested.

Files.com also offers the security research community a Security Bug Bounty to help identify weaknesses to be addressed.

Vulnerability Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Automated Vulnerability Scan Testing

Files.com undergoes regular automated vulnerability scans. These scans include our entire network, including employee laptops (workstations). Any identified vulnerabilities are closed as soon as possible after detection.

Vulnerability Management is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Customer-Performed Penetration Testing

In our experience, customer-performed penetration testing often uses cheap vendors and tends to result in false positive alerts and no actual discoveries. Many of these vendors use automated scanners that can place high loads on our systems.

For these and other reasons, we limit customer-performed penetration testing.

We do allow it for customers on an Enterprise plan, however you must coordinate with us before performing any testing. You must also agree to share with us the results of your testing.

In most cases, we will quickly detect and ban your IP addresses if you attempt a penetration test against us without coordinating with us in advance.

Virus Scanning and Malware Protection

Files stored in Files.com are not scanned for malware or viruses.

End user controls are the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model document for more information.

Internal servers and workstations at Files.com have appropriate virus scanning and malware protection software installed and configured.

Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.

Federal Privacy Regulations

HIPAA: Files.com provides world-class tools that allow customers to assist in meeting their legal, regulatory, and contractual obligations. Please reference the provided Shared Responsibility Model document for more details.

HIPAA / BAA

Customers on the Premier plan can execute Files.com's BAA if needed.

Files.com has many customers who are subject to the Health Insurance Portability and Accountability Act (HIPAA). As such, we are aware of the relevant requirements and have designed our service to be compatible with many customer scenarios requiring HIPAA compliance.

Files.com offers a pre-written and pre-approved Business Associate Agreement ("BAA") that it will execute for any customer on a Premier or Enterprise plan. BAAs and HIPAA compliance are not available on the Starter or Power plan levels.

Our HIPAA BAA requires that you will comply with the instructions in our Configuring Files.com For Maximum Security document.

GDPR / DPA

Files.com offers a pre-written and pre-approved Data Protection Agreement ("DPA") that it will execute for any customer requiring a DPA under GDPR.

ITAR

ITAR is the International Traffic in Arms Regulations, which is a set of United States government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML) and related technical data. ITAR requires, in relevant part, that covered material (items listed on the USML) only be shared with U.S. persons absent special authorization or exemption.

Unlike SOC 2, there is no formal ITAR certification process. Because Files.com heavily relies on AWS and does not make use of the GovCloud capabilities of AWS, Files.com is unable to assert ITAR compliance.

PCI

PCI is the Payment Card Industry standard for cardholder data security. All credit card information provided to us by our customers is stored in a highly secure, PCI-compliant system by our payment vendors Braintree Payment Solutions and PayPal.

Our billing and signup processes are also PCI-compliant.

This should not be misunderstood to mean that our customers may store payment card data in Files.com. The Files.com Terms of Service prohibit use of the Files.com service for that purpose.

ISO 27001

ISO 27001 is a framework governing information security. Files.com is not currently ISO 27001 certified; however, we plan to complete an ISO 27001 certification in the future.

Files.com's Information Security Program ("InfoSec Program") is based on SSAE-18 SOC 2 and COBIT 5 and covers the Files.com product and our company as a whole.

Files.com participated in a SOC 2 Type 1 engagement with Kirkpatrick Price which was successfully completed. The Files.com InfoSec Program is reviewed as part of the SOC 2 Audit process. Please reference our SOC 2 Type 1 report for more details.

Files.com's General Counsel and Chief Information Security Officer (CISO) regularly attend continuing education courses to keep up with the latest legal and regulatory changes.

Legal and Regulatory Compliance is reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our SOC 2 Type 1 report for more details.