This printed/PDF document is a snapshot of https://www.files.com/legal/security.html, which is subject to change at any time. For the current version, please visit https://www.files.com/legal/security.html
Last Updated: August 12, 2019
User Account Security Capabilities
Passwords are stored in a salted encrypted format, unless you specify otherwise. Unless cleartext passwords are enabled, site administrators cannot see user passwords.
Administrators can require users to change their password on their next login.
Administrators can restrict access to certain IPs or IP ranges, either on a per-user or site-wide basis.
We support 2048-bit SSL encryption for all FTP and HTTP connections to the Service. This is an extremely high level of encryption.
For HTTP (web workspace) connections, SSL encryption (https://) is required for all connections. If a user attempts to connect to the web workspace via unsecured HTTP (http://), we will automatically redirect them to the secure HTTP address (https://).
For FTP (file transfer protocol) connections via port 990, 2048-bit SSL encryption is supported and required on all connections.
For FTP (file transfer protocol) connections via port 21, 2048-bit SSL encryption is supported and required by default. You may configure your account to allow insecure FTP connections by setting an option in the Security tab of the Configuration page.
Files are encrypted at rest, with all encryption keys stored in a key-management escrow service operated by Amazon S3. This applies to all files uploaded after October 5, 2011.
All of our server instances, file storage, and database hosting are provided by Amazon Web Services, a subsidiary of Amazon.com.
Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SAS70 Type II audits.
Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the Amazon platform and infrastructure. Amazon datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by Amazon employees is logged and audited routinely.
Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
Server Software Updates and Patches
Our web and file servers run the Ubuntu Linux operating system distribution (currently, version 18.04 LTS). Our web application is developed using the latest version (version 4.2) of Ruby on Rails. We use MySQL 5.6 for our database servers.
We subscribe to the security announcement mailing lists for Linux, Ubuntu and Ruby on Rails and install critical security updates as soon as possible after they are released using an automatic package upgrade installation system.
We install non-critical and non-security related software updates to Ubuntu automatically on a rolling basis.
Updates to MySQL are managed by Amazon, and they install critical security updates as quickly as possible.
Our servers are Amazon EC2 Server Instances.
Our servers are kept behind a firewall (configured in a default deny mode) and only the ports necessary for operation are exposed to the public Internet.
Files are hosted using Amazon's S3 Simple Storage Service. Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage.
Only Files.com employees with a legitimate business need have the ability to log in to our servers or databases directly.
Access is removed from employees immediately if they leave the company or no longer have a business need to access the servers.
Credit Card Information
Our billing and signup processes are also PCI-compliant. PCI is the Payment Card Industry standard for cardholder data security.
This should not be misunderstood to mean that you may store protected cardholder data in Files.com. We have NOT attempted to ensure PCI-compliance for the data that our customers upload.
For Maximum Security
To ensure that nobody accidentally transfers a file on your account using insecure FTP or HTTP, enable the "Require SSL" option in the Security tab of the Configuration page. This is especially important if you are using your own domain name, as we will otherwise disable SSL by default on the web interface.
Do not enable the Insecure Ciphers option on the Security Tab of the Configuration page.
On the Security tab of the Configuration page, set the backup retention period as low as possible to minimize the amount of your data we retain as backups. For maximum security, you should set this value to be no higher than 30 days. Many of our customers enter lower values such as 7 days or even 0 days.
Files.com has many customers who are subject to the Health Insurance Portability and Accountability Act (HIPAA). As such, we are aware of the relevant requirements and have designed our service to be compatible with HIPAA compliance.
Depending on your exact use of Files.com, you may need to enter into a Business Associate Agreement (BAA) with Files.com. We provide a pre-written and pre-approved agreement that you will need to use. To request a BAA, contact us.
The rest of this document explains the various physical and technical measures we use to protect your data. You may refer to it in any internal auditing that you perform.
Please be sure to follow the steps in the For Maximum Security section above to ensure that you have configured Files.com to be compliant.
Security Bug Bounty
We continually improve the security of Files.com by using automated vulnerability scanning tools. In addition, we offer the security research community a Security Bug Bounty.
Changes and Evolution
Files.com strives to stay up-to-date with the latest best practices, and as such reserves the right to change the exact implementation of our technology platform at any time. If we make a substantial change that affects security matters, we will alert Files.com™ paying customers of such change via E-Mail. Your continued use of the Service following such changes will indicate your acceptance of those changes.
This document was last updated according to the date at the top of this page.
If you are evaluating Files.com, or you need assistance to complete a security/compliance/due-diligence questionnaire regarding Files.com, we have put together the FAQ below. If you have a question not answered below, please contact us.
Is there staff dedicated to information security?
Yes. Files.com has a named Chief Information Security Officer who is a full-time employee and independent of the product development process.
Are there risk management procedures?
Yes. Files.com uses management procedures, including identification of threats, vulnerabilities and consequences, and the use of treatment options to reduce residual risk to an acceptable level.
Is there an Information Security Policy?
Yes. Files.com utilizes multiple policies to cover InfoSec assets; these include topics such as Acceptable Use, Access Control, Encryption, etc.
Is there a Business Continuity Plan?
Yes. Files.com was engineered to take advantage of the Amazon Web Services (AWS) native infrastructure for automated continuity using multiple zones and infrastructure.
The Files.com implementation on AWS is designed to have zero downtime in the event of a total loss of a single availability zone (AZ) per region and minimal downtime as long as at least one AZ is operating properly in each region.
Files.com also has a management continuity plan.
How do program updates get installed?
Files.com is a Software as a Service (SaaS) platform and as such is continuously updated to address bug fixes and add new features.
Is there a Change Management process?
Yes. Files.com follows procedures which include pre-production testing and independent approval.
Is there a policy to ensure all employees are pre-screened, including a background check?
Yes. Files.com employees are pre-screened using a process that includes checking professional references, background, education, and certification(s) prior to employment. All employees sign confidentiality agreements and undergo standardized security awareness training as part of the onboarding process.
Is there an employee termination process?
Yes. Files.com uses an employee offboarding process that includes immediate removal of access to all systems.
What physical/environmental controls are in place for Files.com?
Files.com was engineered to take advantage of the Amazon Web Services (AWS) native infrastructure that includes multiple physical and environment controls as reported in both ISO 27001 and SOC 2 AWS audit documents reviewed annually.
Is Files.com access logged?
Yes. Separate access and operational logs are maintained on all underlying systems. Files.com application logs are available to clients in near real time.
Can we manage our own data retention?
Each client is free to set the file backup retention time frame according to their own retention policy.
What is the password policy on Files.com accounts?
Files.com allows each client to set length, complexity and change timeframe on user account passwords according to their own password policy.
Can we use 2FA/MFA on our account?
Files.com allows the use of 2FA/MFA in all plans and provides the ability to force 2FA/MFA in the Enterprise plan.
Can we control access to our account from only our office(s)?
Customers may create and maintain an IP whitelist covering their inbound connections to Files.com. Files.com publishes a list of IP addresses that it uses when making outbound connections (such as webhooks, LDAP, etc.), which you can add to your internal whitelist.
Can our users stay connected all day?
Files.com web sessions normally time out after 6 hours of inactivity, but we can customize this timeout period for your site if you contact us.
Is our data encrypted?
Files.com provides for data encrypted in motion and at rest. Files.com supports 2048-bit SSL/TLS encryption on FTP and HTTP connections through the web interface or via REST API interactions. Data is encrypted at rest (including backups) with all keys stored in a key-management escrow service operated by AWS. Clients can also choose to ‘Require SSL’ via system configuration and remove support for insecure ciphers. Enterprise level and above can utilize their own encryption keys on a per-folder basis.
Custom SSL certificates are provided for free to customers, or they are free to provide their own from their vendor of choice.
Does Files.com undergo penetration testing?
Files.com undergoes continuous vulnerability testing and annually undergoes third-party penetration testing. Files.com also offers the security research community a security bug bounty to help identify weaknesses to be addressed.
Can we do our own penetration test against Files.com?
Because of the load this places on our systems, we limit this activity to clients on our Enterprise plan and above and you must coordinate with us before performing any testing. You must also agree to share with us the results of your testing.
Is our data stored outside the US?
Files.com allows clients to choose where their data is stored. Files.com has clients worldwide, and multiple geographic locations are available to support each client. You can even use several data storage locations within the same account on certain plans.
For speed acceleration purposes, data will typically pass through the region closest to a user before being ultimately stored in the region that was selected for storage. For example, if a user from Australia is uploading a file to a folder with a storage location of Germany, that data may be sent to our server location in Sydney (in transit) and then sent to our server location in Germany. You can disable this acceleration and ensure that the data is only ever sent to Germany (or whatever storage region you choose) by disabling our Global Acceleration feature. For HIPAA accounts, disabling global acceleration is required and automatic because our HIPAA agreement with Amazon only covers USA-based server locations.
How is our data kept secured from other users?
Files.com is a multi-tenant Software as a Service (SaaS) and logically separates all customer data.
If we leave will you keep our data?
No. Files.com will purge your client site information and data after seven (7) days. Purged data is not recoverable. The cancellation procedure is built into the Files.com interface and is initiated by your administrators.
Do you sell our data?
No. Files.com does not sell client information, metadata, or data.
What about our credit card data?
Files.com does not store credit card data. Client credit card information is stored in a highly secure, PCI-compliant system by our payment vendors Braintree Payment Solutions and PayPal.
Can your staff access our data?
Files.com Customer Success staff may access your metadata (not file data) and log information for support purposes only with explicit permission initiated by your site admins following a validation process built into the administration system.
Files.com Infrastructure staff has access to the underlying technology that can access metadata and log information and the storage locations of the actual data. The encryption keys required to decrypt the actual data are stored in a key-management escrow service operated by AWS.
Do you have any third-party audits?
Files.com was engineered to take advantage of the Amazon Web Services (AWS) native infrastructure which includes annual ISO 27001 and SOC 2 reviews. Our agreement with Amazon contains the requirements we have determined are necessary for Amazon's compliance with our security policies.
Can we get copies of all the policies, procedures, standards, etc. that govern Files.com?
Files.com InfoSec program documentation includes proprietary information and as such is not provided to clients. However, we provide documentation as required by law and will try to assist with any security-related questions you may have that are not covered on this page.