Overview & Responsibilities
Files.com treats security as the foundation of the platform, not a layer added on top. The platform has operated for over 15 years with zero breaches, runs independently verified controls, and is engineered for resilience at every layer.
The Files.com Security Promise
Files.com acts as an extension of your security team. Every feature, system, and workflow is designed to keep your data safe without slowing your business down.
- Zero breaches in more than 15 years of production operation.
- Audited by independent third parties under SOC 2 Type II, PCI DSS Level 2, CSA STAR, and CAIQ v4.
- HackerOne bug bounty program running continuously since 2016, with no currently known vulnerabilities.
Customers recommend Files.com to boards, regulators, and auditors because we treat every deployment as if our own reputation is on the line.
Information Security Program
The Files.com security program is CISO-led, board-reviewed, and aligned to the COBIT 5 risk framework. Controls are anchored in SSAE-18 SOC 2 Type II trust services criteria and extended with attestations including PCI DSS, CSA STAR, and CAIQ.
Files.com supports customer compliance with HIPAA, GDPR, ITAR, and other frameworks under a clear Shared Responsibility Model, so enterprise controls integrate cleanly with our own.
Four principles guide the program:
- Defense in Depth. Multiple layers of infrastructure, application, and personnel safeguards.
- Zero Trust Everywhere. Every connection is verified; access is always least-privilege.
- Shared Success. Security is a board-level KPI, reviewed weekly at the executive level.
- Transparency. Audit reports, pen-test summaries, and policies are available under NDA.
Independent Assurance & Testing
External validation is the foundation of trust.
- Multiple third-party penetration tests run annually, scoped beyond the OWASP Top 10 to include business logic and abuse scenarios.
- Files.com was one of the first SaaS MFT vendors to launch a public HackerOne bug bounty program, active since 2016.
- Full assurance artifacts (SOC 2 reports, PCI AOC, pen-test letters, CAIQ responses) are available under NDA.
Secure-by-Design Architecture
Cloud Infrastructure
Files.com is delivered 100% as SaaS, hosted on Amazon Web Services. The platform operates in seven global regions plus a dedicated disaster recovery region, each spread across multiple availability zones.
- File contents are stored in Amazon S3 with AES-256 encryption.
- Metadata is stored in multi-AZ Amazon Aurora and self-hosted Elasticsearch.
- The platform is built on a microservices architecture written in Go, Java, Ruby, Python, and JavaScript.
Network Segmentation & Zero Trust
- Default-deny security groups, managed via Terraform.
- No public SSH; short-lived credentials stored in a secrets vault.
- Outbound traffic is tightly proxied and restricted.
- All access is logged and retained for 7+ years in WORM format.
- Published public IP ranges support secure allow-listing.
Data Protection & Privacy
- Encryption in transit (TLS 1.2/1.3) and at rest (AES-256).
- Role-based access controls, path-scoped permissions, SAML/Okta SSO, and mandatory MFA.
- Seven data residency zones to meet local compliance mandates.
- No mining, scanning, or resale of customer data.
Secure Development Lifecycle
Security starts at the code level.
- Separate development, staging, and production environments.
- No test data in production.
- GitLab Ultimate CI/CD with static analysis, dependency scanning, and container checks.
- Peer-reviewed Terraform commits for infrastructure changes.
- Same-day remediation of critical vulnerabilities, with automated patching across operating systems and libraries.
- Continuous scanning with AWS Security Hub, GuardDuty, Nessus, and independent monthly scans.
Operational Resilience
The platform is engineered for business continuity.
- Multi-AZ tolerance: proven to withstand regional outages with zero customer impact.
- BC/DR testing annually: RTO of 15 minutes; RPO of 0 (no data loss).
- Workforce continuity was validated under COVID-19 conditions with no disruption to operations.
File Flow Reliability
- Chunked, resumable transfers with SHA-256 integrity checks.
- Idempotent operations prevent duplication.
- Automated retries with exponential backoff.
- Archive-based automation replay via API or UI.
- Over 1 billion file transfers processed annually with a success rate above 99.99%.
Incident Response & Communication
Security Operations runs 24×7, with defined severity levels, root-cause analysis, and post-mortem documentation. All employees are trained annually in incident response.
Customer communication is aligned to regulatory obligations. Files.com has never had a breach.
Vendor & Third-Party Risk
Every vendor relationship is treated as an extension of our own security posture.
- Vendors are risk-tiered on onboarding and reviewed annually.
- Security clauses are embedded in all critical provider contracts.
- SOC 2 reports are reviewed as part of diligence.
- AWS is the sole IaaS provider; Files.com intentionally avoids cascading fourth-party dependencies.
Continuous Improvement
Security metrics are tracked and reviewed weekly, including:
- Vulnerability mean time to remediate (MTTR).
- Patch latency.
- Pen-test closure rates.
Input from the Customer Advisory Board shapes roadmap priorities so that Files.com continues to meet enterprise requirements.