Skip to main content

Compliance Frameworks

Files.com actively reviews the landscape of compliance frameworks and audit regimes. This page provides relevant information about how various compliance frameworks apply to your use of Files.com. Please note that individual facts and circumstances are important to understanding how any given framework may apply to you.

Will Files.com Be Storing Data Subject To PCI/HIPAA/GDPR

Files.com is not in a position to know what data you are storing in the platform. This understanding and proper data classification is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Federal Privacy Regulations

Files.com provides world class tools that allow customers to assist in meeting their legal, regulatory and contractual obligations. Please reference the provided Shared Responsibility Model for more details.

Family Educational Rights and Privacy Act (FERPA)

FERPA is a US federal law governing access and disclosure of student education records. The Act gives parents and eligible students access rights to their children's educational records, a mechanism to amend the records, and some control over disclosure of student records and information. FERPA covers institutions and agencies receiving funding from the US Department of Education, such as public schools and school districts.

While there is no formal certification process for FERPA, Files.com provides tools and controls to help institutions and agencies comply with the Act's rules. Proper controls, configuration, and validation of the configuration are the responsibility of the customer; please refer to the Files.com Shared Responsibility Model for more information.

Children's Online Privacy Protection Act (COPPA)

Files.com is not intended for use by children, especially those under 13. We do not knowingly collect personally identifiable information from children under 18 years of age.

Health Insurance Portability and Accountability Act (HIPAA) / Business Associate Agreement (BAA)

Files.com has many customers who are subject to the Health Insurance Portability and Accountability Act (HIPAA). As such, we are aware of the relevant requirements and have designed our service to be compatible with many customer scenarios requiring HIPAA compliance.

Files.com offers a pre-written and pre-approved Business Associate Agreement ("BAA") that it will execute for any customer on a Premier or Enterprise plan. BAAs and HIPAA compliance are not available on the Power plan.

Our HIPAA BAA requires that you will comply with the instructions in our Configuring Files.com For Maximum Security document.

General Data Protection Regulation (GDPR) / Data Protection Agreement (DPA)

Files.com is compliant with General Data Protection Regulation (GDPR).

Files.com offers a pre-written and pre-approved Data Protection Agreement (DPA) that it will execute for any customer requiring a DPA under GDPR.

Privacy Shield Framework

Files.com is self-certified under the Privacy Shield framework.

The Files.com Privacy Shield Self-Certification can be viewed hereExternal LinkThis link leads to an external website and will open in a new tab.

Payment Card Industry (PCI)

All credit card information provided to us by our customers is stored in a highly secure, PCI-compliant system by our payment vendors Braintree Payment SolutionsExternal LinkThis link leads to an external website and will open in a new tab and PayPalExternal LinkThis link leads to an external website and will open in a new tab.

PCI is the Payment Card Industry standard for cardholder data security. Our billing and signup processes are also PCI-compliant.

ISO 27001

ISO 27001 is a framework governing information security. Files.com is not currently ISO 27001 certified, however, we plan to complete an ISO 27001 certification in the future.

Files.com's Information Security Program ("InfoSec Program") is based on SSAE-18 SOC 2 and COBIT 5 Framework and covers the Files.com platform and our company as a whole.

Files.com has participated in multiple SOC 2 engagements with Kirkpatrick Price which were successfully completed. Please reference our latest SOC 2 report for more details.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian federal data privacy law that governs the collection, use, and disclosure of personal information in the course of commercial business within Canada, including international and interprovincial transfers of personal information.

The law applies in all provinces, except for those that have substantially similar privacy laws.

Customers are responsible for determining the application of PIPEDA and complying with it, however, Files.com has numerous settings and features to assist with that compliance.

National Defense Authorization Act Section 889 (NDAA Section 889)

Files.com is compliant with NDAA Section 889.

Section 889 of the 2019 National Defense Authorization Act (NDAA) prohibits US federal government agencies, contractors, and grant and loan recipients from using or procuring certain covered telecommunications, video, or surveillance equipment or services. Such covered equipment or services are those from specific companies, including their subsidiaries and affiliates.

Federal Risk and Authorization Management Program (FedRAMP)

The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide parameters for the adoption and use of cloud services by the federal government.

Files.com is not FedRAMP authorized.

We have, however, successfully completed multiple SOC 2 audits; please reference our latest SOC 2 report for more details.

FIPS 140-3

FIPS 140-3, which replaced FIPS 140-2, is required under multiple compliance regimes, such as Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act of 2002 (FISMA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Files.com is planning to launch FIPS 140-3 compliant endpoints in 2025.

Americans with Disabilities Act (ADA) and Voluntary Product Accessibility Template (VPAT)

Files.com is proud to be compliant with the Americans with Disabilities Act (ADA).

We understand the importance of accessibility and are committed to ensuring that our platform is accessible to all users, including those with disabilities.

As part of this commitment, we have prepared an audited Voluntary Product Accessibility Template (VPAT) report based on the Web Content Accessibility Guidelines (WCAG).

Contact your Account Executive or Customer Support to obtain the latest VPAT report.

GxP and Food and Drug Administration (FDA) 21 CFR Part 11

GxP and related acronyms refer to regulations and quality guidelines in the life sciences industry maintained by the Food and Drug Administration (FDA) in the United States and similar organizations in other countries. These acronyms stand for "Good [x] Practices", such as Good Manufacturing Practices (GMP), Good Laboratory Practices (GLP), etc.

21 CFR Part 11 refers to part 11 of Title 21 of the Code of Federal Regulations, which is a regulatory document about Electronic Records and Electronic Signatures.

Files.com provides tools and controls that allow Files.com to be used within organizations that are complying with FDA 21 CFR Part 11, however proper controls, configuration, and validation of the configuration are the responsibility of the customer.

Please refer to the Files.com Shared Responsibility Model for more information.

Information Commissioner's Office (ICO) Registration

The ICO is the UK's independent body with a mission of upholding information rights for UK citizens. Subject to some limited exemptions, organizations processing personal information and operating out of the UK must register with the ICO and pay a data protection fee.

FIles.com does not have a place of business in the UK, nor regularly carries out business from within the UK, and therefore is not required to register with the ICO.

Files.com offers a pre-written and pre-approved Data Protection Agreement (DPA) that it will execute for any customer requiring a DPA under the UK GDPR/Data Protection Act 2018.

Other Compliance Frameworks

Files.com actively reviews the landscape of compliance frameworks and audit regimes. If your organization has a specific certification or compliance need, please reach out to us, and we are happy to explore the opportunity.

Get Instant Access to Files.com

The button below will take you to our Free Trial signup page. Click on the white "Start My Free Trial" button, then fill out the short form on the next page. Your account will be activated instantly. You can dive in and start yourself or let us help. The choice is yours.