
Data Privacy & Customer Data

Files.com is not in a position to know what data you are storing in the platform. This understanding and proper data governance is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Files.com (the company) has procedures to identify and label data that is Confidential, Protected, Sensitive and Public.

Data Governance oversight functions are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.

Customer Data Separation

Files.com is a multi-tenant Software as a Service (SaaS) and logically separates all customer data.

Employee / Contractor Access To Customer Data

Files.com Customer Support and Engineering staff can access information related to configuration, logs, and file metadata (but not file contents) for the purpose of troubleshooting and ensuring system stability.

Most Files.com staff do not have access to passwords, file contents, passwords to remote servers, or other secure data. This data is stored safely in our production systems. Only senior Files.com Engineering and Infrastructure staff have "root" access to production systems that could allow them to access this information more directly. These staff are all full-time USA-based employees who have passed background/references/certification checks, have all signed agreements to honor the Files.com Privacy Policy, and are subject to termination and other penalties in the event of any inappropriate actions. Additionally, unless otherwise approved by the CTO, staff will be employed by Files.com for at least one year before being given "root" access to production systems. Any direct access to servers is logged.

Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per-folder basis.

Customer Data Classification / Data Handling

Files.com is not in a position to know what data you are storing in the platform. This understanding and proper data classification/data handling is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Customer Data Storage

We store all the actual contents of customer files in Amazon S3 (Simple Storage Service). Amazon S3 provides a highly durable storage infrastructure designed for mission-critical and primary data storage.

Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region. Once stored, Amazon S3 maintains the durability of your objects by quickly detecting and repairing any lost redundancy.

Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.

We save backups of files that are deleted and retain such backups for a period of time that is customizable by you. Our support staff is able to restore deleted files directly back to your account.

Files.com allows customers to choose where their data is stored. Files.com has customers worldwide, and multiple geographic locations are available to support each customer. You can even use several data storage locations within the same account on certain plans. Files.com does not support utilizing physical media for bulk uploads.

For speed acceleration purposes, data will typically pass through the region closest to a user before being ultimately stored in the region that was selected for storage. For example, if a user from Australia is uploading a file to a folder with a storage location of Germany, that data may be sent to our server location in Sydney (in transit) and then sent to our server location in Germany. You can disable this acceleration and ensure that the data is only ever sent to Germany (or whatever storage region you choose) by disabling our Global Acceleration feature.

Please refer to the Files.com Shared Responsibility Model for more information.

Customer Data Backups

We use Amazon Aurora for primary storage of customer metadata. Within Amazon Aurora, we operate multiple hot-backup servers across multiple availability zones.

We have Point-in-time Restore capabilities such that we are able to restore our database to its state at any given time in the past 7 days (such as immediately before a service disruption).

Additionally, we take full database snapshots and store them in Amazon S3 every 24 hours. These snapshots are retained for at least 7 days. Backups are audited as part of the Backup and Restoration Test Procedure.

We do not make backups of customer files other than the internal redundancy provided by Amazon S3. Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region. Once stored, Amazon S3 maintains the durability of your objects by quickly detecting and repairing any lost redundancy.

Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data.

Learn more on the AWS Compliance programs website.

Customer Data Retention After Cancellation

Files.com does not retain customer data once a customer cancels their account. Customer data is deleted within 7 days of receipt of customer cancellation notice or termination due to nonpayment.

Customer Data Retention After Deletion By Customer

Files.com provides world-class tools that allow customers to manage their accounts according to their own policy.

Customer Data Privacy

We use device identifiers (like cookies, beacons, Ad IDs, and IP addresses) to understand how people use the Files.com website and applications. We collect this information for any website visitor. We don't "sell" this information for money, but we do provide it to other companies such as Google and Facebook to help us market our services.

These device identifiers aren't what you might traditionally think of as personal information, like your name or phone number, and they don't directly identify you. Under the California Consumer Privacy Act ("CCPA"), this type of sharing may be considered "selling" of personal information.

Notwithstanding the foregoing, Files.com does not sell customer data or access or use customer data for any purpose other than providing the Files.com service to the customer. Files.com does not market directly to customers of our customers.

Files.com maintains a Privacy Policy. The Files.com Privacy Officer is our Chief Legal Counsel, Joseph Buszka. For any privacy-related inquiries, complaints, or questions, you can contact privacy@files.com.

Customer Data Logical Access Controls

Files.com provides world-class tools that allow the customer to manage their logical access according to their own policy.

Customers can choose to use local application user/group accounts supporting Role Based Access Control (RBAC) including multiple 2FA options, or provision, authenticate, and authorize users via LDAP, Active Directory, Azure, ADFS, Okta, OneLogin, Auth0, and many other identity providers.

Files.com platform access is managed by customers. Please refer to the Files.com Shared Responsibility Model for more information.

Content Scanning or DLP of Customer Data

Files.com is not in a position to know what data you are storing in the platform and does not read the contents of customer data for the purpose of detecting private information, copyrighted information, PII, PHI, etc.

Files.com eventually plans to allow customers to integrate their own DLP services into the Files.com system for content classification. If this capability would be of interest to you, please let us know.

Please refer to the Files.com Shared Responsibility Model for more information.

Customer History / Logging

Files.com maintains a comprehensive audit log of who, what, when, where and how your files are modified. This makes it easy to see exactly who is reading, changing, or deleting your files.

The following information is included in each history log entry:

| Column | Contents |
| --- | --- |
| Time | The date and time the action occurred, displayed in the time zone of the current user. |
| User | The user who performed the action. |
| Description | The action that was taken, and the file or folder the action was taken on. |
| IP | The IP address that the user connected from when performing this action. |
| Interface | The interface through which the user performed the action (Web, API, Desktop, FTP, SFTP, WebDAV, Robot). |

Please reference the History Feature documentation for more detailed information.

The Files.com interface and API offer customers powerful search and export functionality for application logs. These logs are retained for a minimum of 7 years. If you would like to have these logs retained for a shorter period of time, please contact us.

The Files.com API and Command Line (CLI) app allow customers to export site settings information such as a user/group/folder permissions matrix.

End user logging is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.

Customer Data Portability

Files.com believes that data portability is an important goal. We only want to retain your business if we continue to earn it each and every day, and will never hold your data hostage. You can use our APIs and Command Line Interface app (CLI) to export all of your settings and data at any time. Additionally, you can use our File transfer and sync tools to transfer out your files at any time.

Files.com does not support the bulk import/export of data from/to portable media from any data center.

Please note that Files.com does not support the ability to export or retrieve user/counterparty credentials such as Passwords and Private Keys. Passwords are stored in a proprietary salted encrypted format based on PKCS5 and PBKDF2 with SHA-512 (part of the SHA-2 family) used internally as the underlying hash algorithm.

Data Classification / Data Retention

Files.com classifies all information assets into Confidential, Protected, Sensitive and Public categories, and uses those classification levels to ensure appropriate administrative, physical and logical controls are in place and an asset owner is identified. At no time will Confidential, Protected or Sensitive information be sent through the corporate email system. These classification levels are reviewed at least annually to ensure compliance with all Legal, Regulatory and Contractual obligations.

The Data Retention period of each information asset is identified to ensure compliance with all Legal, Regulatory and Contractual obligations. Data deletion occurs through automated or manual methods, and is audited at least quarterly to ensure compliance with the corresponding policies and procedures.

Internal Data Backups

Internal services are backed up in real time to a replica service wherever possible. Where that isn't possible, Files.com conducts daily backups of critical internal data, such as employee authentication data, etc. These backups are moved to multiple regions for redundancy.

Backups are verified and fire drill restorations are performed regularly on this sort of data.

Law Enforcement / Subpoena Disclosure Request

Files.com is not in a position to know what data you are storing in the platform and does not read the contents of customer data for the purpose of detecting private information, copyrighted information, PII, PHI, etc.

If a request for disclosure by Law Enforcement Authorities or a subpoena is received, Files.com will notify impacted customers using an official contact method on file, subject to any applicable laws and regulations.
