Encryption & Network Security
Infrastructure Controls are reviewed as part of the SOC 2 Audit process. Files.com InfoSec Program documentation includes proprietary information and is not provided to customers. Please reference our latest SOC 2 report for more details.
Customer Data Encryption
Files.com provides encryption for data in motion and at rest.
We support 2048-bit SSL encryption for all inbound and outbound FTP and HTTP connections as well as modern SSH encryption for inbound and outbound SFTP connections.
Files.com uses SSL for encrypted data in transit, which also includes support for TLS. TLS is an improved version of SSL; it works in much the same way as SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry.
For HTTP (web workspace) connections, SSL encryption (https://) is required for all connections. If a user attempts to connect to the web workspace via unsecured HTTP (http://), we will automatically redirect them to the secure HTTP address (https://).
For FTP (file transfer protocol) connections via port 990, 2048-bit SSL encryption is supported and required on all connections.
For FTP (file transfer protocol) connections via port 21, 2048-bit SSL encryption is supported and required by default. You may configure your account to allow insecure FTP connections by setting an option.
Customers initiate upload and download processes, utilizing the method and protocol which matches their needs. Please refer to the Files.com Shared Responsibility Model for more information.
File contents (including backups) are encrypted at rest using AES-256 with all keys stored in a key-management escrow service operated by AWS.
All access and authentication credentials are stored in an encrypted state, using AES-256 and a random initialization vector. These items include:
- Storage Access Keys and Secrets (AWS S3, Azure Blob, Google Cloud Storage, etc.)
- SMTP passwords
- Active Directory / LDAP passwords
- SSL Certificate Private Keys
- PGP / GPG Private Keys
Custom SSL certificates are provided for free to customers who use their own Custom Domain, or they are free to provide their own from their vendor of choice.
Customers on the Power, Premier, and Enterprise plans can choose to utilize their own GPG encryption keys to provide an extra layer of customer-controlled encryption on a per-folder basis.
Internal Encryption Key / Secrets Management
Files.com utilizes the Hashicorp Vault system for encryption key and secrets management.
Inbound / Outbound Customer Connectivity
Customers initiate upload and download processes, utilizing the method and protocol which matches their needs. Please refer to the Files.com Shared Responsibility Model for more information.
Files.com by default makes no remote connection to customers' system(s). Customers may choose to utilize features such as LDAP/SSO, remote sync/mounts, webhooks, etc. which make a remote connection to customers' system(s). Feature(s) configuration is the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Network Security / Firewalls / Intrusion Detection / Intrusion Protection / Web Application Firewall
Our servers are kept behind a firewall (configured in a default deny mode) and only the ports necessary for operation are exposed to the public Internet. We use sophisticated internal firewall technology to segment our internal network into highly specific zones. Specific technologies used include AWS Security Groups, AWS VPC, and Terraform.
We use appropriate Intrusion Detection, Intrusion Protection and Web Application Firewall (WAF) systems as part of our Infrastructure and Network Controls. Specific technologies used include AWS GuardDuty and ModSecurity.
Most internal systems are blocked from outbound internet access; however, there are a few exceptions. For example, the mount and sync systems are required to connect to other remote storage systems across the internet, the file transfer systems require outbound internet access, etc. A managed file transfer platform must be able to push files outbound to other systems. Whenever possible, these connections are made using proxy servers.
Brute Force Protection
Brute Force Protection is covered as part of Intrusion Detection and Intrusion Protection.
Files.com employs appropriate Intrusion Detection and Intrusion Protection systems as part of our Application, Infrastructure, and Network Controls. Specific technologies used include AWS GuardDuty and ModSecurity.
Infrastructure and Network Controls are reviewed as part of the SOC 2 Audit process. Additionally, these topics are heavily covered during our Penetration Testing and Bug Bounty programs.
Virus Scanning / Malware Protection / File Integrity Monitoring (FIM)
Files stored in Files.com are not scanned for malware or viruses.
End user controls are the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Company laptops at Files.com have appropriate virus scanning and malware protection software (CrowdStrike Falcon) installed and configured. Servers are protected through the use of AWS GuardDuty Malware protection services, which have automated alerting. Wazuh agents on all internal servers perform automated FIM scanning and report any changes to installed software and configuration to a central alerting dashboard, which is monitored.
Email and Web Content Scanning
Neither customer data nor emails sent from the Files.com platform are scanned for malware, viruses, or sensitive information. The internal employee email system scans for malware and viruses, and has spam filters in place with TLS encryption enabled.
End user controls are the responsibility of the customer. Please refer to the Files.com Shared Responsibility Model for more information.
Internal servers and workstations at Files.com have appropriate virus scanning and malware protection software installed and configured.