ShareFile Security Overview

ShareFile Company Policy

All ShareFile employees undergo full background checks and sign our information security policy prior to beginning employment with the company. The handbook includes an agreement to maintain the privacy and security of account information. Account information and support functions are accessible only from the IP address of ShareFile's physical office locations.

Company policy prohibits employees from accessing accounts or client data except where they have been expressly granted permission by an account administrator for the purpose of support. Any logins or activity by ShareFile Support will be logged in the account activity reports and available for review by account administrators.

Servers and Storage Security

Files are stored on servers maintained by Amazon Web Services in multiple locations in the United States, Europe, Asia, and South America. A customer's files are generally stored at the server location that is geographically nearest to the administrator and backed up in North Carolina. Contact your ShareFile representative if you require custom geographical storage requirements.

All data centers containing ShareFile servers are SSAE-16 (formerly SAS 70 Type II) compliant, proving that they meet high standards for security. Statements of Compliance (SOC-1) reports are available for your review provided you sign the requisite Non-Disclosure Agreements (NDAs). Physical access is tightly controlled, and double verification is required to proceed to any areas housing data.

Our servers are firewall protected and regularly updated to ensure that all of the latest security patches and updates are in place. On Professional and Enterprise plans, files are stored with 128-bit RC4 encryption, and this can also be enabled for Basic plans for an additional monthly fee.

In case of disaster, ShareFile has multiple backup strategies in place to protect against loss of data. Files are frequently backed up to a disaster recovery data center, and mirrored in real time to a secondary server location to ensure that service can be quickly resumed in the case of a disruption at an account's primary server location.

Encryption

Encryption is a method for transforming data, either in transit or in storage, so that it requires permission to access. The data is transformed (encrypted) using an algorithm that generates a decryption key which must be used in order to decrypt the data. When transferring sensitive files, it is important to use encryption to ensure that outside sources cannot read the data contained within the files.

Encryption of Data in Transit

All file transfers through the ShareFile service are encrypted using 256-bit SSL (Secure Sockets Layer). This is the same security used by banks and many e-commerce sites such as Amazon.com. SSL works by establishing a private connection, and each end of the connection is authenticated before transfer begins. Data traveling between these endpoints can only be decrypted by the intended recipient by using unique decryption keys.

Encryption of Data at Rest

Files uploaded to ShareFile servers are saved with 128-bit RC4 encryption. Each file saved in our system has a unique encryption key. When a file is uploaded, it is encrypted before being copied to its permanent storage location. Downloaded files are decrypted before their contents are sent to your browser. The file encryption keys are not stored on the same server with the files themselves, ensuring that someone with physical access to our storage servers has no access to the files contained on their hard drives.

Note: Stored File Encryption is included on Professional, Enterprise, Enterprise Gold, and VDR plans and can be added to a Basic account for an additional monthly fee.

Secure User Access

Each user on an account is given a unique username and password to log in. Passwords are hashed using 128-bit MD5 so that not even ShareFile employees can access this information. If a user enters an incorrect password five times in a row, the system will lock that user account for five minutes before they can log in again.

ShareFile account users will only see folders where they have been granted permissions and are listed in the Folder Access list. Folders where they have not been granted permissions will be invisible to them in the folder view and on any reports that they can access. By default, client users do not have access to information about other users on the account.

All activity in an account is logged and available to employee users who have access to the Reporting section. Reports can include activities (such as logins, downloads, deletions, etc.), storage contents, and user access audits. Professional and Enterprise accounts also allow users to run recurring reports at certain intervals and to request email notifications whenever a new report is created automatically.

On the Basic and Professional plans, usage reports can include data for the last 90 days. Enterprise and Enterprise Gold accounts can retrieve data for the life of the account.

Note: The policy to save data older than 90 days for Enterprise and Enterprise Gold accounts was put in place in fall 2009. Activity before this time may not be available.

Safe Harbor Policy

ShareFile is certified under the U.S. Department of Commerce's Safe Harbor program: http://export.gov/safeharbor

See the excerpt below:

"The European Commission's Directive on Data Protection went into effect in October of 1998, and would prohibit the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a "Safe Harbor" framework and this website to provide the information an organization should need to evaluate - and then join - the Safe Harbor"

Secure and Standard File Transfer Protocol (FTPS/FTP)

You can connect to your account using an FTP client such as WS-FTP or FileZilla. FTP Access allows you to connect to your ShareFile account and upload and download using a typical FTP client, which is useful if you have clients already familiar with FTP, or business processes scheduled to run over FTP. Your ShareFile administrators can enable or disable FTP as required by your policy.

FTPS Access allows you to use FTP with SSL/TLS encryption, for an extra layer of security. If FTPS is enabled but regular FTP Access is disabled, you can ensure that transfers over FTP will always be encrypted. Note: Connections using FTPS should be made using 'Implicit SSL/TLS' mode over Port 990. ShareFile is compatible with most well-known FTP clients and supports Windows and Mac. This means you can connect to your ShareFile account using an FTP program. You

Account Wide Password Policy

Configurable settings include:

- Password expiration
- Password history
- Minimum length
- Password complexity

Password complexity requirements force users to choose personal passwords that match a certain set of rules, allowing the administrator to require passwords that conform to the entity's security requirements (see Figure 2).

Figure 2: Manage ShareFile Password Policy

File Retention Policy

Administrators have the ability to retain files indefinitely or delete after 1, 7, 14, 30, 60, 90 days, 6 months, 1 year, or after 2 years.

Internet Protocol (IP) Address Restrictions

IP restrictions can be put in place to restrict use of an account to users logging in from certain IP addresses. These restrictions can be set to allow or deny certain IP ranges for employee logins, client logins, and/or recipient of send/request operations. By default, IP restrictions are not enabled. To implement IP restrictions, contact a ShareFile representative.

Distribution Groups

ShareFile provides the administrator with the capability to create, manage, and delete distribution groups. To delete distribution groups, place check marks next to the groups that you would like to delete and click the 'Delete Selected Groups' button. To add or remove members from a group, click the group name.

Single sign-on / SAML 2.0 Configuration

ShareFile supports single sign-on via Security Assertion Markup Language (SAML) 2.0 assertions. SAML is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML 2.0 introduced a number of features not available in previous versions of the specification.

ShareFile requires SAML assertions to include a NameID in the format emailaddress.

Assertion Consumer Service (ACS) URL: https://.sharefile.com/saml/acs

SP-Initiated Login URL: https://.sharefile.com/saml/login

Identity providers include Microsoft ADFS (Active Directory Federation Services), Ping Identity, PingFederate, IBM Tivoli Access Manager, and CA SiteMinder.
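
An added example, not ShareFile's code: an offline pre-flight check an identity provider administrator could run on a captured test response to confirm the NameID requirement above before enabling single sign-on. It assumes "emailaddress" means the standard SAML `emailAddress` NameID format URN, also checks the bearer Recipient against the ACS URL (required by the SAML Web SSO profile, not stated on this page), and uses a placeholder subdomain `example` with a constructed sample response.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard SAML URN, assumed to be what the page calls the "emailaddress" format.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Constructed ACS URL; "example" is a placeholder subdomain, not a real account.
ACS_URL = "https://example.sharefile.com/saml/acs"

def check_response(xml_text, acs_url=ACS_URL):
    """Return a list of problems in a captured test Response (empty list = OK).
    Structural pre-flight only: no signature or timestamp validation."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly 1 Assertion, found {len(assertions)}"]
    subject = assertions[0].find("saml:Subject", NS)
    name_id = subject.find("saml:NameID", NS) if subject is not None else None
    if name_id is None:
        return ["Subject/NameID is missing"]
    problems = []
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}")
    if not EMAIL_RE.match((name_id.text or "").strip()):
        problems.append("NameID value is not an e-mail address")
    data = subject.find("saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    return problems

def sample_response(fmt, value, recipient=ACS_URL):
    """Constructed, heavily trimmed Response for offline testing."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:Subject>
  <saml:NameID Format="{fmt}">{value}</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="{recipient}"/>
  </saml:SubjectConfirmation>
 </saml:Subject></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    unspecified = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    print(check_response(sample_response(EMAIL_FORMAT, "alice@example.com")))
    print(check_response(sample_response(unspecified, "CORP\\alice")))
```

A NameID sent in the `unspecified` format carrying a Windows account name is the kind of mismatch this check reports; the fix belongs in the identity provider's claim mapping.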