Security & Compliance
Military-grade encryption and industry-leading security practices protect your team's files
AES-256-GCM
Military-grade encryption used by governments worldwide
Zero-Knowledge
End-to-end encryption ensures we can't read your files
Compliant
GDPR, CCPA, and HIPAA-compatible encryption
Encryption Standards
AES-256-GCM Algorithm
FileShare uses Advanced Encryption Standard (AES) with 256-bit keys in Galois/Counter Mode (GCM), the same encryption standard trusted by governments, military, and financial institutions worldwide.
Technical Specifications
- 256-bit keys: 2^256 possible combinations (practically unbreakable)
- Authenticated encryption: GCM mode provides both confidentiality and integrity
- NIST approved: Federal Information Processing Standard (FIPS 197)
- Forward secrecy: Compromising one key doesn't affect other encrypted files
Security Benefits
- Resistant to brute-force attacks
- Protects against tampering and modification
- Fast encryption/decryption performance
- Industry standard with proven security record
End-to-End Encryption (E2E-AES-256-GCM)
Files are encrypted on your device before upload. Only you and authorized team members with the encryption keys can decrypt them.
When to use:
- Healthcare records (HIPAA compliance required)
- Legal client documents (attorney-client privilege)
- Financial data and trade secrets
- Any data where maximum privacy is critical
Zero-Knowledge Architecture
Even with legal compulsion, FileShare cannot decrypt your E2E files because we never have access to your encryption keys.
Server-Side Encryption (AES-256-GCM)
Files are encrypted after upload using keys managed by FileShare. Enables advanced features like shareable links.
When to use:
- Team collaboration and file sharing
- Creating time-limited download links
- Marketing assets and public-facing files
- General business documents
Balanced Security
Files are still encrypted at rest with AES-256-GCM. FileShare has technical access to decrypt for service features but implements strict internal access controls.
Comprehensive Data Protection
Encryption at Rest
All files stored in our database are encrypted with AES-256-GCM. Database backups are also encrypted with separate keys for defense in depth.
Encryption in Transit
All data transmitted between your device and our servers uses TLS 1.3 encryption. This prevents man-in-the-middle attacks and eavesdropping.
Secure Key Management
Encryption keys are stored separately from data, with regular key rotation. E2E encryption keys never leave your devices. Server-side keys are protected with hardware security modules (HSM).
Encrypted Backups
Regular automated backups with geographic redundancy. All backups are encrypted and tested regularly for reliability. Retention period: 90 days.
Compliance & Standards
GDPR Compliant
Full compliance with the European Union's General Data Protection Regulation for all EU customers.
- Right to access and data portability
- Right to be forgotten (account deletion)
- Data processing transparency
- Privacy by design and default
CCPA Compliant
Compliant with the California Consumer Privacy Act for all California residents.
- Right to know what data is collected
- Right to delete personal information
- We do not sell personal information
- Non-discrimination for privacy rights
SOC 2 Type II
Currently undergoing SOC 2 Type II certification for security, availability, and confidentiality.
- Security controls audit
- Data availability verification
- Confidentiality assessment
- Expected completion: Q2 2026
HIPAA Compatible
End-to-end encryption mode is designed to meet HIPAA requirements for healthcare organizations.
- PHI encryption at rest and in transit
- Access controls and audit logs
- Business Associate Agreement (BAA) available
- ⚠ Requires E2E encryption mode for PHI
Infrastructure Security
DDoS Protection
Multi-layered DDoS mitigation protects against volumetric attacks, ensuring service availability even under attack conditions.
Firewall & Access Control
Strict firewall rules limit access to only necessary ports. All administrative access requires multi-factor authentication and is logged.
Monitoring & Alerts
24/7 intrusion detection with real-time alerts. Security operations team responds to anomalies immediately.
Regular Audits
Quarterly security audits and annual penetration testing by third-party security firms to identify and remediate vulnerabilities.
Incident Response
Documented incident response procedures with defined escalation paths. Security incidents are reported to affected users within 72 hours.
Secure Development
Security-first development lifecycle with code reviews, automated security scanning, and vulnerability management.
Security Best Practices for Users
While FileShare implements industry-leading security, you play a critical role in protecting your data. Follow these best practices:
1. Use E2E Encryption for Sensitive Files
Always use end-to-end encryption for healthcare records, legal documents, financial data, or any files containing personally identifiable information (PII).
2. Strong Passwords
Use passwords with at least 12 characters including uppercase, lowercase, numbers, and special characters. Consider using a password manager.
3. Regular Password Rotation
Change your password every 90 days. Never reuse passwords across different services.
4. Review Audit Logs
Configurators should regularly review audit logs for unusual access patterns or unauthorized activity.
5. Limit Share Link Duration
Use the shortest necessary expiration time for share links. Single-use links (1 download) provide maximum security.
6. Role-Based Access
Grant users the minimum role necessary for their responsibilities. Not everyone needs Configurator access.
Responsible Security Disclosure
We value the security research community and welcome responsible disclosure of potential vulnerabilities.
Report Security Issues:
Email: security@fileshare.example.com
PGP Key: Available upon request
What to Expect:
- Response within 48 hours
- Public acknowledgment (if desired)
- Coordinated disclosure timeline
We do not currently offer a bug bounty program but deeply appreciate responsible disclosure.
Questions about our security?
Our security team is available to answer questions about our encryption, compliance, or infrastructure.