Compliance and Security

At SmartFile, we are committed to excellence in all aspects of our company and our platform. We have invested heavily in our internal controls and internal processes around security and compliance, and we are proud to share the details of our programs here. The information below covers the cloud-hosted version of SmartFile.

It is our hope that you can use the information on this page to complete any security or compliance questionnaires that may be applicable to your use of SmartFile.

Company / Platform Description

SmartFile is a Secure File Sharing & Transfer Solution for Business and Enterprise. The perfect blend of simplicity for users and control for IT.

Company Structure, Names, History, and Expertise

SmartFile is operated by Orange Platform LLC. Our company was founded in 2008, giving us well over a decade of experience in the managed file transfer business. Our leadership team collectively has over 100 years of experience in the technology industry.

Company Financial Security

SmartFile is well capitalized, profitable, and growing, with a working capital buffer sufficient to support operations in the event of a variety of contingencies identified in the risk management process. We have reviewed banking system risks as part of the risk management process.

Risk Management is reviewed as part of the internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Employee Count

As a matter of policy, SmartFile does not provide its employee count.

Customer Retention Rates

SmartFile does not share customer retention rates.

Support Contact

Customers may contact the SmartFile Customer Support team by phone at (510) 956-3342 or by email at support@smartfile.com.

Customer Training

Although SmartFile offers unlimited access to our Customer Support team, we do not include a formal training program with the service. Universally, our customers find SmartFile easy to learn, and our documentation for both end users and administrators is very comprehensive. Additionally, our Sales Engineers are happy to help with proof of concept, testing, and validation during the pre-sales phase.

As a matter of policy, SmartFile does not comment on pending or recent legal matters, even if there are none.

Insurance

SmartFile has industry standard insurance policies in place.

As a matter of policy, we do not provide insurance certificates for customers.

Security Budget

SmartFile's internal budgetary data is confidential and proprietary, and therefore we do not provide it to customers.

W9 Form

The W-9 form is a U.S. tax form used to communicate the corporate structure and Tax ID number of a business. It is requested by customers and is not submitted to the IRS.

Click below to download the Form W-9 for Orange Platform LLC dba SmartFile.

Phone and Zoom Call Recordings

SmartFile uses Zoom for its phone and video conferencing system. Phone and video calls may be recorded for training and review purposes. If a phone or video call is being recorded, you will be notified of the recording and given the opportunity to disconnect. Recordings are retained for a maximum of six months.

Information Security Program

SmartFile's Information Security Program ("InfoSec Program") is based on the SSAE-18 SOC 2 and COBIT 5 frameworks and covers the SmartFile platform and our company as a whole.

The InfoSec Program is designed to support the business objectives, security requirements (IAM, encryption, monitoring, etc.) and regulatory/compliance obligations, and is audited internally on a continual basis. The roles and responsibilities are clearly defined and communicated throughout the entire organization, and are available on the internal company intranet site.

Customer Information Security Program

SmartFile provides world class tools that enable customers to manage their Information Security Program according to their unique business objectives, security requirements and regulatory/compliance obligations.

Customers are responsible for their own InfoSec Program. Please refer to the SmartFile Shared Responsibility Model for more information.

Information Security Team

SmartFile maintains a Security team dedicated to Information Security.

The Chief Information Security Officer is Sean E. Smith, HCISPP, CISM, CISSP, who is a member of (ISC)², ISACA, CSA and InfraGard, and regularly participates in continuing education and awareness updates to keep abreast of the changing information security landscape.

The Security team, which benefits from the participation of people throughout the organization, is represented in all architecture and project management efforts.

Information Security and Privacy Training

Employees and internal contractors receive training on the Information Security Program (which includes the Acceptable Use Policy, Work From Home Policy, etc.) and on Privacy as part of the Onboarding process, and receive refresher training at least annually.

Security Training is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Internal Information Security documentation, such as policies, procedures, standards, guidelines and baselines

SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

These documents include but are not limited to: Admin Access Reset Policy, Antivirus Policy, Asset Management Policy, Automated Network Drawings Procedures, Backup Policy, Backup/Restoration Test Procedures, Business Continuity Plan, Business Impact Analysis, Change Management Policy/Procedures, Data Breach Policy/Handling Procedures, Data Classification Policy/Listing, Data Retention Policy/Procedures, Document/Record Control Procedures, Employee Onboarding/Offboarding Policy/Procedures, Encryption Key Management Policy/Procedures, Incident Handling Policy/Management Plan/Identification Guideline/Alert Procedures, Information Security Policy (includes the Acceptable Use Policy), Laptop/Media Destruction Policy/Procedures, Network Monitoring Policy/Procedures, Penetration Testing Policy/Procedures, Phish Program Policy/Procedures, Risk Assessment/Risk Treatment Policy/Procedures, Risk Matrix, System Configuration Security Policy/Procedures, Vendor Management Policy/Procedures, Vulnerability Management Policy/Procedures.

Past Breaches

SmartFile has not been breached. No SmartFile vendor has suffered a data loss or security breach that has impacted SmartFile.

SmartFile has not experienced a DDoS event.

Breach Notification

In the unlikely event of a breach, SmartFile will notify impacted customers using an official contact method on file, subject to any applicable laws and regulations.

Incident Management and Notification are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Incident Management Program

SmartFile has an Incident Management Program that includes an Incident Handling Policy, Incident Identification Guideline, Incident Alert Procedure, Incident Management Plan and an Incident Management Team. Incident Response is one phase of the Incident Management Plan. Employees and internal contractors receive training on the Incident Management Program as part of the Onboarding process and receive refresher training at least annually. The Incident Management Team receives more in-depth training specific to its roles and responsibilities and receives refresher training at least annually.

SmartFile has never suffered a breach, though Incident Management is regularly invoked for smaller incidents, such as customer-impacting availability issues. SmartFile conducts regular tests and applies the lessons learned to improve the Incident Management Program. All incidents are tracked and documented, including the root cause and any additional required remediation.

SmartFile is often able to provide an Incident Report on specific incidents when requested by customers.

Incident Management is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Evidence Collection

SmartFile handles evidence identification and collection as part of the Incident Management Program.

Business Continuity / Disaster Recovery - Service Operations

SmartFile is designed for continuity of function in a variety of disaster scenarios.

SmartFile conducts regular tests of its Business Continuity and Disaster Recovery procedures (including ransomware testing) at least annually. Results of testing are reviewed by senior management as part of the Risk Management Program.

As part of its Business Continuity Planning, SmartFile maintains a list of alternate vendors who could replace key vendors if a key vendor were to become unusable for any reason. Based upon a Risk Assessment, SmartFile does not currently believe there to be a material risk of this in any of its key vendors.

SmartFile does not share the results of Business Continuity / Disaster Recovery testing; however, Business Continuity (including testing) is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Business Continuity - People / Company Operations

SmartFile is designed for continuity of function in a variety of disaster scenarios.

SmartFile demonstrated during COVID-19 an ability to operate successfully with a fully remote workforce for an extended period of time.

SmartFile also has a management continuity plan.

Business Continuity (including testing) is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Recovery Time Objective and Recovery Point Objectives

SmartFile maintains different internal Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for different components of the SmartFile service offering. These timeframes are derived from the Business Impact Analysis (BIA) process which is reviewed at least semi-annually.

The BIA process, RTO and RPO are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Infrastructure Monitoring and Application Monitoring

SmartFile has extensive infrastructure and application monitoring capabilities. Technologies used for monitoring include PagerDuty, Sensu, Sentry, and more.

Our monitoring systems page and alert our Incident Management Team under a number of different scenarios. Our Incident Management Team responds immediately to these alerts.

Infrastructure and Application Monitoring are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Vendor Risk Management Program

SmartFile has a Vendor Risk Management program in place, which is part of the larger Risk Management Program. Vendors deemed Critical to the organization have their security documentation reviewed at least annually. Vendor Risk Management is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Data Governance

SmartFile is not in a position to know what data you are storing in the platform. This understanding and proper data governance is the responsibility of the customer. Please refer to the SmartFile Shared Responsibility Model for more information.

SmartFile (the company) has procedures to identify and label data that is Confidential, Protected, Sensitive and Public.

Data Governance oversight functions are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Governance Oversight

SmartFile (the company) is managed by a six-person board of directors which exercises regular oversight over the operations of the company. The board consists of representatives from affiliates of Riverwood Capital as well as other entities that have ownership in the company.

Governance oversight functions are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Asset Management

SmartFile has an Asset Management program in place which includes semi-annual review/update of the Software and Hardware Assets listings. The asset listings are a basis of the Risk Management Program.

Asset Management is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Change Management

SmartFile has a detailed Change Management process in place, which includes pre-production testing and independent approval of changes. All changes to the system are logged and applied through strict processes which include role-based logical access restrictions on deployment to production. All SmartFile (the company) assets are covered by Change Management processes, including audit review on at least a quarterly basis to ensure compliance with existing processes and identification of any process changes.

Change Management is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Systems / Software Acquisition

All new systems/software requested for use must follow an established approval process. Once approved, software follows all standard processes and is deployed through Change Management.

Change Management is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Data Classification / Data Retention

SmartFile classifies all information assets into Confidential, Protected, Sensitive and Public categories, and uses those classification levels to ensure appropriate administrative, physical and logical controls are in place and an asset owner is identified. At no time will Confidential, Protected or Sensitive information be sent through the corporate email system. These classification levels are reviewed at least annually to ensure compliance with all Legal, Regulatory and Contractual obligations.

The Data Retention periods of information assets are identified to ensure compliance with all Legal, Regulatory and Contractual obligations. Data deletion occurs through automated or manual methods, and is audited at least quarterly to ensure compliance with the corresponding policies and procedures.

Data Classification and Data Retention are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Configuration Management

SmartFile uses the Center for Internet Security (CIS) industry standard hardening guidelines (removing services not needed, managing all service accounts, changing default passwords, etc.) for configuring company systems and inclusion in all company baselines. All configuration changes are applied through existing Change Management processes, with appropriate logging and automated updates to the baselines.

Configuration Management is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Media Management

Company laptops are prevented from using external storage media (flash drives, external hard drives, etc.) through the Acceptable Use Policy and policy enforcement via Mobile Device Management (MDM) software.

Media Management is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Patch Management

We automatically install critical security updates as soon as possible using an automatic patch installation system. All configuration changes are applied through existing Change Management processes, with appropriate logging and automated updates to the baselines.

Many pieces of our infrastructure (such as databases and S3 storage) are managed directly by Amazon Web Services. Those updates are performed by Amazon, which is committed to installing critical security updates as quickly as possible.

Due to these continuous updates, it's not practical for us to provide specific lists of the internal software versions in use.

Patch Management is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Background and Credential Checks

SmartFile employees are pre-screened using a process that includes checking professional references, background, education and certification(s) prior to employment. All employees sign confidentiality agreements and undergo standardized security awareness training as part of the onboarding process.

Human Resource policies and procedures are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

SmartFile does not currently utilize internal contractors, but our policies dictate they would be subjected to the same reviews as employees prior to onboarding.

Employee Onboarding

SmartFile has a formal employee onboarding process that includes issuing unique identifiers to all employees appropriate to their job roles. All employees sign confidentiality agreements and undergo standardized security awareness training as part of the onboarding process.

Human Resource policies and procedures are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Employee Performance

Employee performance is regularly reviewed, including a formal performance review at least annually.

Employee Termination Process

SmartFile has an employee termination and offboarding process, which includes immediate removal of access to all systems. Nearly all internal systems require access to our VPN, access to which is removed immediately upon employee termination. As a matter of policy, SmartFile does not discuss employee terminations.

All company owned hardware devices are managed using Mobile Device Management (MDM), including managed software updates and remote wipe capability. Upon termination the device is rendered useless to the terminated employee and the laptop is returned.

Human Resource policies and procedures are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Employee and Contractor Disciplinary Policies

Discipline against employees and contractors is handled on a case-by-case basis depending on the facts and circumstances of any given incident. These outcomes can include termination.

Human Resource policies and procedures are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

System and Application Updates

SmartFile is a multi-tenant Software as a Service (SaaS) platform and utilizes a Continuous Integration/Continuous Deployment (CI/CD) development model which includes multiple production deployments during the day. These frequent changes preclude customer notification.

Every deployment updates the platform baseline that is used when adding new systems onto the platform.

As such, the whole system is covered by the Software Development Life Cycle (SDLC). Application development SDLC is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Licensing Model / Requesting Capacity Changes / Upgrades

SmartFile is a SaaS (Software-as-a-Service) offering and is priced using custom quotations based on your requirements. Quotations provide multi-year, annual or monthly pricing for a specific level of features, user/connection count, maximum number of API calls, and Transfer and Storage usage. Should you go over your allocated User/Connection Count, or Usage, we will automatically invoice you based on the additional usage.

All of the details are provided in the quotation, proposal, and/or order form, as appropriate.

To make changes to your User/connection count or Usage commitment, please contact your Account Executive. Changes are very easy to process and we are happy to help you upgrade at any time during your contract term.

Customer Data Separation

SmartFile is a multi-tenant Software as a Service (SaaS) and logically separates all customer data.

Customer Data Classification / Data Handling

SmartFile is not in a position to know what data you are storing in the platform. This understanding and proper data classification/data handling is the responsibility of the customer. Please refer to the SmartFile Shared Responsibility Model for more information.

Customer Data Privacy

We use device identifiers (like cookies, beacons, Ad IDs, and IP addresses) to understand how people use the SmartFile website and applications. We collect this information for any website visitor. We don't "sell" this information for money, but we do provide it to other companies such as Google and Facebook to help us market our services.

These device identifiers aren't what you might traditionally think of as personal information, like your name or phone number, and they don't directly identify you. Under the California Consumer Privacy Act ("CCPA"), this type of sharing may be considered "selling" of personal information.

Notwithstanding the foregoing, SmartFile does not sell customer data or access or use customer data for any purpose other than providing the SmartFile service to the customer. SmartFile does not market directly to customers of our customers.

For any privacy-related inquiries, complaints, or questions, you can contact legal@smartfile.com.

Customer Data Logical Access Controls

SmartFile provides world class tools that allow the customer to manage their logical access according to their own policy.

Customers can choose to use local application user/group accounts supporting Role Based Access Control (RBAC) including multiple 2FA options, or provision, authenticate, and authorize users via LDAP or Active Directory.

SmartFile platform access is managed by customers. Please refer to the SmartFile Shared Responsibility Model for more information.

Customer User Passwords and Security Capabilities

SmartFile provides world class tools that allow the customer to manage their logical access according to their own policy. SmartFile platform access is managed by customers.

Customers can choose to use local application user/group accounts supporting Role Based Access Control (RBAC) including multiple 2FA options, or provision, authenticate, and authorize users via LDAP or Active Directory.

API access requires the use of keys.

Please reference the SmartFile documentation for more detailed information.

End user security configuration is the responsibility of the customer. Please refer to the SmartFile Shared Responsibility Model for more information.

Customer User Login / Provisioning / Customer use of Single Sign On

SmartFile supports, but does not require, LDAP and Active Directory for customers to implement Single Sign On and automatic user provisioning.

Please reference the SmartFile documentation for more detailed information.

End user security configuration is the responsibility of the customer. Please refer to the SmartFile Shared Responsibility Model for more information.

Two Factor Authentication (2FA) / Multi Factor Authentication (MFA)

SmartFile offers a variety of 2FA/MFA options. Alternatively, customers may provision, authenticate, and authorize users via LDAP or Active Directory. Please reference the SmartFile documentation for more detailed information.

End user security configuration is the responsibility of the customer. Please refer to the SmartFile Shared Responsibility Model for more information.

Internally, SmartFile (the company) uses hardware 2FA devices for all employee access to the SmartFile network and all internal applications used by employees.

Access Controls are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

API

SmartFile provides a REST API. Our API Documentation website lists the available endpoints, API authentication information, as well as links to download our SDKs.

Browser Requirements

SmartFile supports all modern browsers (Chrome, Firefox, Edge, etc.) that were released within the last 4 years. As with nearly all websites today, JavaScript and cookies are required.

We no longer support the use of Internet Explorer as it is no longer supported by Microsoft.

No browser plugins, such as Java or Silverlight, are required. Certain browser extensions, such as Zscaler, interfere with SmartFile and may need to be disabled.

Customer Data Encryption

SmartFile provides for data encrypted in motion and at rest.

We support 2048-bit SSL encryption for all inbound and outbound FTP and HTTP connections as well as modern SSH encryption for inbound and outbound SFTP connections.

SmartFile uses SSL for encrypting data in transit, which also includes support for TLS. TLS is the improved successor to SSL; it works in much the same way, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry.

For HTTP (web workspace) connections, SSL encryption (https://) is required for all connections. If a user attempts to connect to the web workspace via unsecured HTTP (http://), we will automatically redirect them to the secure HTTP address (https://).

For FTP (file transfer protocol) connections via port 990, 2048-bit SSL encryption is supported and required on all connections.

For FTP (file transfer protocol) connections via port 21, 2048-bit SSL encryption is supported and required by default. You may configure your account to allow insecure FTP connections by setting an option.

Customers initiate upload and download processes, utilizing the method and protocol which matches their needs. Please refer to the SmartFile Shared Responsibility Model for more information.

File contents (including backups) are encrypted at rest using AES-256.

Encryption baselines are managed as part of the overall Risk Management Program and reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Inbound / Outbound Customer Connectivity

Customers initiate upload and download processes, utilizing the method and protocol which matches their needs. Please refer to the SmartFile Shared Responsibility Model for more information.

Internal Logging / Log Recording and Retention

Internal access and operational logs are maintained on all underlying systems. These logs are retained in hot searchable format for a period of time and are then retained for a much longer period of time in cold storage. Additionally, SmartFile application logs are maintained for all file operations as well as settings changes and made available to customers in near real time.

End user logging is the responsibility of the customer. Please refer to the SmartFile Shared Responsibility Model for more information.

Internal access and operational logs as well as SmartFile application logs are "write once/read many", meaning that they are protected from tampering.

Logs are not regularly reviewed manually; however, we leverage automated tools, including Wazuh, as well as custom tools built by SmartFile, to search for and alert on anomalous activities found in logs.

Application Development, Data Retention and Logging are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Customer History / Logging

SmartFile maintains a comprehensive audit log of who, what, when, where and how your files are modified. This makes it easy to see exactly who is reading, changing, or deleting your files.

The following information may be included in each history log entry:

User Access

Connection Method

Location and IP Addresses

Time and Date Stamps

Shared Link Data

Folder and File Actions

Please reference the SmartFile documentation for more detailed information.

The SmartFile interface and API offer customers powerful search and export functionality for application logs. Logs can be exported in Syslog, CSV or XML format.

The SmartFile API allows customers to export site settings information such as a user/group/folder permissions matrix.

End user logging is the responsibility of the customer. Please refer to the SmartFile Shared Responsibility Model for more information.

Customer Data Portability

SmartFile believes that data portability is an important goal. We only want to retain your business if we continue to earn it each and every day, and will never hold your data hostage. You can use our API to export all of your settings and data at any time. Additionally, you can use our File transfer and sync tools to transfer out your files at any time.

SmartFile does not support the bulk import/export of data from/to portable media from any data center.

Network Security / Firewalls / Intrusion Detection / Intrusion Protection

Our servers are kept behind a firewall (configured in a default deny mode) and only the ports necessary for operation are exposed to the public Internet.

We use appropriate Intrusion Detection and Intrusion Protection systems as part of our Infrastructure and Network Controls.

Most internal systems are blocked from outbound internet access.

Infrastructure and Network Controls are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Internal VPN / Mobile Device Management (MDM) / Remote Access / Work From Home

By policy and through the use of technical controls, SmartFile employees must only use company owned hardware devices to access our network.

All company owned hardware devices are managed using Mobile Device Management (MDM), including managed software updates and remote wipe capability. Employees do not have local administrative rights to their device, and password requirements are enforced locally. Local hard disk encryption is automatically enforced by MDM. AirDrop and removable media access are disabled by MDM.

All access to SmartFile's network for employees requires access via a set of layered VPNs. Technical controls are in place to ensure that the VPNs may only be accessed by company owned hardware devices.

SmartFile company owned devices route all traffic through a base layer VPN, providing protection against remote or compromised internet connections. Additional VPNs are required to access our internal applications, and those VPNs require Two-Factor Authentication as well as an additional password. Our VPNs are scaled such that they can easily accommodate all of our employees working remotely for an extended period of time.

The company does not use Remote Desktop, VNC, or Citrix remote services, but a small number of employees may access our production and staging environments via SSH (Secure Shell). SSH access requires yet another layer of VPN, and is then further mediated by an SSH bastion server authenticated via an additional layer of public/private key authentication. Session termination is dictated by policy and enforced through technical controls.

Access to any customer data is always limited to senior SmartFile employees (not contractors) located in the United States who have signed agreements binding them to the terms of our Privacy Policy and other company policies. If they fail to preserve this confidence, they are subject to disciplinary action, including losing their job, and potential criminal prosecution. All access to our application servers by our employees is logged.

Infrastructure, Network and Access Controls are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Company Laptops

SmartFile only allows company-owned laptops to access internal systems. These laptops are protected by multiple defensive layers: a Mobile Device Policy that is part of the larger Information Security Policy, a Mobile Device Management (MDM) system, drive encryption, a host-based firewall, anti-virus/anti-malware protection (XProtect), location tracking and remote wipe capability, regular patching, no external media over USB, and connectivity only through multi-factor, certificate-based VPNs. No user has local administrative access, and all applications are managed through the existing Change Management process and deployed through the MDM system.

Infrastructure, Network and Access Controls are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Mobile Device Policy / Personal Devices

SmartFile maintains a Mobile Device Policy which is part of the larger Information Security Policy. The use of personal devices (Bring Your Own Device, BYOD) is limited to a small subset of peripheral systems such as Slack, company email, and PagerDuty. These peripheral systems enforce device encryption and the use of a PIN.

All employee access to SmartFile's network goes through a set of layered VPNs. Technical controls ensure that the VPNs can only be accessed from company-owned hardware devices.

Infrastructure, Network and Access Controls are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Code Escrow

SmartFile does not use third-party code escrow services. The company is well capitalized, profitable, and growing.

Brute Force Protection

Brute Force Protection is covered as part of Intrusion Detection and Intrusion Prevention.

SmartFile employs appropriate Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) as part of our Application, Infrastructure, and Network Controls.

Infrastructure and Network Controls are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Virus Scanning / Malware Protection / File Integrity Monitoring (FIM)

Files stored in SmartFile are not scanned for malware or viruses.

End user controls are the responsibility of the customer. Please refer to the SmartFile Shared Responsibility Model for more information.

Company laptops at SmartFile have appropriate virus scanning and malware protection software (XProtect) installed and configured.

Antivirus and Infrastructure Controls are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Email and Web Content Scanning

Neither customer data nor Emails sent from the SmartFile platform are scanned for malware, viruses, or sensitive information. The internal employee email system does scan for malware and viruses, and has spam filters in place.

End user controls are the responsibility of the customer. Please refer to the SmartFile Shared Responsibility Model for more information.

Internal servers and workstations at SmartFile have appropriate virus scanning and malware protection software installed and configured.

Infrastructure Controls are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Wireless Networks

SmartFile operates a physical office location which includes a wireless network. The wireless network exists to provide connectivity for our company-owned devices and to provide guest connectivity through a separate Virtual Local Area Network (VLAN). The network neither requires nor offers any direct connectivity to SmartFile platform systems.

Computers at our office are treated as if they are remote workstations and required to connect through a secure on-device VPN.

Will SmartFile Be Storing Data Subject To PCI/HIPAA/GDPR/etc

SmartFile is not in a position to know what data you are storing in the platform. This understanding and proper data classification is the responsibility of the customer. Please refer to the SmartFile Shared Responsibility Model for more information.

Federal Privacy Regulations

HIPAA: SmartFile provides world class tools that allow customers to assist in meeting their legal, regulatory and contractual obligations. Please reference the provided Shared Responsibility Model for more details.

Law Enforcement / Subpoena Disclosure Request

SmartFile is not in a position to know what data you are storing in the platform and does not read the contents of customer data for the purpose of detecting private information, copyrighted information, PII, PHI, etc.

If a request for disclosure by Law Enforcement Authorities or a subpoena is received, SmartFile will notify impacted customers using an official contact method on file, subject to any applicable laws and regulations.

Children's Online Privacy Protection Act (COPPA)

SmartFile is not intended for use by children, and in particular not by children under 13. We do not knowingly collect personally identifiable information from children under 18 years of age.

GDPR / DPA

SmartFile offers a pre-written and pre-approved Data Protection Agreement ("DPA") that it will execute for any customer requiring a DPA under GDPR.

PCI

All credit card information provided to us by our customers is stored by our payment vendors, Stripe and PayPal, in their PCI DSS-compliant systems.

PCI DSS is the Payment Card Industry Data Security Standard for cardholder data security. Our billing and signup processes are also PCI DSS-compliant.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian federal data privacy law that governs the collection, use, and disclosure of personal information in the course of commercial business within Canada, including international and interprovincial transfers of personal information. The law applies in all provinces except those that have "substantially similar" privacy laws. Customers are responsible for determining whether PIPEDA applies to them and for complying with it; SmartFile, however, has numerous settings and features to assist with that compliance.

National Defense Authorization Act Section 889 (NDAA Section 889)

SmartFile is compliant with NDAA Section 889.

Section 889 of the 2019 National Defense Authorization Act (NDAA) prohibits US federal government agencies, contractors, and grant and loan recipients from using or procuring certain covered telecommunications, video, or surveillance equipment or services. Such "covered" equipment or services are those from specific companies, including their subsidiaries and affiliates.

NIST 800-53

NIST SP 800-53 is a catalog of security and privacy controls published by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce.

SmartFile's Information Security Program ("InfoSec Program") is based on SSAE-18 SOC 2 and COBIT 5 Framework and covers the SmartFile platform and our company as a whole.

GxP and FDA 21 CFR Part 11

GxP and related acronyms refer to regulations and quality guidelines in the life sciences industry maintained by the Food and Drug Administration (FDA) in the United States and similar organizations in other countries. These acronyms stand for "Good [x] Practices", such as Good Manufacturing Practices (GMP), Good Laboratory Practices (GLP), etc.

21 CFR Part 11 refers to part 11 of Title 21 of the Code of Federal Regulations, which is a regulatory document about Electronic Records and Electronic Signatures.

SmartFile provides tools and controls that allow SmartFile to be used within organizations that are complying with FDA 21 CFR Part 11, however proper controls, configuration, and validation of the configuration are the responsibility of the customer.

Please refer to the SmartFile Shared Responsibility Model for more information.

Other Compliance Frameworks

SmartFile actively reviews the landscape of compliance frameworks and audit regimes. If your organization has a specific certification or compliance need, please reach out to us, and we are happy to explore the opportunity.

Internal Policies at SmartFile

SmartFile has implemented the following policies, which are reviewed regularly:

Anti-Bribery and Anti-Corruption Policy

Anti-Fraud Policy

Anti-Slavery Policy

Anti-Money Laundering Policy

Environmental, Social, and Governance (ESG) Policy

Third Party and Governmental Requests Policy

Whistle-Blowing Policy

Employee Code of Conduct

Export Controls Policy

Employee Controls are reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

SmartFile's General Counsel and Chief Information Security Officer (CISO) regularly attend continuing education courses to keep up with the latest legal and regulatory changes.

SmartFile uses the latest changes in legal, regulatory and any contractual obligations to drive updates across all facets of the organization, including the InfoSec Program.

Legal and Regulatory Compliance is reviewed as part of internal audit processes. SmartFile InfoSec Program documentation includes proprietary information and is not provided to customers.

Last updated

©2023 Orange Platform LLC dba SmartFile. All rights reserved.