We built Fileson so that your team's workspace is secure by design, not by promise. The security architecture means we cannot access your content, even under legal compulsion.
Your workspace content is encrypted on your device before it reaches our servers. Keys are derived from your credentials using Argon2id and never leave your team's devices. We store only encrypted data. If our servers were seized tomorrow, whoever seized them would find nothing readable.
We use AES-256-GCM for content protection and X25519 for key exchange when collaborating between team members. The full protocol is documented in our security whitepaper.
All workspace data is stored in Hetzner data centres in Frankfurt and Helsinki. Both facilities hold ISO 27001 certification. No data leaves the European Union unless you explicitly choose a different residency option on an Enterprise plan.
Fileson completed its first SOC 2 Type II audit in March 2023. The audit covers security, availability, and confidentiality trust service criteria. Enterprise customers can request the full report under NDA.
We are an EU-based company subject to GDPR by default. Every customer receives a signed Data Processing Agreement. We process the minimum personal data required to operate the workspace platform: email address, hashed password, and billing information.
All traffic is encrypted in transit with TLS 1.3. Our API enforces certificate transparency monitoring. Server access requires hardware security keys and is logged in an immutable audit trail. We run quarterly penetration tests through an independent firm.
Our incident response plan follows the NIST framework. We commit to notifying affected customers within 72 hours of confirming a breach, in line with GDPR Article 33 requirements. In five years of operation, we have not had a reportable incident.
If you find a vulnerability in Fileson, we want to hear about it. Report issues to security@fileson.cloud and we will respond within two business days. We do not pursue legal action against researchers who act in good faith.
We recognize valid reports on our Hall of Thanks and offer bounties for critical and high-severity findings. See our Vulnerability Disclosure Policy for scope and rules of engagement.