We built Fileson so that you never have to take our word for it. The encryption architecture means we cannot access your data, even under legal compulsion.
Your encryption keys are derived from your password on your device using Argon2id. The derived key encrypts and decrypts files locally. We store only ciphertext. If our servers were seized tomorrow, the attacker would find nothing readable.
We use AES-256-GCM for file encryption and X25519 for key exchange when sharing between users. The full protocol is documented in our security whitepaper.
All customer data is stored in Hetzner data centres in Frankfurt and Helsinki. Both facilities hold ISO 27001 certification. No data leaves the European Union unless you explicitly choose a different residency option on an Enterprise plan.
Fileson completed its first SOC 2 Type II audit in March 2023. The audit covers security, availability, and confidentiality trust service criteria. Enterprise customers can request the full report under NDA.
We are an EU-based company subject to GDPR by default. Every customer receives a signed Data Processing Agreement. We process the minimum personal data required to operate the service: email address, hashed password, and billing information.
All traffic is encrypted in transit with TLS 1.3. We monitor Certificate Transparency logs for certificates issued for our API. Server access requires hardware security keys and is logged in an immutable audit trail. We run quarterly penetration tests through an independent firm.
Our incident response plan follows the NIST framework. We commit to notifying affected customers within 72 hours of confirming a breach, in line with GDPR Article 33 requirements. In five years of operation, we have not had a reportable incident.
If you find a vulnerability in Fileson, we want to hear about it. Report issues to security@fileson.cloud and we will respond within two business days. We do not pursue legal action against researchers who act in good faith.
We recognize valid reports on our Hall of Thanks and offer bounties for critical and high-severity findings. See our Vulnerability Disclosure Policy for scope and rules of engagement.