M-Files Security in a Nutshell

Information security and privacy are of essential importance at M-Files. Our approach toward security and compliance have been summarized in this document along with the organizational and technical controls implemented to keep your data and information safe.

Our Commitments:

We maintain Security principles within the fundamental designs of the Service. M-Files is designed to permit system users to only access information they need and are entitled to, based on their role.

We drive continuous improvement and maintain a certified information Security Management System and Quality System as well as operate a SOC2 attested Security Compliance Program.

We use encryption technologies to protect customer data both at rest and in transit.

Physical Security

M-Files Cloud is hosted on the Microsoft Azure platform, and customer data is in Azure data centers.

Customer data is replicated from the primary Azure region to datacenters in the secondary Azure region.

Microsoft Azure data centers have been certified to operate an Information Security Management System that confirms to the requirements of ISO/IEC 27017:2013and ISO/IEC 27018:2014. Microsoft Azure has achievedSOC 1 Type 2, SOC 2 Type 2, and SOC 3 reports and their Business Continuity Management System is ISO22301:2012 certified.

Physical security measures related to M-Files office locations in all countries have been documented. In order to provide secure facilities and a secure environment for M-Files operations, the following aspects shall be followed:

Entry from public areas to offices is restricted by locks or monitored by reception staff

Main offices are monitored for unauthorized entry by surveillance monitoring during nights

Area categorizations are applied, and procedures enforced by the office managers

Service personnel and third parties are not allowed to leave doors open and by-pass the categoriesLogical Access

Logical access of M-Files Cloud Operations to M-FilesCloud services is controlled by M-Files Cloud service credentials. The credentials are stored in the cloud management vault and access to the credentials required VPN and multi-factor authentication.

Access control in M-Files is set up as layers. Access can be granted based on the user needs, thus limiting the access only to those assets and systems needed, even to the level of individual documents within a project.

This enables M-Files to protect the data with the best combination of technical means needed.

Network Security Measures

Our network is segregated in several separate segments using firewalls and/or routers, based on their principal purpose. All traffic to and from the Internet is controlled and actively monitored. Third-party monitored endpoint detection and response (EDR) is in place at all endpoints.

Geographically distant offices belonging into the same core network are connected through site-to-site VPN.

It is imperative that your data is fully protected whether it’s being transmitted over a network or at rest so that no one gains unauthorized access to your information.

M-Files encrypts network communication between M-Files clients (M-Files Desktop, M-Files Web and M-FilesMobile) and M-Files Server via HTTPS, gRPC, VPN or IPSec.

Data at rest is encrypted with the AES-256 Microsoft SQL Server Transparent Data Encryption (TDE) is always enabled in M-Files Cloud.

Back-up and DataStorage

Scheduled backups are performed to recover from logical errors. Document vaults are backed up every day, and the backup data is hosted in a different storage than the actual production data. The data is replicated and geographically distributed. Features included in the backup plan vary between Standard Backup Plan and Premium Backup Plan.

Microsoft Azure SQL Database stores all the permanent data to a redundant storage to mitigate outages causedby potential failures of individual server components.

Database backups and transaction logs are stored to ageo-redundant storage to enable recovery to another data center in case of a major disaster.

Files stored in the M-Files Cloud service are automatically geo-replicated with Microsoft Azure Storage services.

Geo-replication maintains six copies of your data. Your data is replicated three times within the primary region and three times within a secondary region hundreds of miles away from the primary region, providing high-level durability. Azure Key Vault can be used to manage and store encryption keys for file and database data.

Product Security

M-Files applies an agile Secure Development Lifecycle(SDL) based process in product development. Software requirements are described as user stories, features and epics consisting of one or more user stories. Each delivered feature goes through a Feature Readiness Gateprocess consisting of concept, design, implementation,and testing phases. Readiness Gate approval includes following signoffs from Product Management, Architectural, Security and Verification.

Monthly releases are managed through Branch and Release Gates with dedicated gate criteria to be fulfilled before approval. Branch gate verifies that each feature to be released has passed Feature Readiness Gate, and checks that there are no outstanding issues to be fixed.

Release gate serves as a final quality checkpoint for the delivery before publication.

SDL (Secure Development Lifecycle) is applied throughout the whole development process to protect against possible security threats. Manual and automated third-party component checks are done for each release to protect against vulnerabilities in third-party software.

Release acceptance testing includes non-functional testing as well, for example, performance and security testing. The tools used in security testing include but are not limited to HackerGuardian, Synopsys ProtecodeSC, Burp and OWASP ZAP. Development and testing environments are segregated from production and no production data is used for testing purposes.

M-Files regularly conducts third-party security assessments, including penetration testing. These assessments are focused on critical service components and prioritized by the security team according to the technical testing plan.

Incident management process is in place to identify, analyze, and to apply corrective actions. Incidents are classified according to urgency and MIM process for critical incidents. Lessors learned are gathered to prevent a future re-occurrence. M-Files holds CNA (CVE NumberAuthority) status and issues CVE numbers for M-Filesproduct-related vulnerabilities. Vulnerability disclosures and security bulleting’s are published on the SecurityAdvisories page.

Data Privacy

As a data processor M-Files complies with applicable GDPR regulations for all the relevant services delivered to customers. M-Files will co-operate with our customers,to help them meet their GDPR obligations as data controllers. We have collected our privacy notices andother GDPR documentation in our Privacy Policy page.

Corporate Security

M-Files has implemented and maintains policies and procedures that cover essential security and compliance topics. All employees are expected to adhere to theM-Files policies and procedures that define how servicess hould be delivered. A review cycle has been implemented to keep policies and procedures up to date.

All M-Files employees and subcontractors receive annual information security training in addition to which specialized role-based training is provided. Third-party-provided continuous phishing awareness training is enabled for M-Files employees.

Compliance

M-Files has been certified by an independent third party to comply with the requirements of the standard ISO/IEC 27001:2013. Certification covers development maintenance of M-Files document management platform and M-Files Cloud Operations. We also maintain ISO9001:2015 Certified quality management system which covers design, development, delivery and support ofM-Files management platform and related services.

Our security compliance framework has been designed and operated to meet the requirements defined by AICPA’s Trust Service Principles and Criteria. M-Filescompliance and adherence to best practices is annually audited by external CPA auditor and based on that auditSOC 2 type II report is issued annually.

To read more about our compliance endeavours please see our compliance webpage.

To obtain latest copies of our SOC 2 report and ISOcertificatesplease contact support@m-files.com.

For more information on how we can help your organisation please email: peter@documentmanagementsoftware.com.auor visit www.documentmanagementsoftware.com.au


Peter Ellyard

Having spent over 20 years immersed in the document management software industry I have found that by offering a simple to use, highly effective electronic document management solution (knowledge management software) we increase productivity dramatically. Typically by an hour per person, per day! This is not rocket science, just a simple way to streamline your day to day information needs.