M-Files Security Information in a Nutshell

March 6, 2024

Introduction

Information security and privacy are of essential importance at M-Files. Our approach to security and compliance has been summarised in this document, along with the organisational and technical controls implemented to keep your data and information safe.

Our Commitment

Security principles are built into the fundamental design of the Service. M-Files is designed so that users can access only the information they need and are entitled to, based on their role.


We drive continuous improvement, maintain a certified Information Security Management System and Quality Management System, and operate a SOC 2-attested Security Compliance Program.



We use encryption technologies to protect customer data both at rest and in transit.

Physical Security

M-Files Cloud is hosted on the Microsoft Azure platform, and customer data is located in Azure data centres. Customer data is replicated from the primary Azure region to data centres in a secondary Azure region. Microsoft Azure data centres are certified against ISO/IEC 27017:2015 and ISO/IEC 27018:2014. Microsoft Azure holds SOC 1 Type 2, SOC 2 Type 2 and SOC 3 reports, and its Business Continuity Management System is ISO 22301:2012 certified.


Physical security measures for M-Files office locations in all countries have been documented. To provide secure facilities and a secure environment for M-Files operations, the following measures are in place:


Entry from public areas to offices is restricted by locks or monitored by reception staff.


Main offices are monitored for unauthorized entry by surveillance monitoring during nights.


Area categorisations are applied, and procedures enforced by the office managers.


Service personnel and third parties are not allowed to leave doors open or bypass the area categories.

Logical Access

Logical access by M-Files Cloud Operations to M-Files Cloud services is controlled by M-Files Cloud service credentials. The credentials are stored in the Cloud Management vault, and access to them requires both VPN and multi-factor authentication.


Access control in M-Files is set up in layers. Access is granted according to the user's needs, limiting it to only those assets and systems required, down to the level of individual documents within a project. This allows M-Files to protect data with the combination of technical controls appropriate to its sensitivity.

Network Security Measures

Our network is segregated into several separate segments using firewalls and/or routers, based on their principal purpose. All traffic to and from the Internet is controlled and actively monitored. Third-party-monitored endpoint detection and response (EDR) is deployed on all endpoints. Geographically distant offices belonging to the same core network are connected through site-to-site VPN.


Your data must be fully protected both in transit over a network and at rest, so that no one gains unauthorised access to your information. M-Files encrypts network communication between M-Files clients (M-Files Desktop, M-Files Web, and M-Files Mobile) and M-Files Server via HTTPS, gRPC, VPN, or IPsec. Data at rest is encrypted with AES-256; Microsoft SQL Server Transparent Data Encryption (TDE) is always enabled in M-Files Cloud.
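The TDE statement above can be verified directly where you administer the SQL Server or Azure SQL instance backing a vault (typically a self-hosted M-Files deployment; M-Files Cloud customers do not administer the database themselves). The query below is an added example and is not M-Files' own code; it assumes the VIEW SERVER STATE permission and uses only the standard SQL Server catalog and DMV columns.

```sql
-- Added example (not from M-Files): confirm TDE status and key strength
-- for every user database on the instance.
-- Expected for an encrypted vault database:
--   is_encrypted = 1, encryption_state = 3, key_algorithm = 'AES', key_length = 256
SELECT
    d.name              AS database_name,
    d.is_encrypted,
    k.encryption_state, -- 3 = encrypted; 0 = no key; 1 = unencrypted; 2/4 = in progress
    k.key_algorithm,
    k.key_length,
    k.encryptor_type    -- CERTIFICATE, or ASYMMETRIC KEY when an external key store is used
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
    ON d.database_id = k.database_id
WHERE d.database_id > 4 -- skip master, tempdb, model, msdb
ORDER BY d.name;
```

A row with is_encrypted = 0, or with a NULL encryption key, means TDE is not protecting that vault's data at rest regardless of what the hosting plan promises, and should be raised before the vault goes into production.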

Back-up and Data Storage

Scheduled backups are performed to recover from logical errors. Document vaults are backed up every day, and the backup data is hosted in storage separate from the production data. The data is replicated and geographically distributed. The features included in the backup plan differ between the Standard Backup Plan and the Premium Backup Plan.


Microsoft Azure SQL Database stores all permanent data in redundant storage to mitigate outages caused by failures of individual server components. Database backups and transaction logs are stored in geo-redundant storage to enable recovery in another data centre in case of a major disaster.


Files stored in the M-Files Cloud service are automatically geo-replicated with Microsoft Azure Storage services. Geo-replication maintains six copies of your data: three within the primary region and three within a secondary region hundreds of kilometres away, providing a high level of durability. Azure Key Vault can be used to manage and store the encryption keys for file and database data.


M-Files maintains documented business continuity and disaster recovery plans and conducts periodic testing to confirm that they remain applicable.

Product Security

M-Files applies an agile Secure Development Lifecycle (SDL)-based process in product development. Software requirements are described as user stories, features, and epics consisting of one or more user stories. Each delivered feature goes through a Feature Readiness Gate process consisting of concept, design, implementation, and testing phases. Readiness Gate approval requires sign-off from Product Management, Architecture, Security, and Verification.


Monthly releases are managed through Branch and Release Gates, each with dedicated criteria that must be fulfilled before approval. The Branch Gate verifies that each feature to be released has passed the Feature Readiness Gate and that there are no outstanding issues to be fixed. The Release Gate serves as the final quality checkpoint before publication.


The SDL is applied throughout the whole development process to protect against security threats. Manual and automated third-party component checks are performed for each release to protect against vulnerabilities in third-party software. Release acceptance testing also includes non-functional testing, for example performance and security testing. The tools used in security testing include, but are not limited to, HackerGuardian, Synopsys Protecode SC, Burp, and OWASP ZAP. Development and testing environments are segregated from production, and no production data is used for testing purposes.


M-Files regularly conducts third-party security assessments, including penetration testing. These assessments are focused on critical service components and prioritised by the security team according to the technical testing plan.


An incident management process is in place to identify and analyse incidents and to apply corrective actions. Incidents are classified according to urgency, and a Major Incident Management (MIM) process is followed for critical incidents. Lessons learned are gathered to prevent recurrence. M-Files holds CNA (CVE Numbering Authority) status and issues CVE identifiers for vulnerabilities in M-Files products.


Data Privacy

As a data processor, M-Files complies with applicable GDPR requirements for all relevant services delivered to customers. M-Files co-operates with customers to help them meet their GDPR obligations as data controllers. Our privacy notices and other GDPR documentation are collected on our Privacy Policy page.

Corporate Security

M-Files has implemented and maintains policies and procedures that cover essential security and compliance topics. All employees are expected to adhere to the M-Files policies and procedures that define how services should be delivered. A review cycle has been implemented to keep policies and procedures up to date.


All M-Files employees and subcontractors receive annual information security training, in addition to which specialised role-based training is provided. Third-party-provided continuous phishing awareness training is enabled for M-Files employees.

Compliance

M-Files has been certified by an independent third party as complying with the requirements of ISO/IEC 27001:2013. The certification covers development and maintenance of the M-Files document management platform and M-Files Cloud Operations. We also maintain an ISO 9001:2015-certified quality management system covering the design, development, delivery, and support of the M-Files management platform and related services.


Our security compliance framework has been designed and is operated to meet the requirements of the AICPA Trust Services Criteria. M-Files' compliance and adherence to best practices are audited annually by an external CPA auditor, and a SOC 2 Type II report is issued annually on the basis of that audit.


To read more about M-Files compliance efforts, please see the M-Files compliance website.


To obtain the latest copies of M-Files SOC 2 report and ISO certificates, please contact support@m-files.com. For more information on how we can help your organisation please email: peter@documentmanagementsoftware.com.au or visit www.documentmanagementsoftware.com.au
