Secure FTP

Customer & User Security Options

It starts with you. Every account includes a number of security specific features that can be enabled, letting you limit access to only authorized users.

Whether you transfer files via automated secure FTP connection or log in and download files through our secure web interface, you can lock your data down as much as you’d like.

• Add IP address restrictions to allow connections from only those devices you specify.
• Optional complex password enforcement keeps your users from creating accounts with easy-to-guess passwords.
• Secure-only mode forces connections on secure file transfer protocols ( e.g. SFTP ) and disallows connections on legacy protocols such as FTP.
• Home directories restrict your users to only the information you want them to see.
• Shares and users can be set to expire on a certain date, to prevent future access.

File & Data Integrity

Keeping data safe, whether in transit or at rest, is critical to the smooth operation of your business file transfers. We back up data to servers in multiple locations in near-real time, and have a number of features to ensure your files are transmitted safely and securely.

• All files are backed up in realtime to our primary data center.
• All data is backed up in near-real time to our secondary disaster recovery data center.
• Data is encrypted in transit via SFTP, FTPS or HTTP. (Unencrypted plain FTP is also available, but can be disabled to only allow secure file transfer protocols).
• All protocols support resume functionality if a file transfer is interrupted.

Computer & Network Security

ExaVault is designed with security as a core requirement. We run a custom-built cloud infrastructure, which we fully control all the way down to the hardware.

Multiple firewalls, monitoring and intrusion detection systems are employed. Each customer’s data is isolated, which ensures your files are safe and completely secure on our servers.

• ExaVault servers run only our data storage platform and keep a high security profile (e.g., minimum number of ports open).
• Access to all equipment (servers, firewalls, etc.) is logged and monitored for intrusions or other anomalies.
• A multi-layered set of monitoring and intrusion protection systems is in place, including firewalls at the edge and internal controls on access to databases, customer data storage, and other key resources.
• All encrypted traffic uses an SSL certificate with a 2048 bit private key, employing TLS v1.2+
• Regular security audits are conducted by internal staff and a third-party audit firm.

Physical Security

ExaVault owns and physically controls all of our own infrastructure. All equipment and servers are housed in best-in-class carrier-grade data centers. Each data center is SOC 2 Type 1/2 Compliant and ISO 27001 Certified, and has a bevy of infrastructure and on-site security features.

• Data center staff onsite 24/7/365.
• Sign-in/sign-out required for all personnel.
• CCTV / IP-DVR systems cover all aspects of each facility.
• Four-factor biometric verification is required to access the data center floor.
• Regular and randomized security patrols conducted.
• Data centers are SOC 2 Type 1/2 Compliant and ISO 27001 Certified.
• Data centers employ N+1 redundant electrical, mechanical, and life safety systems.

Uptime & Redundancy

File storage and transfer is only useful when it’s accessible. With this fact in mind, we’ve structured our secure FTP and file transfer service to maximize available uptime.

Our network and server infrastructure is fully redundant, from our incoming network feeds all the way down to data on disk. Our deployment processes allow upgrades to be performed with no downtime.

• Redundancy at every level: Firewall, network, application servers, database servers, storage layer, and more.
• Secondary disaster recovery facility able to take over for a primary facility failure.
• Software maintenance process is designed to allow for upgrades without downtime.
• Disaster recovery plans are in place, reviewed, and updated regularly.
• Third party monitoring for ExaVault services provided via Pingdom.

Audit & Control

Audit logs are critical for both informational and compliance purposes. ExaVault provides immutable audit logs for every transaction in your account, which means that no one can change logs, even if they are an account administrator.

• Every transaction by every user is recorded - upload, download, move, copy, rename, share, delete & more.
• Audit logs are immutable. No one, including account administrators, may change or delete them.
• Search and filter capabilities are provided to quickly find a transaction in question.

Governance

Building a secure system is only half the battle. Keeping it secure is equally important. ExaVault performs regular audits and trainings using internal and third-party tools to make sure our platform is secure.

• Code audits conducted on all new code to ensure security and compatibility.
• Regular internal training on security best practices.
• Regular infrastructure tests using internal and third-party tools to identify and patch vulnerabilities.
• Third party testing performed monthly, with intensive testing performed annually.
• Strong terms of service and data privacy policy, with customization available for enterprise clients.

GDPR Compliance

The European Union's GDPR (General Data Protection Regulation) affects every business processing data for customers in the EU & UK. ExaVault and its sub-processors are GDPR-compliant.

• ExaVault is Privacy Shield certified, and we can lawfully collect, receive, and process personal data from the EU & UK.
• ExaVault is committed to maintaining privacy and data security through privacy by design.
• ExaVault regularly reviews and updates our internal processes, policies, and technical safeguards to ensure our ongoing compliance. For more information, see our GDPR page.