Compliance
FileSafety is built with regulatory compliance in mind. This page covers our approach to GDPR, SOC 2, data processing agreements, and related compliance topics.
GDPR readiness
FileSafety is designed to support GDPR compliance for customers who process personal data from EU residents.
Data processing
When you upload a file to FileSafety for scanning, we act as a data processor on your behalf. You remain the data controller and determine what files are submitted for scanning.
| GDPR role | Entity |
|---|---|
| Data controller | You (the customer) |
| Data processor | FileSafety |
| Sub-processors | Cloud infrastructure provider, Stripe (billing) |
Lawful basis
FileSafety processes files solely for the purpose of providing the scanning service you request. The lawful basis for processing is the performance of a contract (Article 6(1)(b) GDPR) — specifically, the service agreement between you and FileSafety.
Data minimization
FileSafety follows data minimization principles:
- Files are processed only for the purpose of scanning
- File content is retained for a maximum of 24 hours, then automatically deleted
- Only scan results (verdict, hash, metadata) are retained long-term
- No file content is logged or stored in application logs
- Only the minimum metadata necessary for the service is collected
Right to erasure
The 24-hour auto-delete policy on uploaded files means that file content is automatically erased without any action required. For scan result records (verdict, hash, metadata), you can request deletion by contacting support.
| Data type | Erasure method |
|---|---|
| Uploaded file content | Automatic — deleted 24 hours after upload |
| Scan result records | On request — contact support |
| Account data | On request — account deletion removes all associated records |
| Billing data | Managed by Stripe — subject to Stripe’s retention policies |
Data residency
All data processing and storage occurs in Australia. No data is transferred to or replicated in other regions.
Cross-border data transfers
Files and scan results remain within Australia. The only external data flows are:
- Webhook delivery — Scan results are POSTed to the webhook URL you provide, which may be in any region. You control where this endpoint is hosted.
- Stripe billing — Billing information (email, plan, payment method) is processed by Stripe, which operates globally. Stripe’s data handling is governed by their own GDPR compliance measures.
Data breach notification
In the event of a data breach affecting your data, FileSafety will notify affected customers within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
FileSafety is built on infrastructure that is SOC 2 Type II certified. Our application-level security controls include:
| Control area | Implementation |
|---|---|
| Access control | API key authentication, hashed key storage, no plaintext credentials |
| Encryption | AES-256 at rest, TLS 1.3 in transit |
| Network security | Private network with no internet access for scan workers |
| Data retention | 24-hour automatic file deletion, configurable record deletion |
| Monitoring | Logging and metrics, API access logging |
| Change management | Infrastructure as code, version-controlled deployments |
FileSafety does not currently hold an independent SOC 2 Type II certification. If this is a requirement for your organization, please contact us to discuss your needs.
Data Processing Agreement (DPA)
A Data Processing Agreement is available for customers who need one for GDPR compliance or internal procurement requirements.
The DPA covers:
- Nature and purpose of data processing
- Types of personal data processed
- Data subject categories
- Processing duration and data retention
- Security obligations
- Sub-processor list and notification procedures
- Data breach notification commitments
- Data subject rights assistance
- Data deletion and return procedures
To request a DPA, contact support with your organization details. We will provide a pre-signed DPA or work with your legal team on a custom agreement.
Sub-processors
FileSafety uses the following sub-processors:
| Sub-processor | Purpose | Data accessed |
|---|---|---|
| Cloud infrastructure provider | Compute, storage, networking, and managed services | File content (temporary), scan results, account data |
| Payment processing provider (Stripe) | Payment processing and subscription management | Email address, billing information, payment method |
Changes to sub-processors are communicated to DPA holders in advance.
Security certifications of underlying infrastructure
Our cloud infrastructure provider maintains the following certifications relevant to data security:
- SOC 1, SOC 2, SOC 3
- ISO 27001, ISO 27017, ISO 27018
- PCI DSS Level 1
- HIPAA eligible services
- FedRAMP
- IRAP (relevant for Australian government data)
These certifications cover the physical infrastructure and managed services that FileSafety uses. They do not automatically extend to the FileSafety application itself.
Contact
For compliance questions, DPA requests, or security inquiries, contact us at the email address listed in your dashboard.
See also
- Security Overview — Architecture and network isolation details
- Data Handling — File lifecycle, encryption, and retention details