The Citrix ShareFile system has many security and privacy measures in place to protect your data. These security measures can be divided into four main categories —software, backups, servers and policies.
ShareFile software was created with security in mind. Each user in the system has a unique login and password and all user-created passwords are hashed in the ShareFile database. Additionally, granular access permissions allow users to be given access to information in an account on a need-to-know basis.
ShareFile has a daily third-party security scan through McAfee ® SECURE. The appearance of the McAfee ® SECURE seal on our login page indicates that ShareFile has passed the security audit.
All uploaded files are scanned by anti-virus software. Any files that are flagged as potential viruses are denoted with a red exclamation point icon within the application, and a warning will be displayed before attempting to download these files.
All communications between ShareFile and the user are encrypted using either Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption protocols and up to AES 256-bit encryption and no less than 128-bit encryption. These are the same industry standard protocols used by online banking and popular e-commerce services such as Amazon.com for secure communication over the Internet. All user files and file content is protected at rest using AES 256-bit encryption.
ShareFile employs multiple backup measures to minimize data loss in the event of natural disaster, terrorism, fire or any other unexpected event that could result in the destruction of the hardware that hosts the service. Client files are stored in replicate within the storage tier and backed up to ShareFile’s file backup and recovery center on a daily basis. Client and file attributes and metadata is backed up to a hot disaster recovery site every 15 minutes.
Citrix ShareFile maintains a primary and hot disaster recovery site. The disaster recovery site is readily available to assume primary responsibilities in the event the primary site is unavailable.
Redundant File Storage
ShareFile maintains the capability to leverage alternate regions to store files if any one region is rendered unavailable. Additionally, ShareFile maintains a geographically separate backup and file recovery site that facilitates recovery of client files in case of accidental client-side file deletion. All client files are backed up to our alternate site on a daily basis.
Lazy File Deletion
To protect against the accidental deletion of files, ShareFile maintains copies of all deleted files for 28 days before permanently purging the files from the backup and file recovery center. This helps protect clients from file loss due to user error. If a file is deleted in error, the file can be restored through the ShareFile Recycle Bin for seven days. Past seven days, users can contact ShareFile support to restore a file within the 28-day limit.
ShareFile datacenters have attained third-party SSAE 16 Type II certification, which verifies that all datacenter facilities operate with strict security procedures. Physical access is strictly controlled at the perimeter and building entrance points, and access to each datacenter requires two-factor authorization.
Additionally, ShareFile servers are protected by dedicated firewalls, which constantly scan for and protect against malicious threats. The firewalls provide zero-day protection against any traffic that does not conform to standard Internet protocols, behaviors or patterns.
All ShareFile servers are automatically updated with the latest vendor-supplied security patches for the operating system and other applications.
ShareFile also has several corporate policies in place to help protect the security of data in the ShareFile system. ShareFile employees conduct all support functions, and access is restricted by IP address so that support functions can only be performed from within the secure ShareFile physical office facilities.
Furthermore, it is a company policy that ShareFile support engineers may only access client data when such support has been specifically requested by a user. All login and upload/download activity by ShareFile support engineers is logged in the system activity log, which is fully viewable by administrators on each account.
For security questions not addressed in this document, please contact support@ShareFile.com.