LiquidFiles provides the technical controls your organisation needs to satisfy ISO 27001, SOC 2, HIPAA, Sarbanes-Oxley and PCI DSS requirements for secure file transfer.
Compliance standards share common themes: encrypt data, control access, log everything and keep systems patched. LiquidFiles covers these across the board.
ISO 27001:2022 is the international standard for information security management. LiquidFiles maps to the Annex A Technological Controls (A.8), covering encryption, access control, logging, malware protection, secure development and change management.

| Control Area | LiquidFiles Capability |
|---|---|
| Secure Authentication (A.8.5) | Password policy with CrackLib validation, LDAP/AD, SAML2 SSO, MFA (TOTP, SMS, Duo) enforceable per group. Bcrypt password storage. |
| Malware Protection (A.8.7) | Built-in ClamAV with 2-hourly updates. Custom scanning via Actionscripts for additional AV or DLP integration. |
| Vulnerability Management (A.8.8) | Automatic security updates. Ubuntu CVE monitoring. 24–48 hour vulnerability response. |
| Cryptography (A.8.24) | TLS 1.2/1.3 (AES-256) in transit. LUKS full disk encryption at rest. FIPS 140-3 available. |
| Secure Development (A.8.25–A.8.28) | TDD, automated security scanning (Brakeman, RuboCop, ESLint), CI/CD via GitHub Actions, OWASP Top 10 compliance. |

SOC 2 evaluates controls across five Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity and Privacy. LiquidFiles addresses the Security Common Criteria and Confidentiality controls that auditors look for in a file transfer system.

| Criteria | LiquidFiles Capability |
|---|---|
| Logical Access (CC6) | Role-based access, LDAP/AD, SAML2 SSO, MFA enforceable per group, admin network restrictions, brute force protection. |
| System Operations (CC7) | ClamAV antivirus, automatic security updates, built-in firewall, hardened appliance, comprehensive logging. |
| Change Management (CC8) | TDD, automated CI/CD, security scanning on every build, versioned releases with documented release notes. |
| Confidentiality (C1) | TLS 1.2/1.3 in transit, full disk encryption at rest, FIPS 140-3 mode, configurable data retention and automatic deletion. |

The HIPAA Security Rule (45 CFR §164.312) defines technical safeguards for protecting electronic Protected Health Information (ePHI). LiquidFiles addresses all five technical safeguard standards.

| Safeguard | LiquidFiles Capability |
|---|---|
| Access Control — §164.312(a) | Unique user accounts, LDAP/AD, SAML2 SSO, configurable session timeout, full disk encryption (LUKS/AES-256). |
| Audit Controls — §164.312(b) | All uploads, downloads, logins and admin actions logged. Syslog forwarding for SIEM and long-term retention. |
| Integrity — §164.312(c) | TLS 1.2/1.3 with authenticated encryption ensures data integrity in transit. ClamAV scanning on all uploads. |
| Authentication — §164.312(d) | Password policy with CrackLib validation, MFA (TOTP, SMS, Duo), SAML2 SSO, brute force protection. |
| Transmission Security — §164.312(e) | TLS 1.2/1.3 (AES-256) with strong cipher suites. HSTS enforced. A+ rating on SSL Labs. FIPS 140-3 available. |

SOX Section 404 requires IT General Controls (ITGCs) around any system that processes financial data. LiquidFiles provides the technical capabilities SOX auditors look for in a file transfer system.

| ITGC Domain | LiquidFiles Capability |
|---|---|
| Access Management | LDAP/AD integration, SAML2 SSO, MFA, role-based access (Sysadmin/Admin/User), admin network restrictions, user auto-expiration. |
| Change Management | Versioned releases, automated CI/CD with full test suite, security scanning on every build, documented release notes. |
| System Operations | Comprehensive audit logging, ClamAV antivirus, automatic security updates, brute force protection, syslog forwarding. |
| Logical Security | Built-in firewall, TLS 1.2/1.3 (AES-256), full disk encryption, FIPS 140-3 mode, regular external security scanning. |
| Segregation of Duties | Distinct Sysadmin/Admin/User roles with separate network restrictions. All admin activity logged and forwardable to independent SIEM. |

PCI DSS 4.0 covers security requirements for systems that handle payment card data. LiquidFiles addresses the technical requirements across all 12 PCI DSS requirement areas.

| Requirement | LiquidFiles Capability |
|---|---|
| Network Security (Req 1–2) | Built-in firewall exposing only necessary ports. Hardened appliance with secure defaults. No vendor-supplied default passwords. |
| Data Protection (Req 3–4) | TLS 1.2/1.3 (AES-256) in transit. Full disk encryption at rest. Configurable data retention and automatic deletion. |
| Vulnerability Management (Req 5–6) | ClamAV antivirus, automatic security updates, TDD with automated security scanning, OWASP Top 10 compliance. |
| Access Control (Req 7–8) | Role-based access, unique user accounts, MFA (TOTP, SMS, Duo) enforceable per group, LDAP/AD, SAML2 SSO, brute force protection. |
| Logging & Monitoring (Req 10) | All activity logged. Syslog forwarding for SIEM. NTP for time synchronisation. Supports PCI 4.0 automated log review via SIEM integration. |