SOC 2 — LiquidFiles Compliance Mapping
SOC 2 (Service Organization Control 2) is a reporting framework developed by the AICPA that evaluates an organisation's controls relevant to security, availability, processing integrity, confidentiality and privacy. This page maps the SOC 2 Trust Services Criteria to the capabilities LiquidFiles provides as a secure file transfer product.
A downloadable spreadsheet with all the control mappings is available at the bottom of this page.
Why LiquidFiles Doesn't Have a SOC 2 Report
SOC 2 is designed for service organisations — companies that process, store or manage data on behalf of their customers. A SOC 2 report attests that a service provider's controls have been audited by an independent CPA firm over a period of time.
LiquidFiles is a self-hosted product, not a service. We sell you the software; you install and operate it on your own infrastructure. We don't host your data, we don't manage your systems, and we have no access to your LiquidFiles installation or any files transferred through it. Since we don't operate as a service organisation with respect to your data, a SOC 2 report from LiquidFiles would not be meaningful.
What is relevant is whether LiquidFiles as a product provides the technical controls your organisation needs to satisfy the SOC 2 criteria within your own environment. That is what this page addresses.
How to Use This Page
SOC 2 is built on five Trust Services Criteria (TSC):
- Security (Common Criteria, CC1–CC9) — mandatory for every SOC 2 engagement. Covers access control, change management, system operations, risk assessment and monitoring.
- Availability — system uptime, disaster recovery, business continuity.
- Confidentiality — protection of information designated as confidential.
- Processing Integrity — completeness, accuracy and timeliness of processing.
- Privacy — handling of personally identifiable information (PII).
Many of these criteria relate to organisational governance, HR policies, physical security and operational procedures that are your responsibility. Below we focus on the criteria where LiquidFiles provides relevant technical capabilities.
Security (Common Criteria)
The Security criteria are the foundation of every SOC 2 report. They are organised into nine Common Criteria categories (CC1–CC9).
| Ref | Category | LiquidFiles Capability |
|---|---|---|
| CC1 | Control Environment | Customer responsibility. Organisational commitment to integrity, board oversight, management structure, HR policies. LiquidFiles as a product vendor maintains secure development practices as described in Secure Development Practices. |
| CC2 | Information and Communication | Shared responsibility. LiquidFiles provides comprehensive audit logging of all system activity (uploads, downloads, logins, admin actions) and syslog forwarding for SIEM integration. Release notes and a mailing list communicate updates. Internal communication policies are your responsibility. |
| CC3 | Risk Assessment | Customer responsibility. Your organisation's risk assessment processes. LiquidFiles continuously monitors vulnerability databases, runs automated security scanners, and responds to reported vulnerabilities within 24–48 hours. See Vulnerability Assessments. |
| CC4 | Monitoring Activities | Shared responsibility. LiquidFiles provides system logging, message audit trails (configurable retention, default 365 days), syslog forwarding for external monitoring, and brute force detection. Your SIEM integration and monitoring procedures are your responsibility. See Logging and Auditing. |
| CC5 | Control Activities | Shared responsibility. LiquidFiles provides role-based access control (Sysadmin/Admin/User), group-based permissions, network restrictions for admin access, and configurable security policies. Defining and operating control activities within your organisation is your responsibility. |
| CC6 | Logical and Physical Access Controls | Logical access: Role-based access with distinct Sysadmin, Admin and User roles. LDAP/Active Directory integration. SAML2 SSO. Two-factor authentication (TOTP, SMS, Duo) enforceable per group. Admin network restrictions. Bcrypt password storage with CrackLib validation. Configurable password policy and expiration. Brute force protection. See Strong Authentication. Physical access: Customer responsibility (your data centre, your infrastructure). |
| CC7 | System Operations | Shared responsibility. LiquidFiles provides built-in ClamAV antivirus (signatures updated every 2 hours), automatic daily security updates, built-in firewall, hardened appliance defaults, and comprehensive logging. Custom file scanning via Attachment Upload Actionscripts enables integration with external security tools. Operational monitoring and incident response procedures are your responsibility. See Antivirus Scanning. |
| CC8 | Change Management | Shared responsibility. LiquidFiles uses version-controlled releases, automated CI/CD via GitHub Actions (full test suite must pass), security scanning (Brakeman, RuboCop, ESLint) on every build, and release branches with cherry-picked fixes. Automatic updates enabled by default. Change management for your environment's configuration is your responsibility. See Automated Testing. |
| CC9 | Risk Mitigation | Customer responsibility. Your organisation's risk mitigation strategy. LiquidFiles provides the technical controls described throughout this page to support your risk treatment decisions. |
Availability
| Ref | Criteria | LiquidFiles Capability |
|---|---|---|
| A1.1 | Performance and Capacity Monitoring | Admin dashboard with system resource monitoring. Disk usage alerts. Automatic message expiration and file deletion to manage storage capacity. |
| A1.2 | Recovery and Business Continuity | Shared responsibility. LiquidFiles provides built-in backup and restore tools. The virtual appliance model supports VM-level snapshots. Can be deployed on high-availability infrastructure. Your backup strategy, RTO/RPO targets and DR procedures are your responsibility. |
| A1.3 | Recovery Testing | Customer responsibility. Testing of your backup and recovery procedures is your responsibility. |
Confidentiality
| Ref | Criteria | LiquidFiles Capability |
|---|---|---|
| C1.1 | Information Classification | Customer responsibility. Your organisation's classification scheme. LiquidFiles provides group-based permissions that can be used to enforce different handling requirements for different user groups. |
| C1.2 | Confidentiality Controls | Data in transit encrypted with TLS 1.2/1.3 (AES-256). Full disk encryption (LUKS/AES-256) available for data at rest. FIPS 140-3 mode available via Ubuntu Pro. File access protected with randomised 384-bit tokens. Configurable message expiration and automatic deletion. See FIPS Mode and Full Disk Encryption. |
| C1.3 | Confidential Information Disposal | Configurable automatic message and file deletion with retention policies per group. System-wide retention policy (default 365 days). Manual deletion by administrators. Full disk encryption ensures deleted data is not recoverable from disk. |
Processing Integrity
| Ref | Criteria | LiquidFiles Capability |
|---|---|---|
| PI1.1–PI1.5 | Processing Completeness, Accuracy, Timeliness | Largely not applicable. LiquidFiles is a file transfer system, not a data processing platform. Files are delivered as-is without modification. The audit log provides a complete record of all transfers including sender, recipients, timestamps and file details, ensuring transfer integrity is verifiable. |
Privacy
| Ref | Criteria | LiquidFiles Capability |
|---|---|---|
| P1–P8 | Privacy Management | Mostly customer responsibility. LiquidFiles as a company does not collect, process or have access to any personal information transferred through your LiquidFiles system. Privacy notices, consent management, data subject rights and privacy governance are your organisation's responsibility. LiquidFiles provides automatic data deletion, access controls and audit logging to support your privacy programme. See Monolithic Architecture & Privacy. |
Customer Responsibility
Because LiquidFiles is a self-hosted product, the following SOC 2 areas are entirely your organisation's responsibility:
- Control environment (CC1) — governance, ethics, organisational structure, HR policies.
- Risk assessment (CC3) — your risk identification and analysis processes.
- Physical access — your data centre, server room and equipment security.
- Operational monitoring — your SIEM configuration, alerting and incident response procedures.
- Business continuity — your backup strategy, DR testing and recovery procedures.
- Privacy governance — your privacy notices, consent mechanisms and data subject request handling.
For more context on this distinction, see our Vendor Onboarding Forms page.
Download
A spreadsheet with the SOC 2 Trust Services Criteria mapping for LiquidFiles is available for download.