Sarbanes-Oxley (SOX) — LiquidFiles Compliance Mapping
The Sarbanes-Oxley Act (SOX) Section 404 requires publicly traded US companies to establish and maintain internal controls over financial reporting (ICFR). IT General Controls (ITGCs) form a critical part of this requirement, governing the security, integrity and reliability of IT systems that support financial processes. This page maps the SOX ITGC domains to the capabilities LiquidFiles provides.
A downloadable spreadsheet with all the control mappings is available at the bottom of this page.
Why SOX Matters for File Transfer
SOX compliance becomes relevant for LiquidFiles when the system is used to transfer financial data, audit reports, or other documents that feed into or support the financial reporting process. SOX auditors will examine the IT controls around any system that touches financial data, including file transfer systems.
LiquidFiles is a self-hosted product. SOX compliance is your organisation's responsibility, not ours — we don't manage your systems or have access to your data. However, LiquidFiles provides the technical capabilities needed to satisfy the ITGC requirements that auditors look for in a file transfer system.
How to Use This Page
SOX does not prescribe specific IT controls. Instead, auditors assess ITGCs based on frameworks like COSO and COBIT, typically focusing on these key domains:
- Access Management — controlling who can access systems and data.
- Change Management — controlling changes to systems and applications.
- System Operations — monitoring, logging and incident management.
- Data Backup and Recovery — protecting data against loss.
- Logical Security — network security, encryption and vulnerability management.
- Segregation of Duties — preventing any single person from controlling all aspects of a process.
For each domain, we describe the product capability LiquidFiles provides. How you configure and operate these capabilities is part of your ICFR and is your responsibility.
Access Management
| Control Area | LiquidFiles Capability |
|---|---|
| User Provisioning and De-provisioning | LDAP/Active Directory integration for centralised user lifecycle management. Automatic group assignment based on LDAP group membership. Configurable user auto-expiration for inactive accounts. Local account management with admin-controlled creation and deletion. See LDAP Configuration. |
| Authentication | Configurable password policy (points-based with CrackLib dictionary validation, or custom regex). Password expiration. SAML2 SSO integration (Azure AD, Okta, ADFS). Two-factor authentication (TOTP, SMS, Duo Security) enforceable per group. Passwords hashed with bcrypt rather than stored in recoverable form. See Strong Authentication. |
| Privileged Access | Distinct Sysadmin, Admin and User roles. Admin web interface access can be restricted to specific network ranges. Sysadmin console (SSH) access can also be network-restricted. See Hardening — Admin Security. |
| Access Reviews | Admin interface provides user listing with last login dates, group memberships and access rights for periodic access review. LDAP integration ensures access reflects current directory state. |
Change Management
| Control Area | LiquidFiles Capability |
|---|---|
| Application Changes | All LiquidFiles releases are developed using TDD with automated tests. Code changes go through pull request review. GitHub Actions runs the full test suite and security scanners (Brakeman, RuboCop, ESLint) — builds cannot complete without passing all tests. Release branches maintained for each version with cherry-picked fixes. See Secure Development Practices. |
| Update Mechanism | Automatic updates enabled by default and run daily. All releases documented on the Release Notes page and announced via the mailing list. If your change management process requires changes to production systems to be approved before they are applied, disable automatic updates and apply releases manually through your normal approval and testing steps. |
| Separation of Environments | LiquidFiles maintains separate development, testing and production environments. The automated build process ensures only tested code is released. Your staging/test LiquidFiles environment is your responsibility to maintain. |
System Operations
| Control Area | LiquidFiles Capability |
|---|---|
| Logging and Audit Trails | All uploads, downloads, login activity (successful and failed) and admin activity are logged. System log available in Admin → System Log. Message log with configurable retention (default 365 days). Syslog forwarding for external retention and SIEM integration. See Logging and Auditing. |
| Malware Protection | ClamAV antivirus built in and enabled by default. Signatures updated every 2 hours. All uploaded files scanned. Custom scanning via Attachment Upload Actionscripts for additional AV or DLP integration. |
| Vulnerability Management | Automatic daily security updates. Ubuntu CVE database checking. Ubuntu Pro support for extended maintenance. LiquidFiles responds to reported vulnerabilities within 24–48 hours. See System Vulnerabilities. |
| Incident Detection | Brute force protection automatically detects and blocks suspicious login attempts. Syslog forwarding enables SIEM-based alerting. Comprehensive audit trail supports forensic investigation. See Brute Force Protection. |
Data Backup and Recovery
| Control Area | LiquidFiles Capability |
|---|---|
| Backup Mechanisms | Shared responsibility. LiquidFiles provides built-in backup and restore tools. The virtual appliance model supports VM-level snapshots. Your backup schedule, off-site storage and retention policies are your responsibility. |
| Disaster Recovery | Customer responsibility. LiquidFiles can be deployed on high-availability infrastructure. DR planning, testing and documentation are your responsibility. |
Logical Security
| Control Area | LiquidFiles Capability |
|---|---|
| Network Security | Built-in Netfilter firewall. Only necessary ports exposed: HTTP/HTTPS for the web interface, and SSH for the Sysadmin console, which can be restricted to specific network ranges. Internal services (PostgreSQL) not exposed on any TCP port. See Built-in Firewall. |
| Encryption in Transit | Nginx with TLS 1.2/1.3 only, AES-256 encryption with strong cipher suites. A+ rating on SSL Labs and SecurityHeaders.com. HSTS supported. See Web Server, SSL and Transmit Encryption. |
| Encryption at Rest | Full disk encryption (LUKS/AES-256) available. FIPS 140-3 mode available via Ubuntu Pro. Bcrypt password hashing. See FIPS Mode and Full Disk Encryption. |
| Security Testing | Regular external scanning with SSL Labs, SecurityHeaders.com, OWASP ZAP and OpenVAS. Customers encouraged to perform their own vulnerability assessments. See External Scanners. |
Segregation of Duties
| Control Area | LiquidFiles Capability |
|---|---|
| Role Separation | Distinct Sysadmin (system-level access), Admin (application management) and User (file transfer only) roles. Admin and Sysadmin access can be restricted to different network ranges. Group-based permissions control who can send to whom. |
| Audit Independence | All admin activity is logged and visible in the audit trail. Syslog forwarding allows logs to be stored on systems outside the control of LiquidFiles administrators, so that an administrator cannot alter or delete the record of their own actions, supporting independent review. |
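The Logging and Audit Trails, Incident Detection and Audit Independence rows above describe forwarding records to an independent log host. The following is an added example of the kind of review a control owner might run on that host; it is not LiquidFiles code. The line layout (ISO timestamp, host, a `liquidfiles:` tag, then `key=value` pairs), the event names (`login`, `admin_action`, `download`) and the sample records are all assumptions constructed for the example and must be adapted to the real forwarded format. It flags sources with clustered failed logins, lists administrator actions (including any administrator modifying their own account, a segregation-of-duties concern), and produces an inactive-account list for periodic access review.

```python
"""Review forwarded LiquidFiles-style syslog records on an independent log host.

Added example, not LiquidFiles code. The record layout and event names are
assumptions made for this example; adapt parse_records() to the real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input (not real log data). Lines are deliberately out of
# order to show that the parser sorts by timestamp.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z lf01 liquidfiles: event=login result=ok user=alice@example.com src=10.0.1.5
2024-03-01T08:00:05Z lf01 liquidfiles: event=login result=failed user=bob@example.com src=203.0.113.9
2024-03-01T08:00:09Z lf01 liquidfiles: event=login result=failed user=bob@example.com src=203.0.113.9
2024-03-01T08:00:14Z lf01 liquidfiles: event=login result=failed user=carol@example.com src=203.0.113.9
2024-03-01T08:00:20Z lf01 liquidfiles: event=login result=failed user=dave@example.com src=203.0.113.9
2024-03-01T08:00:27Z lf01 liquidfiles: event=login result=failed user=erin@example.com src=203.0.113.9
2024-03-01T08:05:00Z lf01 liquidfiles: event=login result=failed user=alice@example.com src=10.0.1.5
2024-03-01T09:09:00Z lf01 liquidfiles: event=login result=ok user=admin@example.com src=10.0.1.20
2024-03-01T09:10:00Z lf01 liquidfiles: event=admin_action user=admin@example.com action=user_create target=frank@example.com src=10.0.1.20
2024-03-01T09:12:00Z lf01 liquidfiles: event=admin_action user=admin@example.com action=group_change target=frank@example.com src=10.0.1.20
2024-03-01T09:13:00Z lf01 liquidfiles: event=admin_action user=admin@example.com action=group_change target=admin@example.com src=10.0.1.20
2024-03-01T10:00:00Z lf01 liquidfiles: event=download user=alice@example.com file=q4-ledger.xlsx src=10.0.1.5
2023-11-15T10:00:00Z lf01 liquidfiles: event=login result=ok user=bob@example.com src=10.0.1.6
"""

# Constructed account list (hypothetical), as exported from the admin user listing.
KNOWN_USERS = ["alice@example.com", "bob@example.com", "carol@example.com",
               "admin@example.com", "frank@example.com"]
AS_OF = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)

# Assumed syslog layout: "<timestamp> <host> liquidfiles: k=v k=v ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) liquidfiles: (?P<kv>.*)$")


def parse_records(text):
    """Parse forwarded lines into dicts, skipping lines from other programs."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["host"] = m.group("host")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def failed_login_sources(records, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> peak failed logins within any `window`, for sources at or above `threshold`."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("event") == "login" and r.get("result") == "failed":
            by_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in by_src.items():  # times are sorted because records are
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def admin_actions(records):
    """All administrator actions as (timestamp, admin, action, target) for reviewer sign-off."""
    return [(r["ts"], r["user"], r["action"], r.get("target"))
            for r in records if r.get("event") == "admin_action"]


def self_targeted_admin_actions(records):
    """Admin actions where the actor changed their own account (segregation-of-duties check)."""
    return [a for a in admin_actions(records) if a[1] == a[3]]


def inactive_accounts(records, known_users, as_of, max_idle=timedelta(days=90)):
    """Accounts with no successful login within `max_idle` of `as_of`, including never-logged-in ones."""
    last_ok = {}
    for r in records:
        if r.get("event") == "login" and r.get("result") == "ok":
            last_ok[r["user"]] = r["ts"]  # records are sorted, so the latest login wins
    return sorted(u for u in known_users if u not in last_ok or as_of - last_ok[u] > max_idle)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("brute-force sources:", failed_login_sources(recs))
    print("admin actions:", len(admin_actions(recs)))
    print("self-targeted admin actions:", self_targeted_admin_actions(recs))
    print("inactive accounts:", inactive_accounts(recs, KNOWN_USERS, AS_OF))
```

The sliding window matters for the brute-force check: five failures spread across a day are ordinary, while five in 22 seconds from one address are not, so counting per source over a bounded window rather than per user over the whole log avoids both missing password spraying (many users, one source) and alerting on normal typos. The inactive-account list treats "never logged in" the same as "stale", which is usually what an access reviewer wants to see.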
Customer Responsibility
SOX Section 404 compliance is fundamentally about your organisation's internal controls over financial reporting. The following areas are entirely your responsibility:
- ICFR scope and risk assessment — determining which systems are in scope for SOX, including whether LiquidFiles is used for financial data.
- Control documentation — documenting your controls, control owners and testing procedures.
- Configuration management — how you have configured LiquidFiles (we can describe capabilities, not your actual configuration).
- Operational procedures — access reviews, backup schedules, change approvals, incident response.
- Management assessment and auditor attestation — your annual Section 404(a) and 404(b) compliance process.
For more context on this distinction, see our Vendor Onboarding Forms page.
Download
A spreadsheet with the SOX ITGC control mapping for LiquidFiles is available for download.