Security Guide


FileOnion is built for firms that handle sensitive client documents. This guide is for firm users and administrators: it covers securing your own account, single sign-on, access control, audit logs, how client uploads are protected, and exporting your data.

Account security

Passwords

Change your password at any time:

  1. Go to Settings → Account and find the Account Security section.
  2. Enter your Current Password.
  3. Enter your New Password.
  4. Click Save Changes.

Tip

Use a long, unique password that you do not reuse on other services. A password manager makes this easy.

If you forget your password, click Reset password on the sign-in page. See Troubleshooting for the full reset flow.

Multi-factor authentication (MFA)

MFA adds a second sign-in step: a code from an authenticator app on your phone (such as Google Authenticator, Microsoft Authenticator, or 1Password). Each user enrolls from their own security settings, and administrator accounts may be prompted to enroll when they sign in.

To set up MFA:

  1. Go to Settings → Account → Account Security.
  2. Toggle on Multi-Factor Authentication (MFA). The configuration window opens.
  3. Scan the QR code with your authenticator app.
  4. Click Verify Configuration.
  5. Enter the verification code shown in your authenticator app.
  6. Click Verify, then Done to finish setup.

Checkpoint

On your next sign-in, FileOnion asks for a code from your authenticator app after you enter your password.

Lost your authenticator device?

Contact your firm's administrator, or email support@fileonion.com, to regain access to your account.

Single sign-on (Enterprise)

On the Enterprise plan, your team can sign in with your firm's identity provider instead of FileOnion passwords. FileOnion supports:

  • SAML 2.0 — works with any identity provider that speaks SAML 2.0, including Okta, Azure AD (Microsoft Entra ID), Google Workspace, and OneLogin.
  • OpenID Connect (OIDC) — for providers that use OIDC.

Setting up SSO

An administrator configures SSO from the Single Sign-On page in Settings:

  1. Choose the Provider Type: SAML 2.0 or OpenID Connect (OIDC).
  2. Enter a Provider Name (for example, "Okta" or "Azure AD").
  3. Enter the provider details:
    • For SAML: the Metadata URL where your identity provider publishes its SAML metadata.
    • For OIDC: the Issuer URL (the OpenID Connect discovery endpoint base URL), plus the Client ID and Client Secret. The secret is only required during initial setup.
  4. Add your firm's Email Domains (for example, yourfirm.com). Users with these email domains are prompted to use SSO on the sign-in page.
  5. Pick a Default Role for SSO Users — Member, Admin, or Guest.
  6. Optional settings:
    • Auto-provision users on first SSO login (JIT Provisioning) — creates a FileOnion account automatically the first time someone signs in through your identity provider.
    • Require SSO for all users — disables password sign-in for your organization.
  7. Click Save Configuration.

Checkpoint

The page shows "SSO is active and configured." Team members whose email domain matches now see a Sign in with SSO button on the sign-in page.

If the configuration has a problem, the page shows the error message so you can correct the settings. You can update the configuration later, or delete it — after deletion, users can no longer sign in with SSO.

Access control

Every person in FileOnion has a role that determines what they can do:

Role      What they can do
Owner     Full administration. The only role that manages billing.
Admin     Full administration, including access to all requests regardless of visibility settings.
Member    Day-to-day work. Access to restricted requests is governed by team membership, assignment, and sharing.
Guest     Read-only team user.
Client    External. Sees only their own requests through the client portal.

On Professional and Enterprise plans, you can go further with teams, per-request visibility (everyone, team only, private, or shared with specific people), and expiring share links. Files inherit the visibility of their request, so restricting a request also restricts its documents. See Teams & Sharing for the full guide.

On the Enterprise plan, permissions can be customized per role in Organization Settings → Roles & Permissions.

Audit logs

Audit logs are available on Professional and Enterprise plans. Owners and Admins can review them in Organization Settings → Audit Log.

FileOnion records security-relevant events across your organization, including:

  • Sign-ins, sign-outs, and SSO sign-ins
  • User lifecycle: created, updated, deleted, invited, and role changes
  • Team changes: created, updated, deleted, members added or removed
  • Request activity: creation, updates, assignments, visibility changes
  • Sharing: shares granted, revoked, and share links created
  • Document uploads and deletions
  • SSO configuration changes
  • Custom role changes
  • API keys created or revoked
  • Subscription changes and API requests

Each entry records the time, event type, who performed it (with their IP address), the affected resource, and the outcome. You can filter by event type and expand any row for full details.
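
One way to triage audit-log entries offline, as an added example that is not FileOnion's code: the key names, event-type strings and sample entries are assumptions, because this guide lists what each entry records but not the export schema. It flags a successful sign-in that follows repeated failures, and a sensitive change made from an IP address the actor has not signed in from.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event-type strings; the guide names the event categories only.
SENSITIVE = {"role_changed", "sso_config_updated", "api_key_created"}

def entry(time, event, actor, ip, resource, outcome="success"):
    """Build one entry with the fields the guide lists (key names are assumed)."""
    return {"time": time, "event": event, "actor": actor, "ip": ip,
            "resource": resource, "outcome": outcome}

# Constructed sample entries, not real FileOnion output.
SAMPLE = [
    entry("2024-05-01T09:00:00", "sign_in", "ana@yourfirm.com", "198.51.100.7", "session"),
    entry("2024-05-01T09:05:00", "role_changed", "ana@yourfirm.com", "198.51.100.7", "user:bo"),
    entry("2024-05-02T02:10:00", "sign_in", "bo@yourfirm.com", "203.0.113.50", "session", "failure"),
    entry("2024-05-02T02:11:00", "sign_in", "bo@yourfirm.com", "203.0.113.50", "session", "failure"),
    entry("2024-05-02T02:12:00", "sign_in", "bo@yourfirm.com", "203.0.113.50", "session", "failure"),
    entry("2024-05-02T02:13:00", "sign_in", "bo@yourfirm.com", "203.0.113.50", "session"),
    entry("2024-05-02T02:15:00", "api_key_created", "bo@yourfirm.com", "203.0.113.50", "api_key"),
    entry("2024-05-02T03:00:00", "sso_config_updated", "ana@yourfirm.com", "192.0.2.99", "sso"),
]

def triage(entries, window=timedelta(minutes=15), max_failures=3):
    """Return (rule, actor, ip, time) tuples for entries worth a manual look."""
    findings = []
    failures = defaultdict(list)  # actor -> times of failed sign-ins since last success
    known_ips = defaultdict(set)  # actor -> IPs that completed a sign-in
    for e in sorted(entries, key=lambda e: datetime.fromisoformat(e["time"])):
        t = datetime.fromisoformat(e["time"])
        actor, ip = e["actor"], e["ip"]
        if e["event"] == "sign_in" and e["outcome"] != "success":
            failures[actor].append(t)
        elif e["event"] == "sign_in":
            recent = [f for f in failures[actor] if t - f <= window]
            if len(recent) >= max_failures:
                findings.append(("success_after_failures", actor, ip, e["time"]))
            failures[actor].clear()
            known_ips[actor].add(ip)
        elif e["event"] in SENSITIVE and e["outcome"] == "success":
            # A sensitive change from an address with no prior sign-in by this actor.
            if ip not in known_ips[actor]:
                findings.append(("sensitive_from_unseen_ip", actor, ip, e["time"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Map the assumed keys and event names to whatever your audit-log data actually contains before relying on the results.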

How client uploads are secured

Clients never need a FileOnion account or password. When you send a request, your client receives a branded email or SMS with a magic link that opens their upload portal directly.

  • Scoped links. Each magic link is tied to that client and that request. It signs the client into their own portal view only — it does not grant access to anything else in your workspace.
  • Expiring links. Links expire, and an expired or invalid link cannot be used. You can resend a fresh link from the request at any time.
  • Secure links. For extra protection, you can send a secure link, which asks the client to enter a one-time verification code before the request opens.
  • Encryption. Files are encrypted in transit over HTTPS (TLS) and encrypted at rest with AES-256 server-side encryption.
  • Access-scoped downloads. Download URLs are only generated for users who have access to the file's parent request, and files inherit the request's visibility settings.

Data export (GDPR)

On Professional and Enterprise plans, Owners and Admins can export a full copy of the organization's data for compliance, portability, or migration. The export is generated as a JSON file — including your organization record, memberships, and audit logs — and delivered through a download link that stays valid for one hour. Go to Organization → Overview → Data Export (GDPR) and click Generate export, or trigger it through the REST API (POST /api/v2/data-export/trigger); see the API Overview.

To request deletion of personal data, contact support@fileonion.com.