How Foldr handles authentication, encryption, hosting and audit. No marketing-speak, no hand-waving about “enterprise-grade” anything. If your procurement team needs more, we’ll work through your questionnaire.
SSO via SAML 2.0, Microsoft Entra ID, ADFS, Active Directory, Google Workspace, Kerberos and LDAP. Local accounts supported where you need them. Password policies, expiry and history all configurable.
TOTP authenticator apps, Duo push, and FIDO2/WebAuthn passkeys. Per-device approval for sensitive shares. Sudo re-prompt on admin actions. Optional self-service password reset via verified email or SMS.
Every connection between users, Foldr, and your storage backends is encrypted in transit (TLS 1.2+). On SaaS, traffic between Foldr and customers terminates at the edge with TLS; cluster-internal traffic runs on the private network with Kubernetes NetworkPolicy segmentation. On appliance deployments, run Foldr behind your own VLAN or reverse proxy.
Foldr connects to SMB, S3, Azure, OneDrive and the rest in place; the original files never move into our database, and by default no file content lives on Foldr’s side. Search, previews and OCR are opt-in per share or tenant; when they’re on, the derived output (extracted text, rendered thumbnails, OCR JSON) is held server-side, encrypted at rest by the underlying service on SaaS, or on infrastructure you control on an appliance. The Trust Centre lists it explicitly.
Foldr SaaS runs on UK and EU infrastructure for compute and customer data. A small number of operational services (telemetry, default AI inference, support tooling) sit outside the UK/EU; the Trust Centre has the full residency table.
Linux appliance you install in your own datacentre, hypervisor or cloud account. Air-gapped installs supported. Same Foldr Next UI as the SaaS, no internet dependency to operate.
Every file open, share, edit, delete, link creation and permission change is recorded against the user. Retained per your policy. Downloadable as CSV from admin Settings.
Foldr surfaces version history from the underlying storage backend where it’s available, so the audit trail isn’t a duplicate of what’s already there.
Per-user access tokens with explicit scopes and expiry. Programmatic access is attributable to the issuing user; the small number of platform-level system actions (e.g. background crawls) are logged separately.
Per-share or per-user IP allowlist and blocklist. Combine with per-device approval for sensitive estates.
Your files stay in your storage; you control retention, residency, and rights handling. We follow standard secure development practices and commission a third-party penetration test annually. We don’t list specific external certifications on this page because we’d rather work through your procurement questionnaire honestly than paste a logo soup. Get in touch and we’ll send you what you need.