M-Files Document Management System

M-Files provides a next-generation intelligent information management platform that improves business performance by helping people find and use information more effectively. Unlike traditional enterprise content management (ECM) systems, M-Files unifies systems, data and content across the organization without disturbing existing systems and processes or requiring data migration.


  • Metadata Driven Document Management
  • Mobile and Offline Access
  • Advanced Permissions Management Tool
  • Intelligent document classification
  • Fast comprehensive search
  • Integrated Automatic Process Management Tool
  • Open API's
  • Automatic version history
  • Supports all applications and file types
  • Option for self hosted private cloud


  • Manage Content based on What it is rather than Where
  • Find information via virtual views, no more folder structures
  • Access content in any location from a single view
  • Integrate with any line of business application with ease
  • Deploy on your own Cloud service provider
  • Control permissions to a granular level
  • Full audit trail of all actions within the solution.


£10 per person per month

Service documents

G-Cloud 9



Jason Arundel

03300 889569


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints There are no known constraints that affect the service
System requirements
  • Windows client requires a Windows OS installed on client device
  • Mobile applications will run on IOS, Android and windows
  • Recommended Web Browser - Chrome, IE, Firefox, Safari, MS Edge

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Automatic acknowledgement of support ticket and initial response in 5 business hours for severity 1 issues. Workaround or fix provided within 1 business day.
Standard Hours support provided from 09:00 - 17:00 Mon - Friday

24x7 support provides an initial response within 4 hours and fix/work around within 16 hours.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels M-Files shall provide Support and Problem Resolution services concerning:
• Installation, including installation of administration tools
• Troubleshooting of a software program
• Cases where the software is not functioning as documented

Standard support and maintenance is provided as part of the M-Files software/service subscription. Standard support is provided during office hours 09:00 - 17:00 Monday to Friday.

24x7 support option is available which not only provides support access 365 day per year 24 hours per day but improves initial response and workaround times.

24x7 support is price as 7% of the total subscription value.

Technical Account manager (TAM) is available, TAM's are priced using the M-Files professional services rate card. Required hours provided through the TAM will be discussed and agreed on a case by case basis.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started M-Files has been designed to look and feel like a windows environment, meaning the solution is intuitive and easy to navigate. The majority of users will be able to start using M-Files effectively within around 30 minutes. Additionally M-Files provides learning resources in the form of online video's and documentation which allow users to refresh or learn specific M-Files functionality on the go.

M-Files academy provides organisations and individuals with a structured training program. The range of courses are designed to cover all levels of M-Files experience from beginner through to developer.

M-Files training can be delivered through as an on-line self-paced e-learning programme - virtual classroom or on-site dedicated training class.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction M-Files provides an export function that allows organisations to simply export data to a desired location.
End-of-contract process Organisations wishing to end their M-Files service agreement will need to notify M-Files of their intent to end the service in accordance with the service terms and conditions. Ending the services contract is a simple process, organisations export their data to the desired location using the export feature provided with the service, once complete the customer notifies M-Files who will switch of the service. M-Files and the customer will agree at which point any remaining data should be deleted. Data deletion will be performed in accordance with the MS Azure data sanitation process. If additional time/service is required by the customer beyond the intended contract close date, M-Files can extend the service in quarterly increments.

If assistance is required, such as exporting data in a certain way in readiness for the new solution, the Professional Services to assist with data export are not included as part of the service and will need to be purchased separately.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Windows
  • Windows Phone
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Users are able to access, manage control information and business processes through their mobile device in the same way as they would through the desktop application. Users can access the solution via a browser on their mobile device or simply download one of the native applications for iOS, Android or Windows.
Accessibility standards None or don’t know
Description of accessibility M-Files Provides Tooltips on a metadata and non-text content.

Colour scheme are defined to provide high contrast maximise ease of readability.

Zooming features are provided within the UI enabling the enlargement of key information such as listings, metadata descriptions, content preview etc.

Keyboard use and shortcuts are widely available.
Accessibility testing M-Files has been designed/developed using best practise. Therefore any assistive technology designed to meet the European standards should integrate well with M-Files.
What users can and can't do using the API M-Files includes an ActiveX/COM API. Supported languages include VB.NET, C#, Visual Basic, VBScript, and C++. Additionally, M-Files includes the M-Files Web Service API that allows programmatic access to M-Files through a REST-like interface.

M-Files API is included as part of the installation of the M-Files software. The ActiveX/COM API documentation is available as an online version and as a Microsoft HTML Help (CHM) file. For viewing the CHM file.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available No


Independence of resources The M-FIles service as a public offering is a multi tenanted environment provided through Microsoft Azure. The Azure platform provides a sophisticated performance monitoring capability that ensure the load placed on the Azure platform is balanced to optimum levels.
For organisations that demand more aggressive service levels, the option of a dedicated cloud service is provided which is optimised specifically for the individual customer and user volumes.


Service usage metrics Yes
Metrics types Performance Testing
Data storage
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach M-Files provides and Export and archive data feature that allows organisation to export or archive specific data to a desired location. This function is typically performed by a systems administrator or M-Files power user.
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • Native file format
Data import formats
  • CSV
  • Other
Other data import formats
  • XML
  • Excel
  • Native File Format

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability M-Files aims to provide 99% up-time However, to provide high-quality service, out side of the target up-time schedule maintenance may affect the availability of the Service.
1) Monthly maintenance
The Service Provider may carry out maintenance for servers on the third Sunday of the month, between 10am and 4pm UTC on servers in Europe. The maintenance tasks mentioned above may have an effect on the availability of the Service. Additionally, automatic scheduled database optimisation tasks are performed once a week. These tasks are started every Sunday and the starting time in Europe: 12 midnight – 2am UTC
Automatic database optimisation tasks may affect the availability of the service.
The Service Provider will not separately inform You about the aforementioned maintenance tasks or of the possible effects on availability at these times.

If the Service Provider repeatedly fails to meet the service levels and this causes disadvantages to Your business operations, You will receive a 15% reduction in the following month’s fee for the Service. To receive this compensation, You must notify the Service Provider in writing of this and briefly describe the failures and the resulting disadvantages.
The above is subject to the support agreement and service SLA
Approach to resilience M-Files Cloud is optimised for high availability. All components are duplicated to avoid service outages caused by events such as hardware failure etc.
There are three main components that make up the solution:
Application server, Databases and File storage:
- Application servers (M-Files Server) are duplicated across data centres.
- Databases are replicated in triplicate.
- Each file store is replicated six times; three times in the primary data centre and three times in the secondary data centre.
The cloud architecture is designed with resilience in mind and differs considerably from a standard M-Files installation which typically consists of one or two Windows servers.

Additional information can be provided upon request.
Outage reporting M-Files uses E-mail alerts as standard for service reports such as outages. API and dashboard can also be made available for reporting purposes.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Named users have access to management interfaces and support channels, these are controlled through access permissions. !!!!!!!
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Inspecta
ISO/IEC 27001 accreditation date 21/2/17
What the ISO/IEC 27001 doesn’t cover N/A
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes M-Files has ISO 27001:2013 certified Cloud Operations. Organisational security is fully documented and lead by Head of Quality and Security, steered by cross-functional Security Team. Head of Quality and Security reports directly to the CEO. Policy compliance is ensured via ISO 9001:2015 certified learning and training management system with internal audits and internal and external security checks.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach The processes are designed to include change management via system built controls, such as ticket systems and change logs. Authorisation levels are determined by the critical level of the change and system and recorded appropriately. Security impact is part of the change request and also authorisation.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Vulnerability management process follows ISO 29147 with internal system to report, evaluate and trace the vulnerabilities and their fixes. Threats are identified via risk management, system development, testing and internal use which are collected via ISO 29147 compliant process. Patches are deployed with their critical importance in mind, within 24 hours for most critical. External threat landscape monitoring contains several sources, such as CERT-UK, CERT-US, CERT-FI, commercial companies, partners in military and defence industry and daily newsletters.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Monitoring is based on technical abilities, logs and alerts systems as well as daily human monitoring of the critical assets. Potential incidents are investigated and reported via ISO 27001:2013 certified incident management system with a defined protocol. Response includes containment, isolation, block and reduction methods, followed with restoration and remediation as needed. Finally the investigation loops back to preventive measures. Response depends on the incident, but may be within minutes.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach M-Files Incident management process is defined and certified with ISO 27001:2013 certification. It includes templates for most common and probable incident types. All users are instructed to report all incidents to the IT / Security team or any member of the global Security Team by any means available. Incident reports are created annually to reflect the reporting period and communicated to management and security critical partners.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £10 per person per month
Discount for educational organisations No
Free trial available Yes
Description of free trial M-Files provides a fully functional 30 day trial. The Trial is available to download.
Link to free trial https://www.m-files.com/en/try-free-m-files


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑