
Hosted~FTP~ GDPR compliance includes the technology and operational processes as well as the legal framework required with a signed DPA. The signed DPA, as noted below, is available with our Enterprise T5 bundles and above.
As part of our compliance profile under the General Data Protection Regulation (GDPR), Hosted~FTP~ ensures that any personal data stored in the U.S. is transferred and processed lawfully and that all appropriate technical safeguards (e.g., encryption, access control) are in place to secure personal data. We do not collect or process private or personal information. We provide file transfer/storage services and ensure that all files are transmitted and stored with the most secure data security model available, one that addresses all the privacy concerns of the GDPR. To be fully GDPR compliant we also provide the following:
- Signed Data Processing Agreement (DPA):
  - This agreement outlines the scope, purpose, and security measures involved in processing EU personal data.
  - It includes terms ensuring compliance with GDPR, including data subject rights, data breach notifications, and management of sub-processors.
- Standard Contractual Clauses (SCCs) or participation in the EU-U.S. Data Privacy Framework (DPF):
  - We confirm that SCCs are included in our agreements.
  - SCCs alone (with a signed DPA) are sufficient for GDPR-compliant data transfers in lieu of DPF certification.
“The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. (see link) ”
Hosted~FTP~ Data Protection
Hosted~FTP~ implements measures that meet the necessary principles of data protection. We ensure that a very high level of data protection is designed into our file transfer and storage business processes. This includes encrypting all metadata, i.e., one significant step beyond the pseudonymisation of personal-data identifying fields prescribed by the GDPR guidelines.
In transit
For transfers by web browsers:
- Our website is secured by HTTPS with AES 256-bit encryption (certified by the US government for top secret information).
For transfers by FTP (i.e. FTP client programs, scripts, etc.):
- We support FTPS (FTP over TLS/SSL) with AES 256-bit encryption and SFTP (see this link for a further description of the FTPS and SFTP protocols) with PKI or username/password authentication.
On Arrival
Hosted~FTP~ encrypts the data as soon as it arrives at the Hosted~FTP~ Amazon cloud location and before any processing takes place, so that the data is never unprotected. This covers all data, credentials, file names and folder names; a process that is unique to Hosted~FTP~.
At rest
The encrypted files are then securely uploaded by HTTPS to Amazon S3 cloud storage, where Amazon encrypts the files a second time before they are stored.
Server Port Lock-down and File Integrity
Port lock-down
All Hosted~FTP~ servers are locked down completely except for the ports required to serve HTTP, HTTPS, FTP, and FTPS.
File Integrity (chain of custody)
All files are fingerprinted with an MD5 hash that is stored with reference to the file. When the file (data) is retrieved, the MD5 hash is recomputed and compared against the stored original to establish that there has been no tampering.
Please see this link for our security model.
Considerations
For GDPR compliance, storing data in the EU can be the better option because:
- It avoids the complexities of cross-border transfers.
- It aligns with customer expectations in Europe.
- It minimizes legal risks associated with government access and conflicting regulations.
However, if you need to store, or are already storing, data in the U.S., ensure that:
- You have SCCs or DPF certification in place.
- You implement strong technical measures (such as the Hosted~FTP~ security model and encryption) to reduce risks.
Please contact us at support@hostedftp.com if you have any questions or need assistance regarding our GDPR compliance.