SFTPGo provides a comprehensive set of security capabilities that can help organizations meet the requirements of regulatory frameworks such as HIPAA, GDPR, SOC 2, PCI DSS, and DORA. This page maps SFTPGo features to common compliance areas.
## Encryption

| Requirement | SFTPGo capability |
| --- | --- |
| Encryption in transit | All supported protocols use encrypted transport: SFTP over SSH, FTP with explicit/implicit TLS, WebDAV over HTTPS, and the WebClient over HTTPS. Cipher suites and TLS versions are configurable. Post-quantum hybrid key exchange is available for both SSH (mlkem768x25519-sha256) and TLS 1.3 (X25519MLKEM768), providing protection against future quantum computing threats while maintaining backward compatibility with existing clients. |
| Encryption at rest | Data At Rest Encryption (CryptFs) provides transparent AES-256-GCM encryption on the local filesystem. Cloud backends (S3, Azure Blob, GCS) support server-side encryption. |
| Key management | Encryption keys can be managed locally or through cloud KMS providers (AWS KMS, Azure Key Vault, Google Cloud KMS, HashiCorp Vault, Oracle Key Vault). See KMS. |
## Audit logging

| Requirement | SFTPGo capability |
| --- | --- |
| Activity tracking | All file operations (upload, download, delete, rename, copy, mkdir, rmdir) and SSH commands are logged with timestamp, username, client IP, protocol, file path, and status. |
| Administrative audit trail | All changes to users, groups, admins, event rules, shares, and other configuration objects are logged with the identity of who made the change. |
| Authentication logging | Successful and failed login attempts are logged, including the authentication method and client IP. |
| Searchable audit logs | The Audit Logs plugin stores events in PostgreSQL, MySQL, or SQLite with a searchable UI in WebAdmin and export capabilities. |
| Log forwarding | Events can be forwarded in real time to external systems via the Pub/Sub plugin (supports Amazon SNS/SQS, Azure Service Bus, Google Cloud Pub/Sub, RabbitMQ, NATS, Kafka). |
## Access controls

| Requirement | SFTPGo capability |
| --- | --- |
| Authentication | Password, SSH public key, TLS client certificate, keyboard-interactive, and multi-step authentication (e.g., public key + password). OpenID Connect integration with Microsoft Entra ID, Google, Okta, Auth0, Keycloak, and others. LDAP/Active Directory authentication with group mapping. |
| Least privilege | Granular per-user and per-directory permissions (list, download, upload, overwrite, delete, create directories, rename, symlink, chmod). Users are restricted to their home directory. |
| Role-based access | Groups for policy inheritance, Roles for delegated administration. |
| IP-based restrictions | Per-user and global IP allow/deny lists. GeoIP filtering by country. Access time restrictions per user. |
| Password policies | Configurable password strength requirements (entropy, length, character classes) at the global or group level. Automatic password expiration with configurable thresholds. |
## Threat protection

| Requirement | SFTPGo capability |
| --- | --- |
| Brute-force protection | Built-in defender with configurable scoring and automatic IP banning. |
| Rate limiting | Per-protocol and per-IP rate limiting with defender integration. |
| Antivirus / DLP | ICAP integration for scanning uploaded files with antivirus and data loss prevention systems. Quarantine support via virtual folders. |
| Secure file sharing | Public shares with password protection, email-based authentication, expiration, download limits, and IP restrictions. Administrators can enforce share policies and restrict shareable paths via groups. |
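As an added example (not SFTPGo's own code), the script below shows the kind of review an auditor can run over the structured JSON logs described in the audit logging and threat protection sections: it counts failed logins per client IP inside an observation window (the same idea the built-in defender applies) and summarises file operations per user. The log lines are constructed for this example, and the field names (time, sender, username, ip, operation, message) are assumptions rather than a verified copy of SFTPGo's log schema.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of a JSON-lines log. Field names are
# assumed for this example, not taken from the real SFTPGo log schema.
SAMPLE_LOG = """\
{"level":"debug","time":"2024-05-01T10:00:01Z","sender":"sftpd","username":"alice","ip":"203.0.113.5","protocol":"SFTP","message":"login failed"}
{"level":"debug","time":"2024-05-01T10:00:02Z","sender":"sftpd","username":"root","ip":"203.0.113.5","protocol":"SFTP","message":"login failed"}
{"level":"debug","time":"2024-05-01T10:00:03Z","sender":"sftpd","username":"admin","ip":"203.0.113.5","protocol":"SFTP","message":"login failed"}
{"level":"info","time":"2024-05-01T10:00:10Z","sender":"transfer","username":"bob","ip":"198.51.100.7","protocol":"SFTP","operation":"upload","path":"/reports/q1.csv","message":"ok"}
{"level":"info","time":"2024-05-01T10:00:12Z","sender":"transfer","username":"bob","ip":"198.51.100.7","protocol":"SFTP","operation":"delete","path":"/reports/old.csv","message":"ok"}
{"level":"debug","time":"2024-05-01T10:30:00Z","sender":"sftpd","username":"alice","ip":"192.0.2.9","protocol":"FTP","message":"login failed"}
"""


def parse_events(text):
    """Parse JSON-lines log text, attaching a datetime to each event."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def flag_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: max failed logins seen within one window} for IPs that
    reach the threshold; a single failure elsewhere is not reported."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("message") == "login failed":
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window from each failure
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


def operations_by_user(events):
    """Summarise file operations per user, the view an auditor asks for."""
    summary = defaultdict(Counter)
    for ev in events:
        if ev.get("sender") == "transfer" and "operation" in ev:
            summary[ev["username"]][ev["operation"]] += 1
    return {user: dict(ops) for user, ops in summary.items()}
```

Feed the functions the real log file instead of SAMPLE_LOG to produce the same two views over production data.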
## Data governance

| Requirement | SFTPGo capability |
| --- | --- |
| Data retention | Automated retention policies with per-directory rules. Expired files can be deleted or archived. |
| Data isolation | Per-user home directories with strict filesystem isolation. Virtual folders with independent quotas. |
| Quota management | Per-user and per-folder quotas (total size and/or file count). Bandwidth throttling with separate upload/download limits. |
| Automated workflows | Event Manager for automated responses to file operations: copy, compress, encrypt (PGP), notify, and more. |
## Infrastructure

| Requirement | SFTPGo capability |
| --- | --- |
| High availability | Multi-node clustering with near real-time configuration propagation. |
| Monitoring | Prometheus metrics for alerting and dashboards, including per-user transfer metrics. Structured JSON logs for integration with log management systems. |
| Infrastructure as Code | Terraform provider for declarative management of users, groups, folders, and event rules. REST API with JWT and API key authentication. |
The features listed above describe the technical capabilities available in SFTPGo. Achieving compliance with any specific framework depends on how the software is configured and operated within your environment. For SFTPGo's managed SaaS offering, infrastructure-level controls are managed by SFTPGo.