Articles from blog category

Alternative to DWP EDI PGP Secure Email

Thu 09 July 2020 | email compliance

The Department for Work and Pensions (DWP) is the British government department responsible for welfare and pension policy.

DWP provides EDI (Electronic Data Interface) / EDT (Electronic Data Transfer) file exchange services with partners and service providers, including Social Housing Associations (HA), Local Authority or Local Council etc

Depending on you DWP service (lie JobCentre Plus, DWP Housing, DWP Child Care) you can chose between multiple file exchange methods/interfaces.

For example, if you are an Housing Association and need to exchange documents with DWP Housing for Universal Credit Creditors or Suppliers you have the following options:

  • EDI PGP Secure Email S/MIME
  • EDI Generic File Transfer Service (GFTS)

In this article we describe the the main benefit of using the EDI Generic File Transfer Service (GFTS) option with SFTPPlus as an Explicit FTP server over the PGP Secure Email (S/MIME) option.

Automated security

This is the main reason for using SFTPPlus. The transfer is fully automated preventing any human errors during day to day operations.

SFTPPlus will check the security of the connection and will abort on error. For example, man-in-the-middle attacks are automatically detected.

This is fully automated and there is no chance for a human to press an "Ignore errors" or "Continue anyway" button and process with a vulnerable connection.

Support and consultancy

With SFTPPlus you will get support and consultancy from a team of secure file transfer experts, with a long-term relationship with DWP.

We will help you design and implement the secure file exchange with DWP.

DWP Code of Connection (CoCo) guidance is provided on a current ‘as is’ basis. DWP will not comment on the implementations of the individual mail solutions used by external organisations with whom DWP corresponds.

We can help you understand the CoCo document and make sure the people from your organization will understand the requirements and security measurements.

We have worked together with DWP and its partners for more than 15 years. We helped DWP migrate from their legacy document service and we have an excellent understanding of legacy systems.

For example, we helped with the delivery and are currently supporting the Digital Children’s Platform (DOS 012) and the data exchange between DWP and the Scottish Government.

Automated file transfer

Just drag and drop or copy a file to a local directory and SFTPPlus will take care of the secure transfer.

On errors, like connection errors or remote servers not available due to a 10 minutes maintenance, SFTPPlus will automatically retry the delivery of the files.

If the remote service is unavailable for a long period of time, SFTPPlus can send an email notification to inform that the file was not sent.

You can then check your network connection and check with DWP to see why the service is not available.

Integration with external applications

SFTPPlus can interact and integrate with your existing business logic applications, like a data or a reporting tool.

Once a report is generated by your reporting tool, SFTPPlus will automatically pick that report and transfer it.

Data retention policy

The transferred files can be archived for a number of days.

If there was an error on the DWP-side, you can retransmit the file from the archive.

The archived files are also available to support any audit operation.

Archived files are automatically remove after a number of days, so that your archive size will not grow forever.

No external or 3rd party dependencies

You don't need to install extra PGP software,

No need to configure or modify the Windows Certificate Store.

No need for Outlook or other PGP enabled email clients.

Large file transfer

Your email server might have a limit to the size of an email message.

The majority of email servers will reject emails greater than 20MB.

Depending on the type of documents that you exchange, this might not be an issue, as you will always transfer smaller files.

Read more about securing SFTPPlus transfer options in our documentation page.

• • •

Endpoint FTPS and SFTP server for DWP GFTS

Tue 02 April 2019 | compliance

A red floppy disk.

The electronic data interchange (EDI) of the Department for Work and Pensions (DWP) in the United Kingdom can be done via the Generic File Transfer Service (GFTS) gateway.

This article is aimed at companies which need to exchange files and data with the DWP.

For example, as an housing association you will exchange documents with the DWP Housing to manage the Universal Credit payments and deductions.

These entities are referred by DWP as creditor server or endpoint FTPS server.

The GFTS options is not available to Local Authorities or Local Councils. E-Transfer system should be used instead.

In practice, this means that as a partner to DWP you will have to set up and host an Explicit FTPS server. DWP is operating an FTPS client and actively pushes data to you.

Electronic data interchange (EDI) is the concept of electronically communicating information that was traditionally communicated on paper, such as purchase orders and invoices.

Connection Security

The connection between your company and DWP is secured using certificate-based mutual TLS authentication (mTLS) (also referred to as two-way authentication). DWP will provide the SSL certificate used by their client, while your company will have to provide the SSL certificate used by your FTPS server.

With SFTPPlus you can use a certificate generated by any certificate authority (public or your private CA).

Integration with the Let's Encrypt Certificate Authority is provided via the HTTP-01 challenge. SFTPPlus can seamlessly obtain and use a certificate from the Let's Encrypt CA. The certificate is automatically renewed.

On top of the security provided by the TLS/SSL layer, username/password credentials are used to identify the requests from DWP.

SFTPPlus can support a multi-channel architecture, allowing you to use the same SFTPPlus server for exchanging files with multiple partners, not only with DWP.

Read more about securing FTPS server with SFTPPlus in our dedicated documentation page.

Client / Server Data Exchange

FTPS is an open standard file transfer protocol built on a client-server model architecture.

The client is the active component which controls when and what type of file transfer operation to perform. The client generates an authenticated connection to the server and asks the server to push or pull files. DWP will act as a client.

The server is the reactive component which controls who can perform file transfer operations and what kind of file operations are allowed. The server stays idle and only becomes active once it receives a connection from the client. Your system will act as a server.

Once the data is pushed by DWP, it will reside as files on your system. From there it will be further processed and consumed by your business system.

ProAtria DWP Expertise

ProAtria, the developer of SFTPPlus, is a long-term partner for the projects deployed at DWP. We have helped with the migration from insecure FTP to Explicit and Implicit FTPS systems and with the migration from legacy Solaris-based systems to a modern Linux-based cloud infrastructure.

We can help you understand the Code of Connection (CoCo) document and make sure the people from your organization will understand the requirements and security measurements.

We are involved in the delivery and maintenance of the Digital Children’s Platform (DOS 012) and the data exchange between DWP and the Scottish Government.

We offer broad expertise into the data exchange with DWP and DVLA. Our customers benefit of help and consultancy for their DWP and DVLA related projects without any additional cost.

A server rack.

Evaluating SFTPPlus MFT

The features listed in this article are just a selected few out of many integration and configuration options that are available today. Feel free to talk to the Support team about your requirements with file transfer software.

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, AS2, HTTP, and HTTPS.

SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux, and macOS.

It is also available on the cloud as Docker containers, AWS or Azure instances and many other cloud providers.

Request a trial using the form below.

• • •

Faster GDPR compliance with SFTPPlus MFT

Fri 24 November 2017 | press blog

As of April 2016, the European Parliament and Council adopted a new legislation that will replace, in May 2018, the old personal data protection law for European Union (EU) and European Economic Area (EAA) residents. The new regulation is called The General Data Protection Regulation (GDPR).

The purpose of the new legislation is to protect the personal data of the EU and EAA residents by imposing rules to the organizations which hold or process the data within or outside of Europe. The companies from the United Kingdom are also affected (even after the Brexit). In case of a breach, the sanctions include warnings and can lead to high fines.

The SFTPPlus team offers services to the clients from the EU, EAA and the rest of the world. In this article, we would like to share and clarify how the new legislation can affect the file transfer operations in a company and how SFTPPlus MFT helps our customers comply with the regulations.


General Data Protection Regulation and File Transfers

To start, the key areas described in the regulation and affecting the data transfer operations inside an organization include:

  • Data portability and how open standards are required to achieve compliance.
  • Data protection, storage and the encryption at rest of the data.
  • Authentication and data access control, and the purpose of audit logging.

Let's review step-by-step the list above and outline how exactly SFTPPlus MFT Client and Server addresses the technical areas of GDPR compliance.

Data Portability

Article 20 GDPR covers data portability concerns and the importance of access to one's own data. File transfer technology should not imply any limitations or requirements on the format of data or the access to services providing such data.

SFTPPlus MFT was designed to address the data portability concerns. Our product uses open and standard file transfer protocols like SFTP, FTPS, and HTTP(S). All the data sent over a connection using these protocols is first encrypted using public and private cryptographic keys. The security layer is taking care of all the communication exchanged between your computer and SFTPPlus.

The open and standard technology respects the GDPR requirements and guarantees long-term support and consistent integration with the existing infrastructure. Using the SFTPPlus MFT web interface one can enable or disable multiple services within the same installation where the end-users benefit from user-friendly web portal for downloading and uploading files directly from their browsers or mobile phones.

Data Protection and Security of Processing

The data protection by design and by default is described in the Article 25 and the security of processing of the personal data is part of the Article 32. The two outline procedures for secure storage and secure access to personal data for processing at a later stage.

By using the SFTPPlus managed file transfer Client and Server organizations can automate the distribution and the synchronization of the data with full encryption support. For a better data protection in the age of cloud services, SFTPPlus can be configured to encrypt the data using local encryption keys before sending it remotely, just as described in the ENISA report (Privacy and Data Protection by Design).

The SFTPPlus MFT pre- and post-processing functionality and the external program execution support are particularly relevant here. These two simplify and make the deployments much easier for complex operations like the decryption of the data before the transfer and the encryption of the data after the transfer. It also works with both, the custom encryption/decryption solutions and the standard GPG tools.


General Data Protection Regulation also addresses the audit and reporting concerns. The Article 30 does not refer directly to the transfer of the data, but it focuses on the tracking and the maintenance of persistent data operations activity log. This information can be required by the supervisory authority on request and is a GDPR requirement.

We cover the audit logging and reporting requirements in the SFTPPlus MFT. Our product integrates with the MySQL and SQLite databases to provide custom filtering, export, and integration with external reporting tools. The web-based administration panel offers a simple and user-friendly interface to browse the logs, which is essential for the internal research in case of an incident.

The authentication and the data access control are also easier with our product. SFTPPlus provides multiple authentication methods, from virtual users to system accounts and remote account databases like LDAP.


At first, the General Data Protection Regulation might look intimidating and complex to understand, but with more than 10 years in the secure managed file transfer services, we are ready to help!

Our clients work with personal data on a daily basis and use our products in various industries: government agencies, the financial sector, healthcare and other PHI processing organizations. And while we know we can not change the compliance process, we are confident we can speed up the process for your organization by using our technology.

Try SFTPPlus MFT and reach faster GDPR compliance now!
• • •