By Yair Knijn · April 22, 2025
Why 'we use SFTP' is the answer that lost your team the regulated deal
Your vendor-risk lead opens the file-transfer section of a buyer's security questionnaire and types one sentence: we encrypt files in transit using SFTP. It reads as finished. The protocol is named, encryption is named, the field is filled. Two weeks later the thread goes cold, and nobody on your side traces the silence back to that line.
The damage is a quiet conflation. "We use SFTP" names a transport. The buyer was asking whether you run a managed, auditable file-transfer capability. Those are different claims, and the reviewer scoring the answer tells them apart far better than the person who wrote it.
What the vendor-risk team actually reads
Regulated buyers do not mine your questionnaire for facts. They mine it for maturity signals, and a one-line protocol answer is a tell. The logging and file-transfer sections of a SIG-style questionnaire are not checking whether the channel is encrypted. They take that as given. They want to know who can see a transfer, who approved a partner, and whether you can reconstruct what moved last quarter.
So "we use SFTP" registers as the absence of everything they came to find. Nothing on audit trail, nothing on access control, nothing on what happens when a transfer dies at 2am. The reviewer does not decide you are insecure. They decide you have not thought about it, which is worse, because their entire job is to shrink the pile of third parties that need a closer look. You just sorted yourself into it.
The controls a flat answer leaves out
SFTP encrypts and integrity-protects bytes on the wire and authenticates the two endpoints. It says nothing about the governance the questionnaire exists to surface. A bare answer silently drops:
- Per-transfer audit trail: who sent what, to which partner, when, and whether it completed, held as immutable evidence rather than a syslog you rotate away.
- Tenant isolation: proof that one customer's files and credentials cannot reach another's, which a shared /inbound directory does not give you.
- Protocol breadth: AS2 with signed MDNs for non-repudiation, or HTTPS APIs, because a buyer who mandates RFC 4130 reads "SFTP only" as a hard gap.
- Key lifecycle: rotation, revocation, and an approval step for every partner credential, not a static key pasted into a config two years ago.
Each gap becomes a follow-up question in the reviewer's head. Stack enough of them and the follow-up never comes. What comes instead is a short note that they have decided to move forward with another vendor.
Answer with evidence, not transport
Stop leading with the tunnel and lead with the trail. The strong version of the same sentence: every transfer is logged with sender, recipient, payload hash, and disposition; logs are immutable and exportable for audit; partner access is scoped per customer; we support SFTP, AS2, and HTTPS depending on the integration. Identical SFTP underneath. A completely different read on maturity.
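The sentence above names the properties (a per-transfer record with sender, recipient, payload hash and disposition; immutable; exportable) without showing what backs them. One way to make such a trail tamper-evident is to hash-chain the records, so that editing or deleting any entry breaks every later link and the export can be checked by the auditor who receives it. The block below is an added illustration written for this article; it is not xEvolve's implementation or any vendor's code, and the transfers, partner names, timestamps and payloads in it are constructed. A hash chain alone only proves integrity relative to its head, so a real deployment would also anchor the latest record hash somewhere the writer cannot rewrite (WORM storage, a signed periodic digest) rather than trusting the chain by itself.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Link value for the first record; an empty chain has no predecessor.
GENESIS_HASH = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(d: dict) -> bytes:
    """Deterministic serialization so writer and verifier hash identical bytes."""
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()

@dataclass
class TransferRecord:
    transfer_id: str
    sender: str
    recipient: str          # partner / tenant the file was delivered to
    protocol: str           # SFTP, AS2 or HTTPS
    payload_sha256: str     # hash of the file, never the file itself
    disposition: str        # COMPLETED, FAILED, REJECTED ...
    timestamp: str          # ISO 8601, UTC
    prev_hash: str          # record_hash of the previous record (the chain link)
    record_hash: str = ""   # sha256 over every field above

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("record_hash")
        return sha256_hex(canonical(body))

class AuditTrail:
    def __init__(self) -> None:
        self.records: List[TransferRecord] = []

    def append(self, transfer_id: str, sender: str, recipient: str,
               protocol: str, payload: bytes, disposition: str,
               timestamp: str) -> TransferRecord:
        prev = self.records[-1].record_hash if self.records else GENESIS_HASH
        rec = TransferRecord(transfer_id, sender, recipient, protocol,
                             sha256_hex(payload), disposition, timestamp, prev)
        rec.record_hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def export(self) -> str:
        """Newline-delimited JSON, the form handed to an auditor."""
        return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in self.records)

def verify_export(ndjson: str) -> Optional[int]:
    """Return None if the exported chain is intact, else the index of the first
    record whose content or link to its predecessor does not check out."""
    prev = GENESIS_HASH
    for i, line in enumerate(ndjson.splitlines()):
        body = json.loads(line)
        claimed = body.pop("record_hash")
        if body["prev_hash"] != prev or sha256_hex(canonical(body)) != claimed:
            return i
        prev = claimed
    return None

def build_sample_trail() -> AuditTrail:
    """Constructed sample transfers; every name, time and payload is made up."""
    trail = AuditTrail()
    trail.append("t-1001", "acme-corp", "bank-partner", "SFTP",
                 b"claims batch 2025-03-31", "COMPLETED", "2025-03-31T23:10:04Z")
    trail.append("t-1002", "acme-corp", "bank-partner", "AS2",
                 b"remittance advice", "FAILED", "2025-04-01T02:00:17Z")
    trail.append("t-1003", "acme-corp", "clinic-partner", "HTTPS",
                 b"eligibility file", "COMPLETED", "2025-04-01T09:42:51Z")
    return trail

def edited_record_demo() -> Optional[int]:
    """Quietly flip the failed transfer to COMPLETED in the export; the
    stored record_hash no longer matches, so the verifier points at index 1."""
    lines = build_sample_trail().export().splitlines()
    body = json.loads(lines[1])
    body["disposition"] = "COMPLETED"
    lines[1] = json.dumps(body, sort_keys=True)
    return verify_export("\n".join(lines))

def deleted_record_demo() -> Optional[int]:
    """Drop the failed transfer entirely; the next record's prev_hash no longer
    matches its new predecessor, so the gap is detected at index 1."""
    lines = build_sample_trail().export().splitlines()
    del lines[1]
    return verify_export("\n".join(lines))

def transfers_to(ndjson: str, recipient: str) -> List[str]:
    """Reconstruct what moved to one partner straight from the exported trail."""
    rows = [json.loads(line) for line in ndjson.splitlines()]
    return [r["transfer_id"] for r in rows if r["recipient"] == recipient]
```

The verifier needs nothing but the export itself, which is the point: the reviewer asking "what moved last quarter" can be given the file and the check, and a failed transfer at 2am stays in the record as FAILED because rewriting it to COMPLETED is what the chain exposes.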
The pivot is from "what protocol do you use" to "what can you prove happened." A regulated buyer forgives a shorter protocol list well before a transfer you cannot reconstruct.
The section is scoring maturity, not transport
Treat the file-transfer questions as a maturity probe in technical costume. Encryption was settled before you typed a word. What gets scored is whether file movement is a governed, observable function in your shop or a folder people drop things into. A flat SFTP answer tells them which, and it tells them in round one, before a human at the buyer has spent a minute on whether your product is any good.
That is why this answer sits upstream of the demo. Win or lose, the questionnaire decides whether you ever reach the people who would like what you built. In xEvolve, SFTP, AS2, and HTTPS run inside one customer Environment with a single immutable audit trail across all three, so the honest answer to that section is also the strong one. The full protocol and logging story lives under /security.