At SafeSFTP.com, operated by Dane Commercial Services Ltd, we recognise the importance of protecting sensitive health data and complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Our services are designed to support HIPAA-regulated entities, provided that a signed Business Associate Agreement (BAA) is in place. This policy outlines how SafeSFTP ensures the confidentiality, integrity, and availability of electronic protected health information (ePHI), in accordance with the HIPAA Privacy Rule, Security Rule, and the HITECH Act.
HIPAA is a United States federal law that requires health care providers, insurers, and other entities that process health information to safeguard the confidentiality and security of that data. These organisations, known as Covered Entities, as well as their third-party vendors who handle ePHI on their behalf—known as Business Associates—are subject to strict privacy and security rules.
Although SafeSFTP is a UK-based company, our platform is designed to meet the technical safeguards required under HIPAA, including those related to encryption, access control, auditability, and data integrity. Customers subject to HIPAA may use our services in a compliant manner, provided a signed Business Associate Agreement (BAA) is in place.
SafeSFTP will enter into a Business Associate Agreement with any customer that qualifies as a HIPAA Covered Entity or a Business Associate and who intends to store, transmit, or process ePHI using our platform. The BAA establishes the permitted uses and disclosures of PHI, outlines our responsibilities under HIPAA, and imposes contractual safeguards that align with federal regulations.
It is essential to note that without a signed BAA, the use of SafeSFTP for storing or transmitting PHI is strictly prohibited. The BAA must be signed prior to uploading or sharing any ePHI on the platform. Customers may request a BAA by contacting us directly at [email protected].
Security is central to SafeSFTP’s architecture. In compliance with HIPAA’s Security Rule, we implement a range of technical, administrative, and physical safeguards to protect ePHI.
All data in transit across our platform is encrypted using industry-standard secure transfer protocols. Specifically, file transfers are conducted over SFTP (SSH File Transfer Protocol) or SCP, ensuring that data remains protected during transmission. For data at rest, SafeSFTP applies AES-256 encryption, the same level of protection recommended by NIST for safeguarding sensitive government information.
Additionally, our infrastructure is built to support logical data isolation, ensuring that each customer’s data is separated from that of others. This reduces the risk of cross-account data exposure and supports role-based access permissions within the platform.
Uploaded files are subject to automatic antivirus scanning to identify and eliminate malware or other security threats. Files that are identified as harmful may be immediately removed from the system to prevent risk to other users or services. While this protection enhances system integrity, customers remain responsible for maintaining backups of critical information and for verifying the integrity of files prior to upload.
SafeSFTP also enforces robust access controls. Access to systems and customer data is restricted to authorised personnel only, and multi-factor authentication is used wherever applicable. All administrative actions and user activity are logged, creating a reliable audit trail in the event of a review or investigation.
Encrypted backups are available as a premium feature and are designed to support the data availability and business continuity requirements of HIPAA. These backups are protected with AES-256 encryption at rest and are stored in highly secure, redundant environments. Customers who purchase backup services gain an additional layer of protection against data loss and a basis for disaster recovery.
It is important for customers to understand that backup services are not included by default and must be actively subscribed to. Without a backup plan in place, customers assume full responsibility for maintaining copies of important files and ensuring continuity of access.
All SafeSFTP data—including primary files and backups—is hosted exclusively within secure data centres located in the United Kingdom, European Union, or European Economic Area. These regions are subject to strong data protection laws and are managed by infrastructure providers that comply with industry security certifications.
Although SafeSFTP is not a US-based provider and is not subject to direct HIPAA enforcement, we voluntarily meet the technical standards required by HIPAA for encryption, access control, and integrity management. Customers are responsible for assessing any cross-border processing implications and ensuring that their own HIPAA compliance frameworks permit the use of non-US cloud providers with appropriate safeguards in place.
HIPAA compliance is a shared responsibility between SafeSFTP and its customers. Our obligations include providing a secure and encrypted platform, ensuring access controls are in place, and entering into a Business Associate Agreement where required.
The customer, however, remains responsible for ensuring that only authorised users upload or access ePHI, for maintaining internal compliance policies, for properly configuring access controls, and for ensuring that backups are in place if required.
Customers must also ensure that their own workforce is trained in HIPAA compliance and that appropriate internal safeguards are in place to prevent unauthorised use or disclosure of protected health information.
Use of the SafeSFTP platform to store or transmit PHI without a signed BAA constitutes a material breach of these Terms and a potential violation of HIPAA regulations. We reserve the right to suspend or terminate any account found to be using our services for HIPAA-regulated data without an appropriate agreement in place.
SafeSFTP maintains a comprehensive incident response plan that outlines procedures for identifying, containing, and resolving security incidents. In the event of a data breach involving ePHI, SafeSFTP will notify the affected customer without undue delay, and in accordance with HIPAA’s Breach Notification Rule.
The notification will include a description of the nature of the breach, the types of information involved, mitigation steps taken, and any recommended actions for the customer. We will cooperate fully with the customer’s investigation and reporting obligations to regulators or affected individuals.
While SafeSFTP provides a secure and HIPAA-appropriate technical environment, we do not certify, warrant, or guarantee the full HIPAA compliance of any customer organisation. HIPAA compliance depends not only on the systems in use but also on how those systems are implemented and managed.
Customers are encouraged to perform their own due diligence and risk assessments to ensure their use of SafeSFTP meets their internal compliance and legal requirements.
Organisations that are subject to HIPAA and that wish to use SafeSFTP for ePHI must request and sign a Business Associate Agreement before uploading any regulated data. Our team is available to discuss your compliance needs and provide the required documentation.
To request a BAA or ask a HIPAA-related question, please contact:
Dane Commercial Services Ltd

By using SafeSFTP to store or transmit HIPAA-regulated data, you acknowledge and agree that a signed Business Associate Agreement is required. Without such an agreement, the use of our services for handling ePHI is not authorised.