
FTP/SFTP or Conbool — when is the switch worth it?

FTP and SFTP are standardised, well-established protocols. Many mid-sized companies still use them for data exchange with suppliers and customers. This page compares classic FTP/SFTP with Conbool SecureFiles on the points that matter for modern compliance — as of May 2026.

In three sentences

What matters.

FTP (RFC 959) and SFTP (RFC 4253) are open standards that work as a data hub for suppliers and customers in many mid-market setups — with your own server, your own access control and your own maintenance. Conbool SecureFiles is a cloud service with an Outlook add-in, recipient authentication, audit log and configurable auto-expiry. Switching pays off where data protection, semantic audit and recipient identity matter more than pure machine-to-machine transfer.

The five most common questions, side by side.

Statements about FTP/SFTP refer to the open protocol standards (IETF RFCs) and general properties of classic server implementations.

Who actually has access to the data?

Conbool SecureFiles

Each recipient gets a one-time link with configurable lifetime. The recipient is known by name in the system; every access is attributed to a person — even for external addressees without a Conbool account.

FTP / SFTP

Access is classically by username and password (or SSH key for SFTP). In practice credentials are often shared between multiple staff on the partner side — who actually downloaded a file is usually not provable at application level.

Source: generic property of the FTP / SFTP protocol (IETF RFC 959 / RFC 4253). Shared functional accounts are a common finding in security audits and addressed as a risk in the German BSI IT-Grundschutz baseline.

Why it matters: shared functional accounts make GDPR access requests (Art. 15) and accountability (Art. 5(2)) hard to satisfy.

How is the recipient authenticated?

Conbool SecureFiles

Passwordless: the recipient receives a one-time link to their email address (magic-link principle), optionally combined with an SMS code as a second factor. No password is set by the sender or shared via a side channel.

FTP / SFTP

Classically the server operator hands fixed credentials to the partner. These are often long-lived, rarely rotated and can travel in cleartext (FTP). SFTP over SSH encrypts transport — but does not solve the password hygiene problem.

Source: IETF RFC 959 for FTP, RFC 4253 for SFTP. Password hygiene and key rotation are organisational topics that the protocol itself does not enforce.

Why it matters: when an employee leaves the partner organisation, that rarely flows back to the FTP server operator. Personal authentication prevents orphaned access.

What happens to old files?

Conbool SecureFiles

Files expire automatically after a configurable period and are deleted. This matches the storage limitation principle of GDPR Art. 5(1)(e) and supports the right to erasure (Art. 17).

FTP / SFTP

Files classically remain on the server until an administrator or a script actively deletes them. Retention is handled organisationally — the protocol itself has no notion of auto-expiry.

Source: generic property of the FTP protocol. Retention policies are the operator's responsibility (scripts, cronjobs, storage quotas).

Why it matters: forgotten files on FTP servers are a classic audit finding — uploaded once, often left for years.
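One way an operator-side retention sweep for a self-hosted SFTP tree can look, as an added example that is not part of the original page or of any product described here. The per-partner directory layout, the policy table and the function names are assumptions.

```python
import os
import stat
import time
from pathlib import Path

# Hypothetical policy: retention in days per top-level partner directory.
RETENTION_DAYS = {"supplier_a": 30, "customer_b": 90}
DEFAULT_DAYS = 14  # assumption: paths without an explicit policy expire soonest

def expired_files(root, now=None, policy=RETENTION_DAYS, default=DEFAULT_DAYS):
    """Return sorted (relative_path, age_days, limit_days) for files past retention."""
    now = time.time() if now is None else now
    root = Path(root)
    hits = []
    # followlinks=False: never descend through a symlinked directory out of the tree.
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        rel = Path(dirpath).relative_to(root)
        partner = rel.parts[0] if rel.parts else None
        limit = policy.get(partner, default)
        for name in filenames:
            path = Path(dirpath) / name
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                continue
            age_days = (now - st.st_mtime) / 86400
            if age_days > limit:
                hits.append((str(path.relative_to(root)), int(age_days), limit))
    return sorted(hits)

def sweep(root, delete=False, now=None):
    """Dry run by default; with delete=True, unlink the expired files as well."""
    hits = expired_files(root, now)
    if delete:
        for rel, _age, _limit in hits:
            (Path(root) / rel).unlink()
    return hits  # keep this list: it is the deletion record for the audit trail
```

Run it as a dry run first and store the returned list with the server logs, since the protocol itself leaves no trace of why a file disappeared.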

What's the audit story?

Conbool SecureFiles

Every access is logged with IP, timestamp, user and action (upload / download / expiry) in an application-level audit log. The log is exportable and provides building blocks for the GDPR Art. 30 record of processing activities.

FTP / SFTP

Server logs record IPs, timestamps and connections at transport level. Semantic logging ("who downloaded which file for which business process") does not exist at application level by default — it has to be retrofitted.

Source: general property of typical FTP/SFTP server implementations (vsftpd, OpenSSH sftp-server etc.). The German BSI IT-Grundschutz addresses logging in building block NET.3.3.

Why it matters: audits and GDPR access requests demand business-level evidence — pure transport logs rarely cover the accountability requirement.
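What retrofitting looks like in practice, as an added example that is not part of the original page: joining per-process SFTP server log lines into per-file audit records and flagging accounts used from several source addresses. The sample lines are constructed and modelled on OpenSSH sftp-server output at log level INFO; the account names, paths and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on OpenSSH sftp-server logging at level INFO.
SAMPLE_LOG = """\
May 04 09:12:01 xfer sftp-server[4101]: session opened for local user supplier_a from [198.51.100.7]
May 04 09:12:03 xfer sftp-server[4101]: open "/in/orders/2026-05.csv" flags READ mode 0666
May 04 09:12:04 xfer sftp-server[4101]: close "/in/orders/2026-05.csv" bytes read 20480 written 0
May 04 09:12:05 xfer sftp-server[4101]: session closed for local user supplier_a from [198.51.100.7]
May 04 11:40:10 xfer sftp-server[4188]: session opened for local user supplier_a from [203.0.113.25]
May 04 11:40:12 xfer sftp-server[4188]: open "/out/prices.xlsx" flags WRITE,CREATE,TRUNCATE mode 0644
May 04 11:40:13 xfer sftp-server[4188]: close "/out/prices.xlsx" bytes read 0 written 51200
"""

LINE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ [\w-]+\[(?P<pid>\d+)\]: (?P<msg>.*)$')
OPENED = re.compile(r'session opened for local user (\S+) from \[([^\]]+)\]')
CLOSE = re.compile(r'close "(.+)" bytes read (\d+) written (\d+)')

def audit_events(log_text):
    """Correlate session and file lines by PID into one record per transferred file."""
    sessions, events = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (s := OPENED.search(msg)):
            sessions[pid] = (s[1], s[2])
        elif "session closed" in msg:
            sessions.pop(pid, None)  # PIDs are reused; drop the stale mapping
        elif (c := CLOSE.search(msg)) and pid in sessions:
            user, ip = sessions[pid]
            read, written = int(c[2]), int(c[3])
            action = "upload" if written else "download" if read else "open"
            events.append({"ts": m["ts"], "user": user, "ip": ip,
                           "action": action, "path": c[1], "bytes": read + written})
    return events

def accounts_with_multiple_sources(events):
    """Accounts seen from more than one IP: candidates for shared credentials."""
    ips = defaultdict(set)
    for e in events:
        ips[e["user"]].add(e["ip"])
    return {user: sorted(addrs) for user, addrs in ips.items() if len(addrs) > 1}

if __name__ == "__main__":
    events = audit_events(SAMPLE_LOG)
    print(events, accounts_with_multiple_sources(events))
```

The records still name an account, not a person: the second function can only point at accounts that are probably shared, which is the limit of transport-level logs described above.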

Who maintains the infrastructure?

Conbool SecureFiles

Cloud service operated by Conbool GmbH — hosting in EU data centres on ISO 27001-certified infrastructure. Patches, certificate lifecycle, availability and hardening are handled by the vendor. Customers only configure policies and permissions.

FTP / SFTP

The FTP/SFTP server runs in your infrastructure (or one you contract). Patching, certificates, backups, storage sizing, availability and hardening against attacks are fully your responsibility.

Source: generic property of a self-operated server service. The BSI IT-Grundschutz covers server hardening in building blocks SYS.1.* and NET.3.*.

Why it matters: running your own servers is legitimate but costs time and know-how. A cloud service offloads IT while data sovereignty stays anchored via the contract party and EU hosting.

Migration checklist

How an FTP replacement runs in practice.

An FTP replacement runs cleanly in five steps. Important: purely technical B2B interfaces (machine to machine) do not have to be migrated — the switch makes sense where humans exchange files.

  1. Inventory of FTP connections

    Capture every active FTP/SFTP connection: which partner uses which path, which credentials are in circulation, what retention applies. The result is a list of use cases — separated into human-to-human exchange and automated machine interfaces.

  2. Shadow-IT audit — who else uses FTP?

    Often employees use FileZilla, WinSCP or Cyberduck with their own FTP accounts that central IT knows nothing about. A short survey in the business units uncovers this shadow usage — and the real migration scope.

  3. Pilot a use case on Conbool

    Pick one clearly bounded use case (e.g. a supplier interface or a recipient group) and switch it to Conbool. The Outlook add-in is rolled out centrally; the pilot partner gets magic links instead of FTP credentials. Typical runtime: 4–6 weeks.

  4. Decisive cutover with a fixed date

    After a successful pilot, communicate a binding cutover date. All partners get the new access path in good time; old FTP credentials are deactivated on the cutover date. Experience shows: a clear deadline beats technical elegance — otherwise FTP keeps running in parallel forever.

  5. Decommission the FTP server

    After cutover the FTP/SFTP server is shut down in a controlled way: archive remaining logs for the retention period (GDPR Art. 30), revoke certificates, remove DNS entries. An archived copy of the server logs is retained per internal policy.

Note: pure machine-to-machine B2B interfaces in closed networks do not have to be replaced — see the decision aid below.

Decision aid

When Conbool, when to keep FTP/SFTP.

Conbool SecureFiles fits when …

  • Your existing FTP setup is due for replacement anyway (age, maintenance load, missing audit).
  • Data protection and recipient authentication at application level matter to you.
  • Employees work in email and Outlook today and shouldn't have to learn FTP clients.
  • You need an audit-grade log and configurable auto-expiry.

Keeping FTP/SFTP makes sense when …

  • It's purely about machine-to-machine B2B interfaces (no end-user sending).
  • Transfer happens in strictly closed networks (VPN / IPsec / dedicated WAN).
  • The partner does not allow a new tool and SFTP is the contractually agreed channel.
  • You have an existing stable integration with ETL or MFT platforms you don't want to disturb.

Sources and fairness note

Statements about FTP and SFTP refer to the open IETF protocol standards (RFC 959 for FTP, RFC 4253 for SSH/SFTP) and to general properties of typical server implementations. For logging and server hardening this page references the German BSI IT-Grundschutz baseline (esp. building blocks NET.3.3 and SYS.1.*). Statements about Conbool rely on our product documentation and contractual commitments.

As of May 2026. Since FTP/SFTP are not vendor products, there is no vendor source. Concrete properties of your FTP installation depend on the server in use (vsftpd, ProFTPD, OpenSSH, FileZilla Server etc.) and your configuration.

FTP and SFTP are open IETF protocol standards. Conbool is a trademark of Conbool GmbH. This page is an editorial comparison — not against FTP/SFTP as a pattern, but against the typical properties of classic FTP server setups.