Secure Partner Data Exchange — B2B File Transfer with Xferity
Secure Partner Data Exchange
Section titled “Secure Partner Data Exchange”This use case describes how Xferity implements secure B2B file exchange with external trading partners.
The problem with ad hoc partner exchange
Section titled “The problem with ad hoc partner exchange”Most teams start partner file exchange with scripts, shared credentials, and informal processes. Over time this creates:
- SSH keys embedded in scripts or known_hosts files with no rotation process
- Shared passwords in plaintext config files or env variables
- No audit trail for what was sent, when, and to whom
- No visibility into certificate or key expiry
- No structured recovery when transfers fail
- Partner escalations when evidence is needed and none exists
Xferity replaces this with a structured, reviewable, auditable operating model.
What Xferity provides for partner exchange
Section titled “What Xferity provides for partner exchange”Partner definitions
Section titled “Partner definitions”Every trading partner is defined as a named YAML file with:
- protocol selection (SFTP, FTPS, AS2, S3, or local)
- endpoint configuration (hostname, port, URL)
- authentication method and credentials (via secret references)
- trust material (SSH host key, TLS fingerprint, or AS2 certificates)
- crypto roles for SFTP+PGP, FTPS+PGP, or AS2 partners
One partner file = one reviewable, version-controlled trust definition.
Partner Crypto Policy
Section titled “Partner Crypto Policy”For every partner, Xferity provides a unified Partner Crypto Policy view showing:
- Which certificate and PGP key roles are configured
- Which roles are missing or misconfigured
- Certificate expiry status per role
- AS2 certificate roles: signing, verification, encryption, decryption, HTTPS trust
This is the operator’s single place to review whether a partner is correctly configured for secure exchange.
Protocol-specific trust models
Section titled “Protocol-specific trust models”SFTP partners
Section titled “SFTP partners”- SSH host key verification required — explicit SHA-256 fingerprint or
known_hostsfile - No silent accept-all (unlike
StrictHostKeyChecking=noin scripts) - Password or SSH key authentication
- Hardened mode rejects
allow_insecure_host_key: true
FTPS partners
Section titled “FTPS partners”- Explicit TLS (FTPES) — not SFTP, not implicit FTPS
- Optional SHA-256 server certificate fingerprint pinning
- Standard TLS CA chain verification as baseline
- Hardened mode rejects
skip_verify: true
AS2 partners
Section titled “AS2 partners”- Certificate-based and role-specific trust model
- Separate certificate per role (signing, verification, encryption, decryption, HTTPS)
- MDN receipt validation confirms delivery
- Persistent message records in Postgres-backed deployments
S3-compatible storage partners
Section titled “S3-compatible storage partners”- TLS to the endpoint
- IAM role or static credentials with secret references
- No shared plaintext credentials
OpenPGP payload protection
Section titled “OpenPGP payload protection”For SFTP and FTPS flows where payload encryption is required:
- Encrypt before upload using partner’s public PGP key
- Decrypt after download using Xferity’s private PGP key
- Sign outbound and verify inbound signatures
- Isolated GnuPG execution per operation — no shared keyring
- Auto-fallback for enterprise key structures (Workday-style keys)
Secrets management for partner credentials
Section titled “Secrets management for partner credentials”Partner authentication credentials use secret references — never plaintext:
# Example partner config with secret referencesauth: password: env:PARTNER_SFTP_PASSWORD # or password: local-vault:partner-sftp-pw # or password: vault:secret/data/partners/acme#sftp_password7 providers supported: env, file, local vault, HashiCorp Vault, AWS Secrets Manager, Azure Key Vault.
Posture engine for partners
Section titled “Posture engine for partners”The security posture engine evaluates every partner continuously:
- Transport domain: Is host key verification configured? Is TLS setting secure?
- Crypto domain: Are AS2 certificate roles bound? Any expiring certificates?
- Secrets domain: Are any credentials plaintext in partner config?
Active Findings appear in the posture dashboard. Regression alerts fire when a partner’s posture worsens.
Audit trail for partner exchange
Section titled “Audit trail for partner exchange”For every file transferred to or from a partner:
- Structured JSONL audit event created
- Event includes: timestamp, flow, run ID, partner, file name, local path, remote path, outcome
- SHA-256 hash chain links events — any tampering is detectable
xferity trace <filename>shows full lifecycle for investigation- Evidence available for partner disputes, compliance reviews, and security audits
Regulated industry patterns
Section titled “Regulated industry patterns”Finance (payroll, EDI, payment files)
Section titled “Finance (payroll, EDI, payment files)”- SFTP + OpenPGP encryption for payroll file delivery
- AS2 for EDI 820/835 payment advice
- Hardened mode enforces secrets and TLS requirements
- Audit chain provides evidence for SOX or PCI investigations
Healthcare (HL7, FHIR, claims)
Section titled “Healthcare (HL7, FHIR, claims)”- AS2 for signed-and-encrypted HL7 message exchange
- SFTP + PGP for claims file delivery to clearinghouses
- Posture engine monitors certificate expiry proactively
- Audit log supports HIPAA audit reporting
Supply chain (EDI, order management)
Section titled “Supply chain (EDI, order management)”- AS2 for retailer EDI compliance (Walmart, Target, Amazon EDI)
- FTPS for logistics partner file exchange
- Certificate inventory tracks all partner cert expirations
Xferity supports
Section titled “Xferity supports”- AS2 (with MDN)
- SFTP / FTPS
- OpenPGP + CMS
- Durable job execution
- Retry and resume
- Air-gapped deployment