Pro2col Ltd

Secure Managed File Transfer (MFT)

Pro2col provide hosted managed file transfer (MFT) and enterprise file transfer services. MFT describes file transfer automation between business systems using secure file transfer protocols, e.g. automated PGP encryption and SFTP automation. Alongside workflow automation, MFT enables employees to share critical information outside organisations securely, using ad-hoc file transfer facilities.


  • Automated file transfer and automated workflow, tasks and schedules
  • User to user file sharing
  • Multi-factor authentication and one-time passwords to authenticate users
  • Secure data transfer using SFTP, FTPS, HTTPS, AS2, EDI-X12
  • FIPS 140-2 Compliance
  • Cloud Connector API Interacts with Web Services using REST/SOAP
  • PGP Encryption and compression using ZIP AES standards
  • Compatible with AWS S3, Azure blob and WebDAV storage
  • Advanced auditing and full audit trails, logging and reporting
  • Antivirus and Data Loss Prevention solutions using ICAP


  • Browser based administration and end user access management
  • UK data sovereignty
  • Service Level Agreements (SLA) for workflows, monitors and triggers
  • Accredited and fully managed UK data centres
  • Authenticate users against Active Directory (AD), LDAP, IBMi and database
  • Data secured at rest and inflight with 256 bit encryption
  • Full end-to-end management of cloud infrastructure and application
  • Reduce costs associated with administering and managing outdated FTP systems
  • Improves security and streamlines processes and improves end user productivity
  • Managed by MFT technology experts established in 2004


£250 a server a month

Service documents


G-Cloud 12

Service ID

445503822067179


Pro2col Ltd G-Cloud Team
Telephone: 0333 123 1240

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
The service is subject to scheduled platform maintenance periods that will be notified at least seven (7) days in advance. Scheduled platform maintenance refers to upgrades or modifications to network and server equipment, software and hardware and/or network capacity. Scheduled platform maintenance may temporarily degrade the quality of the Pro2col services or include a short duration outage. Scheduled platform maintenance shall take place between the hours of 00:00 and 06:00 on any of the seven (7) days of the week.
System requirements
  • Remote Agents require 160Mb disk space and 512Mb RAM minimum
  • Windows Agent supported OS v7, v8 and v10, server 2003-2016
  • Linux Agent, Red Hat, CentOS, SUSE, Ubuntu 32-bit and 64-bit
  • MAC Agent, macOS X
  • Unix Agent, UNIX, Solaris, AIX and HP-UX, JRE_1.7.0 or higher
  • IBMi (iSeries) IBM i V7R1 or higher
  • Outlook plugin, Microsoft Outlook desktop versions 2010 and later.
  • Windows sync client, .Net 4.5, Visual C++ 2012
  • Mac sync client, macOS 10.9.x or later, FUSE for macOS

User support

Email or online ticketing support
Email or online ticketing
Support response times
Pro2col Ltd provides 24x7x365 support and responds to new support queries within 1 hour or better.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
The Lite service is supported during UK office hours (09:00am to 5:30pm), Standard and Complete services are supported 24x7x365 from our NOC/SOC via email and phone.
Support available to third parties

Onboarding and offboarding

Getting started
The administration web interface is very intuitive and includes topic-based help. Certification, on-site training and training via remote desktop session are also available, along with documentation for off-line help.
Service documentation
Documentation formats
End-of-contract data extraction
When leaving the service data can be extracted from our systems using any of the provided transfer protocols. We can also provide professional services to help extract data to customer requirements. Please see our SFIA card for costs.
End-of-contract process
Prior to the contract end, the customer is required to extract any data or information it needs to keep. At the end of a contract any compute resources used to deliver the service are disabled and closed down. They will remain in this state for 90 days before they are fully deleted from our systems. Once they are fully deleted we will be unable to retrieve data or information.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The service is accessible from any device with a compatible web browser. A separate mobile application is available for Android or iOS devices that allows you to preview, download or upload your personal or shared files. All downloaded files and folders are automatically updated to the most current version on the hosted MFT server. Edit files by sending them to apps on your device. A desktop version is also available with the same features.
Service interface
Description of service interface
Access to the service is provided by an HTTPS interface.
Accessibility standards
None or don’t know
Description of accessibility
The web portal interface is 508 compliant, which relates to WCAG 2.0. The HTML file uploader and Secure Form pages inside the Web Client meet 508 compliance for keyboard tabbing, ensuring that items with focus are visually indicated. Help Documentation pages have a language code to assist with 508 compliance, give a visual indication on all links when focused, and have a title on the Search input field.
Accessibility testing
We have no testing on record but are willing to work with users of assistive technologies under our feature request process.
What users can and can't do using the API
Using REST or SOAP APIs, users can manage elements of the service and connect to external services via the fully documented APIs.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Test & DR (disaster recovery) environments can be purchased in addition to mirror the production platform. Test environments allow for the testing of automated scripts before they are published to a production environment. The service can be customised by adding additional modules to match requirements. The interface can be rebranded for corporate identity.


Independence of resources
The underlying Cloud orchestration layer provides mechanisms to separate out and control user resources so services are not impacted.


Service usage metrics
Metrics types
Service status, Service statistics, Active sessions, Logged on users, Blacklisted IPs, File transfer summary, Completed jobs, Expiring Certificates, Expiring PGP keys, Recent completed jobs, Recent file activity and Recent triggers are available on the dashboard.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Data can be exported from our systems using any of the service supported transfer protocols.
Data export formats
  • CSV
  • Other
Other data export formats
  • .xls and .xlsx
  • .json
  • .xml
  • Fixed width
Data import formats
  • CSV
  • Other
Other data import formats
  • .xls and .xlsx
  • .json
  • .xml
  • Fixed width

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks
The hosted service can be set to FIPS 140-2 Compliance Mode. Networks are segmented at layer 2 VLAN with firewall termination.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
The hosted service can be set to FIPS 140-2 Compliance Mode. Networks are segmented at layer 2 VLAN with firewall termination.

Availability and resilience

Guaranteed availability
99.95% as standard and target of 99.99% with Disaster Recovery design.
Approach to resilience
The platform provides abstraction layers so that, when deploying multiple Cloud Instances, these are not loaded on to the same underlying physical server. The cloud orchestration layer checks the physical servers every 5 minutes. If a server has failed, then the Cloud Instance is automatically reloaded onto another physical server.
Outage reporting
Email alerts are sent to any affected customers once a reason for a service outage has been established. The customer will be kept up to date via our communication channels.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication
Users are authenticated against a local database by default, with all passwords encrypted and salted. The service can be configured to authenticate users against an external LDAP or Active Directory source.
Access restrictions in management interfaces and support channels
IP white lists, VPN and Two-Factor RADIUS (RSA SecurID) can be used to control access to the administration interface.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
IP white lists, VPN and Two-Factor RADIUS (RSA SecurID) can be used to control access to the administration interface.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • ISO 9001:2015
  • ISO27001:2017

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We are working towards and implementing ISO 27001 and target Q4 2019 for this to be fully implemented.
Information security policies and processes
ISO 9001, staff vetting, incident and dispute reporting

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our Change Management policy describes the process for raising, planning, actioning and prioritising changes for our service delivery, software and infrastructure configuration and maintenance. Requests for changes to the service delivery are tracked through to resolution via our helpdesk. Application software is developed using secure coding techniques and tested against common and known security vulnerabilities. Application feature requests are tracked using a ticketing system.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Pro2col subscribes to a number of vendor security lists and alerts to ensure that it has full visibility of the latest vulnerabilities and threats as soon as they are made publicly available. Pro2col also maintains its own monitoring and alerting system for all operational components including servers, network, operating systems and anti-virus engines to ensure they are kept up to date with the latest patching. Hardware is also monitored for environmental conditions and physical faults. Any “Critical” patches are evaluated in our lab environment prior to being deployed into a production environment and are evaluated as a matter of urgency.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Pro2col services are delivered using secure, accredited and fully managed UK data centres designed and operated to be Tier 3 equivalent with N+1 on all critical systems. The Pro2col edge and internal firewalls provide threat management, logging and reporting. Any potential or actual compromise is classified in relation to its threat level and acted upon.
Incident management type
Supplier-defined controls
Incident management approach
Our ISO9001 Data Protection and IT Security Policy defines responsibilities and procedures for discovery, escalation, investigation, notification and documentation of incidents. Customers are able to report an incident via email or phone to our helpdesks and Pro2col will work with the customer in a timely fashion to ensure that any vulnerabilities leading to a potential or actual incident are addressed and any countermeasures, as agreed, are in place with services being restored.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
Connected networks
Other public sector networks
  • Can connect to PSN upon request and Scope of Work.
  • Indirectly connected to JANET


£250 a server a month
Discount for educational organisations
Free trial available
Description of free trial
Full access to all modules during the 30-day trial period as defined in the service definition document.
Link to free trial
