Secure File Transfer

Thru provides a secure and scalable cloud service for manual file sharing and automated file transfer. We adhere to a multi-layer defense-in-depth model, which reduces the attack surface and contains security breaches at multiple levels. Security layers protect Thru’s cloud infrastructure, application and customer data.

Illustration of defense-in-depth (DiD) security layers that includes data, application and cloud infrastructure security

Cloud Infrastructure Security


Customers can deploy Thru in our cloud or in their private cloud. We manage deployment and maintenance for customers who deploy in our cloud, while private cloud customers pay for and manage their own cloud infrastructure.

Thru runs in certified Microsoft Azure data centers in the United States, United Kingdom, Germany and Australia. These data centers are compliant with the following standards (see also Microsoft Azure documentation):

  • SSAE 18 / ISAE 3402 (previously SAS 70)
  • SOC 3 SysTrust
  • ISO 27001
  • PCI Level 1 Service Provider Certified
  • Tier III Standards Compliant

Illustration of a protected cloud infrastructure

Network Protection

  • High availability for all network components
  • Multiple zones deployed for access controls and traffic logging
  • Firewalls with stateful inspection
  • Intrusion protection / detection software
  • OWASP-compliant web application firewalls filter web traffic
  • Dedicated VPN tunnels with multi-factor authentication for access into production systems by operations personnel
  • Domain access control by Active Directory in each deployed geography
  • Whitelisting and connection management of Thru’s server endpoints protect against security scanning and denial of service attacks

Antivirus Protection

  • Real-time scanning of code and data areas
  • Ongoing antivirus engine and signature updates
  • Automatic quarantine of infected files


We monitor global infrastructure and security events with security information and event management (SIEM) software 24/7.


Weekly automated scanning of Thru’s cloud infrastructure in all service geographies.

Application Security


  • Required to access any part of Thru
  • Strong credential policies for web portals and native applications
  • Multi-factor authentication support
  • Federated authentication with identity providers via SAML 2.0 and OpenID Connect
  • SFTP / FTPS endpoints are protected by password, key and certificate-based authentication


Role-based security to control access to application actions, workflows and data entities following the principle of least privilege.

Web Portal Security

Protection against OWASP Top 10 web application security risks. Portals are scanned for security vulnerabilities on a regular basis.


  • File transfer dashboards available for monitoring
  • Alerts for errors and missing files

Public API Protection

Secured by OAuth 2.0 framework.


  • Weekly automated vulnerability assessments of Thru platform
  • Periodic penetration testing by third-party security vendors

Software Development

  • Static application security testing is performed in all phases of Thru’s SDLC with triage and remediation
  • Dynamic application security testing is performed at the testing and release SDLC phases using automated cloud security tools

Illustration of magnifying glass zooming into computer monitor that detects an file transfer application security concern

Data Security

Illustration of data security

Data in Transit

Data transfer protected by secure transfer protocols: HTTPS / TLS 1.2 / 1.3, FTPS, SFTP.

Data at Rest

All data stored in Thru is encrypted by AES 256-bit encryption.

Data Replication

Data is replicated to multiple zones via cloud provider infrastructure.

Payload Encryption

PGP encryption is supported along with key management in the administration portal.

Data Retention

Multi-level retention policies delete the file data from transient storage after transfer completion.

Disaster Recovery and Compliance

  • Documented business continuity and disaster recovery plan for production and business systems
  • Standard service level agreement (SLA) is 99.9%
  • Recovery time objective (RTO) is 4-6 hours
  • Recovery point objective (RPO) is to have the whole site functional with minimal loss of transactions or data
  • HIPAA compliant
  • General Data Protection Regulation (GDPR) compliance
    • Users can request removal of personal information
    • Administrators can require user agreements before sending or receiving files
Scroll to Top