Exploring SFTPGo’s SaaS Plans

At SFTPGo, we typically refrain from publishing posts that directly compare our solution with others. Every software product has its own strengths, design philosophies, and trade-offs, making it more or less suitable depending on the specific needs and use cases of the user.
We believe users should be empowered to evaluate solutions independently and choose the one that best fits their requirements. Our goal is to support that process by providing clear and accurate information.

With that in mind, we want to take this opportunity to clarify how our SaaS offerings work. Based on a recent article by Couchdrop, it seems there is some confusion regarding certain aspects of our cloud plans, and we feel it's important to address this openly so users can make well-informed decisions based on facts.

What is SFTPGo?

SFTPGo is a Managed File Transfer solution that abstracts storage backends and allows access to files using the built-in WebClient over HTTPS and the standard SFTP, SCP, FTP, FTPS, and WebDAV protocols.
Using a secure, browser-based interface over HTTPS, administrators can easily manage users, folders, groups, and other resources: this is provided by the WebAdmin UI.

SFTPGo isn't an interface to an existing SFTP server; it's a full-featured File Transfer solution implemented entirely in the Go programming language.
I also maintain or contribute to several of SFTPGo’s key dependencies and am a member of the Go team. In particular, I maintain the golang.org/x/crypto/ssh package, which forms the foundation for SSH/SFTP functionality in SFTPGo and many other applications and services, including Couchdrop.

Deployment and Management for our SaaS offerings

SFTPGo is offered as a fully managed service, where we take care of the infrastructure, software updates, security patches, backups, and monitoring. This allows users to focus entirely on their file transfer workflows, without the burden of managing infrastructure. The underlying infrastructure is fully managed by us and not directly accessible to customers.

SFTPGo does not operate in a shared multi-tenant environment. Instead, every SaaS plan includes a fully dedicated SFTPGo installation, each with its own dedicated static IP address. You also have the option to use your own custom domain.
Deployments are provisioned in a data center selected by the customer, typically located close to their users or operational base to optimize performance and compliance.

While this may not align with typical cost-optimization strategies from a vendor standpoint, it ensures strong data isolation, consistent performance, and full flexibility to configure protocols, ciphers and security algorithms independently for each environment.

Try running a free security audit of your SaaS file transfer solution using tools like SSH-Audit and/or SSL Report. With SFTPGo, every cryptographic algorithm can be fully customized. This means that if another customer requires weaker algorithms, e.g. SHA-1 or CBC based, for compatibility reasons, it will have no impact on your configuration or security posture.
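To show what such an audit looks for, here is an added example (not SFTPGo's code and not part of SSH-Audit) that parses the algorithm lists a server advertises in its SSH_MSG_KEXINIT message and flags the SHA-1 and CBC based entries. It assumes the binary packet framing has already been stripped; the function names and the sample payload are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
var kexinitFields = []string{"kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
	"mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"}

// WeakAlgorithms returns "field:name" for each advertised SHA-1 or CBC based algorithm.
func WeakAlgorithms(payload []byte) ([]string, error) {
	if len(payload) < 17 || payload[0] != 20 { // 20 = SSH_MSG_KEXINIT
		return nil, errors.New("not a KEXINIT payload")
	}
	rest := payload[17:] // skip the message type and the 16-byte cookie
	var weak []string
	for _, field := range kexinitFields {
		if len(rest) < 4 || uint64(binary.BigEndian.Uint32(rest)) > uint64(len(rest)-4) {
			return nil, errors.New("truncated name-list")
		}
		n := binary.BigEndian.Uint32(rest)
		for _, name := range strings.Split(string(rest[4:4+n]), ",") {
			if strings.Contains(name, "sha1") || strings.HasSuffix(name, "-cbc") ||
				(field == "hostkey" && name == "ssh-rsa") { // ssh-rsa signs with SHA-1
				weak = append(weak, field+":"+name)
			}
		}
		rest = rest[4+n:]
	}
	return weak, nil
}

// SampleKexinit builds a constructed payload; it is not a capture from a real server.
func SampleKexinit(lists [10]string) []byte {
	p := append([]byte{20}, make([]byte, 16)...) // message type + zeroed cookie
	for _, l := range lists {
		p = append(binary.BigEndian.AppendUint32(p, uint32(len(l))), l...)
	}
	return append(p, 0, 0, 0, 0, 0) // first_kex_packet_follows + reserved uint32
}

func main() { // constructed sample lists
	fmt.Println(WeakAlgorithms(SampleKexinit([10]string{"curve25519-sha256,diffie-hellman-group14-sha1",
		"ssh-ed25519,ssh-rsa", "aes256-gcm@openssh.com,aes128-cbc", "aes256-gcm@openssh.com",
		"hmac-sha2-256,hmac-sha1", "hmac-sha2-256", "none", "none", "", ""})))
}
```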

Deployments are region-specific, supporting data residency and sovereignty requirements, which are critical for compliance with regulations such as GDPR and HIPAA. All data remains within the selected region, helping meet legal and organizational privacy standards.

Currently available data center locations:

  • Europe: Frankfurt, Madrid, Paris, London, Milan, Amsterdam, Stockholm.
  • North America: Chicago, Los Angeles, Miami, Seattle.
  • South America: São Paulo.
  • Asia: Singapore, Mumbai, Chennai, Osaka, Tokyo.
  • Oceania: Melbourne.

Your installation, your rules, with no compromises.

Security is a top priority for us. Our SaaS offerings are post-quantum ready, and our WebAdmin and WebClient user interfaces are secured with strict Content Security Policies (CSPs). A CSP acts like a security guard, controlling what content can run on a web interface and helping prevent threats such as malicious code injections. SFTPGo avoids insecure CSP settings such as unsafe-eval and unsafe-inline. By strictly excluding these unsafe options, SFTPGo strengthens its CSP enforcement, providing more robust protection against code injection attacks.
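The check described above can be automated. The following added example (not SFTPGo's code) parses a Content-Security-Policy header value and reports `'unsafe-inline'` and `'unsafe-eval'` where they apply to scripts or styles, including through the `default-src` fallback. It is a simplified model that ignores nonces, hashes and the `script-src-elem`/`script-src-attr` directives; the function names and sample policies are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// parseCSP splits a Content-Security-Policy value into directive -> source list.
func parseCSP(policy string) map[string][]string {
	dirs := map[string][]string{}
	for _, part := range strings.Split(policy, ";") {
		if f := strings.Fields(part); len(f) > 0 {
			// f[1:] is never nil here, so nil means "not seen yet": first occurrence wins.
			if name := strings.ToLower(f[0]); dirs[name] == nil {
				dirs[name] = f[1:]
			}
		}
	}
	return dirs
}

// UnsafeSources reports unsafe keywords in effect for scripts and styles. A missing
// directive falls back to default-src; with neither present it is "unrestricted".
func UnsafeSources(policy string) []string {
	dirs := parseCSP(policy)
	var out []string
	for _, d := range []string{"script-src", "style-src"} {
		src, ok := dirs[d]
		if !ok {
			src, ok = dirs["default-src"]
		}
		if !ok {
			out = append(out, d+": unrestricted")
			continue
		}
		for _, s := range src {
			if l := strings.ToLower(s); l == "'unsafe-inline'" || l == "'unsafe-eval'" {
				out = append(out, d+": "+l)
			}
		}
	}
	return out
}

func main() {
	// Constructed header values, not taken from any real deployment.
	fmt.Println(UnsafeSources("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"))
	fmt.Println(UnsafeSources("default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:"))
}
```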

Automation Capabilities

The SFTPGo EventManager enables automated workflows by responding to live events in real time and managing scheduled tasks, allowing seamless integration with external systems and enhanced operational efficiency.
The available workflows go far beyond basic automation like triggering actions, such as webhook or email notifications, after uploads or downloads. Here are just a few examples of what you can do:

  • Perform filesystem actions, such as copying to an external destination, deleting, renaming, and PGP encryption or decryption.
  • Automatically enforce retention policies to delete old files, with settings configurable on a per-directory basis.
  • Dynamically create users from templates following successful logins via identity providers such as Microsoft Entra ID, Google Identity Platform, Amazon Cognito, Auth0, Okta, Ping Identity, OneLogin, Keycloak and others.
  • Trigger actions for inactive, soon-to-expire users, or users with expiring passwords, supporting better account and credential lifecycle management.
  • Receive notifications when IP addresses are automatically blocked after too many failed login attempts.
  • Get notified of configuration changes, including user creation, updates, deletions, and more.

SFTPGo also makes it easy to integrate with your own custom authentication system, as some of our SaaS customers already do, offering even more control over access and automation.

While we don’t plan to provide a visual editor, we are actively working on several optimizations and new features to make the EventManager even more powerful and user-friendly. And if you encounter any issues, our support team is available to assist you; support is included with all our SaaS plans.

Pricing

Our base prices are listed in Euros. We have enabled currency conversion in our billing platform, so you will see the pricing displayed in your local currency.
Below are the monthly pricing tiers for our SaaS plans. When billed annually, you get two months free.

  • Tiny: €50
  • Small: €100
  • Standard: €230
  • Professional: €450
  • Premium: €850

In the Couchdrop article, our prices are listed at nearly double the actual amounts. This was likely due to seeing the prices converted into their local currency, which is certainly not USD (possibly AUD), and mistakenly presenting those values as if they were in USD.
We've enabled currency conversion to make it easier for users to pay in their local currency. However, if this causes confusion, we may consider limiting pricing display to EUR and USD only. The cost of the Tiny Plan is approximately 55 USD, based on the current exchange rate between the Euro and the US Dollar.

Our pricing model is based on resource usage rather than the number of users, and there is no limit on the number of users you can have.
If you occasionally exceed your storage or bandwidth limits, your service will continue to operate without interruption. Our monitoring system will notify us, and we’ll reach out to discuss whether upgrading to a plan better suited to your needs might be beneficial.

Security and Compliance

We began the ISO 27001:2022 certification process in February 2025 and are now in the final stages, with certification expected soon.

We work with a specialized HIPAA compliance firm based in the United States to ensure ongoing adherence to HIPAA regulations. They regularly review our procedures, assist with our annual risk assessments, and provide HIPAA training to our employees.
We are also able to sign a Business Associate Agreement (BAA) using our standard BAA template.

For the purposes of the GDPR we act as the data processor on your behalf. We are able to sign a Data Processing Agreement (DPA), using our standard template, upon request.

No software is immune to security vulnerabilities, and we believe that transparency is essential to earning user trust. We follow a Responsible Disclosure model to ensure security issues are reported, communicated, and resolved in a secure and effective manner.

Customer support

All of our SaaS plans include built-in support: there's no need to purchase a separate support plan, and there are no limits on the number of support requests. We offer both email support and video call assistance, including screen sharing for more effective help.
Support plans are applicable to on-premise installations, not to our SaaS offerings.

We hope this post provides a clearer understanding of how our SaaS offerings work. If you have any questions, feel free to contact us.

June 14, 2025 - Nicola Murino