

Does a file transfer site have to be compliant?




Posted by codyb, 01-17-2016, 12:42 AM
Hi, I'm having a file sharing site built. Customer A sends a file to Person B and customer B receives a download link. The 1st Premium Plan has password protection and files are destructed after a particular time, let's say a week, and the 2nd Plan encrypts all files besides being password protected. The connection will be https; my host provider has a traffic guard that protects against DDoS, is PCI compliant, and handles injections, hacking, server tweaking and software updates, antivirus scanning; they keep the database encrypted on a different server, and they offer other managed services etc. Now my question is, are there any type of regulations that I have to abide by regarding the type of files that customers upload? For instance, if Client A decides to send a picture of his credit card or his social security, or a medical file, or any sensitive information, do I have to abide by all compliance requirements out there? For instance, I know that a medical office that transmits customers' data online has to be HIPAA compliant; do I need to be the same? Please advise. Thank you.

Posted by HelpOps, 01-17-2016, 01:13 AM
Your customer is required to ensure that the service they are purchasing is compliant with the regulations of their industry. If you find someone transferring medical data or other sensitive data (loan applications, purchasing agreements, etc.) across your systems, your customer would be liable for non-compliance and be fined, and there is a good chance that your servers would be confiscated by local or federal authorities if other types of sensitive information were found to be stored on them. I would recommend noting on the signup pages and other legal forms on your site what your compliance and accreditations are up front. It is nice that your host offers these accreditations, but more than likely those may not extend to what you can say your business offers unless you work with them to ensure your full compliance, which normally means they fully manage your server, granting you limited access to it. To fully protect yourself I would recommend contacting an attorney to ensure you meet all the legal regulations and certifications for the types of services you want to offer, since it is very costly to ask for forgiveness later rather than to have things properly set up at the start before you start accepting customers. If you're a medical file sharing site then your systems will need to obtain and maintain HIPAA compliance; if you store credit cards on behalf of your client you will need to meet PCI DSS compliance regulations; if you host information for the government your host and your systems will need to be FedRAMP compliant and meet other regulations and gain additional certifications depending on where the servers are located. You can see a nice list of many of the requirements that some hosts have to meet by taking a look at AWS's certifications: https://aws.amazon.com/govcloud-us/
Last edited by HelpOps; 01-17-2016 at 01:17 AM.

Posted by codyb, 01-17-2016, 01:53 AM
Thanks for your response. Let's say that my client base is intended to be made of individuals who share non-sensitive data: photographers, videographers, designers, architects, etc. Would including in the terms and conditions the areas in which I'm not compliant mean I'm not held responsible in case particular companies choose to share files that may end up stolen? My host provider is PCI compliant. I'll look up your link. Thank you.
