1 - Introduction & operating principle
This document describes the standard procedure for automatically transmitting your HR/payroll exports to Reflect via SFTP. It specifies what needs to be set up on your end, the expected file format, and how Reflect connects to retrieve them.
Principle: you (or your payroll/HRIS provider) make an SFTP server available where your exports are deposited at regular intervals. Reflect automatically connects to this server to retrieve and integrate the files. No manual sending to Reflect is required: you are only responsible for depositing the files onto your server.
2 - What you need to set up
Element | Requirement |
SFTP Server | Accessible from the Internet, using the SFTP protocol (SSH File Transfer Protocol). |
User account | An account dedicated to Reflect (not shared with other uses), with read and write permissions on the deposit folder. |
Deposit folder | A folder dedicated to exchanges with Reflect, with its exact path communicated to us (e.g., |
IP Restriction (optional) | If your security policy requires IP filtering, the outgoing Reflect IP address to authorize is available in Appendix B. |
▎ The SFTP server can be hosted by your teams, your payroll/HRIS provider, or a third-party vendor. In any case, the requirements above apply.
3 - Authentication & credentials exchange
Information to provide
When setting up the SFTP, you must provide us with at least the following:
IP address (or host name) of the SFTP server
Port
Username and password for the account dedicated to Reflect, with read and write permissions on the deposit folder
Any other applicable security information on your end: IP restriction, SSH key if required by your server, passphrase, etc.
This information is summarized in the form in Appendix A.
▎ Write permissions allow Reflect to archive or delete files after retrieval, preventing files from accumulating on the server.
Secure transmission
Sensitive information (passwords, private keys if applicable) must never be sent in plain text via email. Use a shared vault, a single-use link (such as a one-time secret), or any secure channel agreed upon with your Reflect contact.
On Reflect's side, all credentials are stored in an encrypted vault (Google Cloud Secret Manager).
4 - Files to deposit
Naming convention
Each file must follow a fixed naming pattern established during setup that includes a date, for example: {export_name}_YYYYMMDD.csv
The date in the file name allows Reflect to identify the covered period and sequence the exports relative to each other. Any file that does not comply with the agreed pattern will be ignored.
Format
CSV with a mandatory header row.
Encoding: UTF-8 is recommended. Any other encoding must be reported and must remain consistent.
Delimiter: To be agreed upon (; or ,) and must remain consistent over time.
Special cases based on your tools: Compressed files (ZIP) and/or encrypted files (GPG) if required by your company's security policy. In the case of GPG encryption, Reflect will provide you with its public GPG key, which must be used to encrypt your files before they are deposited. This should be validated with Reflect during setup.
Content
The list of expected exports and the required columns for each are detailed in a specific data requirements document unique to your integration. This document is delivered separately and is defined during the initialization phase.
Format stability
The format must not be modified: this includes columns (adding, removing, or renaming), file naming conventions, encoding, or delimiters. If a change becomes necessary despite this, please contact Reflect before applying it; otherwise, the data integration will be interrupted or corrupted.
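A pre-deposit check for the naming and format rules in this section, as an added example (not Reflect's code or tooling): it rejects a file whose name, encoding, header or delimiter has drifted from what was agreed. The export name `employees`, the `;` delimiter and the sample header are assumptions; use the values agreed during setup.

```python
from __future__ import annotations

import csv
import io
import re
from datetime import datetime

# Assumed values for illustration; the real ones are agreed with Reflect at setup.
EXPORT_NAME = "employees"  # hypothetical export name
DELIMITER = ";"            # agreed delimiter (; or ,)
NAME_RE = re.compile(rf"{re.escape(EXPORT_NAME)}_(\d{{8}})\.csv")

# Constructed sample data, not a real export.
HEADER = ["employee_id", "last_name", "hire_date"]
GOOD = "employee_id;last_name;hire_date\n42;Müller;2021-03-01\n".encode("utf-8")


def check_export(filename: str, raw: bytes, expected_header: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the file can be deposited."""
    problems = []
    m = NAME_RE.fullmatch(filename)
    if not m:
        problems.append("name does not match {export_name}_YYYYMMDD.csv")
    else:
        try:
            datetime.strptime(m.group(1), "%Y%m%d")  # rejects e.g. 20240231
        except ValueError:
            problems.append("date in file name is not a valid calendar date")
    try:
        text = raw.decode("utf-8-sig")  # strict UTF-8, tolerating a leading BOM
    except UnicodeDecodeError:
        return problems + ["content is not valid UTF-8"]
    rows = list(csv.reader(io.StringIO(text, newline=""), delimiter=DELIMITER))
    if not rows:
        return problems + ["file is empty (header row is mandatory)"]
    if rows[0] != expected_header:
        problems.append(f"header {rows[0]} differs from agreed {expected_header}")
    # A wrong delimiter or a broken row shows up as a field-count mismatch.
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(expected_header):
            problems.append(f"line {n}: {len(row)} fields, expected {len(expected_header)}")
    return problems


if __name__ == "__main__":
    print(check_export("employees_20240115.csv", GOOD, HEADER) or "OK to deposit")
```

Run the check on the plaintext CSV, before any ZIP compression or GPG encryption is applied.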
5 - Deposit frequency & schedule
Deposit frequency: To be defined based on the scope — daily for current HR data, monthly (post-payroll closure) for payroll data.
Cut-off time: For a file to be included in the daily processing, it must be deposited before the time agreed upon during setup (around 11:00 PM). Any file deposited after this time will be integrated during the next run.
Each file must be complete (a full snapshot of the scope as of the export date), unless an incremental mode has been explicitly agreed upon.
6 - How and when Reflect connects
Reflect connects automatically once a day within the time window agreed upon during setup.
During each run, Reflect:
Connects to the server using the dedicated account;
Lists the contents of the deposit folder and identifies new files;
Downloads these files and integrates them into the platform;
Depending on the agreed mode, archives or deletes the retrieved files from the server (to be determined during setup).
7 - Implementation & testing phase
Step | Responsible | Description |
1. Access exchange | Client + Reflect | Transmission of connection details (Appendix A) via a secure channel. |
2. Connection test | Reflect | Verification of access to the server and the deposit folder. |
3. Test file deposit | Client | Deposit of a first real export file that respects the agreed naming and format. |
4. Format validation | Reflect | Checking of naming, encoding, columns, and content. Back-and-forth communication if discrepancies are found. |
5. Go-live / Routine operation | Client + Reflect | Implementation of the recurring deposit on the client side, activation of the daily retrieval on Reflect's side. |
Full setup usually takes a few days, mainly depending on how quickly access is granted and the recurring export is configured on the client side.
8 - Monitoring & incident management
Reflect monitors data retrievals daily. In the event of a connection failure or a prolonged absence of new files, your Reflect contact will reach out to you.
Cases to proactively report to Reflect:
Change of server, port, or account;
Password change or key rotation (to be planned in advance to avoid any service interruption);
Change in file format or structure (see §4).
For any questions or incidents, please contact your usual Reflect representative or Reflect Support.
9 - Security & compliance
Encryption in transit: All exchanges are carried out via SSH (end-to-end encrypted).
Credentials storage: On Reflect's side, access credentials are stored in an encrypted vault (Google Cloud Secret Manager) with access restricted solely to ingestion services.
Client-side best practices: Use an account dedicated to Reflect, limit permissions to the strict minimum, isolate the deposit folder, and periodically rotate passwords/keys (in coordination with Reflect).
Personal data: The processing of transmitted data is governed by the Data Processing Agreement (DPA) executed between your company and Reflect.
Appendix A — Information to provide to Reflect
IP address / Host of the SFTP server
Port
Username of the dedicated Reflect account
Password (to be transmitted via secure channel only)
Account permissions: read + write on the deposit folder
Other security information (IP filtering, SSH key, etc.)
Path to the deposit folder
File naming pattern
CSV encoding and delimiter
Compressed / encrypted files (using the public key provided by Reflect) or not?
Deposit frequency and time
File management mode after retrieval: deletion, archiving, etc.
Technical contact on the client side: name, email, phone number
Appendix B — Reflect Information
If you apply IP filtering, please authorize Reflect's outgoing public IP address: 34.32.176.67
