We have an integration arrangement to send content across the internet, and the agreed protocol encrypts it and then sends it via sftp.
What possible reason could there be to encrypt the content twice?
I can't see any good reason for it.
The algorithm for encryption is AES with CBC mode for enhanced security
The Hashing algorithms as defined by NZSIT 402:2008 should be using SHA 256; therefore the algorithm used to derive the key is PBKDF1 (defined in PKCS#5 v2.0 and documented in RFC 2898) with SHA256 as generator other than PBKDF2 which is based on SHA1 generator; it is also recommended to use 128 bit encryption strength unless higher security is required.
Bastion ssh/sftp servers are used on at least one side of the communication, but they seem to be 'close' to the final endpoint system and no-one talks about the risk of intermediary servers being compromised.
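
The key derivation named in the quoted specification, as an added example that is not part of the original post or the protocol's own code. RFC 2898 defines PBKDF1 only for MD2, MD5 and SHA-1, so the SHA-256 variant below is an assumption about what the specification intends; it is shown beside the standard library's PBKDF2-HMAC-SHA256, each deriving a 128-bit key. The passphrase, salt and iteration count are constructed sample values.

```python
import hashlib

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def pbkdf1_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 16) -> bytes:
    """PBKDF1 structure (RFC 2898 section 5.1) with SHA-256 substituted as the hash.

    Assumption: the RFC lists only MD2, MD5 and SHA-1 for PBKDF1; SHA-256 is
    swapped in here to match the wording of the quoted specification.
    """
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    # PBKDF1 cannot output more than one hash block, unlike PBKDF2.
    if not 1 <= dklen <= HASH_LEN:
        raise ValueError("derived key too long for PBKDF1")
    t = hashlib.sha256(password + salt).digest()   # T_1 = Hash(P || S)
    for _ in range(iterations - 1):                # T_i = Hash(T_{i-1})
        t = hashlib.sha256(t).digest()
    return t[:dklen]                               # DK = first dklen octets of T_c


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 16) -> bytes:
    """PBKDF2 with HMAC-SHA256 as the PRF, as provided by hashlib."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def derive_both(password: bytes, salt: bytes, iterations: int) -> dict:
    """Derive a 128-bit key with each construction from the same inputs."""
    return {
        "pbkdf1-sha256": pbkdf1_sha256(password, salt, iterations),
        "pbkdf2-hmac-sha256": pbkdf2_sha256(password, salt, iterations),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not values from the post.
    sample_password = b"constructed-sample-passphrase"
    sample_salt = bytes.fromhex("0011223344556677")  # 8 octets
    for name, key in derive_both(sample_password, sample_salt, 1000).items():
        print(f"{name}: {key.hex()} ({len(key) * 8} bits)")
```

The two constructions produce different keys from the same passphrase and salt, so both ends of the integration have to agree on exactly which one the protocol means.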