Secure file sharing

How to send sensitive documents securely

Protect the document and the workflow around it. Verify the recipient, send only the necessary material, choose whether access should be live or persistent, protect the link, and define when access or retention should end.

Use Relay for a live handoff with supported client-side encryption, or use a scoped Vault share when the document must remain available and you need a link that can be managed and revoked.

Encryption is not recipient verification

A strongly protected transfer can still go to the wrong person. Confirm the recipient and destination through a trusted channel before sharing a sensitive link or recovery secret.

The main risks are not all technical

Wrong recipient

Autofill, forwarded messages, and similar names can route a protected document to the wrong person.

Forwarded link

A link can travel beyond the intended conversation unless access and handling rules are clear.

Excess data

The attachment may contain unnecessary pages, hidden metadata, comments, prior versions, or unrelated records.

Unclear retention

A one-time delivery can become indefinite cloud storage when nobody owns cleanup or revocation.

Local copies

After download, the recipient may store the document on unmanaged devices, shared folders, backups, or printouts.

Account recovery failure

Client-side encryption improves privacy, but recovery material must be stored safely outside the same account or device.

Prepare the document before sending

  1. 1. Minimize the content. Send only the pages, fields, and attachments the recipient needs.
  2. 2. Finalize the copy. Remove tracked changes, comments, hidden worksheets, embedded files, and prior revisions that should not travel.
  3. 3. Verify the recipient out of band. Confirm the person, organization, and expected channel before sharing the link.
  4. 4. Choose live or persistent access. Use Relay when both parties can complete the handoff now; use Vault when access must remain available.
  5. 5. Define the end of access. Decide who will revoke the share or remove retained material, and when.

Compare secure delivery methods

Comparison of methods for sending sensitive documents
Method Strength Remaining risk
Standard email attachment Familiar and easy for small documents Mailbox copies, forwarding, wrong-recipient risk, and unclear retention
Password-protected archive Adds a separate secret Password handling, weak choices, and no link revocation after delivery
Messaging platform Fast for known collaborators Workspace retention, forwarding, and local sync may be hard to control
Cloud-drive share Persistent access and collaboration Broad folder permissions and stale shares if not reviewed
SFTP Established secure transport for technical partners Accounts, client software, server administration, and retained drop locations
PhotonFile Relay for live delivery; Vault for a scoped, managed share Recipient verification and post-download handling still require policy

Relay or Vault?

Relay moves the document

Use Relay for a live handoff

  • Both parties are ready to complete the transfer now.
  • The file does not need default long-term retention in the transfer workflow.
  • Supported web Relay flows use client-side encryption by default, with TLS on the connection.
  • PhotonFile download flows do not require the recipient to create a PhotonFile account.
  • Keep the active transfer open until completion and plan for Retry if resume is unavailable.

Vault keeps the document

Use a Vault share for later access

  • The document must remain available after the send.
  • You want to share one selected file or folder rather than expose a workspace.
  • You need a link that can be managed and revoked later.
  • Set an expiration or one-download limit when the delivery calls for it.
  • Store Vault recovery material somewhere safe outside the same account or device.

Security controls that matter

Client-side encryption.

Use supported client-side encryption and understand where decryption material is carried in the recipient flow.

TLS.

TLS protects the connection, but it does not correct a wrong recipient or an over-broad share.

Link handling.

Send the link only to the intended recipient and avoid posting sensitive links in a broad or permanent channels.

Revocation.

Revoke a Vault share when the recipient no longer needs access or the link may have been exposed.

Recipient verification.

Confirm identity through a trusted channel, especially for financial, legal, medical, identity, or proprietary material.

Retention ownership.

Assign a person to review shares and retained documents instead of assuming they disappear automatically.

After the recipient downloads

Transfer security does not control every copy the recipient creates. Tell the recipient where the file may be stored, whether it may be forwarded, when it should be deleted, and who to contact if it reaches the wrong person.

Do not make automatic compliance claims

Encryption, access controls, and retention tools can support a compliance program, but they do not by themselves establish that a workflow satisfies a law, contract, or industry rule. Match the process to your actual obligations.

Common questions

Frequently asked questions

Is a password-protected ZIP enough for sensitive documents?

Not as a default. It does not provide link revocation and creates a password-sharing problem. Vault can share a selected document or folder without creating an archive, while Relay is the option for a live handoff.

Should I use Relay or Vault?

Use Relay for a live handoff that does not need default retention. Use Vault when the document must remain available through a scoped share that can be managed and revoked.

Can I revoke access after sending?

A Vault share can be revoked through share management. A completed download may still exist on the recipient device, so revocation is not the same as remote deletion.

Can the recipient download without an account?

PhotonFile download flows do not require the recipient to create a PhotonFile account. That includes Relay receives and Vault share downloads.

Can I make a link expire after one download?

Yes. Set the Vault share to expire after one download. The link stops working after its first completed download.

Does client-side encryption guarantee compliance?

No. It is one control. Recipient verification, access scope, retention, account security, local copies, incident response, and legal obligations still matter.

Keep going

Product and technical references: Vault sharing guide Relay guide Vault technical security Recovery and access safety

Choose the access window before you send

Open Vault for a scoped share that must remain available, or use Relay when the verified recipient is ready to complete the handoff now.