Wrong recipient
Autofill, forwarded messages, and similar names can route a protected document to the wrong person.
Protect the document and the workflow around it. Verify the recipient, send only the necessary material, choose whether access should be live or persistent, protect the link, and define when access or retention should end.
Use Relay for a live handoff with supported client-side encryption, or use a scoped Vault share when the document must remain available and you need a link that can be managed and revoked.
A strongly protected transfer can still go to the wrong person. Confirm the recipient and destination through a trusted channel before sharing a sensitive link or recovery secret.
Autofill, forwarded messages, and similar names can route a protected document to the wrong person.
A link can travel beyond the intended conversation unless access and handling rules are clear.
The attachment may contain unnecessary pages, hidden metadata, comments, prior versions, or unrelated records.
A one-time delivery can become indefinite cloud storage when nobody owns cleanup or revocation.
After download, the recipient may store the document on unmanaged devices, shared folders, backups, or printouts.
Client-side encryption improves privacy, but recovery material must be stored safely outside the same account or device.
| Method | Strength | Remaining risk |
|---|---|---|
| Standard email attachment | Familiar and easy for small documents | Mailbox copies, forwarding, wrong-recipient risk, and unclear retention |
| Password-protected archive | Adds a separate secret | Password handling, weak choices, and no link revocation after delivery |
| Messaging platform | Fast for known collaborators | Workspace retention, forwarding, and local sync may be hard to control |
| Cloud-drive share | Persistent access and collaboration | Broad folder permissions and stale shares if not reviewed |
| SFTP | Established secure transport for technical partners | Accounts, client software, server administration, and retained drop locations |
| PhotonFile | Relay for live delivery; Vault for a scoped, managed share | Recipient verification and post-download handling still require policy |
Relay moves the document
Vault keeps the document
Use supported client-side encryption and understand where decryption material is carried in the recipient flow.
TLS protects the connection, but it does not correct a wrong recipient or an over-broad share.
Send the link only to the intended recipient and avoid posting sensitive links in a broad or permanent channels.
Revoke a Vault share when the recipient no longer needs access or the link may have been exposed.
Confirm identity through a trusted channel, especially for financial, legal, medical, identity, or proprietary material.
Assign a person to review shares and retained documents instead of assuming they disappear automatically.
Transfer security does not control every copy the recipient creates. Tell the recipient where the file may be stored, whether it may be forwarded, when it should be deleted, and who to contact if it reaches the wrong person.
Encryption, access controls, and retention tools can support a compliance program, but they do not by themselves establish that a workflow satisfies a law, contract, or industry rule. Match the process to your actual obligations.
Common questions
Not as a default. It does not provide link revocation and creates a password-sharing problem. Vault can share a selected document or folder without creating an archive, while Relay is the option for a live handoff.
Use Relay for a live handoff that does not need default retention. Use Vault when the document must remain available through a scoped share that can be managed and revoked.
A Vault share can be revoked through share management. A completed download may still exist on the recipient device, so revocation is not the same as remote deletion.
PhotonFile download flows do not require the recipient to create a PhotonFile account. That includes Relay receives and Vault share downloads.
Yes. Set the Vault share to expire after one download. The link stops working after its first completed download.
No. It is one control. Recipient verification, access scope, retention, account security, local copies, incident response, and legal obligations still matter.
Keep going
Use a focused upload boundary instead of giving clients browse or workspace access.
Avoid attachment limits and persistent mailbox copies for oversized material.
Package dependencies, verify integrity, and limit project scope before delivery.
Product and technical references: Vault sharing guide Relay guide Vault technical security Recovery and access safety
Open Vault for a scoped share that must remain available, or use Relay when the verified recipient is ready to complete the handoff now.