2026-04-24

Secure Sharing

Secure File Drop: A Private Alternative to WeTransfer

WeTransfer and similar services can read every file you upload. Here's who that affects, why it matters, and how zero-knowledge file sharing works differently.


Secure File Drop — file sharing that stays private

Conventional file transfer services store readable copies of everything you upload. Zero-knowledge sharing changes that.

WeTransfer, Google Drive, and most mainstream file transfer tools receive your files in plaintext. Their servers store readable copies. Terms of service often grant broad rights to scan content for malware, legal compliance, or advertising. A data breach, legal subpoena, or rogue employee exposes everything you have ever uploaded. If you still wonder whether email attachments are safer, compare this with the common cases where email is the wrong channel for sensitive data.

The people most affected are those who work with sensitive documents by definition: lawyers sending contract drafts, HR teams sharing compensation data, IT teams distributing SSH keys or certificates, medical practitioners sending diagnostic images, and finance teams exchanging signed documents. For a business-focused view on those use cases, see also why secure sharing is a competitive advantage for professional services firms.

Secure file drop on mboxly.app works differently. Files are encrypted in your browser using AES-256-GCM before a single byte is transmitted. The decryption key is embedded in the URL fragment — the part after the # symbol that browsers never send to servers. The server receives and stores only ciphertext. It cannot read your files, and neither can anyone who gains access to the server. If you want the technical detail behind that mechanism, read how the URL fragment keeps the decryption key off the server.

This distinction matters operationally. In a conventional file-sharing service, the provider must protect both the storage layer and the access controls around readable content. In a zero-knowledge design, the storage layer still matters, but a storage breach yields encrypted blobs rather than documents an attacker can open immediately. That does not remove all risk, but it substantially changes the severity of the incident.

When the link expires or is opened once with burn-after-reading, the encrypted file is deleted. No readable copy ever existed on the server, so there is nothing sensitive left behind for you to clean up.

Questions about secure file sharing

What is the maximum file size I can send?

The current limit is 50 MB per secure file drop. For larger files, consider splitting archives or contacting us about enterprise limits.

Can the recipient forward the link to someone else?

They can share the URL, and anyone with the URL can open the file during the TTL window. Enable burn-after-reading so that the file is deleted after the first open and the link cannot be used a second time.

Is this compliant with GDPR for sharing personal data?

Zero-knowledge encryption significantly reduces risk. However, GDPR compliance also depends on your legal basis for processing and your data minimisation practices. Consult your DPO for a formal compliance assessment.

Does zero-knowledge file sharing scan uploads for malware?

Not in the same way plaintext platforms do. If a service cannot read file contents, it also cannot deeply inspect them on the server side without breaking the zero-knowledge model. That trade-off is intentional: stronger privacy means less server-side visibility into content.
