Attorney-client privilege ends where ordinary email begins.
Every day your clients send you scanned IDs, contracts and powers of attorney through unencrypted email. One mistake, one hacked inbox — and a case ends up in the wrong hands. mboxly.app closes that gap in 60 seconds.
Encryption happens exclusively in the lawyer's browser before data reaches the server. Only the encrypted payload lands on the server — without the key. Even full database access cannot reveal the content.
A server breach changes nothing
The encryption key never leaves the device. An attacker who gains access to the infrastructure finds only encrypted noise — nothing usable.
Documents disappear without your intervention
Self-destruction after the first read or after a set deadline. There is no file to steal because the file no longer exists. No data retention means no data retention risk.
EU infrastructure. Data never leaves Europe.
Servers are located exclusively within the European Union. GDPR and Privacy by Design compliance is ready to document for audits or supervisory authority inquiries.
The client creates no account and installs nothing
They click a link — that is all. No client personal data stored on our side. Data minimisation in practice, not just in theory.
One link instead of an attachment. Your workflow stays the same.
You send an email as usual, but paste a secure link instead of a file. Changing the habit takes 30 seconds. The change in risk level is fundamental.
None of the above situations result from carelessness. They are the consequence of nobody having designed a more convenient alternative — until mboxly.app.
How it looks in practice
Most law firms exchange documents the same way they did 20 years ago.
Not through negligence — because it is the most convenient option. Email, WhatsApp, a drive link. Nobody asks about encryption until there is a breach.
Scanned ID in an email attachment.
The client does not think twice — they send it as always. The message passes through Google or Microsoft servers, is indexed, archived and potentially accessible to the platform operator. The firm receives the identity document in the inbox with no encryption whatsoever.
"I'll drop it in Drive, I'll give you access" — a Google Docs link.
A 'view only' link sounds safe. But anyone who receives it — the client or an accidental recipient of a forwarded message — can share it further. The document lives on Google's servers indefinitely.
Power of attorney via WhatsApp, "because it's faster".
WhatsApp uses end-to-end encryption in transit, but files land in the user's Google or Apple iCloud backup. A copy of the document exists on the client's device, in their phone cloud and on Meta's servers. The firm has no control over any of those copies.
WeTransfer without a password. Link valid for 7 days.
A convenient tool, but the link is publicly accessible to anyone who receives it or intercepts traffic. No authorisation — anyone who obtains the URL downloads the file. An email confirmation? It does not protect the document.
Reply to an old thread with a new attachment.
"Re: Re: Re: Service agreement" with another client in CC. The thread history contains everything: prior correspondence, other clients' data, a draft contract from a year ago. The lawyer clicks Reply and sends a new attachment — unknowingly attaching the full context of another person's case.
Scanned deed via SMS or MMS, because "the client prefers it".
SMS is not encrypted. Message content and attachments pass through the telecoms operator as plain text. Metadata retention is mandated by law in many jurisdictions — and message content remains unprotected.
Risk
What does a client data breach mean for a law firm?
One incident is enough. The consequences are multi-dimensional — professional, financial, reputational and legal.
Professional disciplinary liability
Breaching attorney-client privilege through an inappropriate communication channel can result in disciplinary proceedings. Unawareness of the risk is not a mitigating circumstance.
Administrative fine under GDPR
Data protection authorities impose fines for failure to comply with the Privacy by Design principle. A client data breach through an unencrypted email is a ready-made enforcement scenario. Fines can reach 4% of annual global turnover.
Client compensation claims
A client whose data leaked due to the firm's negligence can pursue compensation in civil proceedings. GDPR grants them this right explicitly — without the need to demonstrate financial loss.
Loss of reputation and referrals
A client whose data leaked through the firm's inbox does not return and does not refer others. In the legal profession, where reputation takes years to build, one incident can cost far more than any fine.
The solution
Send documents without risk
Replace a plain attachment with an encrypted link that expires or disappears after opening. Minimal change for the firm, maximum security for the client.
We do not sell seat counts. You pay for the deployment level, branding and environment control — from a free start to full white-label and private installation.
Features for law firms
What your firm gets when it deploys mboxly.app
Your own firm subdomain
Your clients see the address secure.yourfirm.com — not our brand. Builds trust and a professional image from the first interaction.
Documents with an expiry date
You decide when the link expires — after an hour, a week or the first download. Full control over the document lifecycle.
Read receipts
You see whether and when the client opened the document. No more "did you receive it?" follow-up calls.
GDPR and professional privilege
EU infrastructure, client-side encryption, data processing agreement (DPA) as standard. Audit documentation available immediately.
Multilingual for international clients
The client receives the document link in their language — English, Polish, German, French or Spanish. No extra configuration on your end.
No account required for the client
No registration, no app to install, no password to remember. They click the link and it works. Lower friction means higher adoption.
FAQ
Frequently asked questions from law firms
Does this genuinely improve security if I still send an email?
Yes, because the email no longer carries the document itself. The message contains only a link, and the content is encrypted before it leaves the sender's device. In practice, that one change eliminates the biggest risk in ordinary attachment-based correspondence.
Does mboxly.app meet GDPR requirements and the Privacy by Design approach?
Yes. Infrastructure runs in the EU, data is encrypted client-side, and the entire model is designed to limit the scope of processing and minimise the risk of content exposure. This is Privacy by Design in practice, not a marketing claim.
Is my data safe if someone breaks into the server?
Yes. Encryption happens in your browser before data reaches the server. The server stores only the encrypted payload, without the key needed to read it, so even an infrastructure breach does not grant access to document content.
Do you really take privacy as seriously as you claim?
Yes. Privacy is an architectural assumption here, not an add-on. We use a Zero-Knowledge model: the document is encrypted in the browser, and only the encrypted payload reaches the server. We do not build a product on access to client content — we build it on the absence of that access.
Does the client need to create an account or remember a password?
No. The client receives the link and opens the document or message immediately. No account, no installation and no extra steps mean a better client experience and less resistance within the firm.
Do we need to change how the team works?
Minimally. From the lawyer's perspective, the change is replacing a risky attachment with a secure link. A small habit adjustment, but a very significant improvement in client document protection.
What happens to a document after it is read or the link expires?
It can disappear after the first opening or after a chosen time period. This means the firm does not maintain unnecessary document retention and reduces the risk of sensitive files circulating longer than necessary.
Can I roll out mboxly.app starting with just one practice area or team?
Yes. You can deploy in stages — start with one lawyer, one department or one type of matter and expand usage as the team grows. There is no need for a large, risky big-bang rollout.
Does deployment require any installation or IT support?
No installation is required. mboxly.app works in the browser and does not require plug-ins or changes to your existing email setup. For the Free and Solo plans, firms can start immediately. For the Firm plan, there is a short domain-configuration step with your IT team or directly with your domain provider if the firm does not have in-house IT.
Can we choose our own domain or subdomain?
Yes. You can choose almost any domain or subdomain that fits your firm. That could be secure.yourfirm.com, box.yourfirm.com, vault.yourfirm.com or even a separate domain dedicated to secure communication. For the Firm plan, we confirm this at the start and configure the full branded experience around your domain and identity.