Does this genuinely improve security if I still send an email?

Yes, because the email no longer carries the document itself. The message contains only a link, and the content is encrypted before it leaves the sender's device. In practice, that one change eliminates the biggest risk in ordinary attachment-based correspondence.

Does mboxly.app meet GDPR requirements and the Privacy by Design approach?

Yes. Infrastructure runs in the EU, data is encrypted client-side, and the entire model is designed to limit the scope of processing and minimise the risk of content exposure. This is Privacy by Design in practice, not a marketing claim.

Is my data safe if someone breaks into the server?

Yes. Encryption happens in your browser before data reaches the server. The server stores only the encrypted payload, without the key needed to read it, so even an infrastructure breach does not grant access to document content.

Do you really take privacy as seriously as you claim?

Yes. Privacy is an architectural assumption here, not an add-on. We use a Zero-Knowledge model: the document is encrypted in the browser, and only the encrypted payload reaches the server. We do not build a product on access to client content — we build it on the absence of that access.

Does the client need to create an account or remember a password?

No. The client receives the link and opens the document or message immediately. No account, no installation and no extra steps means better client experience and less resistance within the firm.

Do we need to change how the team works?

Minimally. From the lawyer's perspective, the change is replacing a risky attachment with a secure link. A small habit adjustment, but a very significant improvement in client document protection.

What happens to a document after it is read or the link expires?

It can disappear after the first opening or after a chosen time period. This means the firm does not maintain unnecessary document retention and reduces the risk of sensitive files circulating longer than necessary.

Can I roll out mboxly.app starting with just one practice area or team?

Yes. You can deploy in stages — start with one lawyer, one department or one type of matter and expand usage as the team grows. There is no need for a large, risky big-bang rollout.

Does deployment require any installation or IT support?

No installation is required. mboxly.app works in the browser and does not require plug-ins or changes to your existing email setup. With Solo, firms can start almost immediately. With Firm, there is a short domain-configuration step with your IT team or directly with your domain provider if the firm does not have in-house IT.

Can we choose our own domain or subdomain?

Yes. You can choose almost any domain or subdomain that fits your firm. That could be secure.yourfirm.com, box.yourfirm.com, vault.yourfirm.com or even a separate domain dedicated to secure communication. For the Firm plan, we confirm this at the start and configure the full branded experience around your domain and identity.

Secure client documents without a new portal or an email migration

Replace the email attachment with an encrypted client link.

Send draft agreements, powers of attorney and client documents without changing your firm's email habits or asking recipients to create accounts. mboxly.app fits into the workflow your team already uses.

See the system in demo Choose Solo or Firm

Clients open the link without an account Data in the EU only · GDPR ready See the demo: northbridge-legal.mboxly.app

Why it matters

A secure link replaces one step in the workflow and removes the highest-risk part: readable files sitting in inboxes and third-party platforms.

Benefits for the firm

Client confidentiality without adding a new process to the firm's day-to-day work.

mboxly.app improves the most sensitive part of client communication: the document stops circulating as a plain attachment, and the firm gets a calmer, cleaner and more professional delivery model.

See deployment plans

The document stays outside the provider's reach: Encryption happens in the lawyer's browser before data reaches the server. The firm gets a practical tool without handing readable client documents to the service provider.
The infrastructure does not become the trust bottleneck: The encryption key never leaves the device, so the model does not depend on the operator promising to protect readable files forever. That gives the firm a steadier way to handle sensitive documents.
Documents do not linger in circulation indefinitely: You can set links to expire or self-destruct after opening. That gives the firm more control over the document lifecycle and less manual cleanup across inboxes and cloud tools.
EU infrastructure and an easier compliance conversation: Servers stay within the European Union, which makes GDPR, Privacy by Design and audit documentation easier to organise and explain internally.
The client opens the link without an account or instructions: Recipients simply click the link. No registration, no installation and no extra training means the workflow is much more likely to stick inside the firm.
One link instead of an attachment, without changing the team's rhythm: Lawyers still work in a familiar pattern: prepare the document, send the email, deliver a secure link instead of a file. It is a small operational change with a clear improvement in delivery quality.

Secure client channel

Encrypted document sharing without client-portal friction

Clients do not want another portal, and firms do not want another process to manage. mboxly.app keeps the simplicity of email while changing the way the document is delivered.

Instead of attaching a file, you generate a secure link and send it through the communication channel the client already uses. It is easier to roll out than a client portal because it does not require registration, account setup or recipient training.

Encryption for law firms in mboxly.app uses AES-256-GCM in the browser before the file reaches the server. That keeps powers of attorney, evidence bundles and case documents private, professional and firmly under the firm's control.

Privilege and technology

The best delivery channel for a law firm raises the privacy standard without making life harder for the team or the client.

Law firm — open office, laptops and documents

None of the above situations automatically means poor practice. Most often, it simply means the firm has not yet had a delivery tool that is secure, fast and easy for the client.

How it looks in practice

These are the moments when a plain attachment stops being good enough.

In many firms the issue is not carelessness. It is that the fastest tool is often the least controlled one. These three situations show where a secure link creates a better client experience and better operational control.

Scanned ID in an email attachment. The client does not think twice — they send it as always. The message passes through Google or Microsoft servers, is indexed, archived and potentially accessible to the platform operator. The firm receives the identity document in the inbox with no encryption whatsoever.
Power of attorney via WhatsApp, "because it's faster". WhatsApp uses end-to-end encryption in transit, but files land in the user's Google or Apple iCloud backup. A copy of the document exists on the client's device, in their phone cloud and on Meta's servers. The firm has no control over any of those copies.
Reply to an old thread with a new attachment. "Re: Re: Re: Service agreement" with another client in CC. The thread history contains everything: prior correspondence, other clients' data, a draft contract from a year ago. The lawyer clicks Reply and sends a new attachment — unknowingly attaching the full context of another person's case.

Why firms tighten this part of the workflow

A plain attachment costs more than it looks like at first glance.

This part of the workflow is worth improving not only for compliance, but also for team confidence, client experience and the firm's reputation.

Professional disciplinary liability: Breaching attorney-client privilege through an inappropriate communication channel can result in disciplinary proceedings. Unawareness of the risk is not a mitigating circumstance.
Administrative fine under GDPR: Data protection authorities impose fines for failure to comply with the Privacy by Design principle. A client data breach through an unencrypted email is a ready-made enforcement scenario. Fines can reach 4% of annual global turnover.
Client compensation claims: A client whose data leaked due to the firm's negligence can pursue compensation in civil proceedings. GDPR grants them this right explicitly — without the need to demonstrate financial loss.
Loss of reputation and referrals: A client whose data leaked through the firm's inbox does not return and does not refer others. In the legal profession, where reputation takes years to build, one incident can cost far more than any fine.

Demo deployment

See how a branded secure channel can look for a law firm

The NorthBridge Legal demo shows the client-facing experience: firm branding, legal footer, secure document sharing and no account required for the client.

example client channel

NorthBridge Legal LLP

northbridge-legal.mboxly.app

Deployment

How to deploy mboxly.app in a law firm in 3 steps

No email migration, no new client portal and no large IT project required to get started.

Start with one workflow or one practice area

Begin with one lawyer, one team or one document category, such as powers of attorney, ID scans or draft agreements. This gives you a low-risk pilot and a clear adoption signal.

Set the domain, retention and usage rules

Together we choose the rollout model, configure your branding or domain, and agree which document types should expire after a deadline and which should disappear after the first read.

Expand to the full firm once the pilot proves itself

Once clients open secure links without friction, you roll the workflow out to additional teams. The firm keeps its current email habits and changes only the way sensitive files are delivered.

The solution

Send documents in a calmer way for the firm and a simpler way for the client

Replace a plain attachment with an encrypted link that expires or disappears after opening. No new portal, no email migration and a live reference model for law firms.

Choose Solo Choose Firm

Pricing

Choose the deployment level that fits your firm

Solo

For solo lawyers and small law firms. The client sees your logo and brand — on the mboxly.app domain. Ready in minutes, no DNS setup needed, with 30 days free to start and no card required.

€59 / mo €47 / mo

✓ 30 days free to start, no card required
✓ 13 months of access for the price of 12 on annual billing
✓ Client sees: yourfirm.mboxly.app — your logo and colours
✓ Secure links with expiry and self-destruction
✓ Read receipts
✓ Data processing agreement (DPA)
✓ Live same day

Choose Solo

Firm

The client sees only your domain, your logo and your brand. We handle the rollout for you, and you start with 30 days free without entering a card.

€129 / mo €103 / mo

✓ 30 days free to start, no card required
✓ 13 months of access for the price of 12 on annual billing
✓ Client sees: secure.yourfirm.com — your brand only
✓ Your own domain with full white-label
✓ Expiring and self-destructing links
✓ Read receipts
✓ Data processing agreement (DPA)
✓ Launch and priority support included

Choose Firm

Both plans start with 30 days free and no card required. Solo is the fastest branded start on the mboxly.app domain, while Firm gives you full white-label delivery on your own domain.

Features for law firms

What your firm gets when it deploys mboxly.app

Your own firm subdomain

Your clients see the address secure.yourfirm.com — not our brand. Builds trust and a professional image from the first interaction.

Documents with an expiry date

You decide when the link expires — after an hour, a week or the first download. Full control over the document lifecycle.

Read receipts

You see whether and when the client opened the document. No more "did you receive it?" follow-up calls.

GDPR and professional privilege

EU infrastructure, client-side encryption, data processing agreement (DPA) as standard. Audit documentation available immediately.

Multilingual for international clients

The client receives the document link in their language — English, Polish, German, French or Spanish. No extra configuration on your end.

No account required for the client

No registration, no app to install, no password to remember. They click the link and it works. Lower friction means higher adoption.

FAQ

Frequently asked questions from law firms

Does this genuinely improve security if I still send an email?: Yes, because the email no longer carries the document itself. The message contains only a link, and the content is encrypted before it leaves the sender's device. In practice, that one change eliminates the biggest risk in ordinary attachment-based correspondence.
Does mboxly.app meet GDPR requirements and the Privacy by Design approach?: Yes. Infrastructure runs in the EU, data is encrypted client-side, and the entire model is designed to limit the scope of processing and minimise the risk of content exposure. This is Privacy by Design in practice, not a marketing claim.
Is my data safe if someone breaks into the server?: Yes. Encryption happens in your browser before data reaches the server. The server stores only the encrypted payload, without the key needed to read it, so even an infrastructure breach does not grant access to document content.
Do you really take privacy as seriously as you claim?: Yes. Privacy is an architectural assumption here, not an add-on. We use a Zero-Knowledge model: the document is encrypted in the browser, and only the encrypted payload reaches the server. We do not build a product on access to client content — we build it on the absence of that access.
Does the client need to create an account or remember a password?: No. The client receives the link and opens the document or message immediately. No account, no installation and no extra steps means better client experience and less resistance within the firm.
Do we need to change how the team works?: Minimally. From the lawyer's perspective, the change is replacing a risky attachment with a secure link. A small habit adjustment, but a very significant improvement in client document protection.
What happens to a document after it is read or the link expires?: It can disappear after the first opening or after a chosen time period. This means the firm does not maintain unnecessary document retention and reduces the risk of sensitive files circulating longer than necessary.
Can I roll out mboxly.app starting with just one practice area or team?: Yes. You can deploy in stages — start with one lawyer, one department or one type of matter and expand usage as the team grows. There is no need for a large, risky big-bang rollout.
Does deployment require any installation or IT support?: No installation is required. mboxly.app works in the browser and does not require plug-ins or changes to your existing email setup. With Solo, firms can start almost immediately. With Firm, there is a short domain-configuration step with your IT team or directly with your domain provider if the firm does not have in-house IT.
Can we choose our own domain or subdomain?: Yes. You can choose almost any domain or subdomain that fits your firm. That could be secure.yourfirm.com, box.yourfirm.com, vault.yourfirm.com or even a separate domain dedicated to secure communication. For the Firm plan, we confirm this at the start and configure the full branded experience around your domain and identity.