TL;DR. “Confidential” means different things. For low-risk material, email or WeTransfer is fine. For genuinely sensitive documents — financial accounts, legal records, personal data, IP — both fail UK GDPR’s Article 32 expectations. The cleanest approach is a four-step secure process: portal with audit trail, NDA acceptance, per-recipient links, audit log export. This guide explains when each tool fits and walks through the four steps.
When email is fine
Email is acceptable for confidential documents when:
- Recipient’s email address is verified and current
- Document does not contain UK personal data subject to GDPR
- No regulatory framework specifically prohibits email (e.g. SRA, FCA, ICO sector guidance)
- You can tolerate having no audit trail
Examples of “confidential but email-acceptable”:
- Internal company memos to staff
- Marketing materials shared with prospects
- Public-record documents (Companies House filings, etc.)
- General correspondence with known clients
When WeTransfer is fine
WeTransfer (Free or Pro) is acceptable when:
- File is too large for email (over 25 MB)
- Recipient is verified
- Document is not regulated personal data
- A 7-day expiring link is sufficient
WeTransfer’s Free tier is genuinely fine for one-off large file sends to known recipients where audit trail isn’t required.
When neither is appropriate
Email and WeTransfer both fail for:
- Tax records, payroll, financial statements with personal data
- Legal documents (contracts, witness statements, advice)
- M&A and fundraising due diligence material
- HR records (employment contracts, performance reviews)
- IP documentation (founder assignments, patents)
- Health data (special category under Article 9)
- Anything subject to professional codes (SRA, ICAEW, ICO)
For these, use a tool with audit trail, access controls, and NDA capture.
The four-step secure process
Step 1: Use a tool with audit trail
Pick a tool that produces a per-document, per-viewer log. The log should capture:
- Viewer’s name (from acceptance form)
- Email address
- IP address
- Timestamp
- Pages viewed and dwell time
- Any download events
Tools that produce this: Beamprobe, Papermark Pro, Onehub, iDeals, Datasite. Tools that don’t: WeTransfer Free, email, generic Drive/Dropbox folders.
Step 2: Require NDA or terms acceptance
Before any document opens, the recipient should accept your NDA or engagement terms. This converts a casual share into a defensible legal record.
The acceptance should be:
- Tied to the recipient’s identity (full name + email)
- Timestamped at the moment of access
- IP-captured for evidence
- Stored in your audit log
Step 3: Use per-recipient links
A single link shared with multiple people makes leak tracing impossible. Per-recipient links cost nothing extra on most modern tools.
If a document leaks to a competitor or the press, per-recipient links let you identify the source. Without them, you have no recourse.
Step 4: Export the audit log
Schedule a monthly or quarterly export of the audit log to your firm’s compliance archive. This is what regulators and counsel ask for.
For UK GDPR, the ICO can request access logs going back 12+ months. Without an export schedule, you’ll have whatever the vendor’s default retention is — often less than required.
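The four steps above in Python, as an added example that is not code from this page or from any tool it names: one link per recipient, an NDA gate before any page opens, an audit record per event, and a CSV export with a SHA-256 digest for the archive. The `Room` class, its methods and the event names are assumptions made for illustration; storing only a hash of each link token is a design choice of this example.

```python
import csv, hashlib, io, secrets
from datetime import datetime, timezone

FIELDS = ["timestamp", "email", "name", "ip", "event", "page", "dwell_s"]

def _h(token):
    # Keep only a hash of each link token, so a copied table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()

class Room:  # hypothetical in-memory room, not any vendor's API
    def __init__(self):
        self.links = {}     # token hash -> recipient email (one link per recipient)
        self.accepted = {}  # token hash -> full name given on the NDA form
        self.log = []       # append-only audit events

    def issue_link(self, email):
        token = secrets.token_urlsafe(32)  # unguessable and unique per recipient
        self.links[_h(token)] = email
        return token

    def trace(self, token):
        """Map a link found outside the room back to the recipient it was issued to."""
        return self.links.get(_h(token))

    def _record(self, token, ip, event, page="", dwell_s=""):
        self.log.append({"timestamp": datetime.now(timezone.utc).isoformat(),
                         "email": self.trace(token) or "unknown",
                         "name": self.accepted.get(_h(token), ""),
                         "ip": ip, "event": event, "page": page, "dwell_s": dwell_s})

    def accept_nda(self, token, name, ip):
        if self.trace(token) is None:
            raise PermissionError("unknown link")
        self.accepted[_h(token)] = name
        self._record(token, ip, "nda_accepted")

    def view(self, token, ip, page, dwell_s):
        if _h(token) not in self.accepted:  # NDA gate: nothing opens before acceptance
            self._record(token, ip, "denied_no_nda", page)
            raise PermissionError("NDA not accepted")
        self._record(token, ip, "page_view", page, dwell_s)

    def export_csv(self):
        """Return (csv_text, sha256_hex) so the archived copy can be integrity-checked."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(self.log)
        text = buf.getvalue()
        return text, hashlib.sha256(text.encode()).hexdigest()
```

Recording the digest alongside each scheduled export lets the compliance archive show later that the file has not changed since it was written.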
Tools comparison
| Tool | Audit trail | NDA gate | Per-recipient | UK residency | Cost |
|---|---|---|---|---|---|
| Email | None | No | No | Provider-dep. | Included |
| WeTransfer Free | Minimal | No | No | EU | Free |
| WeTransfer Pro | Limited | Password | Limited | EU | £10/mo |
| Dropbox Business | Basic | No | Limited | Multi | £15/user |
| Beamprobe | Page-level | Yes | Yes | UK only | £29 flat |
| Papermark | Link-level | Basic | Yes | EU | £19 |
For genuine confidentiality work, the bottom three rows are the realistic options. Beamprobe and Papermark are the cheapest with full audit trail.
Common situations
Sending tax computations to a client
Don’t email. Use a portal with an audit trail: Beamprobe or your practice management portal (Karbon, FYI, Liscio).
Sending board pack to non-executive directors
Use a portal. NDA-gate if the pack contains commercially sensitive material.
Sending due diligence materials to investors
Always a virtual data room. NDA gate, per-recipient links, audit log. See The UK Data Room Guide.
Sending a contract to opposing counsel
Email is acceptable for the document itself if it’s not yet signed. Once it is executed, keeping it under version control and storing it in a portal is preferable for audit reasons.
Sending a CV / employment contract
To a known recipient with consent: email is fine. To an unknown recruiter: portal with link expiry.
Sending design files / IP
Always a portal with watermarking enabled. Per-recipient links so you can trace any leak.
Beamprobe for confidential documents
- £29/month flat for unlimited rooms and documents
- NDA gate with custom text and CSV/PDF audit export
- Per-recipient links with one-click bulk creation
- Page-level analytics — know who read what for how long
- Bot filtering — Mimecast/Proofpoint scanners excluded
- UK data residency by default — AWS eu-west-2 (London)
- Free tier for trying it out: 1 room, 5 documents