UK GDPR file-sharing checklist.

"Appropriate technical and organisational measures" proportionate to the risk. In practice: encryption at rest and in transit, access control, an audit trail, breach notification within 72 hours, and the ability to demonstrate compliance. Email attachments fail at least three of these tests for confidential documents.

For non-personal data, yes. For personal or commercially sensitive data, usually not. Email lacks encryption-at-rest after delivery, an audit trail of who opened the attachment, and any access revocation mechanism. A data room with NDA gate and audit log meets all three.

Most UK businesses processing personal data must register with the ICO unless an exemption applies. The fee is £40-£2,900 per year depending on size. Sharing client documents via a data room does not by itself trigger registration if you are already registered for your normal processing.

UK or EU is the lowest-friction answer. US storage requires the UK International Data Transfer Addendum (IDTA) or adequacy regulations, which adds paperwork your counterparty may not sign. Beamprobe defaults to EU jurisdiction on Cloudflare R2 with UK and US optional.

Yes if you are processing personal data through the vendor. UK GDPR Article 28 requires a written Data Processing Agreement covering subject matter, duration, nature, types of personal data, controller obligations, and sub-processors. Beamprobe publishes its DPA at /legal/dpa.