Every month, millions of financial documents travel around as email attachments: annual figures, payslips, VAT summaries, copies of ID documents. For most business owners this feels perfectly normal. Yet for documents like these, email is one of the weakest links in how you run your business.

Why email is not a secure channel

Email was designed in an era when security simply wasn't a design requirement. Three structural problems:

You lose control the moment you hit send. Once an attachment is sent, there is no taking it back. Send the annual figures to the wrong address by mistake, and they sit there forever.

Attachments linger everywhere. The message lives in your sent folder, in the recipient's inbox, on both providers' mail servers and in every backup of those. One document, six copies, zero oversight.

You have no idea who opens it. Email gives you no insight whatsoever into what happens to an attachment. Forwarded to a personal address? Opened on a shared computer? You will never know.

A copy of an ID document or a payslip falls squarely under the GDPR. For documents like these, this lack of control isn't just inconvenient, it's a real compliance risk. In the event of a data breach, you need to be able to demonstrate which data ended up with whom. With email, that is simply impossible.

Where a share link makes the difference

A secure share link flips the model: the document stays in one place, and you decide who can access it and for how long.

  • Revocable. Wrong recipient? Revoke the link and access is gone instantly.
  • Expiry date. A link to the quarterly figures doesn't need to stay valid for years. Set an expiry date and access ends automatically once the deadline has passed.
  • Password. Add a password that you share through a different channel (over the phone, for instance), and a forwarded link is worthless without it.
  • Visibility. An audit log shows when the file was opened and downloaded. Exactly what you need when you have to account for who saw what.

What to look for when choosing a service

Not every file-sharing service is fit for financial documents. A quick checklist:

  1. Where are the servers? For GDPR-sensitive documents, you want storage within the EU, under European jurisdiction.
  2. Encryption at rest. Files should be stored encrypted on the server, not just encrypted in transit.
  3. Per-file access. A link should grant access to exactly one document or folder, never to an entire account.
  4. Accountability. Without logging of uploads, downloads and shared links, you have nothing to reconstruct after an incident.
  5. Data processing agreement. If you share your clients' documents, a data processing agreement with your storage provider isn't a nice-to-have but a GDPR requirement.

How this works in practice

It doesn't have to be complicated. Upload the document once, create a link per recipient with an expiry date and a password, and revoke the link as soon as the work is done. You keep the overview, your accountant gets exactly what they need, and if you're ever audited, you can show who had access and when.

That is the whole idea behind codocs: file sharing done right. Hosted on European servers, stored encrypted, with links that stay under your control. Looking for the business alternative to WeTransfer? That is exactly what we built.