Sending a file to a client sounds simple. In practice, it is one of the highest-risk moments in any professional workflow — the point at which a document leaves your controlled environment and goes somewhere you can no longer manage.
Most professionals share files in one of three ways: email attachment, a generic cloud link, or a dedicated client portal. Each carries different risks. Here is what you should know about each — and what a secure workflow actually looks like.
Email Attachments
Email attachments are the most common method and the most problematic. Once a document leaves your outbox, you have no control over where it goes — it can be forwarded, downloaded to any device, and stored indefinitely on mail servers you have no visibility into. Email also provides no audit trail of who opened the attachment or when.
For routine, non-sensitive documents, email attachments are acceptable. For anything containing personal data, client confidential information, or legally sensitive material, they should not be your default.
Generic Cloud Links
A Dropbox or Google Drive link is better than an attachment in that it can, in theory, be revoked. In practice, links are often set to "anyone with the link" with no expiry, are forwarded freely, and are almost never revoked after the intended recipient has accessed them. The audit visibility for these links is minimal.
Secure Per-File Share Links
The most secure approach for professional file sharing is a per-file link that:
- Is unique to the specific file being shared
- Can be revoked at any time by the sender
- Logs when it was accessed and from where
- Does not grant access to any other files in the case
In Herarx, every file can be shared via a secure link that works exactly this way. You share precisely what you intend to share — nothing more — and you can revoke access the moment it is no longer needed.
The Principle of Minimum Necessary Access
The most important concept in professional file sharing is not which tool you use — it is whether the recipient can access more than you intended. A client who receives a link to a shared folder can see everything in that folder. A client who receives a per-file link can see exactly one file.
Apply the same principle you apply internally: give people access to exactly what they need, for exactly as long as they need it, and no more.
After You Share
The file sharing workflow does not end when you click send. Build the habit of reviewing active share links regularly and revoking any that are no longer needed. A link shared six months ago for a matter that has since closed is a low-visibility risk that accumulates quietly over time.