Home / GDPR file transfer
GDPR file transfer

Send files without losing control of personal data

Any shared file may contain personal data. Moving it to a third-party service extends the perimeter you must govern. Keeping it in-house simplifies it.

privacy & data
🛡️

Data in your environment

  • Location: you choose
  • Expiry and deletion
  • Fewer third parties

This page is informational and not legal advice. For your specific compliance needs, refer to your DPO or a qualified advisor.

Why file transfer is a privacy matter

A seemingly harmless attachment — a customer list, a contract, a photo, a report — often contains personal data. The moment you upload it to an external service, that data is processed by a third party, possibly on servers in different jurisdictions, with sub-processors you didn't choose.

From a GDPR standpoint this raises concrete questions: who is the data processor, where does the data live, what safeguards cover transfers, how long is it kept.

The dedicated-instance advantage

When the transfer runs on a dedicated, isolated instance, many of these questions have a direct answer: the data stays in your environment, under your policies and agreements.

  • Location: you choose the storage setup and where data resides.
  • Minimisation & retention: expiring links and automatic deletion shorten how long data is kept.
  • Access control: the panel is protected by corporate SSO via Cloudflare Access.
  • Traceability: you know which files were sent, to whom and when.

Fewer vendors, fewer surfaces to govern

Every external service is one more sub-processor to map, assess and document. Concentrating file transfer on infrastructure you already control reduces the number of third parties involved in processing, simplifying your records, DPAs and internal audits.

The foundation of all this is data sovereignty: if files never leave your perimeter, compliance starts ahead.

FAQ

Does Express automatically make my company GDPR-compliant?

No: compliance depends on your overall processes. But Express helps, because it keeps data in a dedicated, isolated space and gives you control over access, location and retention.

Where does the data reside?

In your Cloudflare environment, per the setup you choose. There's no third-party vendor storing files on your behalf.

Can I set automatic file deletion?

Yes. Links have an expiry and files can be removed automatically, shortening how long personal data is retained.

Read all FAQs →