Remote and hybrid work didn’t just change where work happens, it changed how sensitive data moves. Financial reports are shared via links instead of internal drives. HR documents are accessed from personal laptops. External partners collaborate directly inside your cloud workspace. These workflows improve speed, but they also shift control away from traditional IT boundaries.

As data moves across more devices, users, and third parties, the cloud provider plays a bigger role in how that data is stored, processed, and shared. That’s why standard cloud storage is no longer enough. The real question is not simply whether data is encrypted, but whether the provider can still access it – and who controls the encryption keys.

Choosing a cloud storage provider with true end-to-end encryption (E2EE) ensures that only authorized users not the provider, not attackers can access your data.

What are the risks of typical cloud storage?

Cloud storage simplifies collaboration and reduces infrastructure costs. Subscription models allow you to use what you need without a hefty up-front investment. But the trade-off often lies in control over sensitive data.

The provider can access your data

When you use cloud storage, you “rent” space on the cloud provider’s servers. Most cloud providers encrypt files both while they are being transferred between users and servers (“in transit”) and while they are stored on the provider’s servers (“at rest”) to protect data from external threats. However, they also manage the encryption keys. This is often necessary to enable features such as:

  • Full-text search across files
  • Real-time collaboration and previews
  • Integrations with other productivity tools

To support these functions, files are decrypted on the provider’s systems when accessed. In practice, that means the provider can technically access the content, and a breach or insider incident can expose readable data.

The result is a hidden dependency: your data is only as secure as the provider’s internal controls.

Data location and compliance risks

With global cloud infrastructure, your files may be stored – or processed – in multiple jurisdictions. For organizations handling personal or sensitive data, this creates challenges across regulatory frameworks worldwide:

  • GDPR restricts transfers of personal data outside the EU/EEA unless safeguards are in place
  • Regulations like NIS2 and DORA require stronger technical over data access, resilience, and third-party risk
  • Laws in other regions (e.g. the US CLOUD Act, HIPAA, or CCPA) can affect how data is accessed or disclosed
  • Audits often require proof of where data is stored, processed, and accessed

Without visibility and control over data location and access, compliance becomes reactive instead of intentional.

In cloud environments, compliance is no longer defined by where data is stored, but by how it is accessed, transferred, and controlled across jurisdictions.

Uncontrolled sharing via links

“Share with link” is one of the most convenient – and most fragile – features in modern cloud tools. In practice, it only takes a small mistake:

  • A confidential report link gets forwarded beyond the original recipient
  • A link stays active long after a project ends
  • A file is accessed without the sender ever knowing

What starts as a quick way to collaborate can quietly turn into uncontrolled access. A single misconfigured link can expose sensitive documents externally – without triggering alerts or leaving a clear trace.

Device-related vulnerabilities

Cloud storage extends access to wherever work happens – office laptops, home desktops, or someone quickly opening a file on their phone between meetings.

But in day-to-day work, that flexibility can create hidden risks:

  • A lost phone still has access to synced files and folders
  • An infected personal device silently uploads compromised files
  • A former employee logs in weeks later because their access was never removed

Without clear control over who can access data and from which devices permissions become difficult to track and even harder to enforce at scale.

How does cloud encryption actually work?

Cloud encryption converts files into unreadable data using cryptographic algorithms. Only those with the correct decryption key can turn it back into readable content.

The critical distinction lies in where encryption happens and who controls the keys.

Standard cloud encryption (in-transit and server-side)

In a standard cloud model, files are protected while they move between users and servers, typically via HTTPS/TLS. Once they reach the provider’s servers, they are decrypted, processed, and re-encrypted for storage. When the file is opened again, it is decrypted on the server before being sent to the user.

That model supports useful features like search, previews, and integrations but it also means the provider can access the data.

End-to-end encryption (E2EE)

Files are encrypted on the user’s device before upload and remain encrypted throughout storage and transfer. They are only decrypted on the recipient’s device.
That means the provider never sees or processes file content in readable form, and only authorized users with the correct keys can access it.

Zero-knowledge architecture

Zero-knowledge architecture goes a step further. Encryption keys are generated and managed entirely on the client side, such as in the user’s app or browser, and are never accessible to the provider. Authentication and key management happen without exposing passwords or keys to the server.

That means, the provider cannot access, reset, or recover your data even in case of a breach.

End-to-end encryption ensures that data is encrypted on the user’s device and only decrypted by the intended recipient. Zero-knowledge architecture ensures that the provider never has access to the encryption keys or file content.

 Key differences in cloud encryption models

  Standard cloud encryption End-to-end encryption (E2EE) Zero-knowledge E2EE
Where encryption happens  on provider server on user devices on user devices
Who controls the keys provider provider or shared user only
Can provider access data yes no, unless the provider controls the keys no, under any circumstances

 

What are the benefits of end-to-end encrypted cloud storage and collaboration?

Secure file sharing without losing control

Sharing often happens under pressure or simply out of habit, using familiar communication channels even for sensitive data. Contracts are emailed to external partners, project documents are sent to contractors, and financial files are shared with auditors. With zero-knowledge end-to-end encryption, sharing doesn’t just protect the file, it controls who can actually open it:

  • Access is granted to specific recipients, who can decrypt files using their own credentials
  • Encryption keys are exchanged securely in the background, so only intended recipients can access the content
  • Sharing links can include controls like password protection, expiration, or email verification without exposing the underlying data

Control stays with the sender, regardless of where the file travels.

Access management that reflects real roles

In everyday work, access changes constantly – new team members join a project, external partners need temporary access, and employees change roles or leave.

With true end-to-end encrypted solutions, access becomes precise and manageable:

  • one person can be given view-only access to a contract while others can edit or share it, and access can be revoked immediately when roles change
  • teams can see who opened which file and when, instead of relying on assumptions

This is critical when working with sensitive data like HR records, legal documents, or financial reports where access needs to be both limited and traceable.

Protection against data breaches

Encryption becomes a last line of defense when something goes wrong – whether it’s a misconfigured system or a successful attack on cloud infrastructure.

With zero-knowledge end-to-end encryption, attackers may still reach stored files. But what they obtain is encrypted data, not readable documents. Without the decryption keys, those files cannot be opened or meaningfully used.

That fundamentally changes the impact of a breach. Instead of exposing readable content, the incident is contained to encrypted data that attackers cannot act on.

End-to-end encryption doesn’t prevent every breach, however, it prevents breaches from turning into data exposure by ensuring that stolen files remain unreadable without the decryption keys.

Easier compliance with data protection laws

Regulations like GDPR, NIS2, and DORA require organizations to demonstrate control over how sensitive data is stored, accessed, and shared.

True end-to-end encryption supports this by ensuring that:

  • Only authorized users can access data, as encryption keys remain under their control
  • Access and sharing actions can be tracked and audited

This makes it possible to prove – not just claim – that sensitive data is properly protected.

Cloud end-to-end encryption best practices

1. Identify and classify sensitive data

Start with the data that attackers and regulators care about most: personal information and other high-value business data.

That includes personally identifiable information (PII) such as:

  • names
  • birth dates
  • government-issued identification numbers
  • telephone numbers
  • email addresses
  • payment card information
  • healthcare information

It should also include sensitive corporate information such as financial records, intellectual property, and HR documents.

Without clear data classification, sensitive information often ends up in less secure tools – especially when teams share files externally or work across departments.

2. Verify every user and device

In distributed work environments, access needs to be tied not just to a person, but to a verified device as well. Every device should be linked to an authorized user, so access can be controlled and revoked when needed.

At a minimum, this should include:

  • multi-factor authentication (MFA) before access is granted
  • verified sharing with external recipients, for example through a known email address or a one-time verification code
  • device-level visibility and control, so unmanaged or lost devices do not remain trusted indefinitely

This prevents access from being reused – for example, from shared accounts, compromised credentials, or unmanaged devices.

3. Apply least-privilege access

End-to-end encrypted cloud storage is most effective when paired with least-privilege access. Not everyone needs full access to every file, folder, or action. Role-based access control (RBAC) helps limit permissions.

To keep those controls consistent, it also makes sense to integrate the platform with Active Directory or single sign-on (SSO). That way, when roles change or people leave the organization, access can be updated centrally instead of being managed file by file.

4. Encrypt across the full data lifecycle

Encryption should not begin only once a file reaches the cloud. Sensitive data should remain protected from the moment it is created on the user’s device, while it moves between users and services, while it is stored in the cloud, and when it is shared externally, including by email.

If encryption only applies in transit or only at rest, files may still be exposed during access, sharing, or processing. Stronger protection means the data remains encrypted throughout the workflow – not just in isolated parts of it.

5. Choose a zero-knowledge provider

A zero-knowledge end-to-end encrypted solution does more than encrypt files. It is built so that the provider never has access to your sensitive data in the first place.

In practice, that means the provider:

  • never sends encryption keys to its servers in an unencrypted form
  • never stores user passwords in a way that would allow them to recover access
  • cannot access shared keys
  • uses cryptographic checks to ensure file content has not been altered, even if its systems are compromised

Zero-knowledge architecture removes trust from the provider by design. Security no longer depends on internal policies but on cryptographic guarantees.

Where Tresorit fits in

For organizations handling sensitive information, the challenge is not just secure storage – it is secure collaboration without losing control or slowing teams down.

Tresorit is built for that: a zero-knowledge, end-to-end encrypted platform for working with sensitive files, collaborating with external stakeholders, exchanging documents securely, signing approvals, and sending encrypted emails.

Protection works in the background, built into familiar workflows, so teams can share, review, sign, and communicate without friction or exposing content. By protecting sensitive data across its entire lifecycle, Tresorit makes secure collaboration practical across organizational boundaries.

Learn more about Tresorit SecureCloud for Businesses.

Created in January 2023 and last updated in July 2026 to reflect current encryption best practices and cloud collaboration requirements.