Common Questions About Secure File Transfers

SwissTransfer supports individual files up to 50GB and total transfer sizes up to 50GB per session. This capacity handles most business needs including 4K video projects, large CAD files, and comprehensive dataset transfers. For comparison, email attachments typically max out at 25MB, while many consumer cloud services limit free transfers to 2-5GB. The 50GB limit accommodates approximately 12 hours of 4K video footage at standard bitrates, complete architectural project folders with all revisions, or roughly 50,000 high-resolution photographs. If you need to send more than 50GB, split the content into multiple transfers or contact us about enterprise solutions with higher limits.

End-to-end encryption means files are encrypted on your device before upload and remain encrypted until the recipient downloads and decrypts them. Your browser generates a unique AES-256 encryption key that never reaches our servers. The key is embedded in the share link after the # symbol, which browsers don't send to servers when accessing URLs. This means even if someone intercepted the encrypted file from our servers, they couldn't decrypt it without the complete link including the key fragment. Our servers only see encrypted data blobs and cannot access file contents, names, or metadata. This differs from services using server-side encryption where the provider holds decryption keys and can theoretically access your files.

Default storage is 7 days, but you can set custom expiration from 1 hour to 30 days when creating a transfer. After expiration, files are immediately deleted from all servers and backups. Shorter retention periods reduce exposure risk for sensitive information. For example, if you're sharing confidential business documents, setting a 24-hour expiration ensures the window for unauthorized access is minimal. The system automatically purges expired transfers without requiring manual deletion. You can also manually delete transfers before expiration through the management link provided when you create the transfer. Unlike services that retain deleted files for recovery purposes, our deletion is permanent and irreversible.

Yes, you can add password protection as an additional security layer beyond encryption. When enabled, recipients must enter the correct password before they can access the download page. This provides two-factor security: they need both the transfer link and the password. Send these through separate channels for maximum security—for example, share the link via email and communicate the password by phone or text message. The password is hashed using bcrypt with 12 rounds before storage, making brute-force attacks computationally impractical. Even with password protection, files remain end-to-end encrypted, so passwords protect access to the transfer while encryption protects the file contents themselves.

The platform includes automatic resume capability for interrupted uploads. If your connection drops or you close your browser, you can return to the same upload URL and the transfer will continue from where it stopped. Files are uploaded in chunks, and the system tracks which chunks completed successfully. When you resume, only the remaining chunks are uploaded, saving time and bandwidth. This feature is particularly valuable for large files on unstable connections. The resume capability works for up to 24 hours after starting an upload. After 24 hours, partial uploads are automatically cleaned up and you'll need to start over. For the most reliable transfers of files over 10GB, use a wired ethernet connection rather than WiFi to minimize interruption risk.

The technical security controls meet the encryption and access requirements of both HIPAA and GDPR, but compliance is a shared responsibility. HIPAA requires covered entities to execute Business Associate Agreements with service providers handling protected health information. For GDPR, our Swiss infrastructure benefits from Switzerland's adequacy decision, allowing data transfers without additional safeguards. However, organizations remain responsible for conducting their own risk assessments and ensuring their use of any tool fits within their compliance programs. We provide the secure infrastructure and encryption, but you must determine if it meets your specific regulatory obligations. Healthcare providers should consult their compliance officers, and EU organizations should review our data processing terms against their GDPR requirements.