Cloud File Sharing — Powerful collaboration, zero data sovereignty
Dropbox, Google Drive, Microsoft OneDrive, Box, ShareFile, and Egnyte collectively hold the vast majority of the enterprise file-sharing market. They are well-engineered, well-integrated, and genuinely capable: they have per-user permissions, group access control, audit trails, desktop sync clients, and mobile apps. For teams with no sensitivity constraints, they are the obvious default.
The structural issue is one that can't be configured away. Every file you share through any of these services is first uploaded to the vendor's cloud infrastructure, stored there, and then downloaded by the recipient. During that time — which may be hours, days, or indefinitely if the share link is never revoked — a copy of your file lives on a server you don't own, managed by a company that may be subject to legal process, breach, or policy change. For law firms, healthcare providers, journalists, financial institutions, and government bodies, this isn't a hypothetical concern.
Tresorit is the most privacy-conscious cloud competitor. It uses genuine end-to-end encryption, meaning the vendor cannot read the files. But it is still cloud-hosted: the encrypted file lives on Tresorit's servers, metadata (who shared with whom, when) is visible to the platform, and the internet is always required. Tresorit solves the 'vendor can read it' problem without solving the 'vendor infrastructure is in the data path' problem.
- All cloud services store a copy of every shared file on their infrastructure — unavoidable by design
- Vendor infrastructure means vendor risk: breach, legal process, policy change, or service shutdown
- E2EE options (Tresorit) encrypt content but metadata and cloud dependency remain
- None offer LAN-only or air-gap mode — internet is always required
- Machine-level access control is limited or absent outside enterprise tiers
P2P & Direct Transfer Tools — Privacy without enterprise governance
Resilio Sync, Syncthing, LocalSend, OnionShare, Magic Wormhole, Pairdrop, and Croc all solve the cloud problem correctly: files move directly between machines. No third party ever holds a copy. For technically confident users sharing files with other technically confident users, they work well.
What these tools are not designed for is enterprise access governance. Syncthing and Resilio Sync are synchronisation tools — they maintain a live, bidirectional mirror of a folder between two or more machines. This is a different model from controlled sharing: once someone is in your sync group, they get everything in the folder as it changes. There is no per-file permission, no machine whitelist, no audit log of who downloaded what, and no way to grant read-only access to one document without giving access to all of them.
LocalSend is the closest to Privatta's LAN use case: it is beautiful, it is fast, and it is end-to-end encrypted. But it has no access control at all — anyone on the same network can receive any file you send, there is no persistent user database, and it has no internet mode. Magic Wormhole and Croc are one-shot command-line tools: perfectly good for a developer sharing a file once, but there is no recurring share, no access list, no log, and no GUI.
OnionShare works over Tor and genuinely anonymises the transfer, which is valuable in specific threat models. But it requires the recipient to have Tor Browser, is significantly slower than direct transfer, and has no persistent access control model. It solves a different problem from the one most organisations face.
- Syncthing and Resilio Sync are sync tools, not share tools — folder membership is all-or-nothing
- LocalSend has no user accounts, no access control, no internet mode, and no audit log
- Magic Wormhole and Croc are single-transfer CLI tools — no persistent sharing model
- OnionShare addresses anonymity, not governance — requires Tor and is impractical for recurring use
- None of the P2P tools combine machine whitelisting, per-user ACL, group permissions, and a local audit log
Managed File Transfer (MFT) — Enterprise-grade audit, server-grade overhead
MOVEit Transfer, GoAnywhere MFT, IBM Sterling B2B Integrator, Axway AMPLIFY, Biscom, and Globalscape EFT are the established enterprise-grade managed file transfer platforms. They have everything the compliance team asks for: full audit trails, per-user and group access control, machine authentication, integration with directory services, encryption at rest and in transit, and regulatory certifications across the board. They are the correct answer for large organisations that need to demonstrate control over every byte that moves across a boundary.
The trade-off is operational complexity and cost. These platforms are server-deployed — someone on your team must provision, harden, maintain, and update the server. 'Self-hosted' in the MFT world means a dedicated server instance, typically requiring a DBA and a sysadmin. Pricing starts in the thousands of dollars per year for the smallest deployments and scales to six figures for large enterprise agreements. There is no desktop app that a user just runs; users interact via a web portal or a CLI client.
For a 500-person organisation with a dedicated IT team and a compliance mandate, this trade-off is often the right one. For a 20-person professional services firm, a clinical research team, or a distributed remote organisation, the operational overhead is prohibitive. Privatta delivers the audit log, the per-user ACL, and the machine whitelist as a desktop application that a non-technical user can set up in under ten minutes.
- MFT platforms require self-hosted server infrastructure — ongoing maintenance by IT staff
- No native desktop application — users interact via a web portal or CLI
- Pricing typically starts at $3,000–$10,000/year and scales significantly
- Correct choice for large enterprises with dedicated IT; prohibitive overhead for smaller organisations
- Privatta delivers the MFT governance model as a desktop app with no server to maintain
Encrypted Private Storage — Zero-knowledge cloud, still cloud
ProtonDrive, Filen.io, and Internxt represent a newer category: zero-knowledge encrypted cloud storage. Unlike Dropbox or Google Drive, the vendor genuinely cannot read your files — encryption happens client-side before upload, and the key never leaves your device. This is a meaningful improvement over conventional cloud storage for personal and small-team privacy.
These services are still cloud services. Files still live on a server you don't own. There is no LAN mode, no offline mode, and no air-gap capability. They are excellent for persistent storage and backup; they are not designed for direct machine-to-machine transfer with access control, audit trails, or machine authentication. Their sharing model is link-based — generate a link, send it to someone — rather than a named-user permission model with device-level verification.
Tresorit Send, which operates on a different model from Tresorit's full product, is essentially a secure version of WeTransfer: generate a link that expires, the recipient downloads from the link. The file still passes through Tresorit's infrastructure. No recipient authentication, no machine whitelist, no audit log of who actually downloaded it.
- Zero-knowledge encryption addresses content confidentiality but not cloud dependency or metadata
- No LAN mode, offline mode, or air-gap capability in any encrypted storage product
- Sharing is link-based, not named-user with device-level authentication
- No audit log of specific downloads — only upload/share events may be recorded
- Correct for personal backup and storage; not designed for governed point-to-point transfer
The position Privatta holds alone
The market organises around two axes. On one axis: how private is the transfer? Cloud services score poorly; P2P tools score well. On the other axis: how much access governance does it provide? P2P tools score poorly; MFT platforms score well. Almost every product is strong on one axis and weak on the other.
Privatta is the only product that sits at the intersection of both. Files move directly between machines — no cloud copy, ever. And the access model is governed: named users, per-file permissions, virtual folders, machine-identity verification via Ed25519 Peer ID, a three-factor authentication chain, and a local SQLite audit log recording every request and its outcome. The Enterprise tier adds user groups and a full membership hierarchy on top.
The second unique property is the deployment model. Every competitor that offers enterprise governance — MFT platforms, cloud enterprise tiers — requires server infrastructure. Every competitor that avoids server infrastructure — LocalSend, Magic Wormhole, Syncthing — lacks governance. Privatta arrives as a desktop application: one installer, no server to provision, no port forwarding required (libp2p handles NAT traversal), and it works fully offline on a LAN from the first minute.
- Only product combining true P2P (no cloud copy) with named-user ACL, machine whitelist, and local audit log
- No server infrastructure required — installs as a desktop app; libp2p handles NAT traversal automatically
- Three transport modes in one install: LAN, internet P2P, and fully offline / air-gapped
- Enterprise tier adds user groups without removing a single capability from lower tiers
- The same binary satisfies a solo professional (Pro) and an organisation-wide deployment (Enterprise)