Your client deals with no account and no install — just a link and a browser. You open the file as if it came from your own drive.
Sender
Your client
Server
GrataQ
Recipient
You
Three steps you'll see in the app every day.
In the app you name the link (e.g. "Contract ABC"), set how long it stays active, and optionally ask for the sender's name. You send the link to your client by email or text — it isn't a secret password; the key that unlocks the file stays with you and you alone.
The link works like a one-time gate — once the upload is done, or once its window closes, it shuts on its own. You can also revoke it manually at any time.
send.grataq.com/u/h7k2-q4mpThey open the link in their browser and immediately see they're sending to you — your logo, your name, and your verified domain. They pick a file and send it, and the security happens automatically.
Your client needs no account and no install. It works the same on a phone or a computer.
As simple for your client as WeTransferA new item appears in your Inbox in the app. You click, and the file is right there — as if it came from your own drive. Our server never saw its contents.
It all happens automatically. No passwords to manage, nothing to retype — you just open the file.
As simple as opening an attachmentPlain email and upload services (Filemail, WeTransfer, Dropbox Transfer, MASV, TransferNow) don't solve the hardest part: how to hand your client the key safely. Here's a head-to-head comparison.
| GrataQRecommended | Filemail | WeTransfer | Dropbox Transfer | MASV | TransferNow | ||
|---|---|---|---|---|---|---|---|
| Post-quantum cryptography | Yes | No | No | No | No | No | No |
| Full encryption (E2E) | Yes | Business only | No | No | No | Only with a password | No |
| Service hands over the key | Yes | You hand it over | You hand it over | You hand it over | You hand it over | You hand it over | You hand it over |
| Server sees the contents | No | Only without E2E | Yes | Yes | Yes | Only without a password | Yes |
| Verified identity | Domain (DNS) | No | Email only | No | No | No | Easily forged |
| Data in the EU | Yes | Business only | By IP | Defaults to the US | Via the store | Yes (FR) | Depends on provider |
Comparison based on each service's publicly available documentation as of June 2, 2026. Details may vary by plan and over time — always confirm with the provider for binding information.
A client emails an attachment, drops a large file on a transfer service, snaps a photo of a record into a messenger app. It ends up on someone else's servers, often outside the EU, with no encryption and no record of who could access the file. See if this sounds familiar in your field.
Healthcare and psychology services
A patient is sending me a photo of a prescription over Messenger. This can't be right.
Sensitive data in the special-category regime of the GDPR (Art. 9). Encrypted right at the sender, hosted in the EU. We know exactly where the data is and who handles it.
Architects, designers, and construction
The drawings are too big for email, so we put them on a transfer service. Then they sit on someone else's server and we don't know who can access them.
Large attachments through your link with a raised limit — encrypted right at your client, not on someone else's drive. Our server sees only unreadable data, not your design.
Attorneys, notaries, accountants, tax and financial advisors
Client documents come in by email. I don't have the budget for my own secure portal, but I have to protect them.
Files encrypted right at your client; our server never sees the contents. After download they're automatically deleted from storage — and there's nothing for you to build or run.
Public administration, government offices, and schools
Citizens and parents upload records into a web form. They have no idea whether it goes to us or to someone impersonating us.
An office's or school's domain verified through DNS — the sender sees they're sending to you, not to an imitation. No account, no install on their end.
Insurers and claims adjusters
Clients photograph the damage and send it over WhatsApp. It gets mixed in with personal chats and I can't file it properly anywhere.
Incoming transfers in a single inbox with history and a notification on every new file. Search by sender and by name — nothing gets lost.
Staffing agencies and real estate offices
Candidates and clients dump copies of records and statements on us through WeTransfer and Dropbox. Then it all sits on someone else's server.
An intake link with a short expiry — once it lapses, it closes on its own. Records encrypted at your client; the key stays with you alone.
Intake links with a clear life cycle and a verified institutional identity — two things that keep your transfers under control.
Every link has a limited lifespan. Active → closes once complete, or expires automatically once its window passes. In the app you have an overview of every link and its status.
You verify your domain once — then on the upload page your client sees your logo, your company name, and a green "Verified domain" badge. They can be sure they're sending to you, not to an imitation.
Private by default: we don't track users — no analytics, no third-party cookies, no profiling. Not in the app, and not on the website.
Before going to production, your DPO, CISO, or internal audit will want to go through the details. Here are all the documents they need for that.
The complete document for reviewing the cryptography and operations: ML-KEM-768, ML-DSA-65, the key-derivation scheme, the transfer format. All with references to the NIST FIPS standards.
Open the whitepaper →
Assets, adversaries, trust boundaries. What the product protects and what it explicitly does not — for your internal risk assessment and deployment decision.
Open the threat model →
Generation, rotation, backup, recovery. What happens when a device is lost or compromised, and how the other side verifies that the identity is truly yours.
Open the document →
An exhaustive list: what's encrypted, what's in cleartext, how long it's kept, who has access. No vague "we minimize metadata." And what we don't track at all: no analytics, no third-party cookies, no profiling.
Open the overview →
The Windows app is in the Microsoft Store. Install it in a minute, verify your domain, and you can send your clients their first link.
