A category that hadn't moved in fifteen years, until trust broke.
File transfer for business has been a solved problem in the wrong way for a long time. The dominant pattern looks the same everywhere: upload a file to a third party, get a link, share the link. Convenient, fast, ubiquitous — and architecturally identical to handing someone else your filing cabinet keys for a week.
For most of that period, businesses accepted the trade-off because the alternative was sending files as email attachments (worse) or running their own SFTP server (overhead nobody wanted). The middle option was: trust that the file-transfer vendor would behave. The relationship was governed by Terms of Service that, in fairness, were generally honoured.
Then, in mid-2025, one of the largest players in the category updated their Terms of Service to permit using user files for AI training. The reaction was immediate and broad — not because anyone was surprised that infrastructure providers held leverage over their users, but because that leverage had been made explicit. The Terms of Service moved. Files that had been "private" yesterday became training material today.
The lesson wasn't that this vendor was uniquely untrustworthy. The lesson was that any vendor whose architecture allowed it could make the same move tomorrow.
Nullsend started from that observation. If your file-transfer vendor's architecture lets them read your files, then your privacy depends entirely on their current policy — and current policy can change in a press release. The only durable answer is an architecture in which they can't read your files in the first place.
End-to-end encryption, all the way down.
The technical decisions that follow from "the vendor must not be able to read user files" are well-known but rarely implemented in commercial file-transfer products, because they make some things harder (no thumbnails, no server-side virus scanning, no recovery if a link is lost) and require more careful client-side engineering.
Nullsend implements them as the default, not as an enterprise upsell. Every transfer is encrypted in the sender's browser before upload, using AES-256-GCM with a key generated locally. The decryption key travels in the share URL fragment — by web standards, that portion of the URL never reaches a server. Nullsend's infrastructure stores ciphertext indistinguishable from random bytes.
Files we cannot read
Browser-side AES-256-GCM. Our servers store ciphertext. We have no decryption capability, by design.
Keys we never receive
Decryption keys live in the share URL fragment — a part of URLs that browsers never transmit to servers.
Your brand, our architecture
White-label by default. Recipients see your subdomain, your brand, your sender email — not ours.
The full technical detail — algorithm choices, key handling, sub-processors, compliance posture — is documented openly on our security page. The short version: we use the boring, well-reviewed cryptographic primitives that every browser ships with, and we don't try to be clever. The interesting part isn't the algorithms; it's that we've built the product around what those algorithms imply, instead of treating them as a marketing asterisk.
For businesses that handle other people's confidential information.
Nullsend's target buyer isn't a consumer sending a holiday video to a relative. It's a creative agency sending finished work to a client under NDA. A law firm exchanging privileged documents with counsel. A private healthcare practice sending scans between specialists. A print studio receiving 20 GB of client artwork.
These buyers have two things in common. First, they're handling material whose exposure would be career-damaging — sometimes regulator-notification-triggering — for them and for their client. Second, they're sophisticated enough to recognise that "this vendor promises to keep your data private" and "this vendor is structurally unable to access your data" are different statements with different risk profiles.
We've priced and built for that buyer specifically. Four monthly subscription tiers from £19 to £199+, no free plan, no advertising business, no consumer features bolted on. Recipients of files never have to sign up for anything; they receive a branded page on the sender's subdomain and a one-click download. The sender's organisation gets a white-labelled portal, an audit log, and a Data Processing Agreement that's available before signup, not after.
UK and EU first. The rest can wait until we've earned the right.
Nullsend is a UK company with EU-resident infrastructure, serving UK and EEA customers at launch. The decision to launch geographically narrow was deliberate: GDPR compliance is something we wanted to build into the architecture rather than retrofit, and the legal frameworks that govern data protection in the UK and EU are the ones we're most able to commit to authoritatively at this stage.
files.theirfirm.com instead of theirfirm.nullsend.io. ACME certificate provisioning automated.
Founded on three decades of IT experience.
Nullsend is built by a team whose backgrounds span more than thirty years of IT and infrastructure experience across regulated industries — including financial services, professional services, and SaaS operations. The decisions baked into the product, from architecture to operational posture to compliance roadmap, are informed by what works in environments where confidentiality and uptime aren't optional.
The company is small by design, at least for now. The architecture demands a small surface area; the brand demands consistent voice; the customer base demands that the people answering technical questions can answer them properly. Nullsend doesn't intend to scale headcount faster than the product and its customer trust can absorb.
The administrative details, on one page.
For anyone doing vendor diligence, here's what you need to know about the legal entity behind this product.
- Legal name
- Nullsend Ltd
- Country of incorporation
- United Kingdom
- Operating jurisdiction
- United Kingdom & European Economic Area
- Data residency
- European Union (Amsterdam — for transfer ciphertext)
- Primary contact
- hello@nullsend.io
- Security disclosure
- hello@nullsend.io with subject prefix [security]
- Compliance posture
- UK GDPR · EU GDPR · UK DPA 2018 — see security page
- DPA availability
- Pre-signup, on every tier
- Sub-processors
- Listed publicly at /security#subprocessors