- Consumer document tools have no concept of client records, matter linking, or retention schedules
- Vault stores documents with AES-256-GCM encryption, linked to client records, with tamper-evident audit trails
- Automated retention and deletion policies keep you GDPR-compliant without manual housekeeping
- E-signature, document requests, and AI-powered document processing are built in — not add-ons
There's a document management setup that nearly every professional services firm under 50 people uses: a shared cloud drive organised into folders, roughly by client name, vaguely by year. Some folders are meticulously organised. Others are chaos. There is no retention policy. There is no deletion process. There is no audit trail showing who accessed what. Documents containing sensitive personal data sit alongside invoices and lunch menus.
This is the current state of the industry and it has to change. Not because it's inconvenient — it's actually quite convenient — but because it creates regulatory exposure that most firms haven't fully reckoned with.
The risks that accumulate silently
- High: AES-256 encryption is absent on free/standard tiers of consumer storage — documents at rest are not encrypted to a standard that regulators expect for sensitive personal data.
- High: Shared links can be forwarded. A link sent to one client can reach anyone. There is typically no record of who actually accessed the document after the link left your hands.
- Medium: No retention schedule means you are almost certainly holding personal data longer than legally permitted. Under GDPR, you must delete personal data once the purpose for holding it expires.
- Medium: US cloud providers are subject to US government data access requests (CLOUD Act). Your client's passport copy stored on a US server can be legally accessed by US authorities without your knowledge.
- Medium: No document versioning or tampering detection means you cannot prove that a document has not been altered since it was filed.
What Vault does instead
AES-256-GCM encryption at rest
Every file stored in Vault is encrypted with AES-256-GCM — the same standard used for financial and healthcare data. At-rest encryption is mandatory, not optional.
Client and matter linking
Documents don't float in folders — they're attached to specific client records and matter files. Finding everything related to a client takes seconds, not a folder search.
Automated retention schedules
Set retention periods by document type: KYC documents retained for 5 years post-relationship. Contracts retained for 7. Personal data deleted automatically when the period expires.
Tamper-evident audit trail
Every access, download, share, edit, and deletion is logged with timestamp and user identity. You can prove who saw a document and when — or that nobody tampered with it.
Secure client document requests
Request documents from clients through a secure portal — no email attachments, no unauthenticated file sharing links. Clients upload directly into their vault file.
E-signature built in
Send agreements for signature directly from Vault. Signed documents are stored with the full signature audit trail attached — no separate DocuSign account needed.
The retention schedule nobody has written
Ask most professional services firms whether they have a document retention schedule and they'll say yes. Ask them when they last deleted a client file and they'll pause. Retention schedules that aren't enforced are aspirations, not controls. Vault's automated retention means deletion actually happens — not when someone gets around to it, but on the schedule you set.
This matters for GDPR compliance in a very specific way: the obligation to delete personal data is not waived by forgetting about it. When a DSAR asks "what data do you hold about me?", the answer that includes documents from a client relationship that ended six years ago — that you should have deleted two years ago — is a compliance problem.
AI-powered document processing
Vault's AI layer extracts structured data from documents automatically: pulling the entity name and registration number from a company certificate, extracting the expiry date from a passport, identifying the key terms in a contract, and populating the relevant fields in the client's CRM record. What used to take a team member 15 minutes per new client — opening each document, reading it, typing the data — takes seconds.
The DSAR use case alone: When a client submits a data subject access request, Vault generates a complete document export instantly — every file linked to that client record, with access logs included. What used to take hours of manual hunting across a shared drive takes one click. The time saving on a single DSAR typically covers months of Vault subscription cost.
Migrating from your current setup
The migration question is the one that always comes up first. Yes, migrating documents is work. It's less work than it sounds because most firms discover, during migration, that a significant proportion of what's in their shared drive doesn't need to be migrated at all — it can be deleted, because the retention period expired years ago. The migration becomes a compliance cleanup. Most firms finish feeling better about their data quality than they have in years.
Can Vault store any file type?
Yes — PDFs, Word documents, Excel spreadsheets, images, scanned documents, and any other file type. AI processing (data extraction, classification) works best on PDFs and common Office formats, but Vault stores everything.
Is Vault accessible to clients or internal only?
Both. There's an internal view for your team with full access controls, and a client-facing portal where clients can upload requested documents, view shared files, and sign agreements. The client view is permission-scoped — they can only see what you explicitly share with them.
See Vault handle a complete client file
We'll walk through a document upload, AI extraction, e-signature, retention schedule, and DSAR export — all in one flow.
Reviewed for regulated teams
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.