How Doqubox uses end-to-end encryption to protect sensitive documents
Organizations that ask clients to share sensitive documents such as passports, contracts, financial statements, medical records, or compliance documents carry a serious responsibility. The risk is not only interception during transmission, but especially what happens afterward. Sensitive files end up in inboxes, backups, incorrectly forwarded attachments, shared mailboxes, or internal systems that are not designed for confidential data, with all the associated risks.
Doqubox is built to reduce that exposure. With Doqubox, files are encrypted before they leave the sender's device and are only decrypted by an authorized recipient. That means only the sender and recipient have access to the documents, and no one else can view them.
In this article, we explain how that works in practice and what it concretely means that the platform has no practical access to the contents of encrypted documents.
The core idea: first encrypt, then upload
Doqubox is designed so that encryption takes place in the sender's browser.
When someone uploads a file to a Doqubox address, the original file is processed locally in the browser using modern browser cryptography. The browser encrypts the file first and only then uploads the encrypted version. The encryption uses a key that was previously created by the recipient and is not known to anyone else.
This fundamentally distinguishes Doqubox from traditional file-sharing systems, which often encrypt files during transport and storage, but where the system itself still has access to the files and their contents. In practice, you are then not only sending the file to the recipient, but also to the intermediary service. That means you cannot be sure what happens to that data, and you also take unnecessary risk if the service is compromised.
In practical terms, this means our servers can store, route, and deliver encrypted data without being able to view the underlying documents.
What happens when someone uploads a file
In the encrypted Doqubox workflow, Doqubox encrypts files in the browser before the upload is sent.
Broadly speaking, the process looks like this:
- The sender navigates to a dedicated portal with your organization's branding and chooses which file to send.
- The browser creates new encryption material for that specific file based on a secret key known only to the recipient. The file is then encrypted with it.
- Only the encrypted file and the required encryption metadata are uploaded to Doqubox.
- The recipient receives a notification that a new file has been received.
The original readable file is therefore not stored on our platform. By the time the document reaches our servers, it is already encrypted. That is what makes our approach unique: no one other than the intended recipient can view the contents of documents, not even us.
What happens when an authorized recipient downloads a file
When an authorized recipient downloads an encrypted document, the browser retrieves the encrypted file and decrypts it locally. The server can still enforce access rules and deliver the encrypted file, but it does not perform the decryption itself. Only after that local decryption does the user receive a readable file in the browser.
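The upload and download steps described above, sketched with the browser's WebCrypto API. This is an added example, not Doqubox's own code: the page does not name its algorithms, so RSA-OAEP key wrapping, a per-file AES-256-GCM key, and all function and field names here are assumptions.

```javascript
// Added illustration; algorithms, function names and envelope fields are assumptions.
// Browsers expose globalThis.crypto; the fallback covers older Node.js for offline runs.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;

// Recipient, once: the key pair is created client-side. Only the public key
// is shared with senders; the private key is marked non-extractable.
async function createRecipientKeys() {
  return wc.subtle.generateKey(
    { name: "RSA-OAEP", modulusLength: 3072,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    false, ["wrapKey", "unwrapKey"]);
}

// Sender's browser: a fresh key per file, encrypt locally, wrap the file key
// for the recipient. Only the returned envelope is uploaded.
async function encryptForRecipient(publicKey, fileBytes, fileName) {
  const fileKey = await wc.subtle.generateKey(
    { name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const aad = new TextEncoder().encode(fileName); // binds metadata to the ciphertext
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: aad }, fileKey, fileBytes);
  const wrapped = await wc.subtle.wrapKey("raw", fileKey, publicKey, { name: "RSA-OAEP" });
  return { fileName, iv, wrappedKey: new Uint8Array(wrapped), ciphertext: new Uint8Array(ct) };
}

// Recipient's browser: unwrap the file key with the private key, then decrypt.
// Rejects if the key does not match or the envelope was modified in storage.
async function decryptEnvelope(privateKey, env) {
  const fileKey = await wc.subtle.unwrapKey("raw", env.wrappedKey, privateKey,
    { name: "RSA-OAEP" }, { name: "AES-GCM", length: 256 }, false, ["decrypt"]);
  const aad = new TextEncoder().encode(env.fileName);
  const plain = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: env.iv, additionalData: aad }, fileKey, env.ciphertext);
  return new Uint8Array(plain);
}

async function demo() {
  const recipient = await createRecipientKeys();
  const outsider = await createRecipientKeys();   // stands in for anyone without the key
  const file = new TextEncoder().encode("constructed sample: passport scan bytes");
  const stored = await encryptForRecipient(recipient.publicKey, file, "passport.pdf");
  const opened = new TextDecoder().decode(await decryptEnvelope(recipient.privateKey, stored));
  const failed = (p) => p.then(() => false, () => true);
  const outsiderFails = await failed(decryptEnvelope(outsider.privateKey, stored));
  const tampered = { ...stored, ciphertext: stored.ciphertext.slice() };
  tampered.ciphertext[0] ^= 1;                    // simulate modification at rest
  const tamperFails = await failed(decryptEnvelope(recipient.privateKey, tampered));
  return { opened, outsiderFails, tamperFails };
}
demo().then(console.log);
```

The `stored` object is everything a server would hold in this sketch: without the recipient's private key it cannot be decrypted, and a changed ciphertext is rejected instead of yielding altered content.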
Strong encryption like PGP, without the hassle
Conceptually, this follows the same basic principle as PGP: end-to-end encryption with public and private keys (PKI), where data is encrypted with the public key before it is sent and can only be opened by the intended recipient using the private key.
The difference lies in ease of use. PGP is powerful, but for many people too technical for everyday document exchange. Key management, configuration, and daily use quickly become obstacles.
Doqubox applies the same security principle in a way that is practical and user-friendly for normal business use. Users do not need to understand anything about cryptography to benefit from it. They can easily and securely request, send, receive, and open sensitive documents through a familiar workflow while the encryption happens in the background.
Why end-to-end encryption really makes the difference
Many platforms talk about encryption, and sometimes even about end-to-end encryption, but in practice they still have access to the keys and therefore to document content. Although that provides a degree of protection, it still means you must trust that they will not misuse that data and that it will not unintentionally fall into the wrong hands.
With true end-to-end encryption, files are encrypted before they leave the sender's device in such a way that only the recipient can decrypt them. As a result, a data breach, internal access, or exposed backup does not reveal readable information, only unusable encrypted files.
Even within the platform, document content is not visible to anyone other than the intended recipient. This does not remove the need for every other security measure. Good authentication, endpoint security, retention policies, and access management remain essential. But it does eliminate one of the biggest structural risks: central access to sensitive data.
That is the practical security value of the end-to-end encryption model in which the keys also remain outside the platform's reach (zero knowledge). For organizations that work with identity data, legal documents, financial information, or medical records, that means a fundamentally higher level of data protection.