Use case — Healthcare

Secure medical record transfer

Send patient records, imaging, and clinical documents with client-side AES-256 encryption, EU hosting, optional OTP-verified delivery, and automatic expiration — built for the confidentiality requirements of health data under GDPR.

Encryption: AES-256-GCM, in-browser
Hosting: European Union
Verified delivery: OTP (email/SMS/crypto)
Retention: auto-expiring

Confidential by default

Files are encrypted in the browser before upload. In passwordless mode the decryption key never reaches our servers, so we cannot read patient data — only your recipient can.

Kept in the EU

Record data is stored exclusively in the European Union (Supabase Storage & OVHcloud Paris), avoiding cross-border data transfers that complicate GDPR health-data processing.

Auto-expiring

Transfers expire automatically (24h by default, up to 72h on the free tier), and a cleanup job purges expired files from storage every 10 minutes, which limits how long sensitive data exists at rest.


Controls mapping

How beTransfer maps to health-data requirements

The platform provides technical and organizational controls that correspond to common requirements for processing health data. This is a technical mapping, not a legal certification.

| Requirement | How beTransfer addresses it |
| --- | --- |
| Confidentiality of health data | Client-side AES-256-GCM encryption; decryption key stays with sender/recipient in passwordless mode (zero-knowledge). |
| Data residency in the EU | File storage and database are EU-hosted (Supabase + OVHcloud Paris). No file-content replication outside the EU. |
| Recipient authentication | Verified delivery requires a one-time passcode (email, SMS, or crypto challenge) before the recipient can download. |
| Storage limitation | Automatic expiration with a cleanup job running every 10 minutes; manual deletion available to the sender at any time. |
| Integrity & tamper detection | GCM authenticated encryption detects ciphertext modification on decryption, rejecting tampered files. |
| Secure transport | HTTPS/TLS with HSTS preload for all traffic. |
| Access logging | Download events are logged and retained for 30 days for audit, then purged. |

Compliance note: beTransfer.eu provides security controls suitable for sensitive transfers but is not a medical device or a HIPAA Business Associate offering. Entities regulated by HIPAA, the EU GDPR health provisions, or national health-data laws should confirm with their own compliance team that these controls satisfy their specific obligations before processing patient data.


How it works

Send a medical record in three steps

  1. Add the file & choose encryption

    Select the record (PDF, DICOM zip, imaging, lab report) in the upload area. Client-side end-to-end encryption is enabled by default — the file is encrypted in your browser before it ever leaves your device.

  2. Set expiration & verified delivery

    Choose how long the link stays valid (24h default, up to 72h on the free tier). Enable verified delivery to require an OTP (email, SMS, or crypto challenge) from the recipient before download is permitted.

  3. Share the link securely

    Send the share link to your recipient. In passwordless mode the decryption key lives in the URL fragment, which the browser does not include in requests, so servers never receive it and the link itself is the key. The transfer auto-expires and is deleted from storage on schedule.


FAQ

Medical record transfer — common questions

Is beTransfer.eu suitable for sending medical records?

beTransfer.eu provides technical controls that support secure medical record transfer: client-side AES-256-GCM encryption, EU hosting, OTP verified delivery, and automatic file expiration. Organizations subject to HIPAA or other health-data regulations should confirm with their own compliance team that these controls meet their obligations.

Are medical files encrypted end-to-end?

Yes. Files are encrypted in the browser before upload using AES-256-GCM. In passwordless mode the decryption key stays in the URL fragment and is never sent to the server, so beTransfer.eu cannot read file contents.

Where are uploaded medical records stored?

File data is stored exclusively within the European Union, using Supabase Storage for files up to 50 MB and OVHcloud Object Storage in Paris, France, for larger files.

How long are medical records kept?

Transfers expire automatically — 24 hours by default on the free tier (up to 72 hours). Expired files are deleted from storage every 10 minutes. Senders can also delete a transfer manually at any time.

Can I require the recipient to verify their identity?

Yes. Verified delivery lets you require a one-time passcode via email, SMS, or a crypto challenge before the recipient can download. This adds an authentication layer on top of the share link.

What file types and sizes are supported?

Allowed file types are defined by a MIME-type allowlist (PDFs, images, documents, archives, video, audio, and more). On the free tier, transfers up to 200 MB are supported. See the upload page for the current list of accepted types.

Send patient records the secure way

Encrypted in your browser, hosted in the EU, expired automatically. No account required to start a transfer.