“It’s in the cloud” has become shorthand for “it’s safe.” We hear it from colleagues, family members, even IT departments. Upload your files to Google Drive or Dropbox, the thinking goes, and they’re backed up, protected, and always available. Job done.

But “the cloud” is not a magical vault. It’s a marketing term for someone else’s computer — and the distinction matters enormously when the files in question are your will, your passport scan, your life insurance policy, or your children’s birth certificates.

What “Cloud Storage” Actually Means

When you upload a file to a mainstream cloud provider, it lands on a server in a data centre — possibly in another country. The provider manages that infrastructure, handles backups, and gives you a convenient link to retrieve your file from any device. That’s genuinely useful.

What most people don’t realise is that the provider can read your files. Google scans documents for indexing. Microsoft processes content for search and compliance features. Dropbox employees with sufficient access rights could, in theory, open anything in your account.

This isn’t speculation. Cloud providers are subject to legal subpoenas and government data requests — and they comply, because they can. In 2024 alone, Google received over 200,000 government requests for user data globally. Beyond legal requests, there are data breaches: Dropbox confirmed a breach of its e-signature platform in 2024 that exposed customer names, emails, and authentication tokens. No system run by humans is immune to human error — or human malice.

The Encryption Spectrum

Not all encryption is created equal. It helps to understand the four broad levels, because marketing language deliberately blurs the lines between them.

No encryption

Some older or poorly-built services store files as plain data. Anyone with access to the server — an engineer, a hacker, a contractor — can open them directly. This is thankfully becoming rare, but it still exists in some legacy systems and small business tools.

Encryption in transit (HTTPS)

This protects your data while it travels between your device and the server. It’s the padlock icon in your browser. Almost every reputable service uses it. But once your file arrives at the server, it’s decrypted and stored in a readable form — or encrypted with a key the provider controls.

Encryption at rest (server-side)

Here, files are encrypted on the server’s hard drives. This protects against someone physically stealing a disc from the data centre. However, the provider holds the encryption key. They can decrypt your files whenever they need to — for indexing, for compliance, or because a court told them to. Google Drive, OneDrive, and Dropbox all work this way by default.

End-to-end / zero-knowledge encryption

This is the gold standard. Your files are encrypted on your device, before they leave it, using a key that only you possess. The server — if there even is one — stores only unreadable ciphertext. The provider cannot decrypt your files. A hacker who breaches the server gets gibberish. A court order yields nothing useful, because there’s nothing to hand over.

If the company storing your data can read your data, then your data is only as safe as that company’s security, its employees, and its legal obligations.

Why This Matters for Sensitive Documents

There’s a meaningful difference between uploading holiday photos and uploading a certified copy of your will. If your holiday snaps leak, it’s embarrassing. If your passport scan, bank details, or power of attorney documents leak, the consequences can be devastating — identity theft, financial fraud, or worse.

Consider what a typical “important documents” folder might contain:

  • Wills and codicils — revealing your estate distribution and beneficiaries
  • Life insurance policies — containing policy numbers, sums assured, and personal details
  • Passport and driving licence scans — prime targets for identity fraud
  • Bank and pension statements — account numbers, sort codes, balances
  • Property deeds and mortgage documents — your address, lender, and financial commitments

You cannot undo a data breach. Once a passport scan is on the dark web, it’s there permanently. Unlike a compromised password, you can’t simply reset your date of birth or National Insurance number. The only real protection is ensuring the data was never readable in the first place.

The After Me Approach

After Me was designed from the ground up around zero-knowledge encryption. Rather than asking you to trust a server, the app ensures your documents never leave your device in a readable form.

Here’s how it works in practice:

  • AES-256-GCM encryption — the same standard used by governments and financial institutions worldwide. Each document is encrypted individually with its own unique key material.
  • Keys generated and held on your device — your encryption keys are derived locally and never transmitted. TITADE Ltd has no mechanism to access them, even if compelled.
  • No server, no cloud account required — your encrypted vault lives on your phone. There is no After Me server storing your documents, which means there is no central target for attackers.
  • Open format specification — the vault format is publicly documented. Anyone can inspect exactly how documents are encrypted, how keys are derived, and how the vault is structured. There are no black boxes.

This isn’t a novel approach — it’s simply the right one for documents that matter. The inconvenient truth about most cloud storage is that convenience was prioritised over confidentiality. For holiday photos, that trade-off is fine. For your family’s most important paperwork, it isn’t.

What to Look For in Secure Storage

Whether you use After Me or not, here are the criteria worth checking before you entrust sensitive documents to any service:

  1. Zero-knowledge architecture — the provider should be unable to read your data, full stop. If their privacy policy says they “may process your content,” that’s a red flag.
  2. Open source or open format — security through obscurity is not security. A trustworthy tool lets you verify its claims. Look for published specifications, third-party audits, or open-source code.
  3. Local-first design — ideally, your data shouldn’t leave your device unless you explicitly choose to share or export it. A local-first approach eliminates an entire category of risk.
  4. Independent audit or public specification — has the encryption been reviewed by someone other than the people who built it? A published format spec or a third-party security audit is a strong trust signal.
  5. No account required — if a service forces you to create an account with an email and password, that’s another vector for attack. The fewer credentials involved, the smaller the attack surface.

The safest place for your most sensitive documents is the device in your pocket — provided the encryption is done properly.

Cloud storage has its place. It’s brilliant for collaboration, for sharing large files, and for keeping your music library in sync across devices. But when you’re storing documents that could be used to steal your identity, empty your bank account, or complicate your family’s life after you’re gone, “it’s in the cloud” should not be the end of the conversation. It should be the beginning of a much more careful one.

Ready to store your important documents with proper encryption?

Store your documents securely

Related articles

What Documents Does My Family Need When I Die? Digital Estate Planning: A UK Guide for 2026 How to Store Your Will Safely (Without a Filing Cabinet) Organising Documents After Someone Dies: A Step-by-Step Guide