Skip to content
PrivateAI
← Back to Home
privacy tools

Your Client NDA Probably Requires Encrypted Storage. Here's What That Actually Means.

11 min read min readBy PrivateAI Team

_Last updated: 2026-05-28_

> Not legal advice. This article discusses general patterns in data security obligations common to contractor agreements. For anything binding on your specific situation, consult a lawyer.

The Clause You Probably Skimmed

Pull up the last NDA you signed. Look for language around any of these phrases:

  • "commercially reasonable security measures"
  • "reasonable care to protect"
  • "industry-standard safeguards"
  • "encryption at rest and in transit"
  • "no less protective than measures used to protect Recipient's own confidential information"
  • "comply with applicable data protection regulations"

If the client is a tech company, a financial services firm, a healthcare organization, or any enterprise with its own legal and security team, there is a strong chance at least one of these phrases appears in your agreement.

The weaker versions ("reasonable care") leave interpretation open. The stronger versions name specific standards or require encryption by specification. But even "commercially reasonable security measures" has shifted in meaning — what qualified as reasonable in 2018 is not what qualifies in 2026. Courts and regulators have increasingly treated client-side encryption as a baseline expectation for sensitive professional data, not a premium feature.

The implication: "I stored it in Google Drive" is an increasingly weak defense when client data appears in a breach disclosure or a contract dispute.


What "Reasonable Measures" Actually Means in 2026

Legal standards for data security in contracts tend to track industry norms with a lag — but a few things have shifted enough to matter.

Encryption is no longer the differentiator — key control is. Ten years ago, "encrypted storage" meant using a service that encrypted data at rest. Every major cloud provider does this now. The harder question is: who holds the encryption keys?

When you store files in Google Drive, Google encrypts them at rest using Google's keys. Google can decrypt those files. Google has done so in response to law enforcement requests and in the course of content scanning. From a practical security standpoint, "Google Drive encrypts your data" means Google encrypts it — not you.

If your NDA requires that confidential information remain protected from unauthorized disclosure, a fair question follows: is a third party's ability to decrypt your files "authorized"? In most cases, your client didn't authorize Google to have access. They authorized you.

Data residency has become a clause in enterprise NDAs. For clients with EU operations, NDAs now commonly specify that their data cannot be stored on infrastructure subject to US legal jurisdiction. The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) extended US government reach to data stored by US companies anywhere in the world — including EU data centers. If your client is EU-based or handles EU citizen data, storing their files with Google, Microsoft, or Amazon creates a potential CLOUD Act exposure that your NDA may explicitly prohibit.

This isn't theoretical for freelancers doing work for European fintech companies, legal firms, or healthcare providers. If your contract specifies EU data residency and you're storing client files in Google Drive, you're out of compliance before anything bad has happened.


Why Standard Cloud Storage Creates a Liability Gap

To be precise about what you're accepting when you use standard cloud storage for client work:

The service provider can read your files. Google, Dropbox, and Microsoft use their own encryption keys, not yours. Their terms of service give them broad latitude to access, scan, and disclose content for policy compliance, service improvement, and law enforcement cooperation.

Breaches expose plaintext. When a provider that holds server-side keys is breached, an attacker gains access to both encrypted data and the keys needed to decrypt it. When a zero-knowledge provider is breached, the attacker gains only ciphertext with no viable path to the plaintext.

You have limited visibility into who has accessed client files. If a government agency subpoenas Google for a user's files, Google can comply — and is frequently restricted from notifying the user by non-disclosure orders. You would not know your client's confidential files had been accessed. Your NDA obligation to maintain confidentiality would have been violated by a process you couldn't see or control.

Metadata is readable even when content is "encrypted." Standard cloud providers encrypt file contents but store metadata — filenames, folder structure, access timestamps, sharing history — in readable form. Someone with server access doesn't need to decrypt your files to learn a great deal about your work: who you're sharing with, what projects you're working on, when you're accessing what.

None of this means your data will definitely be exposed. It means the exposure is architecturally possible in ways that a well-drafted NDA may prohibit, and in ways that create liability in a dispute.


The CLOUD Act Problem for International Client Work

If you do any work for clients with European operations, or for clients who handle data subject to GDPR, this deserves specific attention.

The CLOUD Act (2018) requires US-based cloud providers — Google, Microsoft, Amazon, Dropbox — to provide user data to US law enforcement when legally compelled, regardless of where the data is physically stored. A US government warrant can reach Google Drive files stored in EU data centers.

This creates a compliance conflict for work governed by both a US-signed NDA and GDPR. GDPR restricts the transfer of EU personal data to non-EU jurisdictions without adequate safeguards. If a US government request compels Google to disclose EU citizen data you're storing on Drive, GDPR was violated through a mechanism neither you nor your client could prevent — and your NDA may have named you as responsible for that protection.

Swiss-based providers like Tresorit operate under Swiss data protection law, which has a robust framework but is not subject to CLOUD Act jurisdiction. Swiss law requires domestic legal process for data requests, with significant procedural protections that make US-style emergency disclosure orders inapplicable. For clients specifying non-CLOUD-Act-subject storage, Swiss jurisdiction specifically satisfies the requirement.


How Zero-Knowledge Storage Changes Your Exposure

Zero-knowledge storage changes the compliance picture in a specific way: it removes the provider from the threat model entirely.

With Tresorit, files are encrypted on your device before they leave it. Tresorit's servers store ciphertext. Tresorit does not hold decryption keys. When law enforcement contacts Tresorit with a data request, Tresorit can provide the encrypted data and genuinely cannot provide decryption keys — because they don't possess them.

This architectural distinction has concrete implications for the clauses in your NDA:

"Confidential information shall be encrypted using industry-standard encryption at rest and in transit." Tresorit uses AES-256 client-side encryption. This clause is satisfied with auditable documentation — Tresorit publishes its security architecture and holds ISO 27001, SOC 2 Type II, and GDPR certifications.

"No unauthorized third party shall have access to confidential information." With zero-knowledge storage, the storage provider is not an authorized third party with access — it's an infrastructure provider with no ability to access the content. The cryptographic architecture, not a contractual promise from Google, enforces this.

"Data shall not be transferred to jurisdictions without adequate data protection." Swiss jurisdiction with no CLOUD Act applicability satisfies EU data residency requirements that US-based providers cannot meet by design.

The posture shift: instead of arguing "we trust Google's security team," you're asserting "it is cryptographically impossible for the storage provider to disclose plaintext data, regardless of who asks." Those are categorically different defensive positions.

Recommended

Zero-knowledge encrypted cloud storage with ISO 27001, SOC 2 Type II, and GDPR certifications. Swiss jurisdiction, no CLOUD Act exposure.

Tresorit

Start Your 14-Day Free Trial

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.