Is SwissTransfer Really Secure? What You Need to Know in 2026

By Simon Themiot - freelance cybersecurity consultant. Published May 19, 2026.

Summary

  • SwissTransfer encrypts your files in transit (TLS) and at rest (server-side AES), but Infomaniak holds the decryption keys. This is not end-to-end encryption.
  • Switzerland has a reputation for security, but it is not in the EU. For a French company, GDPR requires an additional framework (adequacy decision) for transfers to Switzerland.
  • SwissTransfer is excellent for non-sensitive large files (50 GB free, 30 days). For confidential data, it lacks E2E encryption and the zero-knowledge model.
  • For sensitive files with real encryption: PrivCloud (E2E AES-256-GCM, zero-knowledge, France, open source).

1. SwissTransfer: overview and how it works

SwissTransfer is a free large file transfer service operated by Infomaniak, a Swiss hosting company based in Geneva. Launched in 2019, it allows sending up to 50 GB per transfer without registration, with configurable availability (up to 30 days). SwissTransfer positioned itself as a European WeTransfer alternative, capitalising on the security and neutrality image associated with Switzerland.

SwissTransfer's advantages are real: generous file size (50 GB free), no intrusive advertising, password protection available, simple interface. But when it comes to cryptographic security, reality is more nuanced than the marketing image suggests.

2. What encryption does SwissTransfer use?

SwissTransfer uses two layers of encryption:

  • Encryption in transit (TLS 1.2+): Your files are protected during transfer between your browser and Infomaniak's servers. This is the web standard in 2026 - every serious site uses it.
  • Encryption at rest (server-side AES): Once stored on Infomaniak's servers, files are encrypted. But the encryption keys are managed and held by Infomaniak.

This model is identical to that of WeTransfer, Google Drive, or Dropbox. Encryption at rest protects against physical hard drive theft in the datacenter, but it does not protect against a malicious Infomaniak employee, Swiss legal compulsion (LRens), an infrastructure breach, or unauthorised administrative access.

Important technical point

SwissTransfer does not offer end-to-end encryption. The encryption key is not generated in your browser - it is generated and stored server-side by Infomaniak. This means Infomaniak can technically decrypt and read your file contents. Even with a password on the link, the file itself remains readable by the provider.

3. Is SwissTransfer zero-knowledge?

No. The zero-knowledge model means the service provider cannot, at any point, access the content of your files. For this, the decryption key must remain exclusively between the sender and recipient, never passing through the server.

On SwissTransfer, when you upload a file, it is sent in cleartext (protected only by TLS in transit) to Infomaniak's servers. The server then encrypts it with its own keys. At no point does your browser encrypt the file before upload. Password protection is only an access lock on the download link, not content encryption.

In comparison, a zero-knowledge service like PrivCloud encrypts the file in your browser with the Web Crypto API (AES-256-GCM) before any upload. The key is placed in the URL fragment (after #) which, by HTTP design, is never sent to the server. Even in case of a complete server breach, files remain unreadable.
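
The browser-side model described above, as an added example that is not PrivCloud's code or part of the original article: AES-256-GCM through the Web Crypto API, with the key carried only in the URL fragment. The function names, the hex key encoding and the share.example host are assumptions made for illustration.

```javascript
// Added example; encryptForShare, decryptFromShare, serverView and
// share.example are hypothetical names, not PrivCloud's code.
const hex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const unhex = (s) => Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));

// Browsers and recent Node expose Web Crypto globally; older Node needs the import.
async function webCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Sender side: encrypt locally, return what is uploaded and the link to share.
async function encryptForShare(plaintext, fileId) {
  const wc = await webCrypto();
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per file
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
  const upload = new Uint8Array(iv.length + ct.length); // server stores iv || ciphertext || tag
  upload.set(iv, 0);
  upload.set(ct, iv.length);
  const rawKey = new Uint8Array(await wc.subtle.exportKey('raw', key));
  return { upload, link: `https://share.example/d/${fileId}#${hex(rawKey)}` };
}

// What the HTTP request for the link carries: the fragment is never part of it.
function serverView(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}

// Recipient side: take the key from location.hash (here: the link) and decrypt.
async function decryptFromShare(upload, link) {
  const wc = await webCrypto();
  const rawKey = unhex(new URL(link).hash.slice(1));
  const key = await wc.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  const iv = upload.slice(0, 12);
  // Throws if the stored blob was modified: GCM verifies the tag before returning data.
  return new Uint8Array(await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, upload.slice(12)));
}
```

The guarantee holds only while the page's own JavaScript is trustworthy, since script served by the provider can read `location.hash`.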

4. GDPR and Swiss hosting: the implications

Switzerland is not a member of the European Union. However, the European Commission has granted Switzerland an adequacy decision (Article 45 GDPR), meaning transfers of personal data to Switzerland are permitted without additional standard contractual clauses. This is a real advantage over the United States.

Nevertheless, for a French company subject to GDPR, using SwissTransfer still requires you to:

  • Document the transfer to Switzerland in your activity register.
  • Verify that Infomaniak's DPA covers Article 28 GDPR obligations.
  • Accept that Swiss intelligence law (LRens) allows Swiss authorities to access data stored by Infomaniak.
  • Understand that encryption at rest does not exempt you from breach notification (Article 33), since Infomaniak holds the keys.

For businesses that want to keep compliance as simple as possible, hosting directly in France eliminates these questions. With a French zero-knowledge E2E service, the encrypted stored data is no longer "readable personal data" under GDPR, which drastically reduces obligations in case of an incident.

5. When to use SwissTransfer and when to avoid it

SwissTransfer is an excellent service for certain uses. Here is a clear guide:

SwissTransfer is suitable for:

  • Non-confidential large files (marketing videos, public photos, public archives).
  • One-off transfers where content is not sensitive.
  • Situations where file size (up to 50 GB) is the main criterion.
  • Sending to recipients with no contractual confidentiality requirements.

SwissTransfer should be avoided for:

  • Sensitive personal data (healthcare, HR, legal, banking).
  • Documents subject to professional secrecy (lawyers, notaries, doctors).
  • Intellectual property files with strategic value.
  • Any transfer where you cannot accept the provider reading the content.
  • Situations where your security policy requires zero-knowledge.

6. FAQ

Does the SwissTransfer password really protect my files?

The SwissTransfer password protects access to the download link. It is a useful barrier: without the password, you cannot download the file. But the file itself is not encrypted with that password. Infomaniak can still access the content server-side. It is the difference between a padlock on the door and a safe.

Is SwissTransfer better than WeTransfer for security?

In terms of encryption, both services are equivalent: transit + at-rest encryption, no E2E, no zero-knowledge. SwissTransfer's advantage is jurisdiction (Switzerland vs Netherlands + AWS US), generous size (50 GB vs 2 GB), and free password protection. But in terms of mathematical file confidentiality, neither is zero-knowledge.

Can Infomaniak scan my files on SwissTransfer?

Technically yes, since Infomaniak holds the decryption keys for stored files. Their privacy policy states they do not proactively scan user content, but they are required to cooperate with Swiss authorities in case of legal compulsion (LRens). With a zero-knowledge service, this question does not arise: the provider cannot read the content, even if they wanted to.

Need a truly confidential transfer?

PrivCloud combines SwissTransfer's simplicity with real end-to-end encryption. Zero-knowledge, France hosting, open source, free up to 2 GB. Your files remain unreadable to everyone, including us.

Last updated: May 19, 2026. Analysis based on Infomaniak's public documentation and SwissTransfer's terms of use at that date.