If your firm is over fifty users and you have ever forwarded a redlined contract to opposing counsel, you have already used file-sharing for privileged material. The question is not whether you share files — it is whether the platform you chose actually carries the controls a regulator, a partner, or your malpractice insurer expects when they look.
We have walked through tool selection with twenty-plus legal clients over the last three years — boutique litigation shops, mid-market IP firms, and a few AmLaw 200 satellite offices — and the trade-offs keep landing in roughly the same five places.
What "secure" actually means for legal
For a marketing team, "secure file sharing" usually means SSO and a half-thought-out expiration link. For a law firm, the bar is higher in four specific ways:
- Matter-level access control. Permissions need to attach to a matter, not a folder. When the case closes, access closes — automatically, with an audit trail.
- Conflict-aware sharing. The system has to know that User A on Matter X cannot see Matter Y, even if both are in the same client's tenant.
- Encryption you actually hold the keys to. Bring-your-own-key (or hold-your-own-key) is no longer a luxury — it is what your clients increasingly require in their outside-counsel guidelines.
- Defensible retention. When a litigation hold drops, the platform needs to enforce it without an admin remembering to.
The five tools compared
1. iManage Share / Cloud
The default for firms already on iManage Work. Tight integration with the document management system means matter context flows through automatically — which is the single biggest operational win on this list. Encryption is strong, audit logs are deep, and ethical wall enforcement is native. The downside is cost, and the fact that external recipients without iManage credentials get a slightly clunkier experience than competitors offer.
2. NetDocuments NetShare
Comparable to iManage for firms standardised on NetDocs. NetShare's permission model is matter-aware, and it ships with retention policies aligned to common legal records-management schedules. Its external-share UX is genuinely better than iManage's. The catch: it really only sings if NetDocs is your underlying DMS — bolting it on otherwise is a half-measure.
3. Microsoft 365 (SharePoint + Purview)
The pragmatic choice for firms already deep in the Microsoft estate. With Purview Information Protection, Conditional Access, and sensitivity labels properly configured, you get genuinely strong controls — and your users do not have to switch apps. The honest catch is the words "properly configured." We have walked into firms believing they had matter-level control through SharePoint and finding open-by-default permissions on every site. The platform is capable; the deployment effort is real.
4. Box (with Legal Hold add-on)
Box was built around the share-link primitive and remains the easiest external-collaboration experience on this list. The Legal Hold add-on adds defensible retention and immutable preservation. Where Box falls short for legal is the same place SharePoint does — matter-aware permissioning is something you have to architect, not something that ships configured.
5. Citrix ShareFile (now Progress)
Still common at smaller firms because of its simplicity and its long-standing positioning as a "compliance-friendly" share platform. It checks the basic boxes — encryption at rest, audit logs, expiration — but it lacks the deeper matter-context and ethical-wall capabilities that make iManage and NetDocs feel native to legal. Acceptable for firms under fifty users with low matter complexity; under-powered above that.
How we'd actually choose
If we are walking into a new legal engagement at VSERV, the choice tree is shorter than it sounds. If the firm already runs iManage Work or NetDocuments, the integrated share product wins because matter context is free. If the firm runs everything in Microsoft 365 and has the bandwidth to do Purview right, that's the most cost-effective long-term answer. Box is the right pick for firms whose work is heavily collaborative with external counsel and whose matter model is simpler. ShareFile only survives the conversation at the very low end.
None of these are wrong — they fail in different ways, and the right one is the one whose failure modes match your operating model.
What to take to your next meeting
If you are about to renew or rip-and-replace a file-sharing platform, take three questions into the room before you take a demo: (1) Does this tool understand a matter as a permissioning unit, or just a folder? (2) Where do the encryption keys actually live, and can our clients audit that? (3) When a litigation hold drops, what does the admin need to remember to do — and what happens if they forget?
If you would like a walk-through of how VSERV scoped this exact decision at a 180-attorney firm last quarter, the case study is one email away.