Is email safe for sending tax documents?
Published 9 June 2026
Email is the default communication channel for most professional relationships — and tax advisors are no exception. Yet the same convenience that makes email so attractive also makes it one of the riskier ways to exchange sensitive financial documents. Whether you are sending a client's annual accounts, payroll records, or a tax return, you may be transmitting highly personal data across infrastructure that was never designed with confidentiality in mind. This article examines what the risks actually are, what they mean under data-protection law and professional-secrecy obligations, and what more secure alternatives look like in practice.
Why standard email is unencrypted
Most email travels in a way that is broadly analogous to sending a postcard: the content is readable at every relay point unless additional measures are in place. Standard SMTP — the protocol that moves messages between mail servers — does support opportunistic encryption in transit (TLS, negotiated via STARTTLS), but "opportunistic" means a hop silently falls back to plaintext when negotiation fails, and even a successful negotiation only protects the connection between two servers at a given moment. The message itself is stored unencrypted on the sending server, on intermediate relay servers, and on the recipient's mail server. Anyone with access to those systems — through a data breach, a misconfiguration, or lawful authority — can read the content.
End-to-end encryption (E2EE), such as S/MIME or OpenPGP, does protect message content all the way from sender to recipient. However, both sides must have the right software configured and the right certificates or keys exchanged in advance. In practice, most tax advisors and their clients do not have this set up. The result is that the overwhelming majority of professional email exchanges involving tax documents are, in effect, transmitted without meaningful protection of the message body.
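Because transport encryption is negotiated hop by hop, the only record of which legs of a message's journey were protected is the trail of Received: headers that each relay prepends. The following script is an added example, not part of the original article: it reads that trail from a constructed sample message and reports, per hop, whether the receiving server recorded a TLS-protected protocol (ESMTPS/ESMTPSA, per RFC 3848) or a plaintext one (ESMTP/SMTP). The host names and IP addresses in the sample are invented.

```python
"""Hop-by-hop transport check over the Received: trail of an email.

Every relay that handles a message prepends a Received: header. The "with"
clause records the protocol used for that hop (RFC 3848): ESMTPS / ESMTPSA
mean the hop ran under STARTTLS; plain ESMTP / SMTP mean it did not. Reading
the trail back shows which legs of the journey were protected in transit.
It says nothing about how the message is stored on any of those servers.
"""
import re
from email import message_from_string

# Protocol keywords that imply the hop was protected by TLS (RFC 3848 and the
# UTF8SMTP variants from RFC 6531). Anything else is treated as plaintext.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample message (invented hosts and addresses): three hops, the
# middle one between two internal relays without TLS.
SAMPLE_MESSAGE = """\
Received: from mx2.example-accountants.test (mx2.example-accountants.test [192.0.2.20])
        by mail.client-example.test with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 8 Jun 2026 09:15:02 +0000
Received: from relay.example-accountants.test (relay.example-accountants.test [192.0.2.10])
        by mx2.example-accountants.test with ESMTP id def456;
        Mon, 8 Jun 2026 09:15:01 +0000
Received: from laptop.example-accountants.test ([198.51.100.7])
        by relay.example-accountants.test with ESMTPSA id ghi789;
        Mon, 8 Jun 2026 09:15:00 +0000
From: advisor@example-accountants.test
To: client@client-example.test
Subject: Draft return 2025

Please find the draft attached.
"""


def parse_received(header_value: str) -> dict:
    """Extract the from/by hosts, protocol and TLS version from one Received: header."""
    # Folded header lines contain newlines and indentation; flatten them first.
    text = re.sub(r"\s+", " ", header_value).strip()

    def grab(pattern: str):
        match = re.search(pattern, text)
        return match.group(1) if match else None

    protocol = grab(r"\bwith\s+([A-Za-z0-9]+)")
    return {
        "from": grab(r"\bfrom\s+(\S+)"),
        "by": grab(r"\bby\s+(\S+)"),
        "protocol": protocol,
        # Some servers (e.g. the final hop above) record the negotiated version.
        "tls_version": grab(r"version=([^\s;)]+)"),
        "encrypted": protocol is not None and protocol.upper() in TLS_PROTOCOLS,
    }


def hops(raw_message: str) -> list:
    """Return the hops in sender-to-recipient order."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    # Relays prepend their header, so the topmost is the most recent hop.
    return [parse_received(h) for h in reversed(received)]


def unprotected_hops(raw_message: str) -> list:
    """Hops whose receiving server did not record a TLS-protected protocol."""
    return [h for h in hops(raw_message) if not h["encrypted"]]


if __name__ == "__main__":
    for i, hop in enumerate(hops(SAMPLE_MESSAGE), start=1):
        state = "TLS" if hop["encrypted"] else "PLAINTEXT"
        version = f" ({hop['tls_version']})" if hop["tls_version"] else ""
        print(f"hop {i}: {hop['from']} -> {hop['by']} via {hop['protocol']}: {state}{version}")
    # Sample output: hop 2 (relay -> mx2) is reported as PLAINTEXT.
```

Two caveats apply. Each Received: header is written by the server that accepted the message, so a relay that does not record the TLS parameters (or that is itself compromised) can leave the trail incomplete or misleading; the check is a useful audit of your own mail path, not a tamper-proof proof of confidentiality. And a fully green trail still only covers transit: every server on the path holds an unencrypted copy of the body, which is the gap that end-to-end encryption addresses.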
What that means for confidentiality and the GDPR
Tax advisors handle some of the most sensitive personal and financial data that exists: income figures, asset details, business performance, and — in the case of individuals — information that may reveal health status, family circumstances, or life events. This data falls squarely within the scope of the General Data Protection Regulation (GDPR) where clients are based in the EU or EEA. Under Article 5(1)(f), personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised access. Article 32 requires controllers and processors to implement technical and organisational measures appropriate to the risk — including, where appropriate, encryption.
Beyond data-protection law, tax advisors in most jurisdictions are subject to professional-secrecy or client-confidentiality obligations that predate the GDPR. These duties typically require advisors to take affirmative steps to keep client information confidential — not merely to avoid deliberate disclosure. Regulators and professional bodies in various countries have issued guidance indicating that transmitting sensitive documents over unprotected channels may breach these obligations. The specific rules vary by jurisdiction, so advisors should check the guidance of their relevant professional body and local supervisory authority.
Concrete risks: interception, misdirection, and metadata
Three categories of risk deserve particular attention when tax advisors use standard email for document exchange:
- Interception in transit. Even when TLS is used between servers, a misconfigured server, a downgrade attack, or a compromised relay can expose message content. Targeted attacks against professional services firms — which hold valuable financial data — are well documented.
- Wrong recipient. Autocomplete errors are a leading cause of data breaches in professional services. A tax return sent to the wrong address is a personal data breach that must be assessed under GDPR Article 33 and may require notification to the supervisory authority within 72 hours of the advisor becoming aware of it.
- Metadata and server copies. Even when the body of a message is not intercepted, metadata — sender, recipient, subject line, timestamp — is logged at multiple points. Server-side copies persist long after both parties believe the conversation is over, creating a durable record that may be subject to access requests, litigation holds, or breaches affecting the mail provider.
Password-protecting a PDF attachment is sometimes suggested as a mitigation. It adds a layer, but the password is typically sent in a separate email over the same unprotected channel, and the approach does nothing to address misdirection or metadata. It is not a substitute for a properly encrypted communication channel.
Safer alternatives for sharing tax documents
Several approaches offer meaningfully stronger protection than standard email for the exchange of sensitive client documents.
Encrypted email (S/MIME or PGP)
Proper end-to-end encryption of email is technically sound when implemented correctly, but requires both the advisor and the client to have compatible software and to have exchanged keys or certificates in advance. For most clients — particularly individuals rather than large businesses — this is an impractical ask. The setup overhead, the risk of key mismanagement, and the absence of client-side tooling mean that true encrypted email remains the exception rather than the rule in practice.
Secure client portals
Practice-management platforms and dedicated document portals encrypt data at rest and in transit, and provide audit trails, access controls, and structured workflows. They are a well-established choice for larger practices. The trade-off is that documents are stored on the provider's servers, which means the provider has access to the data (subject to contractual and technical protections), and the client must register and maintain an account. This is a manageable requirement for ongoing client relationships but adds friction for ad-hoc or occasional exchanges.
Peer-to-peer encrypted channels
A different architectural approach avoids centralised storage altogether. With a peer-to-peer, end-to-end encrypted tool, files and messages travel directly between the two devices involved. The encryption key never leaves the devices; no copy of the document is held on a server. Because there is no central repository, there is nothing to breach at the provider level, and no metadata trail of who exchanged what with whom is created on a third-party system.
This approach suits scenarios where the advisor and client connect in real time — for example, sharing a draft return during a video call, or sending supporting documents immediately after a meeting. It requires no app installation and no client account: the client receives a link, opens it in a browser, and the connection is established. For practices that want to minimise the data footprint of their client communications, and for situations where creating a permanent portal account is disproportionate, a peer-to-peer channel can be a proportionate and practical complement to other tools.
COVANAN is one example of this type of tool: browser-based, peer-to-peer via WebRTC, with end-to-end encryption and no server-side storage of chat history, files, or attendee records. Signaling infrastructure is hosted in Germany. File transfer supports files up to 500 MB on the Spark Pro plan. An optional TURN relay is available for situations where a direct connection cannot be established, and can be configured to hide both parties' IP addresses.
Which approach is right for your practice?
The right answer depends on the nature and frequency of your client interactions, the technical capabilities of your clients, and your own practice workflows. Many advisors will find that a combination works best: a secure portal for ongoing document management with regular clients, and a peer-to-peer channel for real-time exchanges, one-off situations, or clients for whom portal registration is a barrier. What is generally no longer a defensible default, from either a data-protection or a professional-secrecy perspective, is unencrypted standard email for documents containing personal financial data.
Conclusion
Standard email was designed for convenience, not confidentiality — and the gap between the two becomes significant when the content is a client tax return or set of financial accounts. Both GDPR obligations and professional-secrecy duties point in the same direction: advisors should use channels that protect content end-to-end and minimise the data footprint of each exchange. For practices looking to reduce reliance on central servers and eliminate stored copies of sensitive communications, a peer-to-peer encrypted channel — one where nothing is held server-side and the client needs only a browser — offers a practical, proportionate way to raise the standard of care for every client conversation.