A problem almost nobody sees
A lawyer receives a sensitive document from their client. A doctor discusses a diagnosis with a colleague. A psychologist coordinates treatment with a psychiatrist. A tax advisor sends tax return data. They all do it via messaging. And almost none of them have stopped to think about where those messages end up.
The answer, in most cases, is: on a server they don't control, in a country whose legislation they don't know, managed by a company whose business model is precisely to accumulate data. The message may be encrypted in transit, but once it reaches the server, it's a copy stored on someone else's infrastructure.
What the law says
The European GDPR is clear: whoever handles personal data of third parties is responsible for protecting it with adequate technical measures. Good intentions are not enough. It's not enough for the app to say it encrypts. If your client's data is on a server that doesn't comply with European regulations, you are responsible.
And it's not just the GDPR. Professional secrecy — regulated for lawyers, doctors, psychologists, auditors and many others — requires that communication with the client be confidential. Not confidential "as far as possible". Truly confidential. If the channel you use cannot guarantee it technically, you are assuming a risk you shouldn't be assuming.
What does a professional need?
What a professional handling sensitive information needs is surprisingly simple. A channel where messages go directly from their device to the recipient's, without passing through any intermediate server. Where no copy remains in any cloud. Where you don't need to give a personal phone number. And where the infrastructure fully complies with European regulations.
They don't need a complex app. They don't need training. They don't need to change how they work. They need exactly what they already use — instant messaging — but with the technical guarantee that information doesn't leave the devices of the two people in the conversation.
The difference between encrypting and not storing
Encrypting a message and storing it on a server is like putting a document in a safe and leaving it at a stranger's house. The safe is good, yes. But the document is still in someone else's house. And that someone can receive a court order, can suffer a cyberattack, or can simply change their terms of service.
The alternative is that the document never leaves your office. That it goes directly from your desk to your client's desk, without passing through any intermediary. That's what direct device-to-device communication does: it eliminates the intermediary. Not because the intermediary is bad. Because the intermediary is unnecessary. And the unnecessary, in security, is always a risk.
A matter of responsibility
In the end, the question every professional should ask is: if a conversation with my client leaks tomorrow, can I prove I used a technically secure channel? Can I prove the data never left our devices? Can I prove I didn't rely on the goodwill of a company on another continent?
The tool you choose to communicate with your clients says a lot about how you value their trust. And there are tools designed exactly for that: so that trust doesn't depend on promises, but on architecture.