2024 in review: what 1.4 billion file transfers taught us about regulated data

We processed 1.4 billion file transfers in 2024. That number is bigger than we expected when we started the year, and it comes with a lot of data — about transfer patterns, threat signals, compliance conversations, and the gap between what organizations think their file-transfer security posture is and what it actually is.

This is our annual retrospective. We try to make it worth reading: specific observations, honest assessments of where we got things wrong, and our thinking about what matters in 2025.

The numbers

1.4 billion transfers. Up 67% from 2023. The growth isn’t uniformly distributed — healthcare and financial services together account for 58% of transfer volume, which reflects the regulatory density in those sectors driving adoption of purpose-built tooling.

Average file size: 47 MB. This is up from 31 MB in 2023, driven primarily by imaging data in healthcare (DICOM files, radiology workups) and transaction datasets in financial services. Large file transfer at regulated-data sizes is a meaningfully different engineering problem than messaging-scale file sharing.

94.3% of transfers encrypted end-to-end. The remaining 5.7% are transfers where a recipient’s receiving system doesn’t support our preferred protocol and falls back to a lower-security mode — we flag these and are working on eliminating the fallback paths. In 2023 this number was 89.1%.

11,200 customers at year end. We added roughly 4,300 net new customers, with the majority of growth in mid-market — organizations with 100 to 2,000 employees. This cohort has the compliance obligations of enterprise organizations but historically hasn’t had access to enterprise-grade tooling.

3.2 million download links expired before first access. That’s not a waste — it’s the system working. Expired links are transfers where the recipient either didn’t need the file, the need was fulfilled another way, or the link was sent in error and never clicked. Expiry is a security feature, and 3.2 million unexpired-but-never-needed links not sitting in email threads indefinitely is a good outcome.

Three patterns we didn’t expect

1. Compliance audit requests are becoming a primary transfer use case. We expected most transfer volume to be operational — teams sending files to partners, clients, vendors. What surprised us is that a substantial and fast-growing fraction of transfers in 2024 were audit-related: organizations packaging evidence responses for SOC 2 auditors, OCR investigations, FINRA examination requests, and legal discovery.

The audit-transfer use case has specific requirements that generic file sharing doesn’t meet: the evidence package needs to be immutable, the transmission needs to be logged with identity, and the audit trail for the transmission itself becomes part of the evidence record. Several customers came to us specifically because they’d had an auditor reject a transfer because it arrived as an email attachment rather than a verifiable, timestamped, authenticated delivery.

2. Insider-threat scenarios are reshaping access control requirements. In 2023, most of our access-control conversations with enterprise customers were about external threats: preventing unauthorized external access, protecting against credential stuffing, limiting link-sharing. In 2024, a larger share of the access control conversations were about internal threat scenarios.

The driver appears to be the workforce disruption of the past two years — layoffs, rapid hiring, remote work normalization — which has elevated insider-threat awareness in security teams. We saw a significant increase in requests for features that limit what a departing employee can do with access they legitimately held: retroactive link revocation on termination, session-token invalidation tied to HR system events, and download rate limiting that would flag anomalous bulk-download behavior.

We shipped several of these capabilities in 2024. The pattern points to a broader shift in how regulated organizations think about the insider-threat surface in file-transfer workflows.

3. The “we have S3” objection largely disappeared. For the first two years of operating at any scale, we frequently encountered organizations that treated object storage — typically S3 or Azure Blob — as a substitute for secure file transfer. The friction of setting up an S3 bucket and generating a pre-signed URL is low; the technical teams at these organizations had DIY’d their transfer workflow.

In 2024, that objection came up rarely. The shift seems to be driven by compliance and audit conversations: when an auditor asks about access controls on file transfers and the answer is “we use pre-signed S3 URLs with a 24-hour expiry,” the follow-up questions are hard. Who authenticated the recipient? Where’s the delivery receipt? Can you prove the file reached the intended party and not an account-compromised intermediary? DIY object storage answers none of those questions well.

The US compliance landscape is shifting under everyone’s feet

This was the year several compliance frameworks that organizations had treated as stable became active renegotiation projects.

The HIPAA Security Rule NPRM, which we covered in depth on this blog in August, is the clearest example. After more than two decades without significant revision, HHS is proposing changes that convert addressable safeguards to required, add specificity to encryption expectations, and tighten BA oversight requirements. Organizations that had “we’re HIPAA compliant” locked in as a static state are discovering it’s a moving target.

CMMC 2.0 implementation continued to advance, with more defense contractors entering the certification pipeline and the DIBCAC audit process generating detailed findings that propagated through the contractor community. The NIST 800-171 rev 3 publication added new requirements — specifically around supply-chain risk management — that rippled into the file-transfer context: how does a defense contractor demonstrate that their external file transfers to subcontractors and partners meet the CMMC Level 2 requirements?

NYDFS Part 500 amendments, which took effect in stages through 2023 and 2024, brought multi-factor authentication and encryption requirements to covered financial institutions at a level of specificity that made previously informal practices untenable. We saw a meaningful spike in NYDFS-driven inquiries from mid-size financial services firms in Q1 and Q2.

The through-line across all of these is that compliance is no longer a documentation exercise — auditors and regulators are asking for evidence of actual technical controls, not assertions. That shift benefits purpose-built tooling and makes DIY workflows more expensive to defend.

What we’re focused on in 2025

We’ll do a separate post on the 2025 roadmap, but three themes will drive most of what we ship.

Post-quantum migration. As we mentioned in our RSA field notes, the NIST PQC standards are finalized and compliance timelines are taking shape. We’re targeting ML-KEM support in hybrid TLS 1.3 mode in H1 2025 and completing the stored-data re-encryption path before year end. For regulated industries with long data retention requirements, the harvest-now-decrypt-later risk is real, and we’re treating the migration as urgent.

Audit-workflow tooling. Given the growth of audit-related transfers as a use case, we’re building purpose-specific tools for evidence packaging: sealed bundles with integrity attestation, auditor-specific access channels with time-limited credentials, and framework-aware evidence tagging. The goal is to make the product as useful for compliance professionals as it is for operational file transfer.

Internal transfer governance. The conversation at RSA 2024 and the feedback from our CISO-track customers this year made clear that the governance gap isn’t only at the external boundary. We’re extending the same audit, encryption, and access-control posture to internal team transfers in 2025.

We’re grateful for the 11,200 organizations that trusted us with 1.4 billion transfers this year. The patterns in that data continue to shape everything we build.