2025 in review: regulated file transfer turned a corner

We ended 2025 with 2.4 billion file transfers processed, up 71% from the 1.4 billion we reported a year ago. That number still surprises us when we say it out loud. The growth isn’t an abstraction — it’s 1.4 billion more regulated files moving through a system we’re responsible for securing, auditing, and delivering reliably than existed in the same period last year.

This is our 2025 retrospective. We’ll cover the numbers, three customer-side shifts we didn’t predict at the start of the year, the US regulatory cadence that drove a significant share of the compliance conversations, and what we’re focused on in 2026.

The numbers

2.4 billion transfers. Healthcare and financial services together represent 61% of transfer volume, up from 58% last year, which suggests those sectors are growing their adoption of purpose-built tooling faster than other verticals. The other notable growth sector was federal contracting and defense — CMMC 2.0 implementation drove a significant number of new customers who needed to demonstrate CUI handling controls.

Average file size: 61 MB. Up from 47 MB in 2024. The continued growth is driven by the same dynamics — larger imaging datasets in healthcare, bigger transaction file batches in financial services — plus the emergence of AI-generated content as a meaningful transfer category. AI-assisted document packages (regulatory submissions, audit packages, contract drafts) are larger than the manually-created equivalents.

97.1% of transfers encrypted end-to-end. We set a target at the start of the year to get this above 95% and we exceeded it. The remaining 2.9% are legacy protocol fallbacks — old SFTP configurations from partners who haven’t completed migrations — and we’re actively working down the list.

18,400 customers at year end. We added approximately 7,200 net new customers, continuing the mid-market growth trend we identified last year. The compliance-driven purchase is now clearly the dominant buying motion: more than 70% of new customers cite an active compliance program or audit finding as the direct driver of evaluation.

US-West region live. We launched our second US data residency region in May (covered in detail in our May engineering post). By year end, 23% of new workspaces chose US-West as their primary region. Customer-driven data residency requirements — state-level geographic constraints, FedRAMP-related data handling specifications — were the most common stated reason.

Boundary verification deployed. We shipped recipient verification at the boundary in Q3 and by Q4 had 68% of active workspaces with boundary verification enabled at IAL1 or above. The 80% accidental-disclosure reduction we documented in our October product post has held in the broader population.

CoSAI training-data reference architecture. We published the first version of our training-data transfer reference architecture through CoSAI in Q3, as we committed to in April. The working group commentary is being incorporated into the v2 draft for early 2026.

Three customer-side shifts we didn’t expect

1. The compliance program purchase decoupled from the security program purchase. In 2024, when a customer came to us because of a compliance requirement, the evaluation was usually led jointly by the compliance or legal team and the security team. In 2025, we saw a significant number of evaluations where the compliance team was the primary driver and the security team was a secondary stakeholder. This isn’t a criticism of either function — it’s a structural observation. Compliance teams are increasingly sophisticated buyers of technical tools and are evaluating security vendors directly against compliance requirements, not waiting for security to translate.

The consequence for us is that we now see RFPs with highly specific compliance-framework questions as the primary evaluation criteria, and our compliance documentation has become a first-pass filter before security questionnaires are even issued. The trust portal buildout we invested in last year is paying off in ways we didn’t anticipate.

2. Audit-as-a-service demand from mid-market. We expected audit-related transfers to continue growing as a use case. We didn’t expect customers to start asking us to help them operationalize the audit process itself. The pattern we’re seeing: a mid-market healthcare organization or financial services firm receives an OCR inquiry or FINRA examination request. They need to package a responsive evidence bundle — specific files, access logs, transmission records — and deliver it to a regulator or auditor with a verifiable chain of custody. They’re asking us to make that packaging and delivery workflow easy.

We weren’t fully built for this at the start of the year. By Q4 we had shipped sealed evidence bundles (immutable packaging with integrity attestation) and auditor-specific access channels (time-limited, scoped delivery credentials for auditors). Demand was higher than we projected. We’re investing more in this capability in 2026.

3. The post-quantum conversation arrived earlier than we expected. We wrote in our 2024 year-in-review that post-quantum migration was a 2025 priority. We were right that we needed to prioritize it; we were wrong about the pace of customer awareness. By Q2 2025 we were getting explicit post-quantum questions in procurement questionnaires from defense contractors and federal-adjacent customers. The NIST PQC standards publication and CISA guidance had driven awareness faster than we anticipated.

We shipped ML-KEM support in hybrid TLS 1.3 mode in May, meeting our H1 commitment. By year end, 31% of our enterprise workspace connections were using the hybrid mode when supported by both ends. The stored-data re-encryption path is in the final engineering stages and targeted for Q1 2026.

The US regulatory cadence

2025 was an unusually active year for US compliance framework updates, and those updates drove a significant share of our compliance conversations.

HIPAA NPRM moving toward final rule. The HIPAA Security Rule NPRM published in late 2023 continued to progress in 2025 without reaching final form. The directional clarity it provided was enough to drive action: covered entities and business associates who read our August 2024 analysis started moving on the addressable-to-required conversions and the BA oversight tightening without waiting for the final rule. The conversations we’re having are no longer about whether to act — they’re about how to document the actions taken.

FedRAMP changes. The FedRAMP authorization process saw significant changes in 2025, including updates to the Rev. 5 baselines and streamlined pathways for SaaS products. For customers pursuing FedRAMP-related authorization for their use of our platform, the updated documentation requirements and the clarity on cloud service provider responsibilities drove a round of documentation updates on our side. Our FedRAMP-ready package was updated in Q2 to align with Rev. 5 baseline structure.

NIST 800-171 Rev. 3. As we covered in our August compliance post, Rev. 3 is final and the CMMC 2.0 Level 2 assessment pipeline is using it. The organization-defined parameters, the supply chain risk management additions, and the tighter audit requirements generated significant customer inquiry. We see NIST 800-171 Rev. 3 mapping requests as one of our most common compliance documentation requests in H2 2025.

CMMC 2.0 Level 2 rollout. CMMC 2.0 implementation continued its gradual rollout through the defense industrial base in 2025. More defense contractors entered the C3PAO assessment pipeline; DIBCAC audit findings continued to propagate through the contractor community and inform what evidence packages need to contain. For SEND-SECURELY.COM, this translated to a sustained stream of CMMC-specific documentation requests and evidence package consultations. We’ve now supported well over 200 customers through CMMC assessment preparation.

NYDFS Part 500 amendments. The multi-factor authentication and encryption requirements from the NYDFS Part 500 amendments continued to generate inquiry from mid-size financial services firms that had not yet fully complied. By mid-2025 most of the compliance conversations on this topic were about documentation and evidence rather than implementing the controls themselves — the controls were largely in place, but organizations were working on producing the evidence that would satisfy an examiner.

The through-line across all of these: US compliance frameworks in the regulated sectors SEND-SECURELY.COM serves are in a period of active maturation. Frameworks that were treated as stable baselines are moving. Organizations that have been relying on annual compliance snapshots are discovering that the target moved while they weren’t looking. That’s an uncomfortable truth for compliance teams but a clear signal that purpose-built tooling that keeps current with framework changes — and helps customers understand what those changes mean — is increasingly essential rather than optional.

What we’re focused on in 2026

Three themes will drive the majority of our investment next year.

Completing the post-quantum migration. The stored-data re-encryption path is in final stages and ships Q1 2026. After that, we turn to the evidence problem: how do we give customers auditable proof that their stored data has been re-encrypted with PQC-safe algorithms? The regulated industries we serve need documentation of the migration, not just the migration itself. We’re building the audit trail alongside the cryptographic work.

Audit-workflow tooling, continued. The mid-market demand for audit packaging and evidence delivery tooling is significant and underserved. Our Q4 2025 shipments were a start; the 2026 plan is a purpose-built audit-workflow product track with framework-aware evidence tagging, regulated submission delivery with receipt attestation, and integration with the documentation structures that HIPAA, CMMC 2.0, and FINRA examiners actually use.

Internal transfer governance. The governance gap we identified two years ago — that organizations apply rigorous controls to external file transfers and much weaker controls to internal ones — is getting harder to ignore. The NYDFS Part 500 insider-threat provisions, the CMMC access control requirements, and the operational reality of hybrid work have elevated internal transfer governance on our customers’ agendas. We’re extending the same encryption, audit, and access-control posture to internal team transfers in 2026, building on the work we’ve done on identity and access control at the external boundary.

We’re grateful for the 18,400 organizations that trusted us with 2.4 billion transfers in 2025. The regulated file-transfer market turned a corner this year — from “nice to have” to “essential infrastructure” — and we feel the weight of that responsibility in everything we ship.