File Sharing for Accounting Offices — Privacy and No-Cloud Options
Accounting and finance offices handle client data that is subject to strict confidentiality obligations. Here is how to share files internally without exposing client records to third-party cloud services.
Why Cloud Storage Deserves Extra Scrutiny in Accounting Practices
Client financial data is not like a marketing presentation or a project proposal. It is subject to specific confidentiality obligations that vary by jurisdiction, the type of accounting practice, and the nature of the client relationship.
Tax records, payroll data, audit workpapers, management accounts, bank statements, and personal financial information are explicitly covered by professional confidentiality duties in most regulatory frameworks. Before storing these on any third-party platform, practitioners should confirm whether their professional standards body, their jurisdiction's data protection regulations, and any relevant client agreements permit that storage arrangement.
This article does not constitute legal or compliance advice. For specific obligations, consult your professional association and a qualified privacy or data protection adviser. What this article does address is the practical options for keeping file sharing internal when cloud storage is not appropriate.
The Case for On-Premises File Sharing
For many small accounting and bookkeeping practices, the answer to "where should client files live?" is: on hardware within the practice, accessible only to authorised staff, with no path through third-party infrastructure.
This approach:
- Keeps the data's physical location entirely within the practice
- Eliminates exposure to third-party cloud providers' terms of service, security incidents, or jurisdictional data requests
- Simplifies answering client questions about where their data is held
- Can satisfy data residency requirements that may apply depending on jurisdiction
Option 1 — Internal Shared Network Folder
A shared folder on a practice Windows machine — or a NAS device — provides file access to all permitted staff without any internet involvement.
Setting up on Windows:
- Designate one machine (or NAS) as the file host
- Create a structured folder hierarchy: Clients\[ClientName]\[Year]\
- Share the root Clients folder with appropriate Windows permissions — individual staff accounts can be granted access to specific subfolders
- Map as a network drive on staff machines for consistent access
Security considerations for this setup:
- Enable Windows password-protected sharing; do not use anonymous access
- Create a Windows local account for each staff member with only the access they need
- The host machine should have its own user account, and its firewall should be configured to allow only LAN connections
- Encrypt the host machine's drive with BitLocker (available on Windows 10/11 Pro) — this protects data if the physical machine is ever stolen
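The setup steps and security considerations above, combined into one script for the file host. This is an added example, not part of the original article or any vendor's tooling. The path D:\Clients, the share name Clients, the group PracticeStaff, the account jsmith, the folder ExampleClient and the host name FILEHOST are assumptions to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example. Every name below is an assumption, not a value from the article.
$root   = 'D:\Clients'
$share  = 'Clients'
$group  = 'PracticeStaff'
$staff  = 'jsmith'                                  # hypothetical staff account
$client = Join-Path $root 'ExampleClient'

# 1. One local account per staff member, collected in a single group.
if (-not (Get-LocalUser -Name $staff -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $staff -Password (Read-Host "Password for $staff" -AsSecureString) | Out-Null
}
if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $group | Out-Null
}
Add-LocalGroupMember -Group $group -Member $staff -ErrorAction SilentlyContinue

# 2. Folder hierarchy: Clients\[ClientName]\[Year]\
New-Item -ItemType Directory -Path (Join-Path $client '2024') -Force | Out-Null

# 3. NTFS permissions. Drop inherited entries on the root, keep Administrators
#    (S-1-5-32-544) and SYSTEM (S-1-5-18), let staff list the root folder only,
#    then grant Modify on the one client folder this person works on.
icacls $root /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' "${group}:RX" | Out-Null
icacls $client /grant:r "${staff}:(OI)(CI)M" | Out-Null

# 4. Share the root to the staff group only; hide folders a user cannot open.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $root -ChangeAccess $group -FolderEnumerationMode AccessBased | Out-Null
}

# 5. Check for anonymous-style access on the share and an enabled Guest account.
$open = Get-SmbShareAccess -Name $share | Where-Object AccountName -match 'Everyone|Guest|ANONYMOUS'
if ($open) { Write-Warning "Share '$share' grants access to: $($open.AccountName -join ', ')" }
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { Write-Warning 'The Guest account is enabled.' }

# 6. Limit inbound file-sharing firewall rules to the local subnet.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -RemoteAddress LocalSubnet

# 7. Confirm BitLocker protection on the data volume.
$vol = Get-BitLockerVolume -MountPoint 'D:'
if ($vol.ProtectionStatus -ne 'On') { Write-Warning 'BitLocker protection is not on for D:' }

# On each staff machine (not on the host), map the share as a drive:
#   New-SmbMapping -LocalPath 'Z:' -RemotePath '\\FILEHOST\Clients' -Persistent $true
```

The firewall group name 'File and Printer Sharing' is the English display name; on a localised Windows install, look up the equivalent group with Get-NetFirewallRule first.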
Option 2 — NAS with ACL-Based Access Control
A business-grade NAS device (Synology, QNAP) provides access control lists (ACLs) that are considerably more flexible than Windows local account permissions. You can define who can read a folder, who can write, and who has no access at all — per folder, per user.
For a practice of 5–20 staff, a NAS with proper ACL configuration typically offers better security posture than a shared Windows folder:
- Centralised user management through the NAS admin panel
- Automatic access logging (who accessed which file and when)
- Optional two-factor authentication for NAS admin access
- Drive-level encryption available on most current NAS models
Option 3 — LAN Transfer Tool for In-Office File Movement
For day-to-day file handoffs between staff — sending a completed client tax return to a supervisor, transferring a batch of client bank statements from a partner's machine for processing — direct LAN transfer tools provide a fast, cloud-free path.
Oxolan operates entirely within your local network. No files leave the office network as part of the transfer. The sender selects a colleague from the application sidebar, drops in the file or folder, and the transfer completes directly over LAN.
Client File Delivery: A Separate Consideration
This article covers internal file sharing between staff. Delivering files to clients — sending completed tax returns, management accounts, or reports — is a separate workflow with its own considerations.
For client delivery, common approaches include:
- Encrypted email attachments (PDF with password, client receives password separately)
- A dedicated secure file-sharing portal (many practice management systems include one)
- Document signing platforms for agreements and authorisations
Unencrypted email attachments for sensitive client documents are a risk worth avoiding regardless of cloud vs local decisions.
Frequently Asked Questions
Does local file sharing mean our data is more secure than cloud?
Not automatically. Local storage is only more secure if physical access controls (locked office, locked server cabinet), logical access controls (password-protected shares, appropriate user permissions), and backup discipline (regular offsite or encrypted cloud backup of the local data) are all in place. A shared folder with no password on an unlocked machine is less secure than many cloud services.
What about backup? If everything is on a local machine, what happens if it fails?
Local storage must be backed up. A common approach: the NAS or host machine replicates data to an encrypted cloud backup service (Backblaze B2, Wasabi, or similar) nightly, or to a local external drive that is rotated offsite. The backup destination can be cloud storage even when the primary working copy is local.
How do we share files with clients or external accountants?
For external parties who need access to specific documents, a secure portal is the cleanest solution. Many accounting-specific practice management platforms (Karbon, Firm24, Canopy) include client portals with appropriate audit trails. For ad-hoc needs, encrypted email or a one-time secure share link is appropriate.
Is a NAS sufficient for a practice of 10 staff, or do we need a server?
A business-grade NAS handles file serving, access control, and backup for a 10-person practice without issue. A full Windows Server environment becomes relevant when the practice needs Active Directory, Exchange, or specific compliance-driven server applications.