Document storage is one of those decisions a firm typically makes once, badly, in the first year of trading, and then lives with for a decade. The wrong choice creates real costs: failed AML supervision visits, GDPR exposure, time spent hunting for the right version of an engagement letter, and a "shadow IT" problem where partners stash sensitive client files on personal OneDrive accounts. This is a comparison of the three options most UK firms genuinely shortlist.
What document storage has to do in a regulated firm
The job is bigger than "synced folders". A firm-grade document store needs: granular access control by client, matter and team member; an immutable audit trail of who opened what and when; retention policy enforcement (typically six years for accounting records, longer for some matters); GDPR-compliant data residency, ideally within the UK or EU; secure external sharing without forcing the recipient to create an account; encryption at rest and in transit; and a sane way to plug into the firm's practice tool and email client. Some of these are baseline. Some genuinely differentiate the products.
Dropbox Business and Dropbox for Teams
Dropbox's strength is sheer usability - partners and clients understand it without training. Dropbox Business offers an admin console, audit logs, remote wipe and team folders. Data residency in the EU is available on appropriate tiers. The weakness for accounting firms is that Dropbox's permissions model, while improved, is still folder-centric rather than matter-centric, and the line between "personal Dropbox" and "work Dropbox" on a partner's laptop has historically caused leakage. External sharing via link is easy, which is exactly the problem when the link gets forwarded.
SharePoint and OneDrive for Business
SharePoint is the default if the firm is already on Microsoft 365. The strengths are deep: granular permissions down to individual files, sensitivity labels, retention policies tied to records management, and tight integration with Outlook, Teams and Word. For a firm of any meaningful size, the cost of SharePoint is already absorbed in the M365 licence. The weaknesses are equally real - SharePoint is genuinely complex to administer well, the default setups are often dangerously permissive, and external sharing is configurable to the point of paralysis. SharePoint rewards investment; firms that "just use it" without setup tend to drift into a mess.
Tresorit
Tresorit is the security-first choice. Swiss-based with EU data residency, end-to-end encrypted (the provider cannot read your files even in theory), and oriented around regulated industries - legal, accounting, healthcare. Strengths are the encryption model, the external sharing controls (expiry, watermarking, view-only PDF rendering), and the audit trail. The weakness is ecosystem: integrations are narrower than SharePoint or Dropbox, and the price per user is higher. For a firm where AML supervision and PII protection are existential, the trade-off is reasonable.
GDPR, data residency and AML record-keeping
UK and EU GDPR mean the firm has to know where its data physically sits and who can access it. All three vendors offer EU or UK data residency on appropriate tiers, but only Tresorit guarantees end-to-end encryption such that the vendor cannot decrypt customer files. AML supervision (whether by HMRC, an RPB or another body) increasingly asks how the firm controls access to KYC documents and how long it retains them. Whichever product you pick, the retention policy has to be documented, configured in the system, and tested annually.
External sharing and the client experience
The single most common cause of accidental disclosure in a small firm is "I emailed the wrong file" or "I left the link open after the engagement ended". All three products offer expiring links, password-protected shares and view-only rendering. The better answer for client-facing document exchange, though, is not a Dropbox link at all - it is a proper client portal where the document sits inside the client's authenticated workspace and the audit trail captures every view. Accupe's client portal handles this exchange natively; the underlying document store (Dropbox, SharePoint, Tresorit) becomes the firm's internal vault rather than the client-facing surface.
Cost over five years
For a 20-user firm, the rough order of cost over five years is: SharePoint as part of M365 (essentially incremental cost over licences you already pay); Dropbox Business standard tier (mid); Tresorit Business or Enterprise (higher, by a meaningful margin). Cost is not the only axis - a single AML breach or data-loss incident costs more than five years of any of these products - but it deserves to be on the table.
How firms actually choose
Most UK firms of 5 to 50 people end up on SharePoint because they are already paying for M365, with a thin layer of process and naming convention to make it usable. Firms that have had a security scare, or that handle particularly sensitive matters, layer Tresorit on top for a specific subset of files. Pure Dropbox shops still exist, particularly among smaller and older firms, but the direction of travel is away from Dropbox toward either Microsoft or a security-first alternative.
Closing
The product is half the decision. The other half is the discipline: a documented folder structure, a permissions review every six months, a leavers process that revokes access on the day someone leaves, and a retention policy that actually deletes files when it should. A great tool with no process is worse than an adequate tool with good process. Pick the platform that suits your firm's shape, then invest in the operating procedure that surrounds it.