Pssst. Parole first.

Sharing secrets with your customers is usually stressful. Sending NDA-related information via unencrypted email is as good an idea as sending it via postcard.

Rule #1: Don't trust the Internet.

Dictating complex passwords over the phone ends in a thousand calls about what special character it was or whether the lowercase "b" was perhaps a capital letter. In Germany, sending a fax was a solution for "secure transmission" for many years. Since every fixed line has been converted to All-IP, Rule #1 applies.

Since your solutions are self-hosted, you already know the answer to this problem. Today I would like to point out two open source apps for sharing documents, passwords or anything else that you don't want everyone to see.

PrivateBin - Because ignorance is bliss

Setting up PrivateBin on Cloudron takes less than 5 minutes, and it does not require any user management. Once installed, the front-end is minimalistic. Add your secret information or upload some attachments. Choose the expiration date (the default is one week), tick the burn after reading checkbox if the URL should work only once (after the first opening, the PrivateBin note is permanently deleted), and set a password if you want. Click Send, copy the generated URL and send it to your communication partner. If you set a password, dictate it over the phone; it is easier to dictate than the secret itself. Done.
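The phone step only works if the password survives being read aloud, which is the problem described above with special characters and upper or lower case. The following is an added example, not part of the original post or of PrivateBin: it generates a random single-case password without look-alike characters and prints a spelling script for the call. The alphabet, the 80-bit target and all function names are assumptions of this example.

```python
import math
import secrets

# Assumed alphabet: one case only, no special characters, and no
# look-alike characters (i, l, o, 0 and 1 are left out). 31 symbols.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

# Spelling words in the same order as ALPHABET (NATO words, plain digits).
_WORDS = ("Alfa Bravo Charlie Delta Echo Foxtrot Golf Hotel Juliett Kilo Mike "
          "November Papa Quebec Romeo Sierra Tango Uniform Victor Whiskey "
          "X-ray Yankee Zulu two three four five six seven eight nine").split()
SPOKEN = dict(zip(ALPHABET, _WORDS))


def length_for_bits(bits: int) -> int:
    """Characters needed so a uniformly random password has >= `bits` entropy."""
    return math.ceil(bits / math.log2(len(ALPHABET)))


def generate_password(bits: int = 80) -> str:
    """Draw each character from the OS CSPRNG; 80 bits is an assumed target."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length_for_bits(bits)))


def dictation_script(password: str, group: int = 4) -> list[str]:
    """Return one line per group of characters, spelled out for the phone."""
    unknown = sorted(set(password) - set(ALPHABET))
    if unknown:
        # Refuse anything that cannot be read out unambiguously.
        raise ValueError(f"not dictation-safe: {unknown}")
    words = [SPOKEN[ch] for ch in password]
    return [" ".join(words[i:i + group]) for i in range(0, len(words), group)]


if __name__ == "__main__":
    pw = generate_password()
    print("Enter as the PrivateBin password:", pw)
    print("Read out on the call, one line at a time:")
    for line in dictation_script(pw):
        print("  " + line)
```

The shorter alphabet costs length rather than strength: 17 characters from these 31 symbols give slightly more than 80 bits.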

Screenshot of the minimalistic PrivateBin front-end.

Nextcloud as a GDPR-compliant postbox

Nextcloud is a huge toolbox that covers a lot of functionality other tools offer. But a small part of its original specialty, file sharing, is a solution for securely sharing secrets and files. Install Nextcloud on your Cloudron and open the app. Create a folder that you want to share as a GDPR-compliant postbox. Click Share link and select File drop (upload only). Copy the generated link and send it to your communication partners. They will now be able to upload files to your postbox without seeing uploads previously made by others. The only thing missing is an automatically generated email from the app when a new upload is made. A new upload is only visible in the folder itself or in the activity stream (if enabled). If you have found a good solution for this little glitch, please give me a ping.

Nextcloud dashboard with the share link dialog

Securing the transport

Modern browsers and the apps on your Cloudron instance are capable of using TLS/SSL for end-to-end data encryption. PrivateBin uses AES for encrypted data in the bin itself. You can enable encryption in Nextcloud. If you choose strong passwords and ideally 2FA for your user accounts on Cloudron, you have done everything you need to do to communicate securely with your communication partners.

Cloudron dashboard with two apps