Simply Send · Encrypted Delivery

Secure Send,
Without Portals

Passkey-first encrypted delivery for messages and large files—no passwords, no portals. Built to prove identity, protect data, and keep auditors happy in one flow.

Simply Send is secure delivery for external sharing: passkey-first recipient verification, host-locked links, per-item encryption (keys wrapped in your Key Vault), and audit-ready events. It’s deployed inside your Azure environment, so access and policy remain customer-controlled.

  • Host-locked, time-bound links with per-item AES-256-GCM keys wrapped in your Key Vault.
  • Streaming for multi-GB payloads, resumable downloads, and inline previews that stay encrypted.

Why It’s Different

Passkey-first + OTP backup.Device-native passkeys with a rate-limited, short-lived OTP fallback (when enabled).
Host-locked links.Domain-verified, time-bound, download-limited; revoke anytime.
Per-item encryption.Each message/file gets its own key wrapped by your Key Vault–managed key encryption key.
Streaming large files.Chunked encryption, byte-range downloads, and resumable previews for multi-GB payloads.
Complete audit trail.Events for open/verify/OTP/download/reply are captured for compliance.

How It Works (3 Steps)

  1. 1. SendDrop files or paste a message, set expiry/limits, and hit send.
  2. 2. VerifyRecipient authenticates with passkey (or OTP if enabled) on your verified domain.
  3. 3. DeliverContent decrypts on the fly; replies/uploads stay encrypted and audited.

Recipient Experience

Sender & Admin Controls

Capability What it does Why it matters
Verified domains Links only run on approved hosts over HTTPS; blocks lookalike domains. Protects recipients from spoofed links and phishing.
Granular policies Expiry, max downloads, reply/attachment permissions, and instant revoke. Controls exposure and shuts access down in one click.
Secure Intake Gate inbound submissions by IP/CIDR; review and approve before they land. Stops untrusted uploads from reaching your workspace.
Custom domains & branding Customer URLs, colors, logos, and wording per tenant. Delivers trust and consistency to every recipient journey.
Audit-ready Filterable events for create/open/verify/reply/download. Answers “who accessed what, when” quickly and defensibly.

Security Architecture (Plain English)

Who It’s For

Best suited for

Teams that need secure external delivery with audit trails—legal, compliance, HR, finance, investigations, and customer support—without portal friction.

Not the best fit

Lightweight “anyone can share anything” consumer file-sharing, or workflows that require the vendor to host and manage recipient accounts.

Simply Send FAQs

Straight answers to the questions security, compliance, and IT teams ask before they approve secure delivery.

Does Simply Send require passkeys?

Passkeys (WebAuthn/FIDO2) can be required per tenant via configuration. If OTP fallback is enabled, recipients can authenticate using a short-lived, rate-limited email OTP when passkeys aren’t available.

How does OTP fallback work and how is it controlled?

OTP fallback is explicitly configurable (Lfs:AllowOtpFallback) and rate-limited (default 5/min per email+IP). Codes expire (10 minutes), have limited verification attempts, and are stored as salted SHA-256 hashes.

Where does data live — is this SaaS?

Simply Send is designed for customer-hosted deployments and can run inside your environment. Links can be enforced to verified domains and branded per domain/tenant.

How are messages encrypted?

Messages are encrypted with AES-GCM-256 using per-message keys. Additional authenticated data (AAD) binds encryption to the chat/link context to reduce token replay across threads. Keys are wrapped by a KEK (Azure Key Vault or configured key wrap).

How are files encrypted and delivered securely at large size?

Files are encrypted at rest using chunked AES-GCM-256 with a per-file data encryption key (DEK) plus salt. Each chunk has its own nonce and tag, supporting efficient range decrypt for partial reads. Downloads are range-enabled (206 responses) and support resumable delivery.

Do you support resumable uploads?

Yes. Simply Send supports resumable uploads via TUS (/api/tus OPTIONS/POST/HEAD/PATCH). Sessions are tracked and finalized into encrypted document records when complete. Multipart uploads are also supported for direct uploads.

What prevents a link from being reused on another domain?

Host pinning is enforced: the request host must match the issued LinkHost. Mismatches are rejected to prevent token reuse across domains. Verified domains can be enforced, and lookalike hosts are blocked.

What’s audited?

Access logs and audit events cover link creation, opens, OTP request/verify, downloads (including bytes served), replies, uploads, and revocations. Logs include IP/UA, timestamps, and actor identity where available.

Can we revoke access instantly?

Yes. Links can be revoked by token, by link ID, or in bulk per thread. Policies support expiry, view/download limits, and access can be shut down immediately. Background polling can be configured not to consume view counts.

What is Secure Intake?

Secure Intake allows anonymous external submissions via /api/lfs/intake, optionally restricted by IP/CIDR allowlist. Submissions are reviewed and approved/denied by admins/analysts; approval creates a controlled secure thread with reply/upload policies.

Can admins perform read-only audits?

Yes. When enabled, admins can start a time-limited (e.g., 24h) read-only audit session for a recipient. In audit mode, replies/uploads/downloads are blocked and the session is designed to be defensible.

Is Simply Send archive-ready?

Yes. Simply Send content is stored as LFS (DataType.LFS) and can be searched/exported by admins, with access restricted by role/feature gates.

Ready to ship securely?

Book a demo and see Simply Send in action.

Book a Demo