SendSafely

Articles in this section

See more

Long Term Data Storage & Auditability for Compliance

To meet business needs and comply with financial industry regulatory requirements, some SendSafely customers may wish to keep the data contained in their encrypted packages for longer than the default maximum. Follow these simple steps to enable admin access to all of your organization's SendSafely packages for longer than a year.

SendSafely recommends the following setup for organizations that are subject to compliance and regulatory requirements:

Primary Configuration Steps

Step 1: Set up a Master Key

A Master Key provides a privileged organization admin the ability to decrypt items transferred through their SendSafely portal. Please note: a Master Key can only decrypt packages created after the date the key is successfully configured in your SendSafely portal. It cannot provide access to historical packages created prior to its setup date, or to packages that have already been deleted. 

Step 2: Configure your Portal-wide and Feature-specific Expiration Settings

Admins can specify the default, minimum, and maximum package expiration for all users via the Enterprise Console. Expiration settings apply to all packages sent using the web portal, Chrome extension, email integrations, and API. Dropzone Package Expiration is configured separately in the Dropzone profile, while Workspaces are designed for longer term collaboration and are currently not subject to data expiration settings.  

A warning about File Expiration! SendSafely does not recommend disabling File Expiration as it is an important Security and Privacy Control for preventing future unauthorized access to sensitive information.  

Expiration settings are separate from File Deletion settings. Organizations who require long term file storage should keep File Expiration settings active and instead disable File Deletion (Step 4 below). This approach keeps the security/privacy benefits of the expiration settings intact (i.e., files are stored encrypted in an inaccessible state) but does allow your portal Admins to come back in and unexpire/"reenable" access to files if ever needed for compliance or audit purposes using a Master Key (Step 1 above).

Step 3: Connect your own S3 bucket

Configuring your own AWS S3 Bucket provides a range of useful options regarding the long-term storage of SendSafely packages, including:

  • Disabling File Deletion as described in Step 4 below
  • Data storage in any geolocation supported by AWS
  • Leveraging versioning in your S3 bucket to allow for easy recovery from unintended user actions, such as accidental data deletion
  • Allowing organizations to maintain custody of their own encrypted packages within their own AWS environments. This is a popular option for internal compliance teams when communicating with external auditors.

Step 4: Request Disabling File Deletion

SendSafely customers can disable file deletion to block both automatic and manual package deletion options. With deletion disabled, files still expire on schedule to prevent recipient access, but remain in storage and can be reactivated in the future as needed. If you’ve connected your own S3 bucket and wish to disable file deletion, please email support@sendsafely.com.

Step 5: Enable Audit Log API

The Audit Log API provides Enterprise security and compliance teams broader visibility into events occurring in their SendSafely portal. Authorized users can perform targeted searches of log data as part of ad-hoc incident investigation, or ingest the audit feed into their SIEM platforms for unified monitoring and alerting.

Step 6: Enable & Enforce SSO

Integrate SendSafely with your organization's SSO solution to authenticate users. SendSafely supports SSO using the SAML2 authentication standard, is listed in the application catalogs for Okta, OneLogin, and Azure AD, and also supports Google SSO. Once you've enabled SSO, we recommend enforcing it.

Advanced Compliance Options

Leverage Custom SendSafely Actions

SendSafely Actions enable organizations to easily integrate SendSafely with their internal or third-party API-based platforms. Designed for deployment within an organization's own environment, Actions facilitate custom or security-sensitive tasks like package decryption, while ensuring both business and data privacy requirements are met. Commonly utilized Actions among SendSafely customers include:

    • Data Loss-Prevention integrations for API-based DLP platforms such as the GCP DLP API
    • AV Scanning integrations for API-based malware scanning platforms such as SophosLabs Intelix and OPSWAT Metadefender
    • Security Automation platforms such as Tines
    • Compliance storage via automated / programmatic package decryption & export
    • Write Once, Read Many (WORM) AWS S3 storage for SendSafely package and/or package contents
    • ...and more!

For additional critical portal administration information, be sure to review and complete the “Set Up Checklist for SendSafely Administrators

Related articles