1. Bookmark–and Share!–Key Resources

Set yourself and your users up for a successful onboarding by providing them with our New User Guide, as well as with these educational resources:

• Our Help Center offers answers to common technical questions, and detailed guidance on setting up popular SendSafely integrations for platforms such as Zendesk, Salesforce, and Freshdesk.
• Our Blog announces exciting new SendSafely features as they are released.
• For feature videos, check out our YouTube.
• Our Developer Docs, GitHub, and REST API empower you to leverage SendSafely in automated workflows for end-to-end encrypted file exchange and storage.
• Our Trust Center is a great place to learn about our approach to privacy and security. 
• For any questions our documentation doesn't answer, please email support@sendsafely.com.
  

2. Assign a Backup Administrator, and Follow Best Practices to Secure Admin Accounts
SendSafely requires your portal to have at least 2 Admin users configured at all times. Promote another user to Admin by navigating to the Users tab of your Enterprise Console and clicking the checkbox to the right of their email address.

Admins can manage all user accounts, Dropzones, and other SendSafely platform settings. Because of this, Admin accounts should only be used to perform administrative functions, and not for daily SendSafely use. Enforcing 2FA and SSO (steps 4 and 5 of this checklist) are especially important for Admin accounts.

3. Set up a Custom URL
Set up a custom URL for your SendSafely portal for improved branding and deliverability. You can also set up a custom domain for email notifications.

4. Integrate & Enforce Single Sign-On
Integrate SendSafely with your SAML2-based SSO solution to authenticate your employees. SendSafely is listed in the application catalogs for Okta, OneLogin, and Microsoft Entra (Azure AD), and also supports Google SSO.

Once you've integrated SendSafely with your SSO solution, enforce its use for all of your employees by submitting a request to support@sendsafely.com.

You can also set up SSO for your guests.

5. Enforce 2FA
If possible, you should leverage your SSO provider to provide 2FA/MFA user authentication protection. SendSafely has begun mandating 2FA enforcement to protect all users; this is especially important for customers who lack an SSO provider, or who wish to retain break-glass accounts exempt from SSO.

Enforce 2FA for your portal. We support a variety of Two-Step Authentication options.

We strongly recommend using your company SSO solution in addition to enforcing 2FA for your SendSafely portal.

6. Set up a Master Key
Determine whether your organization needs a Master Key, and if it does, follow our guidance to configure one. A Master Key grants an organization the ability to decrypt all items transferred through its SendSafely portal. Some customers will find this essential for compliance, auditing, or archival reasons, especially if you need to recover data after an employee's offboarding, or if you operates within a regulated industry such as Financial Services.

Note: A Master Key can only decrypt packages created after the key is configured. It cannot provide access to deleted packages, or to historical packages created prior to its successful configuration. 

7. Plan Service Account Use
Admins can create and manage Service Accounts to use with our API, Dropzones, and integrations. Most Dropzone-based workflows require the use of a Trusted Device Key or Master Key. Note that Service Accounts have unique requirements for Trusted Device Key generation.

To ensure access to historical packages, make sure to back up your Trusted Device Key or Master Key somewhere safe.

8. Configure Data Retention Settings

Admins can specify default, minimum, and maximum package expiration for all users and Dropzones from the Configuration tab of the Enterprise Console. These expiration settings apply to all packages sent and received via the web portal, integrations, and API.  

Note: These expiration settings do not apply to Workspaces, which are designed for long-term collaboration. If you wish to enforce automatic expiration and deletion on Workspaces, reach out to your account representative to request a script-based solution. 

Long Term Storage

Excepting Workspaces, SendSafely packages are subject to a default maximum expiration of 365 days. Organizations required to retain data for longer should configure a Master Key and review their options for longer-term storage:

• Backend your portal onto your own AWS S3 Bucket, and then Disable File Deletion platform-wide. Note that while you can also Disable Package Expiration, we encourage you to allow packages to expire as a privacy control, retaining them for compliance and unexpiring them as needed.
• Enterprise customers can use our S3 Private Archive Action to programmatically export decrypted package contents to a private S3 bucket (commonly, a WORM bucket) for long-term storage.
• Use the SendSafely API to regularly download all packages for processing or archival as required. Our GitHub has several code examples for programmatically exporting packages, including our Secure Package Export Utility.

9. Encourage Users to Leverage Strong Verification Options
Your external recipients and collaborators can authenticate to Send Items packages and Workspaces by a number of methods: one-time email PIN, one-time SMS PIN, Login via Google, and Guest SSO.

Educate your users on the most secure options, and leverage SMS over email PIN codes wherever possible. SMS verification can be easily enabled from the Workspace Collaborators page and the Send Items screen.

10. Enable the Audit Log

The Audit Log captures portal-wide package, user, and admin activity, and can be pulled via REST or pushed to an S3 bucket for consumption by your SIEM system. To enable it, contact your account representative.