Welcome aboard. This 11-step checklist is designed especially for new SendSafely Administrators. Read on to learn about the most popular setup and configuration options, then check them off your list!
Important Note - This document is the first of three popular checklists. The second is our SendSafely New User Guide, and the third is the Zendesk Integration Setup Checklist.
1. Bookmark "New User" SendSafely Resources
Start with the SendSafely blog to learn about new platform features as they are released. Find answers to common technical questions in our Help Center, which includes detailed guidance on setting up various popular SendSafely integrations. Leverage our Developer Center to learn how to add SendSafely to your automated workflows. You can also email support@sendsafely.com with any questions.
2. Plan Employee On-boarding & New User Education
New user education is a critical component of a successful on-boarding plan. SendSafely provides many useful resources that can be incorporated into your internal on-boarding documentation and employee guidance. We recommend that you start by reviewing the SendSafely New User Guide, with the aim of providing it to your employees along with the applicable “Quick Start Guides + Videos” and demo recordings.
3. Assign a Backup Administrator User
SendSafely requires having at least 2 Administrator user accounts configured at all times (as a primary & backup account in case someone is out on vacation). Administrators can manage all User Accounts and also SendSafely platform features like Dropzones directly from the Enterprise Console.
4. Elect a Custom URL
Set up a custom URL for your SendSafely portal for improved branding and deliverability.
5. Enforce 2FA/MFA to Protect All User Accounts
SendSafely has begun mandating the enforcement of 2FA/MFA to protect all employee user accounts. This is especially important for privileged Administrator accounts. Ensure Two Step Authentication is enforced platform-wide for your SendSafely portal. If available, also leverage your enterprise SSO solution to provide 2FA/MFA user authentication protection (see below). If SSO is not available, review the supported SendSafely Two Step Authentication options, and enforce them within the SendSafely Enterprise Console.
Note - SendSafely recommends utilizing both your company SSO solution and also enforcing 2FA/MFA for your SendSafely portal. This will ensure any break-glass accounts exempted from SSO are still protected with strong authentication controls.
6. Integrate & Enforce Single Sign On (SSO)
Integrate SendSafely with your organization's SSO solution to authenticate your employees. SendSafely supports SSO using the SAML2 authentication standard, and is listed in the application catalogs for Okta, OneLogin and Azure AD, and also supports Google SSO.
Once SendSafely is integrated with your SSO solution, be sure to enforce its use for all your employees by submitting a request to support@sendsafely.com.
7. Plan Service Account Usage (Particularly for Dropzones)
Administrators can create and manage designated Service Accounts from the Enterprise Console to use with our API, Dropzones and third party integrations. Before using a Service Account be sure to fully understand both the security benefits and also the potential requirement for generating backup private decryption keys if used to host production Dropzones. Review the following Service Account documentation:
"Non-Service Account" Dropzone Setup Instructions: When setting up a production Dropzone using a fully registered user account (instead of using a Service Account) we recommend backing up the initial Trusted Browser Key for the Dropzone "Owner". This initial key can be used to access all historical packages received via that Dropzone - which is especially useful if you choose to automate the download/export of received files in the future.
8. Set Up a SendSafely Master Key
Assess whether you need a Master Key configured for your SendSafely portal as part of a compliance, audit, or archival program. A Master Key provides an organization the ability to decrypt items transferred through its SendSafely platform. This is especially important if you need to recover data after an employee leaves the company, or if your organization operates within a regulated industry, such as Financial Services.
Please note: a Master Key can only decrypt packages sent and received after the date the key is successfully configured in your SendSafely portal. It cannot provide access to historical packages sent/received prior to its setup date or to packages that have already been deleted.
9. Configure SendSafely Data Retention Settings for your Organization
SendSafely Admins can specify the default, minimum and maximum package expiration for all users from the Configuration tab of the Enterprise Console. File expiration settings apply to all packages sent using the web portal, Chrome extension, email integrations and the API.
Important Note: These file expiration settings configured in the Enterprise Console do not apply to Dropzones or Workspaces. Dropzone Package Expiration is configured separately in each individual Dropzone profile (which can be updated by admins via impersonation). Workspaces are designed for longer term collaboration and are currently not subject to data expiration settings (there is a script that can be leveraged to enforce expiration on Workspaces if needed).
Long Term Storage Options
The maximum package expiration is 365 days. Organizations required to retain data for extended periods of time, or export it to other systems for archival or compliance purposes should read up on Long Term Data Storage & Auditability for Compliance with SendSafely, then set up a SendSafely Portal Master Key and then utilize one of the following long term storage options:
- Configure your own AWS S3 Bucket for use with SendSafely - Utilizing this feature provides you with additional options regarding long term storage of packages sent and received through your SendSafely instance. This includes "Disabling Package Expiration" and "Disabling File Deletion" which are portal-wide settings. You can also utilize versioning in S3 buckets to recover more easily from unintended user actions such as accidental deletion.
  - Note - Disabling package expiration may negatively affect the user experience since users will be unable to delete any sent files. For these cases, users will still be able to immediately expire access to the files to prevent access but the files will remain available in the system for compliance purposes.
- Scheduled Export of Sent/Received Packages via the SendSafely API - the SendSafely API can be used to automatically download all packages sent/received on a regularly scheduled basis. The downloaded files can then be processed or archived as required. SendSafely provides a Package Export Utility along with several source code examples for exporting packages via the SendSafely API on GitHub.
10. Secure Privileged Administrative & Service Accounts
As a best practice, Admin accounts should only be used for performing Administrative functions and not for daily SendSafely use. Ensure 2FA/MFA authentication controls are utilized to protect these privileged accounts, ideally via enterprise SSO if available.
Service Accounts used to host Dropzones or provide API access should not be assigned Administrative privileges. When possible these accounts should also be protected by 2FA/MFA. After initial setup, Service Accounts should not be used to log into the SendSafely portal, and instead be managed by an Admin via the Enterprise Console.
11. Encourage Users to use SMS Verification to Protect Sensitive Files
Both SendSafely Send and Workspaces provide an SMS verification option for recipients and collaborators. Encourage your users to require that external guests be authenticated using an SMS PIN for extra protection against unauthorized access. SMS verification can be easily enabled from the Workspace Collaborators page and the Send Items screen.
Resource Appendix: