SendMeDocs is designed for the transmission and temporary storage of sensitive documents, including government-issued identification, tax records, financial statements, and protected health information. The following describes the technical, administrative, and organizational measures in place to protect the confidentiality, integrity, and availability of data processed by the service.
All communication between clients, application servers, and storage infrastructure is encrypted using TLS 1.2 or higher. Plaintext connections are rejected at the transport layer. This applies to all surfaces of the service, including the dashboard, upload portal, API, and webhook delivery.
Uploaded documents are stored with AES-256 server-side encryption. Encryption keys are managed by the storage infrastructure and are not accessible to application code. Database fields containing sensitive values use encryption where appropriate.
Documents are permanently deleted from storage after the organization's configured retention period, which ranges from 7 to 30 days depending on the plan. Deletion is measured from the time a request is marked as completed. Once deleted, files cannot be recovered by any party, including SendMeDocs.
All dashboard authentication is performed via passkeys (WebAuthn/FIDO2). No passwords are stored, transmitted, or accepted by the system. Each device registers an independent cryptographic credential, eliminating the risk of credential stuffing, phishing, and password reuse attacks.
The service enforces strict multi-tenant isolation at the database and application layers. Every query is scoped to the authenticated organization. Role-based access control limits administrative operations to authorized members. Upload tokens are single-use and cryptographically generated, scoped to a specific request.
All email and SMS notifications are logged with delivery status and timestamps. Credit and billing transactions maintain a complete, append-only ledger. Session activity is tracked per device. Policy and BAA acceptances are recorded with the acceptor's identity, IP address, user agent, and timestamp.
SendMeDocs does not use tracking cookies, third-party analytics, or advertising pixels. A single session cookie is used for authentication. No document content is read, analyzed, indexed, or used for any purpose beyond delivering it to the authorized recipient.
The service is hosted on infrastructure that supports regulated workloads and maintains appropriate compliance certifications. Application and storage components are provisioned in a single geographic region. Access to production systems is restricted and logged.
Uploaded documents are stored encrypted and served only to authenticated, authorized users within the requesting organization. SendMeDocs does not inspect, analyze, or derive information from document content. Documents are not used for training, analytics, or any purpose other than providing the requested service.
Files are automatically and permanently removed from object storage after the organization's retention period expires. The retention window begins when a request is marked as completed. Organizations may also delete individual requests or their entire account at any time. All deletions are permanent and include the removal of associated files from storage.
In the event of a confirmed security incident involving unauthorized access to personal data, SendMeDocs will notify affected organizations without undue delay and no later than the timeframe required by applicable law. For organizations operating under a Business Associate Agreement, notification will comply with the breach notification requirements specified in that agreement.
Organizations subject to HIPAA that use SendMeDocs to collect documents containing protected health information may execute a Business Associate Agreement at no additional cost on any paid plan. The BAA is available for review at sendmedocs.com/baa. To accept, sign in to your dashboard and navigate to Settings > Compliance. The agreement takes effect upon electronic acceptance by an authorized representative of the organization.
Documents are stored in S3-compatible object storage with AES-256 server-side encryption. The storage infrastructure supports regulated workloads and maintains appropriate compliance certifications.
Files are automatically and permanently deleted from storage. The retention window is determined by the organization's plan (7 to 30 days from request completion). There is no mechanism to recover files after deletion.
SendMeDocs uses passkeys (WebAuthn/FIDO2) for all dashboard authentication. There are no passwords in the system. Each device registers its own cryptographic credential, which is verified locally by the device's secure enclave before being validated by the server.
Yes. HIPAA-covered entities and business associates may execute a Business Associate Agreement from the dashboard at no additional cost. Navigate to Settings > Compliance to review and accept the current version.
Security concerns may be reported through our contact form. All reports are reviewed promptly and handled in accordance with our incident response procedures.
