secure-transmit is a file transmission service that allows you to transmit data of any size, from anyone you like, to anyone you like. • You can prove that the data was only transmitted to the people you designated. • You can prove that the transmission completed. • You can prove that the correct data was transmitted. • You can attach detailed, personalized instructions telling your correspondents what you would like them to do. • All of your data and metadata is only accessible to you and the people with whom you intend to share it. • No client side infrastructure needs to be installed on any of the correspondents’ machines. • You don't need a subscription, an account, or a long term relationship with secure-transmit to use the service.

Electronic communications occur every day. But occasionally, you need to transmit data of some significance for a particular task. Perhaps you are transmitting your financial records to your accountant, or sensitive legal documents to your lawyer, or complicated design documents to your vendor. Transmissions are communications that have consequences, should the information being transmitted go astray or awry. They require some combination of the following attributes: • There is a lot of data to be transmitted. • It is essential that the data be secure in transmission. • It is crucial that the data not be accessed by anyone other than the desired correspondent. • The data being transmitted needs attached instructions, explanations or warnings. • Feedback on the state of the transmission is required. • After the data is transmitted, proof of the transmission is required. secure-transmit is designed to satisfy the requirements of data transmission. For most people, data transmissions occur infrequently. This means that the user community for data transmission infrastructure within any organization is large, but diffuse. Almost everyone needs to transmit data occasionally. Almost no-one needs to transmit data daily. Most market alternatives or improvised solutions do not fit this use case well.

You should consider secure-transmit: • When you need to occasionally or intermittently send or receive data with a changing collection of people, and you don’t want to manage another user account or subscription service to accomplish these communications • When you need to be certain with whom you're corresponding • When you need to be sure that nobody else can intercept your data in transit, including employees of the transmission service you're using • When you need to keep records of what was sent and received secure-transmit is for securely transmitting a well defined packet (even very large in size) of data between a well defined set of correspondents, for a well defined purpose, and keeping track of what was sent from whom, to whom, and when.

When you define a transmission, you name the correspondents who will exchange data in the transmission. You will be required to define for each correspondent the proofs of their identity, including yourself. At a minimum, a correspondent must have an email address, but they can also be required to demonstrate that they control a phone number (voice or text), on which they will receive one time security codes. In addition, a correspondent can be associated with a public key, and to prove their identity they will be required to demonstrate that they possess the private key paired with their public key. Finally, a password can be attached to a transmission, and all correspondents must be able to demonstrate their knowledge of the password as a further proof of identity.

When you define a transmission, you provide proofs of identity for all correspondents, including you. secure-transmit requires that you click on a link and provide your proof(s) of identity before alerting any of your correspondents of the transmission. Your proof(s) of identity are shared with all of your correspondents, as well as the assurance that secure-transmit has verified them all (email, and optionally, phone, private key, and password). Your correspondents should recognize your proof(s) of identity, and if they do not, they can feel free to check them (by sending an email or calling a phone number), or totally disregard your transmission as being untrustworthy.

When data is uploaded for transmission, it is stored in an AWS S3 directory, encrypted with keys that are not stored by AWS. (The AWS storage mechanism is called Server Side Encryption, with Client Side Keys). The unencrypted file is never stored in the file system or memory of any server, and the decryption keys are inaccessible to secure-transmit without information held only by the correspondents. Furthermore, when the transmission is defined, you can specify a geographic region where the encrypted data will reside, which is sometimes required by various regulations. Finally, when the transmission is defined, you will be required to define a file retention period, after which the data being transmitted will be automatically deleted. If you like, by selecting the gear on the Transmission screen, you can request notification by text or email when this deletion occurs.

The metadata associated with a transmission define the proofs of identity of all correspondents, and any instructions to be shared with correspondents. In addition, all activity associated with a transmission are logged, to allow the sponsor of the transmission to know that their data was correctly received. All of this data is stored in secure-transmit's internal database, but it is stored in such a manner that it is not accessible to secure-transmit without keys held only by the correspondents. Every record in secure-transmit's internal database is encrypted with its own key. The keys are not held by secure-transmit, but instead are held by the correspondents. In the course of the transmission, when files are uploaded or downloaded by correspondents, each of these actions requires the correspondent to pass a key to secure-transmit, and secure-transmit will use this key to locate and decrypt the correct record. Only then will be metadata associated with the transmission in question be revealed to secure-transmit, so that it can perform the actions necessary to make the transmission happen. Furthermore, when the transmission is defined, a records retention period can be defined. When this period expires, all of the records associated with the transmission will be deleted. Because of the structure of secure-transmit's internal database, it is impossible for secure-transmit to know what transmissions are in flight, or to know what customers are being served at any time. Because of the requirement that every record have its own decryption key, a single decryption of a record in secure-transmit's database can reveal data about only ONE transmission. secure-transmit cannot leak a list of user account names and data, because it has no list of user accounts. In fact, secure-transmit does not have user accounts as most systems implement them.

secure-transmit doesn't require a user account, and doesn't have subscriptions, as previously mentioned. secure-transmit can be used in an entirely ad hoc manner, where the sponsor pays for each transmission individually. If a user or organization anticipates lots of transmissions, there is a flexible mechanism for allowing a bulk purchase to be used by a purchaser who can define a set of transmission sponsors. At the moment, secure-transmit allows user to try the service for small transmissions (<10MB). Larger transmissions cost money, and a transmission cannot be initiated without payment having been arranged. It is possible to pay for a single transmission. A transmission whose total data to be transmitted is less than 1GB costs $3 USD, a transmission whose total data to be transmitted is less than 5GB costs $5 USD, and a transmission whose total data to be transmitted is less than 20GB costs $10 USD. Data is accounted when it is delivered to the recipient(s). If there are 5 recipients, each downloading 1GB, this is a 5GB transmission. If a transmission racks up downloads larger than what was paid, or if a free transmission exceeds its 10MB allotment, downloads will be suspended until the funding is increased. If you expect to have a recurring need for transmissions, it is cheaper and easier to pay secure-transmit a lump sum which can be used to fund a large number of transmissions. This model should be thought of like charging up a transit card and using it to ride the subway a bunch of times, or paying into an EZPass account and riding the turnpike as much as you want. Each transmission debits a balance in a tab, and when the money is used up, the tab will stop working, or the user can pay more money into the account. Like a subway card, the tab should be thought of as a token that gives access to funding, rather than a user identity. There are two different kinds of tabs - Basic and Enhanced. You can open a Basic Tab with a deposit of $35 USD. When you open the tab, it will create a passphrase associated with your proof(s) of identity. When you want to fund a transmission, you provide the passphrase, and the charges associated with the transmission will be debited from the tab. Only someone who can provide your proof(s) of identity can use your passphrase. A Basic Tab allows you to grant the ability to use the tab to two other identities. This grant is known as a User Proxy, and each of the User Proxies of a Basic Tab will be associated with a single identity and will have its own passphrase. This is designed for a small office, or a family, to share access to the Basic Tab. An Enhanced Tab can be opened with a deposit of $250 USD or more. Enhanced Tabs are designed for use by a mid to large organizations. To grant access to the tab to many employees, the Enhanced Tab is not limited in its number of proxies. Conceivably you could grant an individual User Proxy to each employee you would like to give access to the tab. Alternatively, there is another type of proxy available to the Enhanced Tab to simplify management of a large group of employees. A Domain Proxy associates a passphrase with an email domain. Any person whose proofs of identity connect to a specified domain will be able to use the proxy. When you check the tab records it will reference all charges against the account by proxy and by sponsor, so charges can be ascribed to the sponsor who generated them. Enhanced Tabs can also limit the use of a proxy to a specified number of transmissions, a specified maximum expenditure, or a specified lifespan. When you create a Basic or Enhanced Tab you will be able to access an interface that allows you to grant or retract access through the proxies associated with your tab.. The proxy mechanism allows the person who funded the tab to maintain their own set of authorized users without requiring any assistance from secure-transmit. The charges from secure-transmit do not scale in any way by the number of users accessing the account. Charges are based only on number of transmissions and the amount of data transmitted.

• Goal: To transfer medical records from Dr. Sender to Dr. Receiver • Your Role: Transmission Sponsor and Data Recipient • Sponsor actions: • Visit https://app.secure-transmit.com.(https://app.secure-transmit.com) Select "Start Transmission" and "Confirm" • Define Sponsor proofs of identity. Use an email and phone known to Dr. Sender and Dr. Receiver, to establish your identity. Click "Define Sponsor" • Describe the transmission. Give a title and description that makes it clear what data you want Dr. Sender to send, and why you want Dr. Receiver to receive it. Define a file retention period that is long enough for both doctors or their designates to respond. Hit the gear button, and opt to send yourself text messages for contacts, and email alerts for uploads, downloads, and file deletion. Click "Define Transmission" • Input the proofs of identity for Dr. Sender (email and phone), and detailed instructions describing what you need them to send. Dr. Sender's instructions are only sent to Dr. Sender, so you can safely include any patient identification to clarify whose records you want sent. Click "Define Sender" • Input the proofs of identity for Dr. Receiver (email and phone), and detailed instructions describing the records they are to receive. Dr. Receiver's instructions are only sent to Dr. Receiver, so you can safely include any patient identification to clarify whose records they will be receiving. Click "Next Recipient" • Check the "Sponsor is Recipient 2" checkbox to add yourself to the list of recipients. Click "Done with Recipients". • Check over the information you have entered on the security review page. If all is well, click "Next". • Click "Arrange For Payment", "Pay for a single Transmission", "Transmit 1GB for $3" and "Checkout" • Agree to the terms of service and enter your credit card information. • Read through the instructions in the "Final Review" page. • secure-transmit actions: • A Sponsor email with a link to the Sponsor interface for this transmission is sent to the Sponsor (you). • Sponsor actions: • Click on the link in the Sponsor email. • Confirm that you want to proceed. • Request and respond to a security code on your phone. • At this point you have verified your identity, but there is nothing that you can do but wait for data from Dr. Sender. • secure-transmit actions: • Upon the Sponsor confirming they want to proceed, secure-transmit sends the Sponsor (you) a text alert that an initial contact has been made on the Sponsor's link. • Upon the Sponsor verifying their identity, the sender email is sent to Dr. Sender. • Sender actions: • Dr. Sender's office staff read their email from secure-transmit, recognize you as one of their patients, understand what you are asking them to send, and decide to send you the data you are requesting. • Dr. Sender's office staff click on the link in the sender email. • Dr. Sender's staff confirm they want to proceed. • Dr. Sender's staff request and respond to a security code on Dr. Sender's office phone. • Dr. Sender's staff upload the file(s) requested. • secure-transmit actions: • Upon Dr. Sender's staff confirming that they want to proceed, secure-transmit sends the Sponsor (you) a text message alerting you that initial contact has been made on the Sender's link. • Upon each file upload, secure-transmit sends the Sponsor (you) an email alerting you that a file upload has been made by the Sender. • Upon the first file upload, secure-transmit sends all recipients (Dr. Receiver and you) a recipient email with a connection link inside. • Recipient actions: • Dr. Receiver's staff read their email from secure-transmit, recognize you as one of their patients, understand what you are trying to send them, and decide to download the data you are trying to transmit. • Dr. Receiver's staff clicks on the link in the Recipient email, and clicks that they want to proceed. • Dr. Receiver's staff request and respond to a security code on Dr. Receiver's office phone. • Dr. Receiver's staff clicks "Download Files", and downloads the files to be transmitted. • secure-transmit actions: • Upon Dr. Receiver's staff clicking that they want to proceed, secure-transmit sends the Sponsor (you) a text alerting of an initial contact on the Recipient's link. • Upon each download by Dr. Receiver's staff, secure-transmit sends the Sponsor (you) an email alerting you of a download by the Recipient. • Sponsor actions: • Upon receiving the Recipient email telling you that files are available for download, you click the link in your original Sponsor email, and click that you want to proceed. • You request and respond to a security code on your phone. • You select "Download Files" and download the files from Dr. Sender for your records. • You select "Review Activity" and download a signed record of all the activity on this transaction for your records. • secure-transmit actions: • Upon the Sponsor clicking that they want to proceed, secure-transmit sends the Sponsor a text alerting them of an initial contact on the Sponsor's link. • Upon each download by the Sponsor, secure-transmit sends the Sponsor an email alerting them of a download by the Sponsor. • Upon the expiration of the File Retention period, secure-transmit sends the Sponsor an email alerting them that the files associated with this transmission have been deleted. • Discussion: • Cooperation from your correspondents is essential. No system can extract data from someone unwilling to send it, or from someone confused by the request. Sometimes, it will be necessary to call a correspondent and ask them to click on the link. Giving clear and explicit titles, descriptions and instructions is important for getting people to participate. • If 1 GB turns out to be insufficient for the data to be transmitted, the Sponsor will receive an email informing them that the funding has run out. If the Sponsor then clicks the link in the Sponsor email, and confirms their identity, their interface will have an option to "Add Funds", and the Sponsor will be able to increase the transmission to the 5 GB level. • Note that there is two factor authentication of all correspondents. • Note that the Sender and Recipient metadata are separate - it is not necessary that information about the Sender be revealed to the Recipient. Sponsor proofs of identity and descriptive metadata about the transmission are available to all correspondents, but information about Senders and Recipients are not shared. • Note that text alerts on initial contacts allow real time monitoring of activity by correspondents. If someone is not responding to your request, you can contact them and ask them again, or in the Sponsor interface, you can select "Manage Participants" and re-send their message with amended instructions. • Note that the File Retention period can be changed at any time during the transmission, up to a maximum of 30 days. If a correspondent is unavailable for some period, you can extend the File Retention period by selecting "Manage Transmission" in the Sponsor interface located in your email. If everyone has downloaded the files and you want them reaped immediately, you can set the File Retention period to 0 days and the files will be deleted within 15 minutes of that action. • Note that alerts are optional and selected from the gear setting on the Transmission screen. If you don't want any text or email notifications of progress in your transmission, by default you will not receive them.

• Goal: To make a one time transmission to a customer • Your Role: Transmission Sponsor and Data Sender • Sponsor actions: • Visit https://app.secure-transmit.com.(https://app.secure-transmit.com) Select "Start Transmission" and "Confirm" • Define Sponsor proofs of identity. Use an email and phone known to your Receiver, to establish your identity. Click "Define Sponsor" • Describe the transmission. Give a title and description that makes it clear what data you are transmitting, and what you want your Recipient to do with it. Define a file retention period that is long enough for your Recipient to respond. Hit the gear button, and opt to send yourself text messages for contacts, and email alerts for downloads and file deletion. If the data being transmitted are especially sensitive, hit the padlock button, and add and confirm a password for the transmission. Add a "Forgot Password" question and answer if there is the slightest possibility that you will forget the password you just added. Click "Define Transmission" • Check the box "Sponsor is the transmission Sender" defining you as the transmission Sender. Click "Define Sender" • Input the proofs of identity for your Recipient (email and phone), and detailed instructions describing the data you are sending them, and what you expect them to do with it. If you added a password, tell them that there is a password, and that you will provide it, but don't include the password in the instructions. Sending the password in the Recipient instructions defeats the purpose of the password, which is to provide another factor of authentication. Click "Done with Recipients" • Check over the information you have entered on the security review page. If all is well, click "Next" • Click "Arrange For Payment", "Pay for a single Transmission", "Transmit 1GB for $3" and "Checkout" • Agree to the terms of service and enter your credit card information. • Read through the instructions in the "Final Review" page. • secure-transmit actions: • A Sponsor email with a link to the sponsor interface for this transmission is sent to the Sponsor (you). • Sponsor actions: • Click on the link in the Sponsor email. • Confirm that you want to proceed. • If you attached a password to this transmission, enter the password. • Request and respond to a security code on your phone. • At this point you have verified your identity. Select "Upload File" from the interface. • Click on "Choose File" and navigate to the file to send and select it. Note your file size - if it is larger than 1GB you will have to add funds to this transmission. • Enter a Descriptive File Title. • By default, the uploaded file will keep the name it has in your file system. If you would like it to have a different name when uploaded, input that name in the "Filename: field. If you want to remind your Recipient of any confidentiality requirement on the file, it is a good idea to incorporate it in the uploaded filename (e.g. "ITAR_Controlled_file.dat", or "NDA_Covered_file.dat"). • If there are any specific notes to be attached to the file, they can be added one by one by typing them in the "Add a Note to the File:" field and hitting enter. You can add as many notes as you want. • After all the metadata has been attached to the file, click the "Send File" button. A bar will display the upload progress. • After the entire file has uploaded, a recap of all the metadata, and an estimate of the upload speed will be displayed. If you would like to upload another file, you can hit the back button, or you can click the "Upload File" button on your "Sponsor Interface" tab, which is still open in your browser. • If you attached a password to the transmission, you are responsible for giving that password to your Recipient. Ideally, you should call your Recipient and pass the information to him via voice. Somewhat less securely, you could text the password to your Recipient. As a last resort, you could email the password to the Recipient. If you are going to email the password, it largely defeats the purpose of attaching a password in the first place - if you were concerned enough that someone who could break email security might be watching that you added a password, why would you transmit the password by email? A secure option, if you have a tolerant Recipient, is to instruct them to call or text you for the password when they are going to download the file. • secure-transmit actions: • Upon the Sponsor confirming they want to proceed, secure-transmit sends the Sponsor (you) a text alert that an initial contact has been made on the Sponsor's link. • Upon upload of the first file, secure-transmit sends an email with a Recipient link to your Recipient. • Recipient actions: • The Recipient reads their email from secure-transmit and decides that the file transmission it describes makes sense, that they know you, and that they want the data you want to send them. • The Recipient clicks on the link in the Recipient email. • The Recipient confirms they want to proceed. • If you assigned a password to the transmission, the Recipient will be required to enter it now. If you haven't sent it to them, they will have to contact you to get it. Making a Recipient chase you down for a password you assigned requires a tolerant and committed Recipient. If you need the extra security of a transmission password, work out how you are going to distribute it to your Recipient(s). • The Recipient asks for and responds to a security code sent to their phone. • Having proved their identity, the Recipient is presented with an interface. They click "Download Files", and are presented with a list of all the files that you have uploaded. The Recipient can download as many of the files as they like. Simultaneous download is supported. • secure-transmit actions: • Upon the Recipient confirming that they want to proceed, secure-transmit sends the Sponsor (you) a text message alerting you that initial contact has been made on the Recipient's link. • Upon each file download, secure-transmit sends the Sponsor(you) an email alerting you that the Recipient has downloaded a file, which file they downloaded, and what the MD5 and SHA256 checksum of the file is, as well as other metadata associated with the download. • Sponsor actions: • After reviewing the file download emails secure-transmit has sent you, and concluding that you have successfully transmitted the data you intended to send, you click on your original Sponsor email link. • You confirm that you want to proceed. • If you assigned a password to the transmission, you supply the transmission password. • You request and respond to a security code sent to your phone. • Having now proved your identity, you are presented with the Sponsor's Interface. You click on "Review Activity". You download a cryptographically signed record of all activity on this transmission for your records. • Since the data has been transmitted, you return to the Sponsor Interface tab on your browser, and click on "Manage Transmission". You set the file retention for this transmission to 0 days. • secure-transmit actions: • Since the file retention for this transmission has expired, within 15 minutes all files uploaded for this transmission will be deleted. • secure-transmit sends the Sponsor (you) an email confirming that all files associated with this transmission have been deleted since you selected that option. • Discussion: • The cryptographically signed activity record will allow you to prove that file(s) were transmitted, and what version of the file(s) were downloaded. It also records the remote IP addresses from which all connections were made. • Automated Internet cache builders can visit connection links, after they are used by transmission participants. These automated hits are identified in the activity record. These hits would cause extraneous alerts to be sent, which is why transmission correspondents are required to affirmatively ask to proceed. Tying the alerts to an actual user action eliminates the cache builder hits. • Note that text alerts on initial contacts allow real time monitoring of activity by correspondents. If someone is not responding to your request, you can contact them and ask them again, or in the Sponsor interface, you can select "Manage Participants" and re-send their message with amended instructions. • Note that the File Retention period can be changed at any time during the transmission, up to a maximum of 30 days. If a correspondent is unavailable for some period, you can extend the File Retention period by selecting "Manage Transmission" in the Sponsor interface. If everyone has downloaded the files and you want them reaped immediately, you can set the File Retention period to 0 days and the files will be deleted within 15 minutes of that action. • Note that alerts are optional. If you don't want any text or email notifications of progress in your transmission, by default you will not receive them.