Built with a security-first architecture. Your files are protected with bank-grade encryption and zero-knowledge design.
SecureSend is built on a zero-knowledge architecture, which means we cannot access your files or their contents. All encryption happens locally in your browser before any data is transmitted to our servers.
When you upload a file, it is encrypted using AES-256-GCM with a randomly generated 256-bit key. This key is never sent to our servers — it exists only in your browser and is embedded in the sharing link URL as a fragment (the part after the # symbol). Since URL fragments are never sent to the server in HTTP requests, we have no way to access the encryption key or decrypt your files.
Files are encrypted using AES-256-GCM (Galois/Counter Mode), the same encryption standard used by governments and financial institutions worldwide. This provides authenticated encryption, ensuring both confidentiality and integrity.
Each file is encrypted with a unique 256-bit key generated using cryptographically secure random number generation. Keys are never reused across files.
All encryption and decryption operations happen locally in your browser. Unencrypted file contents never leave your device or traverse our network.
Files are stored in encrypted form on Cloudflare R2 object storage. Without the encryption key (which only you possess), the stored data is computationally infeasible to decrypt.
When you select a file to share, your browser generates a unique 256-bit encryption key and encrypts the file using AES-256-GCM. A random initialization vector (IV) is generated for each encryption operation to ensure uniqueness.
The encrypted file data is uploaded to our servers via TLS/HTTPS. The encryption key remains in your browser and is never transmitted. We receive only the encrypted blob, which is stored as-is on Cloudflare R2.
A sharing link is created with the format https://usesecuresend.com/d/[link-id]#[encryption-key]. The encryption key is placed in the URL fragment (after #), which is never sent to our servers when the link is accessed.
When the recipient opens the link, their browser extracts the encryption key from the URL fragment. The encrypted file is downloaded, then decrypted locally in the browser. The decrypted file is then made available for download.
Set custom expiration times for your links - from a few hours up to 30 days or any timeframe you choose. Once expired, the encrypted files are permanently deleted and cannot be recovered.
Control how many times your files can be downloaded. Once the limit is reached, access is automatically revoked.
Add an additional layer of security with password protection. Recipients must enter the correct password before they can access the files.
Create links that expire after a single download or immediately after the first visit, perfect for highly sensitive information.
Revoke access to your links at any time with a single click. Once revoked, the files become immediately inaccessible to all recipients.
Monitor when your links are visited and files are downloaded. IP addresses are hashed for privacy while still providing useful audit information.
SecureSend is designed with data protection regulations in mind. Our zero-knowledge architecture helps organizations meet their data protection obligations by ensuring that sensitive information remains confidential.
Our architecture supports GDPR compliance by design. Since we cannot access file contents, personal data shared through SecureSend remains under the data controller's control. Users can delete their data at any time, and expired links are automatically purged from our systems.
We follow industry best practices for secure software development, including regular security audits, dependency updates, and penetration testing. All connections to our service use TLS 1.3 or higher.
We take security seriously and appreciate the work of security researchers in helping us maintain a secure service. If you believe you have discovered a security vulnerability, please report it to us responsibly.
Please send vulnerability reports to security@usesecuresend.com with the following information:
We commit to acknowledging reports within 48 hours and will work with you to understand and address any valid issues. We ask that you provide us a reasonable amount of time to address the issue before making any information public.
If you have any questions about our security practices or would like to discuss our architecture in more detail, please contact us at:
Email: security@usesecuresend.com