Encrypted link sharing for legal, finance, HR, and security

Encrypt, share, and verify
with CIPH4

Name: CIPH4
Brand: CIPH4

Stop sending sensitive files through email, Slack, and shared drives that never forget. CIPH4 encrypts in the browser, deletes on the schedule you set, and hands you a signed receipt the moment the file is gone.

Start sharing for free

End-to-end encrypted. Tamper-evident receipts you can verify yourself.

ciph4.com/dashboard

Dashboard

Real-time view of your shares

Live7d ▾

Active

147

Views 7d

Open req

Burned

Failed

Expiring

Recent shares

4 of 24

Recipient

Status

Size

CIPH4-Q3-SOC2-evidence.pdf

Sealed 2h ago · 6d 18h left

auditor@example.com

ACTIVE

2.3 MB

wire-details-q3.pdf

1 view remaining · 2h left

cfo@example.com

1 VIEW

118 KB

nda-mutual-q2.pdf

Burned · deletion receipt issued

legal@example.com

BURNED

84 KB

compensation-Q3-letters.zip

Viewed once · 5d 2h left

hr@example.org

VIEWED

1.2 MB

Receipts auto-issue on burn · Verifiable on ciph4.com/verify

OUTCOMES

Outcomes that matter.

Every tile maps to shipped code. No invented metrics.

Eliminate plaintext exposure

Files and secrets are encrypted in the sender's browser before they leave it. Our servers store ciphertext only — there is no master key to leak.

Replace email attachments

Send links that expire on time, views, or downloads. Recipients open without signing up. Senders watch every access in real time.

Prove deletion, don't promise it

Every Enterprise drop produces an Ed25519-signed deletion receipt, verifiable anytime on our public /verify page. Compliance gets evidence, not assurances.

Tamper-evident audit trail

Every action is hash-chained with SHA-256 and re-verified continuously. Editing the past breaks the chain — and you'll know.

Govern without slowing teams down

Org-level policies set expiry caps, recipient identity, IP rules, and MFA enforcement. Users get a simple compose box; admins get full controls.

Run your compliance program in one place

Readiness templates for SOC 2, HIPAA, GDPR, ISO 27001, NIST 800-53, FedRAMP, and CMMC — control catalogs your team populates with policies, vendors, risks, and evidence, all linked to the audit chain.

HOW IT WORKS

Four moves. Provable at every step.

CIPH4 isn't a vault you have to log in to. It's a thin layer between you, your recipient, and the cryptographic evidence your auditor wants to see.

Drop in

Files and text are encrypted in your browser before they ever leave the tab. The encryption key never reaches CIPH4 — there is no master key and no backdoor to fall back on.

Set the terms

Choose recipients, expiry, view caps, download caps, and watermarks. The share burns when any condition is hit — first read, view limit, download limit, or expiration time.

Share the link

The decryption key lives inside the link itself, in a part of the URL that browsers never send to servers. Recipients open the link, optionally re-verify their identity, and read.

Prove it's gone

On burn, expiry, or revocation, CIPH4 issues a signed deletion receipt. Drop it on the verifier and your auditor sees green.

COMPARE

Why teams switch from email and vaults.

If you've ever sent a sensitive PDF as an email attachment, this is the upgrade. If you've ever provisioned a data room for one wire instruction, this is the downgrade in cost, not control.

✓ Yes· ✗ No· ~ Partial (available via add-on, optional config, or limited shape).

Feature comparison: CIPH4 vs email + PDF, file-sharing SaaS, and data-room vault.
Feature	CIPH4	Email + PDF	File-sharing SaaS	Data-room vault
Encrypted in your browserA server-side breach yields ciphertext only — your data never reaches us in readable form.	Yes	No	Partial	Partial
Decryption key never on serverNo master key for us to leak, subpoena, or accidentally log.	Yes	No	No	No
Signed deletion receipts (Enterprise)Your auditor gets a portable proof of destruction, verifiable on our public /verify page.	Yes	No	No	Partial
Burn-on-readThe file is gone before it can be forwarded, screenshot-shared, or quietly archived.	Yes	No	Partial	No
Public deletion-receipt verifierDrop any Ed25519-signed receipt into our public /verify page to confirm the signature — no account required.	Yes	No	No	No
Per-recipient watermark (Enterprise)Every recipient sees a unique mark on the document — if it ever surfaces somewhere it shouldn't, you know exactly who leaked it.	Yes	No	Partial	Partial
Bring-your-own KMS (Enterprise)Your KMS wraps the encryption key. We can't unwrap without your permission — revocation and residency stay with you.	Yes	No	Partial	Partial
Setup timeFrom signup to first encrypted share. No procurement cycle, no implementation sprint, no governance gap while you wait.	5 min	instant (but unsafe)	1–2 days	weeks

BUILT FOR

Built for the teams who have to prove it.

Six teams, one defensible artifact. Each page below shows how the encryption + receipts model lands against the proof that team's auditor, regulator, or opposing counsel actually asks for.

INDUSTRIES

Mapped to your regulator's audit shape.

Same product, different regulator. Each industry page maps the encryption + receipts model to the specific frameworks, control IDs, and disposition evidence your auditor cites — not just to a generic compliance posture.

Legal services

Privileged transfer that doesn't show up in discovery. Opposing counsel verifies the destruction receipt offline; bar inquiries see a clean chain of custody.

Financial services

KYC packets, term sheets, and regulator filings that satisfy FINRA recordkeeping without leaving NPI in a mailbox for the next six years.

Healthcare

PHI movement that produces HIPAA-aligned disposition evidence on every transfer — care-team to vendor, provider to payer, clinician to patient. Templates help your compliance team turn the trail into BAA-ready artifacts.

Government contractors

CUI exchange that maps to NIST 800-171 access-log controls — the audit-log shape your SSP actually wants, the disposition artifact a CMMC assessor accepts.

M&A advisory

Deal rooms that scale with the deal, not the seat. Signed per-bidder destruction artifacts at close; closing legal attaches them to the binder.

PRICING

Simple, transparent pricing.

Start free. Upgrade when you need team features.

Free

Free forever

20 secure links a month
Files up to 10 MB
1 GB total storage
Links expire in 1h or 24h
Passphrase protection
See who opened, in real time
Email notifications
AI summaries on every share

Teams

$49

/seat/month

Everything in Free, plus:

250 secure links a month
Files up to 100 MB
50 GB per user
Collect files from outside people
Build custom workflows with our REST API
Export everything to CSV
Links expire up to 7 days
Departments and shared workspaces
AI dashboard insights

Enterprise

Custom

Tailored per contract

Everything in Teams, plus:

Unlimited secure links
Files up to 1 GB
500 GB per user
Sign in with your identity provider
Auto-provision users from your IdP
Compliance program templates (7 frameworks)
Built-in threat detection
Manage encryption keys in your own KMS
Signed deletion receipts your auditor can verify
Custom branding and outbound email
Webhooks (Slack, ticketing, SIEM)

See full feature comparison

All prices per seat, billed monthly. No annual commitment required. Need a custom plan?

FAQ

Questions auditors always ask.

The seven questions a security buyer brings to every demo, answered without the marketing varnish.

CIPH4 stores ciphertext; the decryption key is encoded into the URL fragment (the part after #), which browsers never send to a server. Your recipient receives a complete link; we receive a server hit with no key in it. If you lose the link, we cannot recover the file — that's the point.
A JSON document with the share ID, event type (burn / expire / revoke), UTC timestamp, a SHA-256 of the destroyed ciphertext, and an anchor into the tamper-evident audit log — all signed by an Ed25519 key whose public half lives at a fixed .well-known URL. The reference verifier checks the signature offline, so your auditor doesn't need an account.
By clicking the link. For sensitive sends you can require a second factor — a magic link to the recipient's verified email (Teams and Enterprise) or recipient SSO (Enterprise) — before the ciphertext is fetched. The key still rides in the URL fragment and is never sent to us.
Yes, on Enterprise. You bring your KMS — AWS KMS, Azure Key Vault, or GCP KMS — and we wrap each share's data key with yours. CIPH4 can't unwrap without your KMS permission. Storage stays on CIPH4-managed Azure Blob; what's portable is the key custody and the audit story.
Expiry deletes the ciphertext at a wall-clock time you set. Burn-on-read deletes it as soon as the recipient successfully decrypts it once. You can combine them with a download cap too — e.g. expires in 7 days, after 1 view, OR after 3 downloads, whichever fires first — and CIPH4 issues a signed receipt for the trigger that fired.
Yes, instantly. Open the share from your dashboard and click Revoke — the ciphertext is zeroed within seconds, the link stops working, and CIPH4 issues a signed revocation receipt for your audit log. Works whether the recipient has opened it yet or not. If they reopen the link after a revoke, they see a clean "this share is no longer available" page.
Every view fires a real-time event on the share's timeline — when it opened, from what IP, on what device, and (if you required identity verification) which recipient. You can also subscribe to webhooks (view.opened, view.failed, burn.committed) to forward into Slack, a ticketing tool, or your SIEM. The whole trail is hash-chained, so it stays tamper-evident.

Stop sending PDFs you can't prove you deleted.

20 free links a month, no credit card. Set up in five minutes — no procurement cycle. Hand your auditor a verifier link they can check offline, not a Slack screenshot.

Start sharing for free Talk to sales

Encrypt, share, and verify with CIPH4