How Echoworx Works

Echoworx secures the second half of the conversation—the outbound journey and the reply chain—where sensitive data actually leaves your control. This page goes under the hood: the architecture, the mail flow, the deployment model, and the delivery and authentication options that let your teams modernize secure communication without adding manual drag.

Architecture

Echoworx is built as a policy-driven encryption layer that complements the stack you already run. Your inbound defenses protect the perimeter. Echoworx secures what happens next—the outbound message, the attachments, and every secure reply that follows.

The platform is 100% AWS deployed and recognized as qualified AWS software. That gives architects a clean, cloud-native foundation to review and approve, with no new hardware to manage and no software to patch.

Diagram of how Echoworx works - typical routing flow

Core architectural principles:

  • Policy at the center: A central policy engine evaluates every outbound message against your rules, then selects the right cryptographic path automatically. You define policy once; the platform enforces it consistently across high-volume, high-stakes external interactions.
  • Stack-aware, not stack-replacing: Echoworx integrates with Microsoft 365, Google Workspace, your existing secure email gateways (SEGs), and DLP tooling. Mail routes back through your established systems, so journaling, spam filtering, and inspection keep working exactly as intended.
  • Cloud-native scale: An AWS-native design removes fixed-capacity limits, processing hundreds of millions of secure messages for organizations with hundreds of thousands of users.
  • Visibility built in: API-driven reporting and direct SIEM integration feed delivery states, verification events, and policy triggers into your existing threat intelligence and audit workflows.
  • Automated cryptography: Key and certificate management for S/MIME and PGP is fully automated—generation, renewal, and rollover—so secure communication never stalls on a manual step.

This architecture aligns directly with the modernization programs already underway: cloud migration, hybrid simplification, policy-based email security, and consolidation of external communication controls.

How Delivery Orchestration Works Before Sending

Protection is prepared before a message leaves your enterprise. Echoworx evaluates each outbound message and assembles it for secure delivery in one governed motion.

  • Policy evaluation: The engine assesses sender identity, recipient domain, data classification, and message content against your rules.
  • Method selection: Based on that evaluation and recipient capability, the platform routes the message through the right path—certificate-based encryption, TLS, Web Portal, encrypted PDF, or encrypted attachment.
  • Credential resolution: Required certificates, keys, passwords, or verification steps are retrieved or generated in real time.
  • Branding and assembly: Branded, localized elements are applied so every secure message feels native to your enterprise.
  • Delivery: The message is sent through the selected method without manual steps.

You set the policy once. Echoworx enforces it consistently, message after message, at scale.

Why it matters: Method selection becomes an architectural decision, not a per-user choice. That removes friction, lowers support volume, and keeps your security posture uniform across the business.

Architectural drawing of How Echoworx works

Mail Flow / Topology

Graphic illustration of Echoworx's Mail Flow / Topology

Outbound flow:

  • Send: A user simply writes and sends. No new client behavior is required.
  • Route: Mail flows through your existing infrastructure—Microsoft 365, Google Workspace, or your SEG—then to Echoworx via standard SMTP routing.
  • Policy evaluation: The engine assesses sender identity, recipient domain, data classification, and content against your rules.
  • Method selection: Based on that evaluation and recipient capability, the platform routes the message through the right path—TLS, Web Portal, encrypted document, S/MIME, or PGP.
  • Key and credential resolution: Required certificates, keys, or verification steps are retrieved or generated in real time.
  • Branding and delivery: Branded, localized elements are applied, and the message is delivered through the selected method.
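As an added, constructed Python model of the orchestration steps listed here and under Delivery Orchestration above (not Echoworx code): the policy rules, method names, the Recipient/Message fields and the credential mapping are assumptions, and the model shows how recipient capability and the TLS eligibility check drive the fallback to Web Portal or encrypted document.

```python
# Constructed illustration of policy-driven method selection; not Echoworx code. Rules and field names are assumptions.
from dataclasses import dataclass

SENSITIVE_TERMS = {"ssn", "account number", "diagnosis"}   # assumed DLP keyword set
PARTNER_DOMAINS = {"partner.example"}                       # assumed always-encrypt recipient domains

@dataclass
class Recipient:
    address: str
    has_smime_cert: bool = False   # certificate found, e.g. via LDAP lookup or recipient upload
    has_pgp_key: bool = False
    tls_eligible: bool = False     # recipient domain passed the on-the-fly TLS connection check

@dataclass
class Message:
    sender: str
    recipient: Recipient
    classification: str            # assumed labels: public, internal, confidential, restricted
    keywords: frozenset = frozenset()   # terms flagged by content inspection

def evaluate_policy(msg):
    """Step 1: recipient domain, classification and content against the assumed rules."""
    domain = msg.recipient.address.rsplit("@", 1)[-1].lower()
    if msg.classification in ("confidential", "restricted"):
        return "encrypt"
    if msg.keywords & SENSITIVE_TERMS or domain in PARTNER_DOMAINS:
        return "encrypt"
    return "allow"

def select_method(msg):
    """Step 2: choose the delivery path from the policy outcome plus recipient capability."""
    if evaluate_policy(msg) == "allow":
        return "plain"               # no policy trigger: ordinary delivery
    r = msg.recipient
    if r.has_smime_cert:
        return "smime"
    if r.has_pgp_key:
        return "pgp"
    if msg.classification == "restricted":
        return "encrypted_pdf"       # assumed rule: restricted data stays encrypted in the inbox
    if r.tls_eligible:
        return "tls"
    return "web_portal"              # intelligent fallback: domain ineligible for TLS, no exposure

def orchestrate(msg):
    """Steps 3-5: resolve the credential the path needs and emit an auditable delivery record."""
    method = select_method(msg)
    needs = {"smime": "recipient certificate", "pgp": "recipient public key",
             "encrypted_pdf": "document password", "web_portal": "portal verification step"}
    return {"to": msg.recipient.address, "method": method,
            "credential": needs.get(method, "none"), "event": f"delivery:{method}"}
```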

Inbound and reply flow:

Inbound S/MIME and PGP messages are decrypted using private keys stored securely within the platform, with branded headers and footers applied to decrypted messages. To support this, you configure gateway rules to route encrypted inbound messages to Echoworx. Secure replies stay inside the governed channel, so the full conversation—not just the first message—remains protected and auditable.

The result is a predictable topology: one policy, many paths, consistent control. Method selection becomes an architectural decision, not a per-user guess.

Deployment Options

Echoworx deploys without local software or heavy hardware appliances, so the footprint stays light and the review stays clean. Deployment is designed to slot into transformation already in motion—reducing moving parts, lowering operational risk, and keeping control where it belongs.

Deployment characteristics:

  • Cloud-native footprint: A 100% AWS deployment and qualified AWS software status give architecture and security teams a clear basis for approval.

  • Regional deployment and data residency: The platform is deployed across secure regions in North America and Europe, with infrastructure that helps keep sensitive data within your chosen borders—supporting GDPR, DORA, NIS2, and DACH-region sovereignty expectations.

  • Mail integration: Connect through standard SMTP routing alongside Microsoft 365, Google Workspace, or existing secure email gateways. Inbound decryption uses gateway rules to route encrypted messages to Echoworx.

  • Identity integration: Align with your identity providers through OpenID Connect and SAML, with direct ties to Microsoft Entra ID and Okta for governed administrator and recipient access.

  • Key sovereignty: With Manage Your Own Key (MYOK), you retain ownership of your encryption keys, backed by FIPS 140-3 validated AWS KMS hardware. You create, rotate, and automate keys under your own governance.

  • Centralized administration: Manage certificates, keys, delivery rules, and policy from one console that integrates with your identity providers and aligns to enterprise policy with less effort.

Common Infrastructure

  • Fully branded (logo, URL, OAuth)
  • Logical segmentation
  • Immediate deployment (days)
  • Fully managed

Diagram of the Echoworx Dedicated Instance deployment option

Partners

  • Separate DB table space & application dedicated to client
  • Fully managed, with client input on patches and updates
  • Moderate deployment timeline (weeks)
  • Admin API access can be supported

Diagram of Echoworx's Deployment Options: Dedicated AWS Tenant

Large Enterprise

  • Separate AWS tenant with separate infrastructure
  • Dedicated DB Instance and table space
  • Fully managed, with client input on patches and updates
  • Longer deployment timeline (4+ weeks) depending on resourcing
  • Admin API access can be supported

Delivery and Authentication Options

One policy governs every path. Echoworx selects the delivery method that matches the recipient’s context, then verifies access with the right factor—without sacrificing control or recipient experience.

Graphic illustrating Echoworx's encryption delivery options

  • Delivery methods:

    • TLS with intelligent fallback: Connection validity is verified on the fly. If a domain is ineligible, the platform pivots automatically to the Web Portal or an encrypted document, so delivery never fails and data is never exposed.
    • Secure Web Portal: A controlled, trackable environment for recipients without certificate infrastructure, with branded, localized access and at-rest encryption.
    • Encrypted documents: End-to-end protection for the full message or specific attachments using Secure PDF, Office, and ZIP technologies, delivered straight to the inbox with offline access.
    • Certificate encryption (S/MIME and PGP): For regulated, structured exchanges, with automated key handling, LDAP certificate retrieval, recipient uploads, and integration with DigiCert, SwissSign, and your internal AWS Private CA.
  • Authentication options:

    Access scales to message risk, drawing on the identity model you already run.

    • Federated identity: OpenID Connect and OAuth let recipients reuse trusted credentials from major providers.
    • Enterprise SSO: SSO web services support governed auto-login through your existing portal, with Microsoft Entra ID and Okta integration.
    • Passkeys: Biometric and PIN-based passkeys remove shared secrets entirely for supported recipients.
    • Text Message and Phone Verification: A one-time code is delivered to the recipient’s mobile device for quick, secure step-up authentication.
    • Voice Call Verification for 2-Step Verification: When a recipient lives in a rural area, has accessibility needs, or simply cannot receive a text message, Echoworx delivers the verification step through a voice call. This inclusive fallback restores access when text messaging is unavailable, reducing authentication delays and recipient complaints.

    Every method shares the same foundation: consistent policy enforcement, recipient-friendly access, and enterprise-grade governance—across 28 languages and any device.

Modernize Secure Communication with the Same Discipline

Do not let secure external communication trail the infrastructure it protects. As you migrate to the cloud, simplify hybrid architecture, and consolidate external communication controls, bring encryption, policy, identity, and delivery into one governed model. Echoworx gives your architects a cloud-native layer built to keep pace with your modernization strategy.
