Web Portal | Your Secure Digital Mailroom
When sensitive information needs a controlled, trackable home, the Secure Web Portal delivers it without the password fatigue that frustrates recipients and floods IT with reset tickets.
- Familiar credentials, fewer barriers: Federated sign-in with OpenID Connect and OAuth support across Microsoft 365, Gmail, and more lets recipients sign in with credentials they already trust. No new passwords to manage.
- Seamless, governed access: SSO web services integrate the portal into your existing business experience for auto-login.
- No-authentication mode: For low-risk communications, no-authentication mode provides direct link access while still tracking activity.
- Modern verification, the inclusive way: Senders can apply sender-set passwords or phone verification. Voice Call Verification for 2-Step Verification gives recipients in rural areas, those with accessibility needs, or anyone who cannot receive a text message a reliable alternative. It provides an inclusive fallback when text messaging is unavailable, enabling access while reducing authentication delays and recipient complaints.
- Passwordless and future-ready: Passkeys with biometric authentication deliver convenience and security in a single step.
- At-rest protection: Messages are stored encrypted at rest in the Echoworx cloud, with standard retention periods of 30, 60, or 90 days and longer terms available on request.
- Built-in oversight: Secure reply, read receipts, and full message audit and recall give senders and administrators lasting visibility and control.
Full Message Encryption | Lock Down the Whole Message
When the entire message—body and attachments—must be protected, full message encryption secures it end to end and delivers it straight to the inbox.
- Trusted formats: Robust encryption for PDF, Office 365, and ZIP files keeps protection consistent across the documents your teams send every day.
- Less friction for recipients: Self-registration lets recipients set a password with a single prompt. Sender-set passwords enable access with a shared passphrase, bypassing registration entirely. Verification code access opens protected messages with a one-time code—no registration, no delays.
- Productivity without exposure: Recipients access encrypted messages and documents offline, so work continues while data stays secure at rest.
Encrypted Attachments | Protect Exactly What Matters
Sometimes the message is routine but the attachment is sensitive. Echoworx encrypts only the attachment and leaves the body in clear text, focusing protection precisely where it belongs.
- Efficient by design: Ideal for automated, high-volume workflows like bulk electronic statements, where security and efficiency must coexist.
- Workflow integrity preserved: PDF, Microsoft Office, and ZIP files are encrypted natively and retain their original names and properties, preserving compatibility with existing document management systems. Other file types are bundled into an encrypted PDF or ZIP.
- Inline viewing: Encrypted PDFs and Office documents open directly within Outlook for Web and Gmail.
- Direct and fast: Attachments arrive in the inbox, ready for offline access. Self-registration or sender-set passphrases let recipients unlock attachments without unnecessary steps. With verification code access, recipients unlock them instantly using a one-time code shared by the sender.
- Branded delivery: Headers and footers can carry a password management link or a passphrase hint.
TLS with Intelligent Fallback | The Automated Security Net
For business-to-business communication, TLS is the workhorse of in-transit encryption. But when a partner domain is not TLS-enabled, most systems fail—sending in the clear or blocking the message entirely. That is a risk no enterprise can afford.
- On-the-fly validation: Echoworx verifies the validity of a TLS connection at send time.
- Allow list and block list: Configure an allow list to send only to defined TLS domains, or a block list to exclude specific TLS domains from this path.
- Delivery that never fails: If TLS is unavailable, the platform automatically pivots to a secure alternative like the Web Portal or encrypted PDF. Data is never exposed.
- Effortless compliance: This seamless fallback enforces your security policy without manual intervention, supporting resilient controls expected under frameworks like DORA and NIS2.
- Invisible to users: Senders simply send. Recipients change nothing. Protection happens behind the scenes.
Certificate Encryption | PGP and S/MIME, Modernized for the Cloud
Managing keys has long meant conflicting versions, outdated directories, and operational bottlenecks. Echoworx moves certificate management to the cloud and resolves these legacy problems for good.
- Automated key handling: The system retrieves recipient certificates through LDAP lookups, generates sender keys on the fly when needed, and lets recipients upload their own X.509 certificates or PGP public keys. Recipients can also generate a self-signed S/MIME certificate directly through the portal.
- Trusted roots, ready on demand: API integration with AWS, DigiCert and SwissSign enables real-time retrieval and generation of trusted S/MIME credentials whenever a key is required.
- Inbound and outbound covered: Inbound S/MIME and PGP messages are decrypted using private keys stored securely within the platform, with branded headers and footers applied to decrypted messages.
- A clean migration path: Import existing employee certificates and keypairs to migrate your full operation to the cloud, consolidating all certificate-based email activity under one secure communication platform.