Featured·Buyer's guide
Dropbox vs Google Drive vs CIPH4 for compliance teams
Your team uses Dropbox or Google Drive. Here's where each fits — and what 'encrypted at rest' actually means when the vendor holds the keys.
May 22, 2026
11 min read
Field notes
Notes from teams who send things that matter.
Plain-English writing on how sales, HR, compliance, legal, and incident-response teams actually move sensitive payloads — written by us, posted when we have something specific to say.
Read post
Archive
19 earlier posts
- Buyer's guideMay 19, 2026·8 min
Track which bidder viewed which document — without buying Intralinks
Per-bidder document tracking without the VDR price tag — how per-recipient receipts and per-share timelines replace Intralinks-style analytics on sub-$100M deals.
- Field guideMay 15, 2026·8 min
Share PHI with a third-party HIPAA consultant when there's no portal
Your BAA says "returned or destroyed." SFTP and encrypted email don't ship the destruction artifact. Here's the workflow that closes the clause cleanly.
- DevOpsMay 11, 2026·8 min
Send your SOC 2 evidence pack to an auditor who won't accept email
Drata and Vanta collect your SOC 2 evidence beautifully. Then comes the handoff to an auditor who won't accept email. Here's the missing step.
- WorkflowsMay 8, 2026·8 min
Deliver a layoff packet without an email trail counsel can subpoena
How HR teams deliver separation packets to remote employees with proof of receipt — and without leaving an email exhibit your opposing counsel can subpoena.
- ComplianceMay 4, 2026·8 min
If your vendor goes out of business, can the auditor still verify your receipts?
Vendor lock is a real audit objection. Receipts signed with a public key you keep on file stay verifiable forever — even if the vendor is gone.
- WorkflowsMay 1, 2026·8 min
Securely deliver a Day-1 credential bundle to a new hire
A new hire needs email, VPN, password manager, and Slack on Day 1 — before they have any of them. Here's the identity-bound credential handoff that holds up under audit.
- Field guideApr 27, 2026·8 min
Can my recipient prove the file they got hasn't been tampered with?
Sender-side tamper evidence is easy. Letting your recipient prove the file they got matches the file you sent is the cryptographic claim most tools can't make.
- Buyer's guideApr 23, 2026·8 min
CMMC file sharing for small DoD subcontractors
Kiteworks and PreVeil are priced for primes. Here's an honest control-by-control read of where a $49/seat tool fits CMMC Level 2 and where it doesn't.
- Buyer's guideApr 20, 2026·9 min
What a file-request link is and when to use one instead of email
Dropbox file requests are drop-folders. For KYC, source-of-funds, and client tax docs, you need per-uploader audit rows and a signed receipt on delivery.
- EngineeringApr 16, 2026·8 min
What a hash-chained audit log is and why auditors trust it more
Regular logs can be edited. A hash-chained audit log can't — and a one-paragraph explanation is usually enough to satisfy a sharp auditor.
- WorkflowsApr 13, 2026·8 min
Send a contract to opposing counsel without waiving privilege
ABA 477R requires reasonable safeguards when sending privileged documents. Chain of custody, identity-bound delivery, and signed disposal records — what survives.
- Field guideApr 9, 2026·9 min
Sharing rotated credentials during a ransomware incident
Slack is compromised. Email may be compromised. The IdP is suspect. Here's the out-of-band credential-handoff channel your IR playbook is probably missing.
- ComplianceApr 6, 2026·9 min
How to deliver a DSAR response file without email attachments
Your DSAR-intake tool stops at the request. Here's the downstream workflow for delivering, proving receipt, and proving destruction under GDPR Article 12.
- WorkflowsApr 2, 2026·8 min
How to send wire instructions to a client without enabling BEC fraud
"Verify by phone" stopped working around 2019. Here's a tool-based control for sending wire instructions that fits inside the closing workflow your team already runs.
- WorkflowsMar 30, 2026·7 min
How small M&A boutiques share due-diligence files without a VDR
Sub-$50M M&A deals don't justify a $25K data room. Here's the per-bidder share-link workflow that ships clean IOI packets and post-close evidence.
- ComplianceMar 27, 2026·9 min
What a HIPAA-compliant file-sharing audit trail actually contains
If HHS's 2025 HIPAA Security Rule NPRM is finalized as drafted, audit logging for ePHI access becomes mandatory. Here's the field-by-field checklist mapped to §164.312(b).
- DevOpsMar 23, 2026·7 min
How to send a contractor an API key without leaving it in Slack
The contractor-onboarding credential handoff that survives a stolen laptop, defeats Slack retention, and produces a SOC 2 evidence row by default.
- EngineeringMar 20, 2026·9 min
Client-side vs server-side encryption for one-time secret links
If the vendor can read your secret link before delivery, it can be subpoenaed, breached, or insider-leaked. Here's the threat-model split your review needs.
- ComplianceMar 16, 2026·8 min
How to prove to your auditor that a file was actually deleted
Auditors want a signed, verifiable deletion artifact — not your word that the file is gone. Here's what closes the loop without a vendor support ticket.
Ready to see it?
20 free links a month, no credit card. When you need single sign-on, compliance templates, or signed deletion receipts your auditor can verify — we'll talk.