Deliver a layoff packet without an email trail counsel can subpoena
How HR teams deliver separation packets to remote employees with proof of receipt — and without leaving an email exhibit your opposing counsel can subpoena.
Picture this Friday afternoon: you're closing out a reduction-in-force, twenty separation packets are sitting in your Outlook drafts folder, and somewhere on the other side of the building your General Counsel is asking — for the third time — whether the severance terms and the FMLA acknowledgment "really need" to go out as PDF attachments to personal email addresses. You know the answer she wants. You also know what your mail-archive retention policy actually does to those messages.
This post is about the gap between those two things, and how to close it without rebuilding your HRIS or asking the affected employee to install anything.
The discovery problem nobody warned you about
Most HR teams treat email as the delivery layer for separation paperwork because it's what's there. The packet gets generated in Workday or BambooHR or a homegrown template, exported to PDF, and attached to a message that goes to the employee's personal Gmail. The packet contains a separation agreement, a release of claims, a severance schedule, sometimes a non-compete addendum, sometimes a list of return-of-property items, and a deadline.
That message — and every attachment on it — is now in three places minimum: your Exchange or Microsoft 365 store, the employee's inbox, and whatever backup tier Microsoft retains beyond your active mailbox. Your retention policy might say emails older than 90 days are purged. Your discovery counsel will tell you that policy is irrelevant the moment a litigation hold is issued, which on a meaningful RIF happens before the layoff is even announced.
The exhibit your opposing counsel walks into deposition with isn't the separation agreement itself. It's the email carrying the separation agreement, with its full metadata, its delivery timestamp, the cc list, and the body text where one of your managers said something casual that you wish they hadn't. It's also the Word track-changes version of the agreement that an analyst on your team forwarded to a colleague for review, and the "is this number final?" exchange with finance.
"We didn't lose the case on the terms. We lost it on what was in the email thread carrying the terms." — the kind of thing GCs tell us, every quarter, in onboarding calls
The point of a separation packet delivery system isn't to make the packet itself disappear. It's to make sure the packet is the only thing that exists, and that proof-of-delivery doesn't depend on a 14-month-old email server log that may or may not survive a migration.
What "delivery without retention" actually means
When we talk to HR leaders about this, the request resolves to four specific things:
- The employee can open the packet, on the device they have, without creating an account or downloading software.
- There is a record that proves they opened it — admissible, timestamped, not depending on the employee's email provider.
- The file itself stops existing somewhere defensible: after they download it, after a deadline passes, or after a fixed number of views.
- Nothing in HR's own systems — not the mail server, not the file share, not the Slack channel where the analyst asked finance about the number — carries a durable copy of the packet that has to be produced under e-discovery.
That fourth item is where most "secure file transfer" products fail. ShareFile, Box, even Tresorit — they all retain the file by default. Retention is the point of those platforms; they're built for collaboration, not for delivery. A secure-share link from Box still leaves the file in Box. Your legal hold still attaches to it.
A self-destructing link with zero-knowledge encryption breaks that pattern. The packet exists ciphertext-only on our servers, encrypted in the sender's browser before it ever leaves their machine, and the key to decrypt it lives in the URL fragment — the part after the # in the link — which never reaches us. When the link burns, the bytes are physically deleted from storage. There is no archived copy. There is nothing to subpoena, because there is nothing in our possession to hand over.
That's the architectural posture we explain in detail on the security page, and it's the same posture our HR-team workflow guide is built around.
The actual delivery flow
Here's how a clean separation delivery looks end-to-end. None of this requires the affected employee to install anything, sign up, or have an account on our platform.
The HR business partner drops the packet PDF — separation agreement, release, severance schedule, benefits continuation notice, return-of-property checklist, sometimes a personalized cover letter — into a single multi-file drop. Multi-file means the recipient gets one link, not five, and they download the whole bundle in one action.
The HR business partner sets four conditions:
- Time expiry: 72 hours. Standard RIF practice gives the employee 21 or 45 days to consider, but the acknowledgment link only needs to survive long enough for them to download and save locally. The deadline on the agreement itself is in the agreement.
- Download cap: 2. One real download, one buffer for the "I lost it, can you resend?" call. Cap-hit burns the link.
- Recipient identity binding: the link works only for the email address the packet was addressed to. We verify with a magic-link confirmation, not a password.
- Passphrase (optional, situational): for executive separations or any packet where the personal email channel itself is a concern, a separately-communicated passphrase — usually delivered by phone or text — gates the decryption.
The employee gets a notification email saying their packet is ready, with a link to a CIPH4 page. They click. They confirm their email. They see a clean page with a "Download" button and one line of progress text. They click Download. The browser decrypts the bundle locally and saves it. The link burns. The encrypted bytes are deleted from our storage on a 5-minute defense-in-depth delay.
The HR business partner gets back a few specific things they can hand to legal:
- A timestamp for when the link was issued.
- A timestamp for when the recipient verified their email identity.
- A timestamp for when the file was downloaded.
- A timestamp for when the link was burned, and the reason it burned (cap-hit, time-expiry, or revoke).
- On Enterprise plans, a signed Proof-of-Deletion Receipt — a cryptographic artifact, anchored to a tamper-evident audit chain, that an outside party can verify without trusting CIPH4 or the HR team.
That last piece is what makes this defensible in a hearing. The receipt is signed with a dedicated Ed25519 key, and our public verification page lets anyone — your opposing counsel, an arbitrator, an OFCCP investigator — paste the receipt in and confirm it's authentic. No special software, no account, no negotiation about access.
The audit trail your counsel actually wants
When employment counsel asks "do you have proof of delivery?" they don't want a screenshot. They want a continuous, tamper-evident record that survives the witness who built the record leaving the company.
Every state-changing event on a CIPH4 drop — created, viewed, downloaded, burned, revoked, modified (with categorical metadata describing what changed — expiry, view caps, recipient list) — is written to a hash-chained audit log. Each row's integrity hash incorporates the previous row's hash, so if anyone goes back and edits, deletes, or reorders entries, the chain breaks visibly. The verification endpoint will report the gap, and the row number where it occurred.
This matters more than it sounds like it does. Most HRIS audit trails are advisory — they're a feature of the database, and the database administrator can quietly edit them. A hash-chained log can't be quietly edited. It can be deleted entirely, but it can't be modified to say something different from what it originally said. The signed Proof-of-Deletion Receipt (Enterprise) issued at burn time anchors to the specific chain position the destruction event landed at; your counsel takes that receipt to our public verifier page and confirms in front of a judge that the receipt is authentic and the chain anchor still resolves — proving the row showing "Jane Doe downloaded the packet at 14:32:07 UTC on Tuesday" is mathematically the row that was written then. (Full-chain export for an open subpoena is a customer-side CSV export, not the public verifier surface.)
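The chaining described above, as an added example that is not CIPH4's code: it assumes SHA-256 over the previous row's hash plus the row's canonical JSON, and the row fields, the `GENESIS` value and all function names are hypothetical. It reports the first row where an edit, deletion or reorder breaks the chain, and checks a receipt-style anchor (row position plus hash) against the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first row (not from the page)


def row_hash(prev_hash, event):
    """SHA-256 over the previous row's hash plus this row's canonical JSON."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def build_chain(events):
    """Append events in order, storing each row's prev_hash and hash."""
    rows, prev = [], GENESIS
    for event in events:
        h = row_hash(prev, event)
        rows.append({"event": event, "prev_hash": prev, "hash": h})
        prev = h
    return rows


def verify_chain(rows):
    """Return the index of the first row that breaks the chain, or None."""
    prev = GENESIS
    for i, row in enumerate(rows):
        if row["prev_hash"] != prev or row_hash(prev, row["event"]) != row["hash"]:
            return i
        prev = row["hash"]
    return None


def anchor_resolves(rows, position, anchored_hash):
    """Check that an anchor held outside the log still matches that row."""
    return position < len(rows) and rows[position]["hash"] == anchored_hash


# Constructed sample events, not real audit-log rows.
EVENTS = [
    {"seq": 0, "type": "created", "at": "2026-01-06T14:00:00Z"},
    {"seq": 1, "type": "viewed", "at": "2026-01-06T14:31:40Z"},
    {"seq": 2, "type": "downloaded", "at": "2026-01-06T14:32:07Z"},
    {"seq": 3, "type": "burned", "at": "2026-01-06T14:32:08Z", "reason": "cap-hit"},
]
```

A log that is truncated, or rebuilt from an edited row onward, passes `verify_chain` on its own; the anchored hash held outside the log is what exposes either case, which is why the export and the receipt should be archived separately from the system that writes the log.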
Practical takeaway: when you set up the workflow, decide who owns the audit-export step. We've seen the best results when the HR business partner sends the packet, but the COMPLIANCE_AUDITOR role on their org account — usually a paralegal or employee-relations specialist — pulls and archives the audit log monthly as part of routine recordkeeping. That way the export exists before any litigation hold is even contemplated, which is the posture that actually holds up.
The packet contents tradeoff
A question we get a lot: "should the separation agreement itself go through CIPH4, or just the supporting documents?"
The honest answer depends on whether your separation process requires a counter-signed document. If you're using DocuSign or Adobe Sign for the executed agreement, route the unsigned-for-review copy through CIPH4 and let DocuSign handle the signature path. The CIPH4 link gets used for the review window, then burns; the executed PDF lives in DocuSign with its own retention policy, which your counsel has presumably already vetted.
If your process is "PDF goes out, employee prints and signs, employee scans back," then the entire packet — outbound and inbound — fits cleanly in our model. The outbound packet goes through a self-destructing drop. The inbound signed copy comes back through a file request — same architecture, reverse direction, encrypted-by-the-employee-in-their-browser, fulfilled to the HR business partner.
The thing to avoid is the hybrid where the summary cover letter goes through email and the binding agreement goes through CIPH4. That defeats the purpose. The cover letter is the document with the casual language counsel doesn't want under subpoena. The agreement is the boilerplate you've already cleared.
Practical takeaway: if it's worth encrypting, it's worth encrypting the entire bundle, including the cover letter.
What this looks like operationally
For an HR team running a RIF with 40 affected employees, the flow we see work is:
- HR ops generates packets in a batch from the HRIS export.
- Each packet is dropped into CIPH4 as a multi-file drop, addressed to the affected employee's confirmed personal email.
- Notification emails go out from CIPH4's domain, not from a manager's personal inbox.
- A dashboard tracks who opened, who downloaded, who hasn't engaged 48 hours in.
- Non-engagers get a phone call from their manager, not a follow-up email. The phone call doesn't create discoverable email artifacts; it does create an entry in the HRIS contact log, which already exists in the discoverable record.
- At the end of the consideration period, the COMPLIANCE_AUDITOR role pulls a CSV export of the audit log for the entire batch and files it with the matter records.
A 40-person RIF runs cleanly through this workflow with one HR ops person at the helm — exact wall-clock depends on packet size and how many follow-up phone calls non-engagers need, but the per-packet drop creation itself is a couple of minutes once the template is in place. The audit export is its own short step at the end. The same architecture applies to incident-response paperwork workflows — different document type, same delivery + audit shape.
What to do next
If your separation packets are currently going out as Outlook attachments, the move is to pilot the workflow above on the next individual termination — not the next batch — and run the audit export through your employment counsel to confirm it satisfies their evidentiary preferences before standardizing it. Start on Teams; the multi-file drop, the modify-after-send for "I had the wrong severance number" corrections, and the file-request inbound channel for signed-back copies are the load-bearing features, and they're all there.
If you'd rather walk through a real packet flow with us before piloting, the HR workflow page has a sandbox and a contact form, and our team will sit on a 30-minute call with your HR business partner and your General Counsel together — which, in our experience, is the conversation that actually moves the decision.