FAQ
Everything you wanted to know.
Encryption, security, enterprise features, billing — all in one place. Can't find what you're looking for? Contact our team.
Getting started
The basics of CIPH4 and how to get started sharing secrets securely.
CIPH4 lets you share secrets through encrypted, self-destructing links. Files encrypt in your browser before they leave it, so our servers store ciphertext only — even we can't read what you send.
Sign up, click + New on your dashboard, paste a secret or upload a file, set your expiry conditions (a time window, a view count, a download cap, or any combination — first to hit destroys the link), click Create. Share the resulting link with your recipient: the decryption key travels in the URL fragment, so any channel works.
Yes — Free covers 20 encrypted links a month. Teams ($49/seat) adds team capacity, the API, and 7-day expiry. Enterprise pricing is tailored per contract — contact sales for SSO, SCIM, the compliance suite, BYOK, and signed deletion receipts. Full comparison on /pricing.
Strong encryption running entirely in your browser (AES-256-GCM). We generate a fresh per-share key locally, encrypt your data, and send only the ciphertext to our server. The key lives in the URL fragment (after the #) — which the HTTP spec says browsers never send to servers. So we receive ciphertext we can't decrypt; the recipient's browser pulls the key from the URL and decrypts locally.
A free account gives you 20 secure links per month with dashboard access: notifications, drop management, and per-drop audit timeline. No credit card required. Paid plans unlock the REST API, higher limits, team features, the compliance suite, and signed deletion receipts.
Yes — in real time. Your dashboard streams access events as they happen with timestamp, IP, rough geo, and device fingerprint. Email notifications and cryptographically signed webhooks (Enterprise) are also available. Recipients see no read-receipt UI — visibility is sender-only by design.
We can't recover it — that's the design, not a limitation. The decryption key lives only in the link you shared; CIPH4 never sees it. If you lose the link before the recipient opens it, you'll need to create a fresh drop and resend. If you lose it after they've opened it, the file is already burned and gone. The dashboard always shows the share's status, so check there first — most "lost" links turn out to be in a sent Slack message or email thread.
Security
How CIPH4 protects your data with zero-knowledge encryption.
Yes for shared secrets. The decryption key lives in the URL fragment (the part after the #), which the HTTP specification says browsers never send to servers. Our servers see only encrypted blobs we can't read. A full database compromise would yield nothing useful. File Requests work a little differently: the file is encrypted client-side, and the key is wrapped with your organization's key so only your organization can unwrap it. We always store operational metadata (file names, recipient emails, IPs, timestamps) for audit and security monitoring; we never store the encrypted content beyond the share's lifetime.
No — architecturally, not by policy. The key exists only in the URL fragment you share and in the sender + recipient browser memory. No URL-fragment logging, no backdoor, no master key.
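The key-in-fragment flow described above and under Getting started (per-share key generated locally, only ciphertext uploaded, key read back from the URL fragment), as an added example that is not CIPH4's code. The share.example host, the /s/<id> link layout, the hex key encoding and the IV-prefixed blob are assumptions.

```javascript
// Added example: key-in-fragment sharing with AES-256-GCM over the Web Crypto API.
// The share.example host, /s/<id> path and all function names are assumptions.
const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Browsers expose globalThis.crypto; older Node versions need the module import.
async function webCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Sender: fresh per-share key, random 96-bit IV, upload is IV || ciphertext+tag.
async function createShare(plaintext, shareId) {
  const wc = await webCrypto();
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const data = new TextEncoder().encode(plaintext);
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, data));
  const blob = new Uint8Array(iv.length + ct.length);
  blob.set(iv, 0);
  blob.set(ct, iv.length);
  const rawKey = new Uint8Array(await wc.subtle.exportKey('raw', key));
  return { blob, link: `https://share.example/s/${shareId}#${toHex(rawKey)}` };
}

// What an HTTP client puts on the wire for this link: path and query, no fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: read the key from the fragment, then decrypt and authenticate locally.
async function openShare(link, blob) {
  const wc = await webCrypto();
  const rawKey = fromHex(new URL(link).hash.slice(1));
  const key = await wc.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  const iv = blob.slice(0, 12);
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, blob.slice(12));
  return new TextDecoder().decode(pt);
}

// Round trip plus a tamper check: one flipped ciphertext bit must fail the GCM tag.
async function demo() {
  const { blob, link } = await createShare('db-password: constructed-sample', 'abc123');
  const tampered = blob.slice();
  tampered[20] ^= 0x01;
  const tamperRejected = await openShare(link, tampered).then(() => false, () => true);
  return { text: await openShare(link, blob), target: requestTarget(link), tamperRejected };
}
```

The fragment stays out of the request, but it is still present in browser history and in any channel the full link is pasted into, so the link itself has to be treated as the secret.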
Enterprise feature that controls how your file-request keypair is wrapped. CIPH4-managed (default, server-side key) or Cloud KMS (AWS KMS, Azure Key Vault, GCP KMS — we can't unwrap without your KMS permission). Note: shared secrets (drops) are always encrypted client-side regardless of mode; BYOK only affects file-request key wrapping.
Enterprise feature for post-delivery controls. Options: a confidential watermark overlay, disable printing, disable download (view-only in browser), and revocable access (disable the key after delivery). Defaults can be set org-wide.
Once viewed (or once it hits a view/download/time limit), the ciphertext is removed from our platform and queued for permanent deletion. Irreversible. The audit log keeps the access trail (IP, timestamp, user agent); the content is gone. Enterprise accounts get a signed Proof-of-Deletion Receipt at destruction time.
Yes, on Enterprise. Every destruction event emits a cryptographically signed Proof-of-Deletion Receipt recording the secure-link ID, destruction timestamp, a fingerprint of the destroyed content, and an anchor into our tamper-evident audit log. Download as JSON or PDF from the secure-link panel, or in bulk for an audit window. Auditors can verify the receipt independently at /verify without needing a CIPH4 account or our help. The audit-log anchor means any after-the-fact tampering invalidates the receipt: cryptographic proof of destruction, not policy assurance.
A second gate on top of the URL key. The passphrase is hashed in your browser before it ever reaches us, then required to unlock the secure link. 10 failed attempts auto-revoke the link. The pattern: send the link by email, send the passphrase by Signal or phone — two-channel delivery, not two-factor auth.
Six rules run against access patterns in real time: IP scanning (one IP viewing 5+ different senders' links), geo anomalies (3+ regions within 1 hour), brute-force passphrase attempts, rapid-fire single-link access, link forwarding (one link opened from 8+ unique IPs in 24 hours), and unusual access times (outside the org's business-hours window). On detection: auto-flag for review, auto-revoke the link, or alert the sender.
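One way to evaluate three of these rules (link forwarding, geo anomaly, IP scanning) with the thresholds stated above; this is an added example, not CIPH4's detection code. The event fields, the per-link scoping of the geo rule, the unwindowed IP-scanning count and the sample events are assumptions.

```javascript
// Added example: three of the six access-pattern rules, run over constructed events.
// The event shape { ts, ip, linkId, senderId, region } is an assumption.
const HOUR = 60 * 60 * 1000;

function groupBy(events, field) {
  const groups = new Map();
  for (const e of events) {
    if (!groups.has(e[field])) groups.set(e[field], []);
    groups.get(e[field]).push(e);
  }
  return groups;
}

// Largest count of distinct `field` values inside any sliding window of windowMs.
function maxDistinct(events, field, windowMs) {
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  let best = 0;
  for (let start = 0, end = 0; end < sorted.length; end++) {
    while (sorted[end].ts - sorted[start].ts > windowMs) start++;
    const seen = new Set(sorted.slice(start, end + 1).map((e) => e[field]));
    best = Math.max(best, seen.size);
  }
  return best;
}

function detect(events) {
  const hits = [];
  for (const [linkId, evs] of groupBy(events, 'linkId')) {
    // Link forwarding: one link opened from 8+ unique IPs in 24 hours.
    if (maxDistinct(evs, 'ip', 24 * HOUR) >= 8) hits.push(`link_forwarding:${linkId}`);
    // Geo anomaly: 3+ regions within 1 hour on the same link.
    if (maxDistinct(evs, 'region', HOUR) >= 3) hits.push(`geo_anomaly:${linkId}`);
  }
  for (const [ip, evs] of groupBy(events, 'ip')) {
    // IP scanning: one IP viewing links that belong to 5+ different senders.
    if (new Set(evs.map((e) => e.senderId)).size >= 5) hits.push(`ip_scanning:${ip}`);
  }
  return hits.sort();
}

// Constructed sample events (documentation IP ranges); minutes are offsets from t0.
const t0 = Date.UTC(2024, 0, 15, 9);
const ev = (min, ip, linkId, senderId, region) => ({ ts: t0 + min * 60000, ip, linkId, senderId, region });
const sampleEvents = [
  ...[0, 1, 2, 3, 4, 5, 6, 7].map((i) => ev(i * 60, `203.0.113.${i + 1}`, 'L1', 's1', 'EU')),
  ...['US', 'EU', 'APAC'].map((r, i) => ev(i * 20, `192.0.2.${10 + i}`, 'L2', 's2', r)),
  ...['a', 'b', 'c', 'd', 'e'].map((s, i) => ev(i, '198.51.100.9', `S${i}`, s, 'US')),
  ev(5, '192.0.2.50', 'L3', 's3', 'US'), // ordinary single open, should not flag
];
```

Calling `detect(sampleEvents)` flags L1 for forwarding, L2 for the geo anomaly and 198.51.100.9 for scanning, and leaves L3 alone.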
Technically the link is just a URL — anyone with the link and the passphrase (if you set one) can open it. That's why CIPH4 has three layers that defeat the forwarding case: (1) recipient identity binding (Teams and Enterprise), where the recipient verifies their email via a single-use magic link before they can decrypt; (2) per-IP allow rules (Enterprise) that pin access to the recipient organization's network range; and (3) link-forwarding threat detection that flags one link being opened from multiple browser fingerprints. With identity binding turned on, a forwarded link is useless to whoever it lands with.
Billing
Plans, payments, upgrades, and invoicing.
CIPH4 uses Stripe for secure payment processing. When you upgrade to Teams or Enterprise, you are redirected to a Stripe Checkout page to enter your payment details. Billing is monthly, and you can manage your subscription, update payment methods, and view invoices through the Stripe Customer Portal accessible from your account settings.
Yes. Upgrade anytime from billing settings — takes effect immediately with prorated billing. Downgrade through the Stripe Customer Portal — takes effect at the end of your current billing period. Feature access flips automatically.
CIPH4 accepts all major credit and debit cards (Visa, Mastercard, American Express, Discover) through Stripe. Depending on your region, additional payment methods like bank transfers, SEPA direct debit, or other local payment methods may be available through Stripe Checkout.
Contact sales@ciph4.com within 14 days of your initial subscription for a full refund. After the 14-day window, we do not offer partial refunds, but you can cancel your subscription at any time and continue to use your plan until the end of the current billing period.
Contact sales@ciph4.com for annual billing options and volume discounts for large organizations. Annual plans typically include a discount compared to monthly billing. We also offer custom Enterprise pricing for organizations with specific requirements.
All invoices are available through the Stripe Customer Portal. Navigate to your billing settings and click "Manage Billing" to access the portal, where you can view, download, and print invoices for all past payments.
Enterprise
Organization management, SSO, SCIM, and compliance features.
Free is individual use. Teams ($49/seat) adds team capacity, the API, departments, and file requests. Enterprise has custom pricing — contact sales to add SSO/SCIM, BYOK, the compliance suite, deletion receipts, webhooks, and custom branding. Full feature comparison on /pricing.
Your team logs into CIPH4 via your existing identity provider — SAML 2.0, OIDC, Azure AD, Okta, or Google Workspace. With SSO enforced, anyone with your email domain is auto-redirected to your IdP at login. Configure in the org's SSO tab.
Automatic add + remove. Connect your IdP (Okta, Azure AD, OneLogin) via SCIM 2.0 and new hires get CIPH4 accounts automatically; departures get access revoked immediately. No manual user management.
Enterprise admins enforce policies that apply to every member's drops: require passphrases, cap expiry duration, require DRM, restrict key-management modes, set file-retention windows, pick compliance framework templates. Set in org Settings; auto-enforced at drop creation.
Seven: SOC 2, HIPAA, GDPR, ISO 27001, NIST 800-53, FedRAMP, and CMMC. Each ships as a control catalog your team populates with evidence, plus a health dashboard (control coverage %, MTTR) and audit reports as PDF/CSV/JSON.
Restrict who can view your org's drops by IP range (corporate CIDR), time of day (business hours only), email domain (approved recipients only), or day of week (block weekends). Rules enforce server-side before any ciphertext is released.
Enterprise lets you put your own brand on the CIPH4 surface: custom logo, brand name, primary color, custom domain, disclaimer + email footer + agreement copy. External recipients see your brand on the file-request and drop-view pages.
Four roles: Super Admin (everything, including org-delete), Security Manager (create + view all team drops, audit logs, export), Compliance Auditor (read-only audit + export), User (own drops only). Set at invite time; changeable by admins.
Technical
Browser support, compatibility, file limits, and API access.
CIPH4 works in all modern browsers that support the Web Crypto API: Google Chrome (v60+), Mozilla Firefox (v60+), Safari (v11+), Microsoft Edge (v79+), and Opera (v47+). The Web Crypto API is required for client-side AES-256-GCM encryption. Internet Explorer is not supported.
Yes. CIPH4 is fully responsive and works on iOS Safari, Android Chrome, and all modern mobile browsers. The interface adapts to mobile screen sizes with a mobile-optimized header and navigation. File uploads and the in-browser PDF/image viewer work on mobile devices. For the best experience on iOS, use Safari 14 or later.
File size limits depend on your plan: Free allows up to 10MB per file, Teams allows up to 100MB per file, and Enterprise allows up to 1GB per file. These limits apply to the raw file size before encryption. Multi-file drops (Teams and Enterprise) can contain multiple files, each subject to the per-file size limit.
Teams and above. Generate an API key from Settings → API Keys, pass it as a Bearer token in the Authorization header. The REST API covers drops, orgs, analytics, compliance, and more. Full docs at /docs.
The built-in viewer supports PDFs and common image formats (PNG, JPG, GIF, SVG, WebP) for inline rendering with DRM controls. Other file types are available for download (unless DRM no-download is enabled). The content scanner supports text analysis for .txt, .csv, .json, .log, .pdf, and .docx files.
Yes. CIPH4 is a fully managed SaaS platform at ciph4.com. We handle infrastructure, security patches, uptime, and backups so your team can focus on sharing secrets securely. All plans run on our managed infrastructure with enterprise-grade SLAs.
Two ways. (1) Outbound: every CIPH4 share is just a link — you paste it into Slack, Outlook, Gmail, Teams, iMessage, SMS, or any other channel. Because the decryption key is in the link itself (in a URL fragment those channels never see on their servers), the channel can't read what you sent. (2) Inbound notifications: Enterprise sends real-time access events as webhooks into Slack, ticketing tools (Jira, Linear, Zendesk), or your SIEM. So when a counterparty opens a deal document, your Slack pings. No native add-in to install — the integration is the link plus the webhook, and that keeps CIPH4 out of your IT review queue.
Troubleshooting
Common issues and how to resolve them.
Common reasons include: you have reached your monthly link limit (20 for Free, 250 for Teams; Enterprise has no monthly cap), your file exceeds the size limit for your plan (10MB Free / 100MB Teams / 1GB Enterprise), or you are using a feature not available on your plan. Check your plan limits in Settings > Plan.
Whatever you set: a duration (1h / 24h / 7d), a specific date, a view count, or a download count — whichever hits first. Once expired, the ciphertext is removed and queued for permanent deletion. It can't be recovered.
Common fixes: verify host + port + credentials in Org → SMTP; try port 587 (STARTTLS) or 465 (SSL); confirm your server allows external connections. Gmail needs an App Password (not your account password) with 2FA on. Use Send Test Email to see the exact error.
Possible causes: already viewed (one-time link), expired, revoked, IP blocked by access rules, accessed outside allowed hours, or recipient's email domain not on the allowlist. Check the drop status + audit log in your dashboard. If burned or revoked, you'll need to create a new one.
No. Passphrases are hashed in your browser before they reach us. We never see or store the plain passphrase, so we cannot recover it. You will need to create a new secure link and share the passphrase through a separate secure channel. This is by design for maximum security.
Suspicious access pattern detected. Common triggers: failed passphrase attempts (brute force), one IP hitting drops from many senders (reconnaissance), or one drop accessed from multiple regions in a short window (credential sharing). Review in the Threats dashboard and resolve, revoke, or investigate.
Go to Settings > Sessions to see all your active sessions. You can revoke individual sessions by clicking the revoke button next to each one. When a session is revoked, that device is immediately logged out. This is useful if you suspect unauthorized access or have lost a device.
CIPH4 tracks bounce events and surfaces them in the share's timeline so you see immediately when delivery failed. The link itself isn't tied to email delivery — the recipient can still open it if they get the link through any other channel (Slack, SMS, in person). If you used recipient identity binding, the magic-link email may have been what bounced; you can switch off identity binding for that share, resend the link via a different channel, or correct the recipient address and reissue. The original share is never auto-revoked on bounce — that's a deliberate choice so a typo in one email doesn't kill a deal-critical document.